Spoofers and Phishers

Steam: Get free games (spoof)

2011-09-26T00:36:48Z

Be on the look out for Steam -spoofed e-mail.

STEAM is an online community that allows game players to access thousands of games: purchase, download and play from any computer. Players can also chat online with other players while gaming with a microphone.

There is now an e-mail claiming to be from Steam Support stating that free games are now available and to claim such an offer, he/she just simply click on the provided link to activate.

The link points to a possibly hacked website: steampowered.countryplans.com

Registrant:
CountryPlans LLC
5010 Inglewood Dr.
Langley, Washington 98260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: COUNTRYPLANS.COM
Created on: 02-Aug-97
Expires on: 01-Aug-13
Last Updated on: 26-Mar-10

PayPal: Your account has been temporarily limited !

2011-06-22T16:31:59Z

Image via Wikipedia

The e-mail is supposed to come from PayPal (updates-int@paypal.net) and is with an attachment "Restore_your_account_PayPal.html", it's about 10.3KB in size. The e-mail itself originated from Korea (ne07.tt.co.kr [211.47.69.62]).

It states:

Dear PayPal account holder,

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account,and multiple password failures were present before the logons.

Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Download and fill out the form to resolve
the problem and then log into your account.

Thanks ,
PayPal

If they have access to my account information, would it not have greeted using my name? This is by far the weakest of spoofed e-mails involving PayPal. It does not have the standard legal disclaimer, it does not have the security statement, everything that would make it more believable.

Facebook Mail Notification

2011-06-13T05:46:28Z

Image via CrunchBase

Be on the look out for fake Facebook e-mail notifications telling you that someone is looking for you. The spoofers used the 'notoficationsfacebook' handle in the email address, notoficationsfacebook @ myfisrstphotoinc.com. The mail item originated from illimail.com (75.126.156.14), a domain currently hosted on godaddy.com.

The e-mail boils down to you clicking on a link that's provided within the e-mail which points to:

http://facebook-rplymsgsimm.ahlamoontada.com/h7-page

Now ahlamoontada.com is a domain hosted on the same IP address by the same domain company. There are two additional IP addresses that's associated with ahlamoontada.com (74.86.145.74 and 74.86.145.73).

American Express Email

2011-06-06T20:09:47Z

Beware of email claiming to come from American Express warning you that your information is not complete.

The link provided in the e-mail actually points to a website (chinacdc.cn) own by the Chinese Domain Registry.

Skype - Password Successfully Changed

2011-05-24T01:53:41Z

Be on the look out for "Password Successfully Changed" e-mails that claims to be coming from Skype. Needless to say that it looks slightly authentic but there is one gotcha that makes everything so suspicious -- a salutation that missing your name.

All the links all point to a non-Skype IP address that's owned by HostDime.com, Inc. (72.29.83.6) and specifically points to an user account "~jasonmou".

National Alliance of Male Executives: Scam

2011-01-27T19:56:15Z

A day after I've received my Distinguished Professionals Online invite e-mail, I get another invite from the National Alliance of Male Executives. The click-through link points to http://www.newjobclassifieds.com/ but that website is the default CentOS Apache 2 Test Page. This domain is registered with the same domain name registrar as http://www.careertipstoday.com, the one hosting the Distinguish Professionals Online.

Dear Wu, John,

We are excited to offer you an extraordinary opportunity to take part in a complimentary listing in N.A.M.E. --- National Alliance Of Male Executives.

N.A.M.E. is a unique on-line community providing a premium service and forum for business and social Networking, discounts on Activities, Marketing solutions and Entertainment services.

We recognize male executives who have achieved professional success as well as those looking to further their career, expand their business opportunities and enjoy the finer things in life.

Our mission is to make your life easier by providing business, recreational and personal services.

As a member you can look forward to being featured among other like-minded executives and professionals as well as us providing you with the quality service you deserve.

Why spend hours searching other websites when you can use ours in just minutes?

Please click here to get started.

We look forward to accommodating you in the near future.

Sincerely,
Michael Wahl
Vice President, Public Relations

N.A.M.E
P.O. Box 235
Oyster Bay, NY 11771
USA

Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please delete the communication and unsubscribe from the mailing using the options available in this email.

