MoonPoint Support Logo

 

Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
November
Sun Mon Tue Wed Thu Fri Sat
         
23
24 25 26 27 28 29 30
2024
Months
NovDec


Wed, Feb 22, 2017 11:10 pm

PhishMe Phishing Email

I received an email message today stating that all users of a system I use for work must update their security questions on a bi-yearly basis and that my account would be locked out in twenty four hours if my security questions were not updated within that time. Within the message was the Uniform Resource Locator (URL) for the relevant website. The message seemed suspicous, since I would expect to have received prior notices before one informing me I had only 24 hours left to update the questions and also I've not encountered instances of such sites requring security questions to be updated on a periodic basis, though it is common to require passwords to be updated periodically.

When I hovered my mouse pointer over the link in the message, I found that the first part of the name in the fully qualified domain name (FQDN) looked like something I would expect in a site name for my employer, but the ending of the domain name was securefileshares.com, which would not be a site I would go to to modify security questions for a work-related system. On my laptop, I use Outlook 2016 as my email; to view the email header for a message in Outlook 2016, you can take these steps, but most email clients provide a mechanism to view a message's header, which will show the originating system and other email servers a message has passed through. Viewing the header information, I saw the following lines:

Received-SPF: Temperror (SPF Temporary Error: DNS 'NoneType' object has no attri
bute 'header') identity=mailfrom; client-ip=52.1.96.230; helo=mail.nova.phishme.
com; envelope-from=postmaster@return--path.com; receiver=john.a.doe@example.com
<text snipped>
Received: from mail.nova.phishme.com (mail.nova.phishme.com [52.1.96.230])	by
<text snipped>
MIME-Version: 1.0
X-Priority: 3
X-PhishMe: Phishing_Training
X-PhishMeTracking: TjaVg7y+fe0Q/<text snipped>

The header lines showed it was a training exercise, since PhishMe is a company that helps organizations train their employees to avoid phishing attempts. But, if you have a question about whether a message you have received is legitimate or is a spoofed message that appears to come from a legitimate sender, such as your employer, bank, or some source you would trust, it is best to type in a link rather than click on one within an email, unless you observe the actual link very closely. It can also help to identify a message sent by someone spoofing a legitimate sender by examining message headers. It is trivially easy for a spammer, malware purveyor, or other malefactor to spoof a "From" address, so you should never assume that a "From" address is a reliable means of identifying a message's actual sender.

[/security/scams/phishing] permanent link

Tue, May 29, 2007 10:32 am

Commerce Bank Phishing Email

When I checked my email today, I found a phishing email that ostensibly pointed recipients to http://commerceconnections-session843435953.commercebank.com/ibank/cmserver/verify.cfm, but which actually pointed to a phishing webpage at http://commerceconnections-session843435953.commercebank.com.plosure.at/ibank/cmserver/verify.cfm/

I reported the spoofed site at the following phishing report wepbages:

OrganizationReporting Page
CastleCops Phishing Incident & Termination
Symantec Phish Report Network Report Suspected Phishing Sites

[/security/scams/phishing/commercebank] permanent link

Mon, Apr 23, 2007 9:00 pm

PayPal Phishing Page at Hong Kong University Removed

When I checked agin, I found the PayPal phishing page that was located on a webserver at the Hong Kong Polytechnic University this weekend was now gone.

[/security/scams/phishing/paypal] permanent link

Sun, Apr 22, 2007 2:59 pm

PayPal Phishing at Hong Kong Polytechnic University

When I checked to see if the spoofed PayPal webpages were still present at http://production.mic.polyu.edu.hk/pp/login.html, I found the pages were still accessible. Yesterday, someone forwarded a message to me which stated an email address had been added to his PayPal account. The message asked him to confirm the addition by going to a PayPal website, but the link in the message actually led to the server at the Media Innovation Centre in the School of Design at the Hong Kong Polytechnic University.

The recipient doesn't have a PayPal account. Whoever created the spam message probably sent it to thousands of people with no way of knowing how many of those recipients might have PayPal accounts.

I checked the online directory for the university today and sent another message regarding the spoofed site; this time I sent the message to the chair of the School of Design at the university plus email addresses for people who appeared to be IT people at the university, and some general contact addresses. Hopefully, one of them can get the spoofed webpages removed and take action that will result in the perpetrator being apprehended and disciplined.

[/security/scams/phishing/paypal] permanent link

Sat, Apr 21, 2007 8:15 pm

PayPal Phishing at a Hong Kong University

A user forwarded an email message to me today that attempts to lure gullible PayPal users to a website at a university in Hong Kong. The email message asked the recipient to verify the addition of an email address to his PayPal account by going to the PayPal website. But the link actually directed anyone who clicked on it to http://production.mic.polyu.edu.hk/pp/login.html. The "hk" at the end of the domain name indicates the site is in Hong Kong, since "hk" is the country code for Hong Kong. The "edu" before it indicates it is an educational institution.

