New phishing email used to spread HTML files with fake PayPal login forms:
Received: from ns3.komvos.gr (ns3.komvos.gr [22.214.171.124])
Received: by ns3.komvos.gr (Postfix, from userid 48)
Subject: Attention ! Votre compte PayPal a été limité !
From: Service Paypal
Date: Mon, 4 Jun 2012 13:00:12 +0300 (EEST)
Content-Disposition: attachment; filename="Informations Compte Paypal .zip"
Another phishing email against Italian users of Mastercard / Visa:
Received: from mail.oceano.hn (mail.oceano.hn [126.96.36.199])
Received: from User ([188.8.131.52]) by oceano.hn with MailEnable ESMTP; Fri, 25 May 2012 08:04:39 -0600
Subject: Abbiamo limitato l'accesso visa/mastercard account. Si prega di attenersi alla seguente procedura per risolvere. (Case # PP-001-546-712-069 - ORM001)
Date: Fri, 25 May 2012 17:04:41 +0300
Content-Type: application/octet-stream; name="visaita.html"
Content-Disposition: attachment; filename="visaita.html"
Received: from mail.artworkdigital.com.br (ns1.artworkdigital.com.br [184.108.40.206])
Received: from User (216-107-107-254.static.networktel.net [220.127.116.11]) by mail.artworkdigital.com.br (Postfix)
Subject: Periodic Maintenance
Date: Fri, 18 May 2012 06:56:14 -0500
Content-Disposition: attachment; filename="PayPal_ReactivationFORMay2012.html"
As we can see, the malicious files are hosted in a DSL hostname:
The website adsl-068-157-210-061.sip.bna.bellsouth.net is hosted at BellSouth.net and its current IP address is 18.104.22.168 (adsl-068-157-210-061.sip.bna.bellsouth.net). The server machine is located in United States (US) and in the same server there are hosted other 0 websites. The domain is registered with the suffix NET and the keyword of the domain is bellsouth. The organization is BellSouth.net.
We have logged other phishing emails used to steal details of Visa users:
From - Mon Apr 23 16:04:50 2012
Received: from ser.just3d.tv (unknown [22.214.171.124])
Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000
Received: from unknown (HELO User) (email@example.com@126.96.36.199)
From: "verified by visa" firstname.lastname@example.org
Subject: A causa del nostro recente aggiornamento.
Date: Mon, 23 Apr 2012 15.21.34 +0200
Note from the email header the source of the message:
Received: from ser.just3d.tv (unknown [188.8.131.52])
It has nothing to do with Visa, and note also the emails:
See the visaltalia.it is a l and not an i.
The message of the email:
A causa del nostro recente aggiornamento sui nostri server
(23/04/2012) e necessario aggiornare il tuo profilo.
Per una maggiore sicurezza e di accesso, si prega di compilare il
Vi ringraziamo della vostra collaborazione.
Copyright Visa Europe 2012. Tutti i diritti riservati
There is also an attached file named visaitalia.html:
Another email containing malicious URL used for phishing attack against MasterCard and Visa users:
Received: from mailrtr1.deltacom.net (mailvip.deltacom.net [184.108.40.206])
Received: from User ([220.127.116.11]) by mailrtr1.deltacom.net (MOS 4.1.10-GA)
Subject: Votre carte bancaire est suspendue
Date: Sun, 7 Aug 2011 00:12:08 -0500
Bonjour clients de visa carte,
Votre carte bancaire est suspendue, parce que nous avons rencontre un probleme sur votre diagramme.
Nous avons determine qu'une personne doit peut-etre utiliser votre diagramme sans votre autorisation.
Pour votre protection, nous avons suspendu votre compte bancaire a travers votre carte de credit. Pour soulever cette suspension,
et suivre le procede indique pour mettre a jour votre compte par la carte de credit.
Received: from mail.ktmtalk.com (mail.ktmtalk.com [18.104.22.168])
Received: from User [22.214.171.124] by mail.ktmtalk.com with ESMTP
From: "eBay Member jxavier14"<email@example.com>
Subject: New Unpaid Item Message from jxavier14: #14027471062 -- response required
Date: Sat, 6 Aug 2011 06:34:47 -0500
eBay member charly1 has left you a message regarding item #14020078062
View the dispute thread to respond.
Another email that is used to spread a fake PayPal message containing a malicious link used for phishing attack against PayPal users:
Received: from mailrtr4.deltacom.net (mailvip.deltacom.net [126.96.36.199])
Received: from User ([188.8.131.52]) by mailrtr4.deltacom.net (MOS 4.1.10-GA)
Subject: Centre de securite PayPal
Date: Sat, 6 Aug 2011 00:11:18 -0500
Received: from WIN-ATAF5I4OOP1 (unknown [184.108.40.206])
Received: from User ([127.0.0.1]) by WIN-ATAF5I4OOP1
Subject: Your Paypal Account Will Be Limited
Date: Tue, 17 May 2011 18:38:40 -0700
Note that the email come from:
The domain paybal.com is parked!
Malicious URL that redirects to the phishing PayPal login page:
Received: from sds-16.hosteur.com (sds-16.hosteur.com [220.127.116.11])
Received: from www-data by sds-16.hosteur.com with local (Exim 4.69)
Subject: URGENT - Your bank card has been blocked
From: Banking Service <firstname.lastname@example.org >
Sender: www-data <email@example.com>
The clickable link “Access to your form” redirects to a new (suspicious) URL:
Report 2011-04-07 16:38:44 (GMT 1)
Domain Hash 91fa19172a89f4c10b8dc0ca8b0460ec
IP Address 18.104.22.168
IP Hostname static.22.214.171.124.clients.your-server.de
IP Country DE (Germany)
AS Number 24940
AS Name HETZNER-AS Hetzner Online AG RZ
Detections 2 / 22 (9 %)
Analyzing the URL content, we can see suspicious code:
1) The page title looks like a scam
2) Why CSS style is located in the directory “/zzz/css.css” ?
3) Why Google Analytics (?) code is located in the directory “/zzz/gas.js” ?
4) Why there is an iframe related to adboost. com/index6.php ?
5) Why there is another iframe realted to (long URL) krystalweb. co. uk ?
6) Where is SSL ?