To remove yourself from future mailings, please visit here to use our automated removal system. You will be removed from our mailing database within seven (7) days.

Thanks

Domain Name:     newjobclassifieds.com
Registrar:       Name.com LLC

Protected Domain Services Customer ID: NCR-2960246

Expiration Date: 2011-12-05 04:46:28
Creation Date:   2010-12-05 04:46:28

Name Servers:
        ns1.newjobclassifieds.com
        ns2.newjobclassifieds.com

REGISTRANT CONTACT INFO
Protected Domain Services - Customer ID: NCR-2960246
P.O. Box 6197
Denver
CO
80206
US
Phone:         +1.7202492374
Email Address: newjobclassifieds.com@protecteddomainservices.com

ADMINISTRATIVE CONTACT INFO
Protected Domain Services - Customer ID: NCR-2960246
P.O. Box 6197
Denver
CO
80206
US
Phone:         +1.7202492374
Email Address: newjobclassifieds.com@protecteddomainservices.com

TECHNICAL CONTACT INFO
Protected Domain Services - Customer ID: NCR-2960246
P.O. Box 6197
Denver
CO
80206
US
Phone:         +1.7202492374
Email Address: newjobclassifieds.com@protecteddomainservices.com

BILLING CONTACT INFO
Protected Domain Services - Customer ID: NCR-2960246
P.O. Box 6197
Denver
CO
80206
US
Phone:         +1.7202492374
Email Address: newjobclassifieds.com@protecteddomainservices.com

Distinguished Professionals Online: Scam

2011-01-27T04:16:08Z

Apparently, all my time and efforts on the IntraWeb has gotten me chosen as a potential candidate to represent my professional community in the 2011 Edition of "Distinguished Professionals Online". Okay, definitely not legit. You have to send them money.

Dear John,

You were recently chosen as a potential candidate to represent your professional community in the 2011 Edition of Distinguished Professionals Online.

We are pleased to inform you that your candidacy was formally approved January 24th, 2011. Congratulations.

The Publishing Committee selected you as a potential candidate based not only upon your current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals. Given your background, the Director believes your profile makes a fitting addition to our publication and our online network.

There is no fee nor obligation to be listed. As we are working off of secondary sources, we must receive verification from you that your profile is accurate. After receiving verification, we will validate your online listing within 7 business days.

Once finalized, your listing will share prominent registry space with thousands of fellow accomplished individuals across the globe, each representing accomplishment within their own geographical area.

To verify your profile and accept the candidacy, please visit here. Our registration deadline for this year's candidates is February 20th, 2011. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee I salute your achievement and welcome you to our association.

Sincerely,
Robert Patterson
Vice President, Research Division

Distinguished Professionals Online
26 Bond Street
Westbury, NY 11542, USA

Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please delete the communication and unsubscribe from the mailing using the options available in this email.

To remove yourself from future mailings, please visit here to use our automated removal system. You will be removed from our mailing database within seven (7) days.

Thanks

Domain Name:     careertipstoday.com
Registrar:       Name.com LLC

Protected Domain Services Customer ID: NCR-2960243

Expiration Date: 2011-12-05 04:46:26
Creation Date:   2010-12-05 04:46:26

Name Servers:
        ns1.careertipstoday.com
        ns2.careertipstoday.com

REGISTRANT CONTACT INFO
Protected Domain Services - Customer ID: NCR-2960243
P.O. Box 6197
Denver
CO
80206
US
Phone:         +1.7202492374
Email Address: careertipstoday.com@protecteddomainservices.com

ADMINISTRATIVE CONTACT INFO
Protected Domain Services - Customer ID: NCR-2960243
P.O. Box 6197
Denver
CO
80206
US
Phone:         +1.7202492374
Email Address: careertipstoday.com@protecteddomainservices.com

TECHNICAL CONTACT INFO
Protected Domain Services - Customer ID: NCR-2960243
P.O. Box 6197
Denver
CO
80206
US
Phone:         +1.7202492374
Email Address: careertipstoday.com@protecteddomainservices.com