Going to http://mic.polyu.edu.hk/ instead, I found the following information for the site:

Multimedia Innovation Centre, HK

I reported the spoofed site to to the contact address listed for the Hong Kong Polytechnic University. The webserver being used to host the spoofed PayPal site apparently belongs to the Multimedia Innovation Centre School of Design at that university. I also reported this phishing attempt to PayPal via the PayPal Report Fake Site/Spoofwebpage. And I reported the spoofed site at the following phishing report wepbages:

OrganizationReporting Page
CastleCops Phishing Incident & Termination
Symantec Phish Report Network Report Suspected Phishing Sites

[/security/scams/phishing/paypal] permanent link

Thu, Feb 08, 2007 11:19 am

PayPal Phising Site at bourke.pcpro.net.au

Someone forwarded a phishing email message to me this morning that was an attempt to garner PayPal userids and passwords as well as personal information, including a credit card number from unsuspecting PayPal users.

The message attempted to trick PayPal users to going to a spoofed PayPal website to confirm the addition of an email address to a user's PayPal account. In reality, the link in the message would take the victim to http://sv1.melbhosting.com.au/%7Eforcast/index.html, which would redirect him to http://bourke.pcpro.net.au/icons/.pay/pal/index.html. There he would see a website mimicking the PayPal site where he would be prompted for his PayPal userid and password. If he entered a userid and password, he would see a form asking for personal information, including a credit card number.

I reported the spoofed site at 10:33 A.M. using PayPal's Contact Us - Protections/Privacy/Security - Report Fake Site/Spoof form. I also reported the site to the Phishing Incident Reporting and Termination (PIRT) Squad at 10:48 A.M. At 11:15 A.M. the webpage to which the link pointed, http://sv1.melbhosting.com.au/%7Eforcast/index.html was removed from the webserver on which it resided, resulting in a "HTTP 404 - File not found" message, but the spoofed PayPal site at bourke.pcpro.net.au was still accessible.

[/security/scams/phishing/paypal] permanent link

Sun, Aug 20, 2006 10:19 pm

Barclays Banking Scam Pointing to Russian Website

I received a message this evening purportedly from Barclays Bank, a bank in the U.K. The message is shown below:

Dear Sir/Madam,

As part of our security measures, we regularly screen activity in the
Barclays Online Bank system. we recently contacted you after noticing an
issue on your account. We requested information from you for the
following reason:

Our system requires further account verification.

Due to the recent update of the servers, you are requested to please
restore your account info at the following link.


https://update.barclays.co.uk/olb/p/LoginMember.do

*Important*
We have asked few additional information which is going to be the part of
secure login process. These additional information will be asked during
your future login security so, please provide all these info completely
and correctly otherwise due to security reasons we may have to close your
account temporarily.



J. S. Smith
Security Advisor
Barclays Bank PLC.



Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your Barclays Online Bank account and choose the "Help" link on any page. Barclays Email ID # 1009

But the URL was clearly pointing to http://www.spain-soccer.net.ru//administrator/components/ibank.barclays.co.uk/olb/p/LoginMember.do/.

I don't reside in the U.K. nor do I have a Barclays bank account, but I went to the webpage and put in dummy information. There were several pages of questions to answer with questions about one's Barclay bank account, spouse's information,and credit card information. After submitting the information I was taken to a valid Barclays Bank webpage. Anyone foolishly completing the questionnaire with valid information would not only allow the scammer to access his Barclays Bank account, but also commit identity theft.

I forwarded the information to internetsecurity @ barclays.co.uk, the email address listed at Barclays Bank scam email page.

HTML version of Scam Email

[/security/scams/phishing/barclays] permanent link

Tue, May 16, 2006 11:26 am

Barclays Bank Customer Scam

I received a scam email message today, purportedly from the technical service department of Barclays Bank, a UK-based bank, asking that I confirm my membership details. I don't have a Barclays Bank account and the link in the message, which supposedly pointed to https://ibank.barclays.co.uk/olb/p/LoginMember.do/confirm, actually pointed to http://www.zoze.org/files/ibank.barclays.co.uk/olb/p/LoginMember.do/index.htm .

The website appeared to be out of service when I checked it and the scam webpage was inaccessible. I reported the scam anyway to doshelp@doshelp.com, which is an address associated with a site that tracks phishing scams, such as the one I received. The site lists examples of other Barclays Bank scams at Barclays Bank Fraud Websites. I also reported the scam to the abuse address at earth.nocserver.net and insidepool.com, since those domains were associated with the orgination point for the email message.

[/security/scams/phishing/barclays] permanent link

Wed, Apr 06, 2005 10:32 pm

PayPal Phising site at www.paypal.com.sdll.us Gone

I see that the website, www.paypal.com.sdll.us, that was being used on Monday for a PayPal scam (see PayPal Phishing Attempt at www.paypal.com.sdll.us) has been taken down. Hopefully, the person running the spoofed site has been identified.

[/security/scams/phishing/paypal] permanent link

Mon, Apr 04, 2005 10:32 pm

PayPal Phishing Attempt at www.paypal.com.sdll.us

I received three copies of an attempt to garner PayPal account information today. The spoofed PayPal site was at http://www.paypal.com.sdll.us/webscr/index.html. The phisher used a JavaScript technique for overlaying Internet Explorer's address bar with a URL pointing to the real PayPal site, making it appear that anyone clicking on a link in the message had gone to the real site, whereas they would actually be at the spoofed site.

[ More Info]

[/security/scams/phishing/paypal] permanent link

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo