Job offer

Another way to get control.
Mohammad@northwest.edu (unsure whether this is genuine but I have my doubts)
sent me a mail:

HELLO.

We would like to offer you a job in the JBS REGISTER Company.

We have many vacant positions, and we can grant you perfect and very profitable job.

MINIMAL MONTHLY INCOME: 1500 EURO (2-4 hours of your time is required)

The job is processing of money orders of our clients.

You should have several hours a day for execution of our orders.

EACH CANDIDATE GETS A JOB IN OUR COMPANY.

Please, fill the questionnaire, and in 24 hours you will receive instructions and documents (contract) for beginning of the work.

http://58.65.239.116/buri/

THANK YOU VERY MUCH.

Of course, the first thing to check is the header;

Return-Path: Mohammad@northwestern.edu
Received: from dsl-189-130-158-237.prod-infinitum.com.mx (189.130.158.237)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Thu, 23 Aug 2007 03:06:23 +0100 (CET)
Message-ID: <E9E15B67.6162678@northwestern.edu>
Date: Thu, 23 Aug 2007 20:05:31 +0200
From: Mohammad <Mohammad@northwestern.edu>
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: (me)
Subject: job offer
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Mail exchange? dsl-189-130-158-237.prod-infinitum.com.mx (189.130.158.237) doesn’t seem like something from an educational institute… The address does not refer to a domain, it seems. Prod-Infinitum.com resides in the US, and has another address. It’s a hack, it seems. com.mx doesn’t translate to an address either but gave some Spanish comments:
Meta Keywords:
diseñador, gráfico, freelance, diseño, web, site, sitio, paginas, Internet, animacion, flash, multimedia, mexico, México,
Meta Description:
Portafolios en línea del Diseñador Gráfico Luis Francisco Reyes Aceves

The website (www.com.mx) seems to exist but you have no access.

Northwest.edu has nothing to do with this either. I bet there isn’t even a “Mohammad” user registered:
nslookup northwest.edu
Server: nlutrdc03.nl.hr.group
Address: 172.21.206.1

Name: northwest.edu
This is a university in the Northwest of Ohio.
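
The header checks described above, as an added Python example (not part of the original post): it compares the relay named in the topmost Received line with the From domain, and the Date header with the time of receipt. The flag names and the five-minute skew tolerance are assumptions chosen for illustration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Subset of the headers quoted in the post (recipient host masked there too).
# Continuation lines are indented so the Received header folds correctly.
RAW = """\
Return-Path: Mohammad@northwestern.edu
Received: from dsl-189-130-158-237.prod-infinitum.com.mx (189.130.158.237)
 by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
 Thu, 23 Aug 2007 03:06:23 +0100 (CET)
Message-ID: <E9E15B67.6162678@northwestern.edu>
Date: Thu, 23 Aug 2007 20:05:31 +0200
From: Mohammad <Mohammad@northwestern.edu>
Subject: job offer

"""

def analyse(raw, max_skew=timedelta(minutes=5)):
    """Return a list of flags for header inconsistencies (names are illustrative)."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # msg["Received"] is the topmost line, the one added by the receiving
    # server itself; everything below it is supplied by the sending side.
    received = " ".join((msg["Received"] or "").split())  # unfold
    m = re.match(r"from (\S+) \(([\d.]+)\)", received)
    if m is None:
        return ["unparseable-received"]
    host, ip = m.group(1).lower(), m.group(2)
    # A relay outside the From domain is a signal, not proof: legitimate mail
    # is often sent through third-party hosts.
    if host != sender_domain and not host.endswith("." + sender_domain):
        findings.append("relay-not-in-sender-domain")
    # Heuristic: reverse-DNS names that embed the IP usually belong to
    # DSL/dial-up address pools rather than to mail servers.
    if ip.replace(".", "-") in host:
        findings.append("relay-name-embeds-ip")
    # Compare the sender-supplied Date with the time our server received it.
    stamp = re.sub(r"\([^)]*\)", "", received.rpartition(";")[2]).strip()
    if parsedate_to_datetime(msg["Date"]) - parsedate_to_datetime(stamp) > max_skew:
        findings.append("date-after-receipt")
    return findings

if __name__ == "__main__":
    print(analyse(RAW))
```

For this message all three flags are raised: the Date header claims a sending time about sixteen hours after the server had already received the mail.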

JSB Register seems to be a known company – Google gave the same IP address. The link in this message leads to a server in Hong Kong, according to the address.
If you follow the link, you get:

[Image: jsb-register fake]

This is the result of a PHP script – or, when filled in, it is sent to a PHP application:

<FORM action=form.php method=POST>

But that is the company entry page. If you use the link in the message, the outcome in the browser is exactly the same, but when displaying the source, there is a difference at the end of the message: there is a hidden INPUT item, and that makes it suspicious:
The page linked from Google states:
<input type="hidden" name="icq" value="orig">
and the link from the message states:
<input type="hidden" name="icq" value="buri">

It might be genuine but I have my doubts. I guess their server is hacked….

What would be the outcome if you DID subscribe? Some malware planted on your PC, I assume.