BILLING CONTACT INFO
Protected Domain Services - Customer ID: NCR-2960243
P.O. Box 6197
Denver
CO
80206
US
Phone:         +1.7202492374
Email Address: careertipstoday.com@protecteddomainservices.com

Semi-Authentic Spoofed E-mail from Netflix

2010-09-29T04:08:33Z

Image via CrunchBase

Socially sharing knowledge has proven to come back to bite users in the proverbial butt, well in this case, me. It wasn't a total success in duping me but the fact that the information I shared has come back to me. This one comes from sharing your Netflix movie rental with the public in trying to make friends with the same taste in movies. Spoofers have taken this public information and fashioned an e-mail to take on the form of a 'reported missing movie disc' notification. This would have been very convincing e-mail but there was some mistakes.

You should examine the various links embedded in the e-mail, this e-mail all points to http://kimian.net/1.html ... not http://www.netflix.com . Never click on any of the links that's provided in the e-mail if you have any suspicion about the origin of the e-mail; always go to the site directly by manually typing the URL.

YouSendIt: You have received a file from ... via YouSendIt.

2010-08-06T06:19:15Z

Image via Wikipedia

The popular file sharing, YouSendIt, has been spoofed by attackers looking for unsuspecting recipients to open the zip file that's sent as an attachment. The file is named 'YouSendIt_reader.zip' and it's about 10.3KB in size.

has sent you the following via YouSendIt

File attached to this letter.

YouSendIt, Inc. | Privacy Policy
1919 S. Bascom Ave., Campbell, CA 95008

The service, YouSendIt, is the FTP alternative. Rather than having someone download the file via FTP (username/password), the owner of the file would simply upload the file to the server and, from there, he or she can have the service simply email the file to one or more email recipients.

YouSendIt has close to 12 million users with more than 15 million transfers monthly across 220 countries and is the solution of choice for businesses and independent professionals alike -- the latter including creative designers, photographers, business consultants and media producers. Over 10,000 corporate users from companies including Levi's, Ritz Camera, Vmware, Salesforce, Reuters and Kelly-Moore Paints rely on YouSendIt for the secure delivery of their time sensitive data

Email: US$35,000,000.00 [EMRCP] Project!

2010-08-02T19:31:00Z

Image via Wikipedia

Excess Maximum Return Capital Profit (EMRCP) Project would like to help you achieve this goal for the benefit of both. Yup, that's the email I gotten today from someone claiming to be part of the EMRCP Project.

Please review the attached copy of the detail and advise on how we can achieve this goal for the benefit of both.

As promised, there was an supposedly document attached to this email labeled as "THE DETAIL.doc" and it's about 25.0KB is size. The payload's nature is currently unknown of it's intent but you don't click on it to find out on a whim.

Webmail: Your webmail quota has exceeded the set quota which is 20GB

2010-06-28T14:53:11Z

Another variant of the "Your webmail quota has exceeded the set quota" scam. This one is sent from "Localhost" and one of the BIGGEST CLUE that this is a scam... Do you know someone named "Localhost"?

There's nothing very specific in the details of this e-mail to lead you to believe that they have any information about you and was sent out to see if anyone would take the bait. Definitely something you can simply throw away and not worry about. Just don't click on the link provided.

Your webmail quota has exceeded the set quota which is 20GB. you are currently running on 20.9GB. To re-activate and increase your webmail quota please click the link below.

http://ow.ly/244BZ

Failure to do so may result in the cancellation of your webmail account.

Thanks, and sorry for the inconvienence.

Localhost

This email originated from Treasure Valley Community College and it appears as though someone's account got hacked/compromised.

Amazon: Your Amazon.com Order ...

2010-06-27T07:24:05Z

Image via CrunchBase

You may have done business with Amazon-dot-COM in the past and if you have, this is something you'll need to beware and scrutinize. An e-mail was received stating that my Amazon order had been shipped. Everything about the e-mail looks legit except for the fact that I didn't order anything recently. This quickly let to closer examination of the e-mail and found the links were NOT pointing to Amazon's website.

