Topic: [WARNING] Email phishing - paypal (Read 1278 times)

sr. member
Activity: 350
Merit: 251
July 16, 2011, 04:38:52 PM
#5
Never click links in emails you don't expect. 100% of phishing resolved, thank you, have a nice day  Grin
hero member
Activity: 588
Merit: 500
July 16, 2011, 04:31:39 PM
#4
$ whois 78.129.222.148
[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '78.129.222.0 - 78.129.222.255'

inetnum:        78.129.222.0 - 78.129.222.255
netname:        ThrustVPS_8
descr:          Thrust::VPS
country:        GB
admin-c:        RF5058-RIPE
tech-c:         RF5058-RIPE
status:         ASSIGNED PA
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE # Filtered

person:         Russell Foster
address:        530 W. 6th Street
address:        Suite 901
address:        Los Angeles
address:        CA 90014
address:        US
phone:          +447919373537
abuse-mailbox:  [email protected]
nic-hdl:        RF5058-RIPE
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE # Filtered

% Information related to '78.129.128.0/17AS20860'

route:           78.129.128.0/17
descr:           Iomart Hosting Ltd
origin:          AS20860
mnt-by:          GB10488-RIPE-MNT
mnt-by:          RAPIDSWITCH-MNT
source:          RIPE # Filtered
sr. member
Activity: 243
Merit: 250
BTCrow.com
July 16, 2011, 04:25:07 PM
#3
That's what you get for posting your email in plain text on public forums Wink and you just did it again when you posted the headers from that email. The crawlers will be happy Cheesy
Haven't seen that mail before, so, thank you for the heads up  Grin

LOL, you caught me ^^'. Yes, I've intentionally posted my email address in plain text on a public forum to make it easier for people who are not aware of obfuscated emails.

It's maybe an attack directed at me only; I've had a lot of hacking attempts on btcrow.com and this was maybe their last hope to screw me.

I will let you know if I receive more emails like that.
legendary
Activity: 1386
Merit: 1002
July 16, 2011, 04:16:20 PM
#2
That's what you get for posting your email in plain text on public forums Wink and you just did it again when you posted the headers from that email. The crawlers will be happy Cheesy
Haven't seen that mail before, so, thank you for the heads up  Grin
sr. member
Activity: 243
Merit: 250
BTCrow.com
July 16, 2011, 04:06:32 PM
#1
Hi, I just wasn't sure if I should post this here because this is not really related to bitcoins, but I'm posting it anyway because I received this email at an email address I only use for bitcoin: [email protected]

Here are the headers of the email, with some information removed and replaced with (removed.fqdn.server):
------------------------------------------------ CUT -----------------------------------------------------
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from WIN-5D8CTVHD5GU (unknown [78.129.222.148])
       by removed.fqdn.server (Postfix) with ESMTP id 199E035425C
       for <[email protected]>; Sat, 16 Jul 2011 12:50:33 -0500 (CDT)
Received: from User ([127.0.0.1]) by WIN-5D8CTVHD5GU with Microsoft SMTPSVC(7.5.7600.16385);
        Sat, 16 Jul 2011 18:50:06 +0200
Reply-To: <[email protected]>
From: "[email protected]"<[email protected]>
Subject: Notification de conexion a votre compte PayPal .
Date: Sat, 16 Jul 2011 18:50:06 +0200
MIME-Version: 1.0
Content-Type: text/html;
       charset="Windows-1250"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
X-OriginalArrivalTime: 16 Jul 2011 16:50:06.0179 (UTC) FILETIME=[6A44C330:01CC43D8]
To: undisclosed-recipients:;

------------------------------------------------ CUT -----------------------------------------------------

This at first (before seeing the message) sounded spammy and fishy to me because of the Return-Path and Reply-To fields.

Here's the screenshot of the message now:

Also, here's the source of the HTML email message:

------------------------------------------------ CUT -----------------------------------------------------

<!-- The tags were stripped when this source was pasted; the markup below is rebuilt around the
     URLs and attributes that survived. The <head> contents and the shape/coords attributes of
     the <area> elements were not preserved in the paste. -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
</head>
<body>
<!-- the scam image (a picture of a PayPal form) with an image map laid over it -->
<img src="http://playaussierules.com/wp-admin/images/form.png" width="598" height="699" border="0" usemap="#formpaypal" />
<map name="formpaypal" id="formpaypal">
  <!-- "Accés au formulaire" = "Access the form": this region leads to the phishing form -->
  <area href="http://esroros.net/url/url" alt="Accés au formulaire" />
  <!-- "Aide" = "Help": a genuine PayPal URL, so this region looks legitimate when hovered -->
  <area href="https://www.paypal.com/fr/cgi-bin/helpweb?cmd=_help" alt="Aide" />
  Espace Sécurité <!-- "Security area"; the element around this text was not preserved -->
</map>
</body>
</html>

------------------------------------------------ CUT -----------------------------------------------------

As you can see, the scam image and the form you get once you click the link are hosted (it's a guess, but I'm 99% sure) on a hacked website.

The 2 URLs are:
hxxp://esroros.net/url/url
and
hxxp://playaussierules.com/wp-admin/images/form.png

They use the area shape trick to fake a real link from PayPal, but once you click it, it redirects to their fake form to steal your PayPal credentials.

I just want to warn people here who aren't familiar with that type of message to never ever complete it.
PayPal / Visa / MasterCard / your bank, anything related to keeping your money safe, won't ever send you a message asking for your password and login information.

If you have doubts when receiving this kind of email, always verify with the genuine website in order to be sure that nobody wants to phish you.

If you have questions, it will be a pleasure to answer them here.

EDIT: I'll shortly send an email to the owners of esroros.net and playaussierules.com in order to let them know that their websites have been hacked.
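As an added example (not code from the thread or from any of the posters), the following Python script does the triage the first post walks through by hand: it reads the connecting IP out of the Received line that our own mail server stamped, compares the From / Reply-To / Return-Path fields with each other, and lists the hosts the image-map regions point at so the off-brand ones stand out. It assumes our MTA is the `removed.fqdn.server` placeholder from the post; the mailbox addresses in the sample headers are constructed placeholders because the page redacted the real ones, the `From` display-name-as-address pattern is an assumption about what the redacted header looked like, and the `<area>` coordinates are made up. The two URLs are the ones quoted in the post.

```python
"""Triage of a phishing email like the one quoted above (added example, not
the poster's code): find the IP that really connected to our MTA, compare the
From / Reply-To / Return-Path fields, and list which hosts the image-map
regions point at."""
import email
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the headers in the post. The forum page
# redacted every mailbox, so the addresses below are placeholder domains.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Received: from WIN-5D8CTVHD5GU (unknown [78.129.222.148])
\tby removed.fqdn.server (Postfix) with ESMTP id 199E035425C
\tfor <victim@example.org>; Sat, 16 Jul 2011 12:50:33 -0500 (CDT)
Received: from User ([127.0.0.1]) by WIN-5D8CTVHD5GU with Microsoft SMTPSVC(7.5.7600.16385);
\tSat, 16 Jul 2011 18:50:06 +0200
Reply-To: <service@mailer.example.net>
From: "service@paypal.com"<service@paypal.com>
Subject: Notification de conexion a votre compte PayPal .
"""

# Constructed sample of the image-map body: the URLs are the two the post
# quotes, the coords are placeholders (the paste did not preserve them).
SAMPLE_HTML = """\
<img src="http://playaussierules.com/wp-admin/images/form.png" usemap="#formpaypal" />
<map name="formpaypal">
  <area shape="rect" coords="0,0,598,600" href="http://esroros.net/url/url" alt="Accés au formulaire" />
  <area shape="rect" coords="0,600,598,699" href="https://www.paypal.com/fr/cgi-bin/helpweb?cmd=_help" alt="Aide" />
</map>
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    return email.message_from_string(raw)


def connecting_ip(msg, our_host):
    """IP in the Received line that *our* MTA (our_host) stamped.

    Only that line is trustworthy: the Received lines below it were written
    by the sender's own machine and can claim anything (here, 127.0.0.1)."""
    for received in msg.get_all("Received", []):
        if f"by {our_host}" not in received:
            continue
        m = IPV4_IN_BRACKETS.search(received)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def sender_inconsistencies(msg):
    """Findings for the three address fields a phisher has to juggle; a real
    mailer keeps From, Reply-To and Return-Path in one domain."""
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    for field in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(field, ""))
        domain = addr.rpartition("@")[2].lower()
        if domain and domain != from_domain:
            findings.append(f"{field} domain {domain} != From domain {from_domain}")
    if "@" in display_name:  # display name dressed up as an address
        findings.append(f"From display name {display_name!r} is itself an address")
    return findings


class ImageMapLinks(HTMLParser):
    """Collect the mapped image and every clickable region laid over it."""

    def __init__(self):
        super().__init__()
        self.images = []  # src of each <img usemap=...>
        self.areas = []   # (alt, href) of each <area>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("usemap"):
            self.images.append(a.get("src", ""))
        elif tag == "area" and a.get("href"):
            self.areas.append((a.get("alt", ""), a["href"]))


def link_targets(html):
    """Return (image srcs, [(alt, href), ...]) for the image maps in html."""
    parser = ImageMapLinks()
    parser.feed(html)
    return parser.images, parser.areas


def off_brand_hosts(html, trusted_hosts):
    """Hosts referenced by the image map that are not the brand's own."""
    images, areas = link_targets(html)
    hosts = {urlparse(u).hostname for u in images + [href for _, href in areas]}
    return sorted(h for h in hosts if h and h not in trusted_hosts)
```

Running `connecting_ip(parse_headers(SAMPLE_HEADERS), "removed.fqdn.server")` gives `78.129.222.148`, the address post #4 then looks up with whois; the inner Received line is ignored on purpose, because the sending machine wrote it. `off_brand_hosts(SAMPLE_HTML, {"www.paypal.com"})` returns the two hacked hosts while the genuine PayPal help link drops out, which is exactly why a hover over the "Aide" region looks harmless.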