Ebay – a bit altered

This message arrived today – from an Ebay – I mean, Eday member:

eday

With Outlook, Eday is easily read as Ebay…

Fake of course, sent to obtain credentials.
The header shows where it came through: Australia – given the host names, I'd say Melbourne:

Return-Path: member@eday.com
Received: from mail.southern-ro.com.au (203.46.24.242)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Thu, 30 Aug 2007 13:40:27 +0100 (CET)
Received: from User ([195.84.14.70]) by melbserver.southern-ro.com.au with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 30 Aug 2007 21:40:16 +1000
Reply-To: <member@eday.com>
From: "member"<member@eday.com>
Subject: message from member
Date: Thu, 30 Aug 2007 13:40:15 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: member@eday.com
Message-ID: <MELBSERVERAtC33BcZY00000e29@melbserver.southern-ro.com.au>
X-OriginalArrivalTime: 30 Aug 2007 11:40:16.0643 (UTC) FILETIME=[891CAD30:01C7EAFA]

That is: the message was injected from 195.84.14.70, which is NOT an eBay address, and neither is the mail server that connected to mine (203.46.24.242). Nor would eBay send with Outlook Express, and the HELO name "User" in the inner Received line is what a desktop mail client announces when it has no host name of its own. In other words: it came from an ordinary PC. There is no To: line either; delivery goes by the envelope recipient (RCPT TO), not by the headers, so a message can reach me without my address appearing anywhere in it.
The message does not address me by name either, which is not how eBay does it.

Almost all links that could require a login refer to a site at oberleitner.biz, even the ones where you could report or learn about abuse:

Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>Is
this message an offer to buy your item directly through email without
winning the item on eBay? If so, please help make the eBay marketplace
safer by reporting it to us. These external transactions may be unsafe
and are against eBay policy. <A href="
http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>

A bit further down, the same paragraph again:

<B>Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>Is this message an offer to buy your item directly through email without winning the item on eBay? If so, please help make the eBay marketplace
safer by reporting it to us. These external transactions may be unsafe and are against eBay policy. <A href="
http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/"
target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>

and

Learn how you can protect yourself from spoof (fake) emails at:<BR><A href="http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT
color=#003399>https://pages.ebay.com/education/spooftutorial</FONT></A>

It looks like oberleitner.biz's business is harvesting user credentials, or its domain has been abused. The directory name eBay_com_Verify_your_eBay_account_files looks like what a browser's "save page complete" produces, so somebody saved the real eBay page and uploaded the copy there.

Another job offer

I received another job offer today: the same one as two days ago, from a different sender, for the same company, with a different link.

The new header runs:

Return-Path: akstcxylbmnsdgs@xylb.com
Received: from 87-205-210-108.adsl.inetia.pl (87.205.210.108)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Fri, 24 Aug 2007 23:14:43 +0100 (CET)
Return-Path: <akstcxylbmnsdgs@xylb.com>
Received: from 218.66.102.106 (HELO mail.xylb.com)
by grootersnet.nl with esmtp (?< ?*A+.7,/0 >)(7)
id S.DCAR-TAHH0N-+)
for willem@grootersnet.nl; Fri, 24 Aug 2007 21:15:33 -0100
Message-ID: <01c7e693$e85df080$6c822ecf@akstcxylbmnsdgs>
From: "Enid Mullen" <akstcxylbmnsdgs@xylb.com>
To: (me)
Subject: job for you
Date: Fri, 24 Aug 2007 21:15:33 -0100
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-2";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663

So the sender – or the relay – is on a Polish ADSL line, or it is a zombie (a compromised home PC). Note that the second Received line, which claims to have been added "by grootersnet.nl", is forged: my server's own line is the top one, and this one carries garbage where the MTA name and queue id should be.
The Message-ID is bogus (I did not even bother checking), and so is the return address. Don't try to tell me a user "akstcxylbmnsdgs" actually exists; I doubt there is such a user at XYLB.COM.
However: the domain XYLB.COM itself does exist (it resolves), otherwise the message would not have got this far.

Where the previous job offer was sent with Thunderbird (see below), this one seems to use good old Outlook Express. Hardly a professional setup, I'd say.

If you follow the link you’ll end up on JSB Register – like the previous job offer – but the link is different:

http://58.65.239.116/zaka/
and in that page, the hidden field is:

<input type="hidden" name="icq" value="zaka">

Job offer

Another way to get you under control.
Mohammad@northwestern.edu (unsure whether this address is genuine, but I have my doubts)
sent me a mail:

HELLO.

We would like to offer you a job in the JBS REGISTER Company.

We have many vacant positions, and we can grant you perfect and very profitable job.

MINIMAL MONTHLY INCOME: 1500 EURO (2-4 hours of your time is required)

The job is processing of money orders of our clients.

You should have several hours a day for execution of our orders.

EACH CANDIDATE GETS A JOB IN OUR COMPANY.

Please, fill the questionnaire, and in 24 hours you will receive instructions and documents (contract) for beginning of the work.

http://58.65.239.116/buri/

THANK YOU VERY MUCH.

Of course, the first thing to check is the header:

Return-Path: Mohammad@northwestern.edu
Received: from dsl-189-130-158-237.prod-infinitum.com.mx (189.130.158.237)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Thu, 23 Aug 2007 03:06:23 +0100 (CET)
Message-ID: <E9E15B67.6162678@northwestern.edu>
Date: Thu, 23 Aug 2007 20:05:31 +0200
From: Mohammad <Mohammad@northwestern.edu>
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: (me)
Subject: job offer
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Mail exchange? dsl-189-130-158-237.prod-infinitum.com.mx (189.130.158.237) is a DSL customer line in Mexico (Infinitum is Telmex's DSL service), hardly something an educational institute sends from. The name does not lead to a web site of its own: prod-infinitum.com is a US site at a different address, so this is a hacked or rented home line, it seems. com.mx does not translate to a useful address either, but did produce some Spanish page metadata:
Meta Keywords:
designer, graphic, freelance, design, web, site, site, pages, Internet, animation, flash, multimedia, mexico, México,
Meta Description:
Online portfolio of graphic designer Luis Francisco Reyes Aceves

The web site (www.com.mx) seems to exist, but refuses access.

The university has nothing to do with this either (note that the From: line says northwestern.edu, while the lookup below was done on northwest.edu, a different name). I bet there is not even a "Mohammad" user registered there:
nslookup northwest.edu
Server: nlutrdc03.nl.hr.group
Address: 172.21.206.1

Name: northwest.edu
That is a university in the northwest of Ohio.

JSB Register seems to be a known company – Google gave the same IP address. The link in this message, judging by its address, leads to a server in Hong Kong.
If you follow the link, you get:

jsb-register fake

The form is handled by a PHP script; when filled in, the data is POSTed to it:

<FORM action=form.php method=POST>

But that is the company's entry page. If you use the link in the message, what the browser shows is exactly the same, but the source differs at the end: there is a hidden INPUT field, and that makes it suspicious:
The page linked from Google states:
<input type="hidden" name="icq" value="orig">
and the link from the message states:
<input type="hidden" name="icq" value="buri">

It might be genuine, but I have my doubts. I guess their server is hacked…

What would happen if you DID sign up? Malware planted on your PC is one possibility. Given the wording ("processing of money orders of our clients"), the more likely outcome is that you are recruited as a money mule: stolen funds land in your own bank account, you forward them minus a commission, and you are the one the police come to afterwards.

Paypal again

Another one as if from Paypal
Paypal-21aug

as it is displayed in HTML format – which is how Outlook (or Outlook Express, which most unsuspecting users run) shows it.

No name, so bogus. Look at the date in the message: 28-Aug-2007, a week after it was received. It might well be the date your account gets abused IF you react to this message.

If you look at the raw data, it is not that obvious at first glance, because the names seem to match:

Return-Path: service@paypal.com
Received: from cpe-71-65-23-167.twmi.res.rr.com (71.65.23.167)
by xxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Tue, 21 Aug 2007 18:56:32 +0100 (CET)
Received: from 208.188.111.32 by ; Tue, 21 Aug 2007 18:57:49 +0100
Message-ID: <qtprxvpwrckqwbprqtl@msn.com>
From: "PayPal" <service@paypal.com>
Reply-To: "PayPal" <service@paypal.com>
To: (me)
Subject: Restore your account access
Date: Tue, 21 Aug 2007 10:54:49 -0700
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--2194093895003147"
X-Priority: 1
X-MSMail-Priority: High

However, what about:

X-Mailer: AOL 7.0 for Windows US sub 118

That is America Online, an ISP, and I'm pretty sure PayPal has its own servers and won't send through the client software of a broadband or dial-in service from one of the biggest ISPs in the world.
The host that handed the message to me is cpe-71-65-23-167.twmi.res.rr.com: RR.COM is RoadRunner, a US cable ISP, and the name marks a residential customer line (cpe = customer premises equipment). The inner Received line, with an empty "by" field, is simply forged. Not really PayPal…

Nor would Paypal use MSN for sending a message:


Message-ID: <qtprxvpwrckqwbprqtl@msn.com>
X-MSMail-Priority: High

Looking into the message, the harm is in the central link:

<table width=3D"100%" cellpadding=3D"4" cellspacing=3D"0" border=3D"0" bgc=
olor=3D"#FFFECD" align=3D"center">
<tr><td class=3D"pp_sansserif" align=3D"center">
<a href=3D"http://centrala.junis.ni.ac.yu/.../.paypal/.confirm/index.htm"
title=3D"Please click here to restore your account access">
Please click here to restore your account access</a>
</td></tr></table>

And there is a script at the bottom that does not show up, because it sits behind the </html> tag:

<!-- text below generated by server. PLEASE REMOVE --><!-- Counter/=
Statistics data collection code --><script

language=3D"JavaScript" src=3D"http://hostingprod.com/js_source/geov2.js">=
</script><script language=3D"javascript">geovisit

();</script><noscript><img src=3D"http://visit.webhosting.yahoo.com/visit.=
gif?us1173035983" alt=3D"setstats" border=3D"0" width=3D"1"

height=3D"1"></noscript>

and that is something you won't find in a real PayPal message. The HTML comment says it all: this visitor counter is appended by Yahoo web hosting to the pages it serves, so the phisher's page was saved from (or built on) a Yahoo-hosted site. PayPal has its own servers and will not host on Yahoo.

I checked the host in the link; it looks like a telephone exchange:

paypal target

Hacked, most likely, given the hiding place /.../.paypal/.confirm (it is a Unix/Linux box, and a name beginning with a dot, like "..." and ".confirm", is skipped by a plain ls and by most directory listings, so the owner would not notice it). No real wonder for a university…

I contacted the site on this.

The price of being famous?

Once again, someone tries to get credentials using eBay-style messages.
ebay number 3

As usual, you should be alarmed by the full header:

Return-Path: member@ebay.com
Received: from mail.neel.net (71.165.245.13)
by xxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Sat, 18 Aug 2007 20:18:13 +0100 (CET)
Received: from User ([202.28.4.25])
by mail.neel.net (Merak 7.6.2) with ASMTP id EAA74438;
Thu, 16 Aug 2007 13:13:34 -0700
From: "ebay"<member@ebay.com>
Subject: confirm your email address on file at eBay
Date: Thu, 16 Aug 2007 11:15:32 +0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Outlook Express, the mail client that ships with Internet Explorer, so an ordinary Windows PC: I'm not fooled by such stupidity.
No To: line, and the message actually states:
For security reasons your registered name and email is not included.
Makes sense, since they don't know it. They want you to supply it to them, and your password…

The mail server has little or nothing to do with eBay: its address block is delegated to Verizon name servers:

$ dig -x 71.165.245.13

; <<>> DiG 9.3.1 <<>> -x 71.165.245.13
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17107
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;13.245.165.71.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
13.245.165.71.in-addr.arpa. 69628 IN    PTR     mail.neel.net.

;; AUTHORITY SECTION:
245.165.71.in-addr.arpa. 69628  IN      NS      ns2.verizon.net.
245.165.71.in-addr.arpa. 69628  IN      NS      ns2.bellatlantic.net.
245.165.71.in-addr.arpa. 69628  IN      NS      ns4.verizon.net.
245.165.71.in-addr.arpa. 69628  IN      NS      ns1.bellatlantic.net.

eBay might conceivably relay over Verizon or Bell Atlantic, but the originating host (the inner Received line) is a Thai academic machine, by its name a library PC:

$ dig -x 202.28.4.25

; <<>> DiG 9.3.1 <<>> -x 202.28.4.25
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15689
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;25.4.28.202.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
25.4.28.202.in-addr.arpa. 86400 IN      PTR     libmod25.lib.kmutt.ac.th.

;; AUTHORITY SECTION:
4.28.202.in-addr.arpa.  86400   IN      NS      libmod.lib.kmutt.ac.th.

I have my doubts.
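The header walk done above for this message, and for the Eday, job-offer and PayPal messages earlier on this page, is the same routine every time, so it can be scripted. The following is an added example (my own code, not from the original posts): it parses the Received: chain of a raw header, reports the relays in delivery order with the IP and HELO name of the injecting host, and checks the From: domain against the relays, the absence of a To: line and the X-Mailer. The sample header is the eBay header quoted above, re-indented as it is in the real message; the PTR table is built from the dig output above so the script runs offline, and the client list in DESKTOP_CLIENTS is my own choice.

```python
"""Walk the Received: chain of a raw mail header and collect the facts this
page checks by hand for every message: the relays in delivery order, the IP
and HELO name of the host that injected the message, whether any relay is in
the domain the From: line claims, whether a To: line exists, and whether a
desktop mail client is named in X-Mailer.

Added example, not code from the original posts.  RAW_HEADER is the eBay
header quoted on this page (continuation lines re-indented as in the real
message); PTR is a lookup table built from the dig output shown there, so
the check runs offline instead of doing live reverse lookups."""
import re
from email import message_from_string
from email.utils import parseaddr

RAW_HEADER = """\
Return-Path: member@ebay.com
Received: from mail.neel.net (71.165.245.13)
 by xxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
 Sat, 18 Aug 2007 20:18:13 +0100 (CET)
Received: from User ([202.28.4.25])
 by mail.neel.net (Merak 7.6.2) with ASMTP id EAA74438;
 Thu, 16 Aug 2007 13:13:34 -0700
From: "ebay"<member@ebay.com>
Subject: confirm your email address on file at eBay
Date: Thu, 16 Aug 2007 11:15:32 +0700
MIME-Version: 1.0
Content-Type: text/html;
 charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

"""

# Reverse DNS as shown by the dig runs on this page (constructed lookup table).
PTR = {
    "71.165.245.13": "mail.neel.net",
    "202.28.4.25": "libmod25.lib.kmutt.ac.th",
}

# Mail clients a company's bulk mailer would never identify itself as (my list).
DESKTOP_CLIENTS = ("Outlook Express", "Thunderbird", "AOL ")

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)


def parse_received(value):
    """Return (helo_name, ip) for one Received: header value.

    The IP is taken from the parenthesised part the receiving MTA adds
    ("(71.165.245.13)" or "([202.28.4.25])"); if there is none, from the
    HELO token itself.  Either may be missing in forged lines."""
    m = FROM_CLAUSE.search(value)
    if not m:
        return None, None
    helo, paren = m.group(1), m.group(2) or ""
    hit = IPV4.search(paren) or IPV4.search(helo)
    return helo, (hit.group(1) if hit else None)


def relay_chain(raw):
    """Hops in delivery order: the injecting host first, our own MX last.

    Each relay prepends its Received: line, so header order is reversed
    to recover the route the message took."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [hop for hop in reversed(hops) if hop[1]]


def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)


def assess(raw, ptr=None):
    """Summarise the header the way the post does, as a dict of findings."""
    ptr = ptr or {}
    msg = message_from_string(raw)
    chain = relay_chain(raw)
    origin_helo, origin_ip = chain[0] if chain else (None, None)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Name each relay by its reverse DNS if known, else by what it said in HELO.
    relay_names = [(ptr.get(ip) or helo or "").lower() for helo, ip in chain]
    return {
        "origin_ip": origin_ip,
        "origin_helo": origin_helo,
        "claimed_domain": claimed,
        "relay_in_claimed_domain": bool(claimed)
        and any(in_domain(n, claimed) for n in relay_names),
        # "User" is the HELO a desktop client sends when it has no host name.
        "generic_helo": origin_helo in (None, "User"),
        "no_to_header": msg.get("To") is None,
        "desktop_mailer": any(c in msg.get("X-Mailer", "") for c in DESKTOP_CLIENTS),
    }


if __name__ == "__main__":
    for helo, ip in relay_chain(RAW_HEADER):
        print(f"{ip:16} helo={helo:14} ptr={PTR.get(ip, '?')}")
    for key, val in assess(RAW_HEADER, PTR).items():
        print(f"{key:24} {val}")
```

Run it on the eBay header and the findings are exactly the ones listed above: origin 202.28.4.25 with HELO "User", no relay anywhere near ebay.com, no To: line, Outlook Express as mailer. The forged Received line in the job-offer message ("from 218.66.102.106 (HELO mail.xylb.com)") is parsed too: with no parenthesised IP from a real MTA, the address comes from the HELO token, which is exactly why a line like that should be distrusted.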

More important: the link you are told to use to confirm your email address points to something that is NOT eBay at all:
<div><FONT face="Arial, Verdana" size=2>To confirm your email address on file at eBay, just click the button to the right: </FONT></div> <div><FONT face="Arial, Verdana" size=2>You can also copy and paste the following link into your web browser: <BR><A onclick="return top.js.OpenExtLink(window,event,this)" href="http://0xcfead15b/signin.ebay.com/ws/index.htm"
target=_blank>http://cgi4.ebay.com/ws<WBR>/eBayISAPI.dll?ChangeEmailConfi<WBR>rm</A>

The host is written as one hexadecimal number, 0xcfead15b; split into bytes, cf.ea.d1.5b, that is 207.234.209.91, which a browser accepts as a plain IP address. This is the owner of the address, according to the ARIN whois record:
Affinity Internet, Inc AFFINITY-207-234-128-0 (NET-207-234-128-0-1)
207.234.128.0 - 207.234.255.255
Affinity Internet, Inc AFFINITY-DEDIATED-207-234-209-0 (NET-207-234-209-0-1)
207.234.209.0 - 207.234.209.255
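The link checks in this post (the hex-coded host), in the Eday post (eBay-looking link text pointing at oberleitner.biz) and the hidden-field check from the job-offer posts all come down to reading the HTML source carefully. Below is an added example, not code from the original posts, that does that reading: it lists anchors whose displayed URL is on another host than the href, links leaving the brand domain, hidden inputs and form targets, normalising numeric hosts like 0xcfead15b first. SAMPLE_HTML is assembled from the fragments quoted on this page and is constructed input; triage(), canonical_host() and the other names are my own.

```python
"""Triage the HTML body of a suspected phishing mail the way the posts on
this page do by reading the source: anchors whose visible text is a URL on a
different host than the href really points at, links that leave the brand's
domain, hidden form fields and form targets.  Hosts written as a bare number
(0xcfead15b, 3488272731) are normalised to dotted quads before comparing.

Added example, not code from the original page.  SAMPLE_HTML is assembled
from the fragments quoted in the posts (the <WBR> tags inside the displayed
URL are kept as received); it is constructed input, not a live capture."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """
<B>Always remember to complete your transactions on eBay - it's the safer way to trade.</B>
<A href="http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/"
 target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>
Learn how you can protect yourself from spoof (fake) emails at:<BR><A
 href="http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/"
 target=_blank><FONT color=#003399>https://pages.ebay.com/education/spooftutorial</FONT></A>
<A onclick="return top.js.OpenExtLink(window,event,this)"
 href="http://0xcfead15b/signin.ebay.com/ws/index.htm"
 target=_blank>http://cgi4.ebay.com/ws<WBR>/eBayISAPI.dll?ChangeEmailConfi<WBR>rm</A>
<FORM action=form.php method=POST>
<input type="hidden" name="icq" value="buri">
</FORM>
"""


def canonical_host(host):
    """Browsers accept a host given as one 32-bit number; spell it out so
    0xcfead15b, 3488272731 and 207.234.209.91 compare equal."""
    h = (host or "").strip("[]").lower()
    try:
        if h.startswith("0x"):
            return str(ipaddress.IPv4Address(int(h, 16)))
        if h.isdigit():
            return str(ipaddress.IPv4Address(int(h, 10)))
    except ValueError:  # number out of range for an IPv4 address
        pass
    return h


def host_of(url):
    try:
        return canonical_host(urlsplit(url.strip()).hostname)
    except ValueError:
        return ""


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


class MailLinks(HTMLParser):
    """Collect (href, visible text) per anchor, hidden inputs and form targets."""

    def __init__(self):
        super().__init__()
        self.links, self.hidden, self.forms = [], [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name"), a.get("value")))
        elif tag == "form":
            self.forms.append((a.get("action"), (a.get("method") or "GET").upper()))

    def handle_data(self, data):
        if self._href is not None:  # text between <a> and </a>, across <FONT>/<WBR>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(html, brand_domain):
    """Return the findings a reader would otherwise dig out of the source."""
    p = MailLinks()
    p.feed(html)
    mismatched, offbrand = [], []
    for href, text in p.links:
        target = host_of(href)
        # A displayed URL whose host differs from the real target is the
        # classic trick; a bare "click here" cannot be compared, only located.
        if text.lower().startswith(("http://", "https://")):
            shown = host_of(text)
            if shown != target:
                mismatched.append({"shown": shown, "target": target, "href": href})
        if target and not in_domain(target, brand_domain):
            offbrand.append(href)
    return {"mismatched": mismatched, "offbrand": offbrand,
            "hidden_inputs": p.hidden, "forms": p.forms}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HTML, "ebay.com").items():
        print(key, val)
```

On the sample above it reports both deceptive links (pages.ebay.com shown, oberleitner.biz targeted; cgi4.ebay.com shown, 207.234.209.91 targeted), all three links as leaving ebay.com, the hidden icq field and the form.php POST target. Comparing the hidden_inputs list of two saved copies of a page is the quick way to spot the "orig" versus "buri" difference described in the job-offer post.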