The header information of this particular e-mail showed that it originated from Russia (net218.186.188-49.dynamic.omsk.ertelecom.ru/188.186.218.49), this may not be the only source of the spoofed email and in fact, one of the routes that the e-mail went through Amazon's own servers.

Always scrutinize e-mails that you've received from businesses, especially e-mail from businesses you seldom have contact, if any at all.

Twitter: Bogus E-mail Requesting Information

2010-06-09T20:32:11Z

Image via CrunchBase

Recently, I've gotten an e-mail from Angelina Jolie asking me to join her on Facebook. Needless to say, that was a bogus request. Today, I've gotten a supposedly e-mail notification from Twitter stating that I recently changed my e-mail address associated with an Twitter account and that I needed to click on a link to confirm. That automatically threw up flags everywhere.

While this e-mail originated from someplace in the United Kingdom (78.150.94.45), the link in the e-mail points to some Russian website (http://bygirl.ru/vcqf.html).

As always, examine your e-mail very carefully, if at all possible, try going to the directly on your web browser and not through the link that's provided within the e-mail. Check for spelling errors, though this is not direct proof that the e-mail you've received is bogus/fake, it does warrant further investigation.

Facebook: Bogus Invites to Join Facebook

2010-06-08T13:24:52Z

Image via Wikipedia

"Angelina Jolie" invited me to join Facebook and the invite looks all legit and everything or does it? The email address that the invite was sent to is already registered with Facebook so then "WHY" would it be asking me to sign up? "WHY" would it be asking me to add the email address to my Facebook account?

This new phishing attempt tries to get users to click on the link(s), drawing them to a website that's not Facebook, for reasons unknown but definitely nefarious.

Like any phishing emails, the links do not taking you to the actual site (e.g. Facebook) and in this instance, if you click on the button or the links, it will take you to some compromised site(s). In fact, all the links on the email has been substituted with the alternate site (see below for list of sites).

The email itself originated from a different IP locations:

217.12.70.152 (RU) 95.72.115.111 (RU)

So, the bottom line, the email request looks very authentic if weren't for the following, "Why would Angelina Jolie be asking me to join Facebook"? Be warned, be cautious and be alert.

Compromised/Free Hosting Sites used by Phishers:

http://xyddds.110mb.com/index.htm
http://grapevinephotography.com.au/1.htm

Phishing: Email Administrator IT Service

2010-05-16T01:40:48Z

If you recently received an e-mail from something as vague as "Email Administrator IT Service", don't believe it (not that you would have anyways). The body of the message is something like the following:

Dear subscribers. This message is from the Email Administrator IT Service to all our email account subscribers.You are to provide to us the below information to revalidate your account due to spam and to upgrade the new 2010 spam version. Notice:Your access.k12.wv.us Email account will be expired after a week, if you do not revalidate or update your account. Please do co-operate with us so we can serve you better, contact the adminstrator!!**** User Name: Password: Confirm Your Password: Alternative Email : Thank You. Email Administrator Warning Code :ID67565434

Okay, just reading this message should be throwing up alarms in your mind. No IT administrator would ever ask you for your password, they are admins and have the ability to make changes that doesn't require your password. This particular e-mail originated from within Canada.

Received: from duo.kics.bc.ca (68.233.169.222) by XXXXXXXXXXXXXXXXX with SMTP; 15 May 2010 17:16:15 -0400 Received: (qmail 18103 invoked from network); 15 May 2010 21:08:54 -0000 Received: from unknown (HELO squirrel.kics.bc.ca) (68.233.169.222) by kics.bc.ca with SMTP; 15 May 2010 21:08:53 -0000 Received: from 82.128.112.55 (SquirrelMail authenticated user market@eco.kics.bc.ca) by squirrel.kics.bc.ca with HTTP; Sat, 15 May 2010 14:08:53 -0700 (PDT) Message-ID: <46ef1fc8b2696f757c51403ff8ec660f.squirrel@squirrel.kics.bc.ca> Date: Sat, 15 May 2010 14:08:53 -0700 (PDT) Subject: Dear subscribers. From: "E-MAIL. MANAGEMENT" Reply-To: upgradingteam@24.tc

This is something to look out for. Below is a capture of the actual email item.