27-Sep-2013

It’s a phisherman!
One of the sites I encountered a few days ago now appears to be a bad guy. Though the header appears to be valid:

Return-Path: internationalcardservices.notificationiare@mailing.internationalcardservices.nl
Received: from DIANA.INTRA.GROOTERSNET.NL (192.168.0.2)
by diana.intra.grootersnet.nl (V5.6-ECO5, OpenVMS V8.3 Alpha);
Fri, 27 Sep 2013 10:57:27 +0000 (UTC)
X-PMAS-MAIL-FROM:
internationalcardservices.notificationiare@mailing.internationalcardservices.nl
Received: from unknown ([87.106.96.232] EXTERNAL) (EHLO s16978676) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Fri, 27 Sep
2013 10:05:41 +0000
Received: from mailing.internationalcardservices.nl ([127.0.0.1]) by s16978676
with Microsoft SMTPSVC(7.5.7601.17514); Fri, 27 Sep 2013 12:05:28 +0200
From: International Card Services
<internationalcardservices.notificationiare@mailing.internationalcardservices.nl>
To: (my address)
Subject: Uw rekeningoverzicht bekijken en betalen
Date: 27 Sep 2013 12:05:26 +0200
Message-ID:
<20130927112751.4EA0D4FB379FEEC7@mailing.internationalcardservices.nl>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0012_219D19A8.7D241EFA"
Return-Path:
internationalcardservices.notificationiare@mailing.internationalcardservices.nl
X-OriginalArrivalTime: 27 Sep 2013 10:05:28.0797 (UTC)
FILETIME=[17F140D0:01CEBB69]
<internationalcardservices>

and the content as well, it is a phishing attempt.
First, ICS normally sends just one reminder, not two within a few hours. Nor will ICS send from an unknown address:

Received: from unknown ([87.106.96.232] EXTERNAL) (EHLO s16978676)

So I was triggered to check the included URL, and that is definitely NOT an ICS Cards address:

href="http://www.lemrith.net/images/ICS.php"

Of course, the address no longer has access to my network.
lemrith.net is actually a valid site: a small town in Germany (it is safe to check www.lemrith.net), but they have not secured their site, given the fact that someone dropped a .PHP file in their images directory. They have been notified.
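The check described above, walking the Received: chain from the top until the first hop that did not come from the local network and comparing that hop with what From: claims, can be automated. The script below is an added example, not the blog's own tooling; the sample header is a constructed, trimmed copy of the ICS message quoted in this post (continuation lines indented so the parser folds them), and the same logic applies to the PayPal and eBay headers in the posts further down.

```python
"""Walk a message's Received: chain to find where it entered from the
Internet, then compare that hop with what the From: header claims.
Added example, not the blog's own tooling. The sample header is a
constructed, trimmed copy of the ICS message quoted in the post."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: continuation lines are indented so the parser folds them.
SAMPLE_HEADER = """\
Return-Path: internationalcardservices.notificationiare@mailing.internationalcardservices.nl
Received: from DIANA.INTRA.GROOTERSNET.NL (192.168.0.2)
 by diana.intra.grootersnet.nl (V5.6-ECO5, OpenVMS V8.3 Alpha);
 Fri, 27 Sep 2013 10:57:27 +0000 (UTC)
Received: from unknown ([87.106.96.232] EXTERNAL) (EHLO s16978676) by
 diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Fri, 27 Sep
 2013 10:05:41 +0000
Received: from mailing.internationalcardservices.nl ([127.0.0.1]) by s16978676
 with Microsoft SMTPSVC(7.5.7601.17514); Fri, 27 Sep 2013 12:05:28 +0200
From: International Card Services
 <internationalcardservices.notificationiare@mailing.internationalcardservices.nl>
Subject: Uw rekeningoverzicht bekijken en betalen

"""

# "from <name> (<ip>)" or "from <name> ([<ip>] ...)"; the HELO name is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s*\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})", re.I)
HELO_RE = re.compile(r"\((?:EHLO|HELO)\s+(?P<helo>[^)\s]+)\)", re.I)


def parse_hops(raw_message):
    """Return (claimed_name, ip, helo) per Received: header, newest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        h = HELO_RE.search(value)
        hops.append((m.group("name"), m.group("ip"), h.group("helo") if h else None))
    return hops


def first_external_hop(hops):
    """The newest hop whose source IP is not private/loopback is where the
    mail entered from the Internet. Every older hop was written by the
    sender's own systems and can say anything it likes."""
    for hop in hops:
        addr = ipaddress.ip_address(hop[1])
        if not (addr.is_private or addr.is_loopback):
            return hop
    return None


def sender_domain(raw_message):
    """Domain part of the From: address, with header folding collapsed."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(re.sub(r"\s+", " ", msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def assess(raw_message):
    """Summarise the external hop and list the mismatches a reviewer would flag."""
    hops = parse_hops(raw_message)
    ext = first_external_hop(hops)
    domain = sender_domain(raw_message)
    findings = []
    if ext is None:
        return {"external_hop": None, "from_domain": domain,
                "findings": ["no external hop found"]}
    name, ip, helo = ext
    if name.lower() == "unknown":
        findings.append(f"external host {ip} has no reverse DNS name")
    if helo and not helo.lower().endswith(domain):
        findings.append(f"HELO {helo!r} is not under {domain!r}")
    # Hops older than the entry point are sender-controlled; a 127.0.0.1 hop
    # that names the brand's domain is decoration, not evidence.
    older = hops[hops.index(ext) + 1:]
    if any(n.lower().endswith(domain) for n, _, _ in older):
        findings.append("brand domain appears only in sender-controlled hops")
    return {"external_hop": ext, "from_domain": domain, "findings": findings}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

On the sample the entry point is the `unknown ([87.106.96.232] EXTERNAL)` hop with HELO `s16978676`, and the only hop naming `mailing.internationalcardservices.nl` sits below it, written by the sender's own machine. The reverse-DNS and HELO checks here are string comparisons only; a live version would add a DNS lookup of the external IP, which is exactly what the PMAS RCVD_FROM_UNKNOWN rule in the later posts reports.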

Phishing using Paypal

Sometimes you see interesting attempts.

[Image: paypal phishing attempt]

The header looks like this:

Return-Path: service@paypal.com
Received: from XXXXXXXXXX.GROOTERSNET.NL (192.168.0.2)
by xxxxxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 29 Oct 2007 10:14:17 +0100 (CET)
Received: from www.outsidepride.com ([69.20.59.177] EXTERNAL) (EHLO
www.outsidepride.com) by xxxxxxxxxx.GROOTERSNET.NL ([192.168.0.200])
(PreciseMail V3.0); Sun, 28 Oct 2007 21:34:22 +0100
Received: from User ([89.137.232.120]) (authenticated bits=0) by
www.outsidepride.com (8.12.11.20060308/8.12.11) with ESMTP id l9SKWQo4011442;
Sun, 28 Oct 2007 16:32:27 -0400
Message-Id: <200710282032.l9SKWQo4011442@www.outsidepride.com>
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
Date: Sun, 28 Oct 2007 22:32:56 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by www.outsidepride.com id
l9SKWQo4011442

Blocked by the anti-spam frontend, for the following reasons:

X-PMAS-External: www.outsidepride.com [69.20.59.177] (EHLO
www.outsidepride.com)
X-PMAS-Software: PreciseMail V3.0 [071027] (diana.GROOTERSNET.NL)
X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
X-PMAS-REPUTATION_URI_NONSPAM: URI reputation check (0.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
X-PMAS-URI-NORMAL_FTP_TO_IP: Uses a dotted-decimal IP address in URL (1.000)
X-PMAS-BDY-IMAGE_LINK: Image that links to web site (3.000)
X-PMAS-BDY-INCREASE_YOUR_SOMETHING: Message has phrase "Increase your..."
(3.000)
X-PMAS-BDY-FOR_MORE_INFO2: Includes "for more information" (1.500)
X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format
(5.000)
X-PMAS-META-1PIXEL_IMG: Message includes 1x1 img link (20.000)
X-PMAS-META-PHISHING_02: Message appears to be a phishing scam (10.000)
X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
X-PMAS-META-DEAR_SOMETHING: Contains generic 'Dear (something)' (1.596)
X-PMAS-META-STOP_RECEIVING: Specific spam text "to stop receiving" (5.000)
X-PMAS-Final-Score: 78.732
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes

Apart from the fact that the sender server is not within the Paypal domain 🙂

The interesting part is on the inside.
Most often, links refer to some site using the http protocol (never https, of course), but this one is different: it uses FTP, twice, to get your data:

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>

At least two of the addresses mentioned are Romanian.

  • 192.102.104.2 is indeed owned by onix.ro – it is possible that it's a source of abuse: an internet cafe, probably
  • 217.156.19.129 is owned by vl.ro – named analog Digital Systems Inc. RDS – Radio Data Systems? That makes sense. But abuse like this, I doubt it!
  • 62.177.188.59 is owned by bbeyond – a Dutch network operator without a Romanian domain: bbeyond.ro does not exist.
  • The address mentioned in the links refers to a network operator in Canada, and there is an abuse address in their Whois data. So I'll forward the message to them.

    Paypal phishing attempt blocked

    The phishing attempts are now blocked by the anti-spam gateway, so they no longer arrive in any of my mailboxes. Which, of course, is the intended use, plus it allows a closer look at the message code without having the message actually delivered.

    This one came in a few days ago:

    <p><b><font face="Verdana" size="2">You are required to upgrade your PayPal
    Account by subscribing to our New Security Center.</font></b></p>
    <p><font face="Verdana" size="2">Please <b> <a href="http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php">click here</a></b> in order to upgrade your PayPal account.</font></p>
    <p><font face="Verdana" size="2">If you not perform the update now, your account will be placed on hold. On hold accounts can still send money, but they cannot withdraw or receive funds.</font></p>

    Mind the hyperlink-address:

    http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php

    This is NOT a paypal address.
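Both the FTP links in the previous post and the "click here" link above share the traits that give them away: a host that is a bare IP address, credentials in the URL, and the brand name sitting in the path instead of the host. The script below is an added example, not the blog's own tooling; it pulls every href out of an HTML body and lists those traits for each link. The sample body is constructed from the HTML fragments quoted in these two posts, and the `claimed_domain` parameter is the domain the mail pretends to come from.

```python
"""Extract every href from an HTML mail body and explain what gives a link
away when the mail claims to come from a given brand domain. Added example,
not the blog's tooling; the HTML fragment is constructed from the snippets
quoted in the posts and the URLs are the ones those posts show."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed body: the two FTP links from the first PayPal message and the
# "click here" link from the second, as quoted in the posts.
SAMPLE_BODY = """
<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>
<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>
<p><font face="Verdana" size="2">Please <b> <a href="http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php">click here</a></b> in order to upgrade your PayPal account.</font></p>
"""


class HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html_body):
    collector = HrefCollector()
    collector.feed(html_body)
    return collector.hrefs


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def check_link(url, claimed_domain):
    """Reasons a link is suspicious in mail claiming to be from claimed_domain.
    An empty list means none of these checks fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    claimed_domain = claimed_domain.lower()
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parts.scheme!r}")
    if parts.username is not None:
        reasons.append("credentials embedded in the URL")
    if is_ip_literal(host):
        reasons.append("host is a dotted-decimal IP address")
    if claimed_domain in parts.path.lower() and not under_domain(host, claimed_domain):
        reasons.append(f"{claimed_domain!r} appears in the path, not the host")
    if host and not under_domain(host, claimed_domain):
        reasons.append(f"host {host!r} is not under {claimed_domain!r}")
    return reasons


def scan_body(html_body, claimed_domain):
    """Map each distinct link in the body to its list of findings."""
    return {url: check_link(url, claimed_domain)
            for url in dict.fromkeys(extract_hrefs(html_body))}


if __name__ == "__main__":
    for url, reasons in scan_body(SAMPLE_BODY, "paypal.com").items():
        print(url)
        for reason in reasons:
            print("   -", reason)
```

The host is taken from `urlsplit`, so `www.paypal.com` in the path of the second link counts for nothing; only the part before the first `/` decides whose server the browser will contact. A genuine `https://www.paypal.com/...` link comes back with an empty list, which is what makes the check usable as a gateway rule rather than just a demonstration.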

    PMAS signalled this – as is shown in the message header:


    Received: from unknown ([72.54.216.109] EXTERNAL) (EHLO mail.iei-web.net) by
    xxxxxxxxxxxxxxxxxxxx ([192.168.0.200]) (PreciseMail V3.0); Sun, 07 Oct
    2007 06:41:42 +0100
    Received: from User [62.14.249.101] by iei-web.net with ESMTP (SMTPD-9.10) id
    A0F40294; Sat, 06 Oct 2007 23:39:00 -0600
    Reply-To: <member_service@paypalsecurity.com>
    From: "PayPal Inc."<member_service@paypalsecurity.com>
    Subject: New Paypal Security Center: Update Your Account
    Date: Sun, 7 Oct 2007 07:40:01 +0200
    MIME-Version: 1.0
    Content-Type: text/html; charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Message-Id: <200710062339882.SM03048@User>

    What are the findings:


    X-PMAS-External: unknown [72.54.216.109] (EHLO mail.iei-web.net)
    X-PMAS-Software: PreciseMail V3.0 [071006] (diana.GROOTERSNET.NL)
    X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
    X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)

    Quite well so far – except the “unknown” external address.
    But now the problems show up:


    X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
    X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
    X-PMAS-HDR-RCVD_FROM_UNKNOWN: Message received from host without DNS entry (4.000)
    X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
    X-PMAS-URI-NORMAL_HTTP_TO_IP: Uses a dotted-decimal IP address in URL (0.942)
    X-PMAS-URI-IP_LINK_PLUS: Dotted-decimal IP address followed by CGI (0.708)
    X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
    X-PMAS-META-MISSING_BODY_TAG: Message has </BODY> tag, but no <BODY> tag (3.000)
    X-PMAS-META-MISSING_HTML_TAG: Message has </HTML> tag, but no <HTML> tag (3.000)
    X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format (5.000)

    You learn something new every day


    X-PMAS-META-NO_HTML_BEGIN: Message has </html> but not <html> (3.500)
    X-PMAS-META-PHISHING_01: Message is a phishing scam (50.000)
    X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
    X-PMAS-META-LAME_PAYPAL_SCAM: Claims to be from PayPal, but no PayPal URIs (20.000)

    I thought so 🙂


    X-PMAS-META-CLICK_BELOW: Asks you to click below (0.727)
    X-PMAS-META-BLIND_DATE3: Blind date spam (3) (20.000)
    X-PMAS-Final-Score: 139.513
    X-PMAS-Spam-Level: ********************+
    X-PMAS-Spam: Yes

    Apart from that, something unusual for PayPal: no personal salutation (PayPal would address you by your PayPal name).

    More E[B/d]ay to come

    At least according to Hoff on his blog (read here). One good reason to have all incoming traffic run over the OpenVMS box (small chance that it will be infected!), and to be able to screen messages before actually downloading them onto Windows boxes. (I would like to have Apple systems around, but having game-playing kids around, I'm stuck with Windows. And the company I work at – and their customers – heavily rely on Windows boxes for their office work…)

    There is a fair chance that this type of scam is now filtered – even better!

    Ebay kit?

    This might be correct:

    [Image: kit message]

    The header looks quite honest as well:

    Return-Path: sellers.tools@getfreenow.com
    Received: from host75-97.pool217169.interbusiness.it (217.169.97.75)
    by diana.intra.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
    Sat, 1 Sep 2007 12:44:47 +0100 (CET)
    Received: from User ([70.91.163.25])
    by mail.publiposter.it (Merak 7.4.2) with ASMTP id BJV74577;
    Sat, 01 Sep 2007 12:44:42 +0200
    Reply-To: <no.reply@eBay.com>
    From: "eBay"<sellers.tools@getFREEnow.com>
    Subject: Your eBay Success Kit has arrived
    Date: Sat, 1 Sep 2007 05:45:17 -0500
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 1
    X-MSMail-Priority: High
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

    but the missing To: line and a Reply-To address at eBay make it suspicious, as does the originating user address, 70.91.163.25, which is located in the USA:

    Comcast Business Communications, Inc. CBC-CM-3 (NET-70-88-0-0-1)
    70.88.0.0 - 70.91.255.255
    Comcast Business Communications, Inc. CBC-LITTLEROCK-4 (NET-70-91-163-0-1)
    70.91.163.0 - 70.91.163.255

    # ARIN WHOIS database, last updated 2007-09-01 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    The receiving server (mail.publiposter.it) could be genuine:

    Domain: publiposter.it
    Status: ACTIVE
    Created: 2002-06-14 00:00:00
    Last Update: 2007-06-30 00:04:10
    Expire Date: 2008-06-14

    Registrant
    Name: Publiposter & Multimedia s.p.a.
    ContactID: PUBL355-ITNIC
    Address: Publiposter & Multimedia s.p.a.
    Isola Delle Femmine
    90040
    PA
    IT
    Created: 2007-03-01 10:39:36
    Last Update: 2007-03-01 10:39:36

    Admin Contact
    Name: Alessio Alessi
    ContactID: AA1731-ITNIC
    Address: Publiposter & Multimedia s.p.a.
    Isola Delle Femmine
    90040
    PA
    IT
    Created: 2002-06-14 00:00:00
    Last Update: 2007-03-01 07:39:08

    Technical Contacts
    Name: Centro Gestione Village
    ContactID: CGV35-ITNIC
    Organization: Telecom Italia Spa
    Address: Telecom Italia Spa
    Via Pontina, km. 29,100
    Roma
    00040
    RM
    IT
    Created: 2007-03-01 10:25:57
    Last Update: 2007-03-06 14:04:12

    Registrar
    Organization: Telecom Italia s.p.a.
    Name: INTERBUSINESS-MNT

    Nameservers
    dns6.interbusiness.it
    dns3.nic.it

    and interbusiness.it – also Italian – as well:

    inetnum: 217.169.97.64 - 217.169.97.95
    netname: IDC-DIALUP-POM-BLCK3
    descr: IDC - Telecom Italia - network used in dialup access - Pomezia
    country: it
    admin-c: ITR2-RIPE
    tech-c: ITR2-RIPE
    status: assigned PA
    mnt-by: FULCOM-MNT-RIPE
    source: RIPE # Filtered

    role: IT Telecom Role
    address: Telecom Italia S.p.A.
    address: Via Oriolo Romano, 257
    address: Italy
    phone: +390665679934(3)
    fax-no: +390636870532
    e-mail: ripe-noc@telecomitalia.it
    remarks: trouble: ripe-noc@telecomitalia.it
    admin-c: ITR2-RIPE
    tech-c: ITR2-RIPE
    nic-hdl: ITR2-RIPE
    remarks: ##############################################
    remarks: Pay attention
    remarks: Any communication sent to email different
    remarks: from the following will be ignored !
    remarks: ##############################################
    remarks: Any abuse and spamming reports, please
    remarks: send them to abuse-ripe@telecomitalia.it
    remarks: ##############################################
    mnt-by: FULCOM-MNT-RIPE
    source: RIPE # Filtered

    Used in dial-up access – you can tell from the full hostname as well.

    The domain: interbusiness.it is valid also:

    Domain: interbusiness.it
    Status: ACTIVE
    Created: 1996-01-29 00:00:00
    Last Update: 2007-01-30 00:36:13
    Expire Date: 2008-01-29

    Registrant
    Name: Telecom Italia S.p.A.
    ContactID: TELE616-ITNIC
    Address: Via Paolo Di Dono, 44
    Roma
    00143
    RM
    IT
    Created: 2007-03-01 10:44:12
    Last Update: 2007-03-01 10:44:12

    Admin Contact
    Name: Camillo Di Vincenzo
    ContactID: CD2-ITNIC
    Address: Telecom Italia S.P.A.
    Via Paolo Di Dono, 44
    Roma
    00143
    RM
    IT
    Created: 2000-11-15 00:00:00
    Last Update: 2007-03-01 07:49:08

    Technical Contacts
    Name: Domain Registration Staff
    ContactID: DRS9-ITNIC
    Address: Telecom Italia S.p.A.
    Via Campania 11
    Taranto
    74100
    TA
    IT
    Created: 2005-07-19 00:00:00
    Last Update: 2007-08-08 10:51:21

    Name: Gian Luca Mattu
    ContactID: GLM2-ITNIC
    Address: Telecom Italia SpA
    Via Oriolo Romano, 240
    Roma
    00189
    RM
    IT
    Created: 2005-03-09 00:00:00
    Last Update: 2007-03-01 07:37:44

    Name: Fabio Ginocchi
    ContactID: FG82-ITNIC
    Address: Telecom Italia
    Via Oriolo Romano, 257
    IT
    Created: 2000-11-02 00:00:00
    Last Update: 2007-03-01 07:38:47

    Registrar
    Organization: Telecom Italia s.p.a.
    Name: INTERBUSINESS-MNT

    Nameservers
    dnsti.interbusiness.it
    dns.opb.interbusiness.it
    dns3.nic.it
    dnsts.interbusiness.it

    and that makes sense, because this domain was mentioned earlier: its name server is used.

    The link in the message, however, leads to Russia. It looks like a valid page, but the contents are Russian, it contains a huge number of CGI redirects, and the link to get an English page returns a 404 message: Document not found.

    This stinks!