A new case of MSN Identity Theft let-people-laugh

September 16, 2009

Redirection to my second blog:

http://evilcodecave.blogspot.com/2009/09/new-case-of-msn-identity-theft-let.html


PDF Reader 2009 – Fraud-Scam

May 24, 2009

Hi,

Software scams keep up their trend; this time the software used is PDF Reader 2009, and the message is the following:

+———————————————————————————–

PDF Reader 2009 – New Version for Windows
The latest PDF Reader: Open, Edit & Create PDF Files

Activation Code: 9462
http://bulletinqrelease.com/re.php?lnk=1203489724

Included in this package:

OpenOffice Suite – Get things done more quickly and improve your work efficiency.

-Open, edit and view all PDF files.
-Enhanced performance with faster loading and zooming.
-Collect your data and combine it into a high quality document.

Activation Code: 9462
http://bulletinqrelease.com/re.php?lnk=1203489724

Download the complete Office solution today and also receive free updates and 24/7 customer support.

“Since the 90’s, PDF has become the standard file format for document exchange.” – Adobe

Activation Code: 9462
http://bulletinqrelease.com/re.php?lnk=1203489724

Thank you for choosing us, the worldwide leader in PDF Reader Solutions.

Best Regards,

Michael Daniels
PDF Reader 2009
You will not get anymore of our emails if you go here
http://bulletinqrelease.com/

or write to:

Plaza Neptuno, local #7
Via ricardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama

+———————————————————————————–

The real PDF Reader 2009 can be downloaded for free; in this case the user is asked for an activation code and then sent to a Special Offers page, where the victim can choose some benefits on payment, and the money transaction is completed with a credit card.

As usual in these frauds, money is stolen and no service is given.

Here are some findings about the domain:

ICANN Registrar: ENOM, INC.
Created: 2009-05-20
Expires: 2010-05-20
Updated: 2009-05-20

Server Data

IP Address: 67.209.131.18
IP Location: United States – Nevada – Las Vegas – Acampana
Response Code: 200
Domain name: bulletinqrelease.com

Registrant Contact:
WhoisGuard
WhoisGuard Protected ()


MSN Credentials Theft nustuff4u.com

December 6, 2008

Hi,

My MSN honeypot has just caught another classic MSN credentials theft.

The method used is the classic offline message sent by an already compromised contact.

Here is the message:

___________________________

Xxx writes:
Xxx check out these awesome pics from the awesome party LOL   http://Yyy.nustuff4u.com

__________________________

nustuff4u.com presents a classic form that asks for

MSN E-Mail

MSN Password

and, as usual, the disclaimer already seen (please refer to my previous MSN-related blog posts)..

Now let’s investigate this domain a bit..

ICANN Registrar: ENOM, INC.
Created: 2008-12-04
Expires: 2009-12-04
Updated: 2008-12-04
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 151,962 domains)

IP Address: 202.64.61.208
IP Location: Hong Kong – Hong Kong (sar) – Hong Kong – Ta_kung_pao

And finally we can see that it is Whois protected:
Domain name: nustuff4u.com

Registrant Contact:
WhoisGuard
WhoisGuard Protected ()


Posteitaliane Mail Fraud

October 26, 2008

Hi,

This classic form of scam is now being sent to @hotmail.it accounts; here are some details on the e-mail:

Subject: Accredito temporaneamente bloccato (“Credit temporarily blocked”)

From: accrediti@posteitaliane.it

Content (translated from Italian): Latest from Poste Italiane: Dear Customer,
We have received notice of a credit of Euro 100 from UFFICIO POSTALE ROMA 52. The credit has been temporarily blocked because of an inconsistency in your data; you can now verify your data and afterwards the amount will be credited to your postal account

The victim is directed to

http://www.nouvelles-alternatives.be/wp-content/conf.php

which contains:

<HTML>
<HEAD>
<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/">
</HEAD>
</HTML>

and is automatically redirected to osrever.es, which contains another redirect:

<HEAD><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<body>
</body>
<HTML><TITLE>POSTE</TITLE>
<meta http-equiv="Refresh" content="0; URL=index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=">
</HEAD>
</HTML>

finally the user lands here:

http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=
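To trace a meta-refresh chain like the one above without ever contacting the hosts, the following added example (not from the original post) parses the two captured pages, copied here as constructed strings, and resolves each relative target against the URL it was served from:

```python
# Added example (not from the post): follow the quoted meta-refresh chain offline.
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed copies of the captured pages, keyed by the URL each was served
# from. Lookups go to this dict only; no host is contacted.
PAGES = {
    "http://www.nouvelles-alternatives.be/wp-content/conf.php":
        '<HTML><HEAD><META HTTP-EQUIV="REFRESH" CONTENT="0; '
        'URL=http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/">'
        '</HEAD></HTML>',
    "http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/":
        '<HEAD><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">'
        '<body></body><HTML><TITLE>POSTE</TITLE>'
        '<meta http-equiv="Refresh" content="0; URL=index.php?'
        'MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=">'
        '</HEAD></HTML>',
}

class MetaRefreshParser(HTMLParser):
    # Records the target of the first meta refresh tag, whatever its letter case
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content is "<delay>; URL=<target>": drop the delay, keep the target
        _, _, clause = a.get("content", "").partition(";")
        key, sep, value = clause.strip().partition("=")
        if sep and key.strip().lower() == "url":
            self.target = value.strip().strip("'\"")

def meta_refresh_target(html, base_url):
    """Absolute redirect target of a page, or None when it has no refresh."""
    p = MetaRefreshParser()
    p.feed(html)
    return urljoin(base_url, p.target) if p.target else None

def follow_chain(start_url, pages=PAGES, max_hops=10):
    """URLs visited until a page has no refresh, is not captured, or loops."""
    chain = [start_url]
    while chain[-1] in pages and len(chain) <= max_hops:
        nxt = meta_refresh_target(pages[chain[-1]], chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain
```

The last element of the returned chain is the landing page quoted above, reconstructed from the relative `index.php?...` target of the second redirect.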

As we can see from the source code, there is a classic structure that asks the user for username and password; these are the functions:

function ControllaPassword()
{
   var f = window.document.frmRegister;

   // Reject passwords longer than 10 characters
   // (alert text: "The password cannot exceed 10 characters.")
   if (f.password.value.length > 10)
   {
      alert("La Password non puo' superare la lunghezza di 10 caratteri.");
      f.password.focus();
      return false;
   }
   return true;
}

which verifies that the password has an acceptable length, and

function ControlloValori()
{
    var f = window.document.frmRegister;

    // Require a username (alert text: "Enter the username")
    if (f.login.value == "")
    {
        alert("Inserire il nome utente");
        f.login.focus();
        return false;
    }

    if (ControllaPassword() == false)
    {
        return false;
    }

    return true;
}

which collects the username and password.

If the credentials pass these checks, the user is directed here:

http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/index.php?MfcISAPICommand=VerifyFPP&UsingSSL=1&login=&pass=

where they are asked for the card number (CC), the CVV2 and the expiry date (Scad).

Here is some info about this malicious domain:

IP Address: 87.106.195.10
IP Location: Spain – Spain – Schlund + Partner Ag
Response Code: 200
Domain Status: Registered And Active Website

See you to the next post.. 🙂


Other Fake Download Software with Credit Card Scam

October 24, 2008

Hi,

In the previous report I talked about the OpenOffice scam; some days after the first fraud mail of this kind, I detected in the spam box other similar e-mails for other products, such as

  • PDF Reader/Writer 9.0
  • Firewall Protector
  • SpyBot 1.6.0
  • AVG Protection

Firewall Protector:
http://66.79.163.52/firewall/index.asp?aff=001&camp=firewall_espd&kbid=1578&sub=espd

PDF Reader/Writer 9.0:
http://instant-access.org/PDF09/index.asp?aff=001&camp=pdf_d&kbid=1580&sub=espd

SpyBot:

And the fake payment:
http://instant-access.org/spybot/2/index.asp?aff=001&camp=spybot_espd&kbid=1587&sub=spybot_espd

AVG Protection:
http://67.214.168.130/antivirus3/index.asp?aff=001&camp=avgesp&kbid=1587&sub=avgesp&pop=1

It’s interesting to notice that all the mails are in the same style:

—-
AVG Security 2009
Protect your PC from Viruses

Download AVG Security Here

Here’s how to Download AVG Protection:

1. Go to: Download Page
2. Download AVG Security 2009
3. Receive access immediately

Protect your computer from virus attacks, Trojans, and other forms of Malware.
Included: Registry Repair, Firewall Pro, Spyware Remover

Thank you for choosing us, the worldwide leader in computer protection software.

For more information visit our website

Thank You,

David Matthews
PC Protection

If you want to stop receiving mail, please go to:
http://daily–email-products.info/

or you may contact us at the following address:

Plaza Neptuno, local #7
Via ricardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama

—–

As usual the user is asked to enter credit card details and nothing happens..

See you to the next post!



Fake Download Open Office 2009 – Credit Card Fraud

October 12, 2008

Hi,

This morning I discovered another funny fraud attempt, based on a fake membership to download Open Office 2009. This is the mail that I received:

—————————————————————–

Open Office Suite 2009

Open, Create & Edit Your Files
Download Office Suite 2009 Here
Edit Word, Excel & Power Point files- 100% MS Office Compatible.

Office Solutions

Read and write PDF files just like Adobe.
Here’s how to download Open Office 2009:
1. Go to: Download Page
2. Download Open Office 2009
3. Receive access immediately
This software package is the best way to edit your documents.
Publish all of your documents online in the HTML format.
Thank you for choosing us, the worldwide leader in Open Office 2009.
For More Information Visit our Website
Thank You,

David Matthews

If you want to stop receiving mail, please go to:
http://daily–new-product.org/
or you may contact us at the following address:

Plaza Neptuno, local #7
Via ricardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama

—————————————————————–

Republica de Panama? and OpenOffice?.. that is really strange, don’t you think!?!?

But let’s see this ‘great offer’.. by clicking on the link reported in the mail we are suddenly sent to:

http://67.214.168.130/openoffice/index.asp?aff=001&camp=openoffice_espd&kbid=1587&sub=oo_espd&pop=1

and this too, as you should understand, sounds strange.. an OpenOffice website hosted on a bare IP..

A classic, well designed fake page. Now let’s click on download, and as we can see we are asked for a membership; after filling in the e-mail and Name/Surname fields the core of the scam appears: the membership to be activated needs a credit card payment 😉

After accepting we are in front of a classic phishing form that contains:

  • Name
  • Surname
  • Location
  • PostalCode
  • E-Mail
  • Cc Number
  • CcV2
  • Scad

Here you can see the screenshot:

After clicking, the system “validates” your transaction and the fraud is successfully completed 🙂

Here is some information about the IP used:

IP Information for 67.214.168.130

IP Location: United States – South Bend – Colostore.com
IP Address: 67.214.168.130
Blacklist Status: Clear

Whois Record

OrgName:    Colostore.com
OrgID:      KCA-7
Address:    1805 South Michigan Street
City:       South Bend
StateProv:  IN
PostalCode: 46613
Country:    US

ReferralServer: rwhois://rwhois.colostore.com:4321/

NetRange:   67.214.160.0 – 67.214.191.255
CIDR:       67.214.160.0/19
OriginAS:   AS12260
NetName:    COLOSTORE-COM
NetHandle:  NET-67-214-160-0-1
Parent:     NET-67-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.COLOSTORE.COM
NameServer: NS2.COLOSTORE.COM
Comment:    http://www.colostore.com
RegDate:    2007-09-28
Updated:    2008-07-21

See you to the next post.. 🙂


Social Engineering E-Mail Fraud

May 19, 2008

Hello,

It’s funny how some old social engineering fraud techniques are still in use..

Yesterday evening I’ve received an e-mail from Rev. Father Jones Harth

Subject: Peace Be With You / View the Attached Document

Content:

I am Rev. Father Jones Harth, from the United Kingdom and I wish to inform you that you are a blessed person, which your fund is ready to be paid to you once you have done all necessary paper works.

For more directives regards to this payment, kindly view a copy of the attached document and get back to me as soon as possible.

Regards,
Rev. Father Jones Harth

In the attachment there was a doc; let’s see it..

THE UNITED NATIONS ORGANISATION
IN CONJUNCTION WITH THE INTERNATIONAL MONETARY FUND
WORLD BANK FACT-FINDING & SPECIAL DUTIES OFFICE
LONDON, UNITED KINGDOM.
Email:

Greetings to you,

I am Rev. Rev. Father Jones Harth, a senior staff with the World Bank fact finding & special duties office. I am writing you this letter because cool penny is better than millions of dollars. It is better for one to live and die poor honest man than a rich dishonest one. I and the chief security officer (CSO) of this organization have arranged with an officer in computer section engineer Peter Cliff to bring out part of your total pending payment sum amounting to US$10 million. Why we did this is because according to information gathered from the banks/security computer, you have been waiting for a long time to receive your money without success. As I found out that you have almost met all the statutory requirements in respect of your pending payment, your problem is that of interest groups.

A lot of people are interested in your payment and those people are merely doing paper works with you and that explains why you receive fax and phone messages from different people everyday. Also we found out that some of the officials of the parastatals have been extorting a lot of money from you with the pretext of helping you receive your money. I can assure you that this may last for years yet nothing happens if you do not do away with those officers that you call your partners. And for security reasons do not tell anybody that you have your money until you receive cash at your door step.

The money is in a security-proof box weighing 75kg. Yesterday we went to four courier companies to make arrangements on how to ship them by courier to you. Dhl, Ems, FedEx, Ups all said that they must open the boxes for inspection by the customs before shipment. This is something we want to avoid because the box is padded with synthetic nylon and to open it, you have to cut the pad before you will meet the button that you will press to open the dial code-lock. There is no way you can open the box and be able to close it again because it was padded with machine. We told the courier services that the box contained film materials and when open will spoil the materials. We did not declare money because courier does not carry money. Today a friend of mine who is diplomat disclosed to me that there is a security courier service they use to send diplomatic materials and information from one country to another. It has diplomatic immunity and consignment cannot be checked by any customs anywhere in the world. I have met the officials of the security courier service and concluded shipping arrangement with them, which they will commence as soon as i have your go ahead order.

The diplomat will help me so we do not have any problem. We have concluded that you must donate Five Hundred Thousand United States dollars (US$500,000.00) to any charity organisation I designate as soon as you receive your money. To this effect, you will send us a promissory note for Five Hundred Thousand United States dollars (US$500,000.00) along with your address for sending the box by courier. Please maintain topmost secrecy as it may cause a lot of problems if found out that we are using this way to help you. Do not ever tell anybody about this until you have your money. I want to help you because something in me is telling me that you are an honest person. When you conclude this and you send our promise, we will help to ship the final part of your money to you.

God be with us as we wait for your reply on email address:

Yours faithfully,
Rev. Rev. Father Jones Harth

eheh a funny one eh? 🙂

So I replied with this little mail to see if someone would reply:

Hi,

Yeah thanks, what I’ve to do?

Regards,
Giangreco Vafanculo Demente

..and “surprise” fast reply from Reverend…

GREETINGS TO YOU IN THE NAME OF GOD.

I THANK YOU FOR YOUR EMAIL RESPONSE AND UNDERSTANDING. I HAVE BEEN MAKING ALL NECESSARY ARRANGEMENT TO MAKE SURE THAT I OBTAIN THE CONSIGNMENT IMMUNITY DOCUMENTS IN YOUR FULL NAMES AND CONTACT ADDRESS WHICH I WANT YOU TO FURNISH THIS HONORABLE OFFICE.

THIS WILL PROVE BEYOND EVERY DOUBT THAT THE CONSIGNMENT BELONGS TO YOU AND ALSO PROTECT THE CONSIGNMENT FROM BEING VANDALIZED OR CHECKED BY CUSTOMS ANYWHERE IN THE WORLD.

I HAVE CONCLUDED THIS ARRANGEMENT WITH THE DIPLOMATIC COURIER COMPANY THAT IS RESPONSIBLE FOR THE SHIPMENT OF THE CONSIGNMENT TO YOUR ADDRESS WILL BE HERE TO EVACUATE THE CONSIGNMENT TO THEIR OFFICE FOR WEIGHING EXERCISE AND DIPLOMATIC PACKAGING.

THE SHIPMENT COMPANY REQUIRES YOU TO SEND CORRECTLY YOUR SAFE DELIVERY ADDRESS TO AVOID SHIPMENT TO A WRONG ADDRESS, SEND A COPY OF YOUR IDENTIFICATION (DRIVER’S LICENSE OR INTERNATIONAL PASSPORT) FOR IDENTIFICATION PURPOSE AT THE POINT OF DELIVERY AND PROVIDE YOUR PRIVATE TELEPHONE AND FAX NUMBER IF ANY.

PLEASE BEAR IN MIND THAT YOU ARE REQUIRED TO PROVIDE THE ABOVE AS QUICKLY AS POSSIBLE TO ENABLE THEM PREPARE THE AIRWAY BILL AND SHIPMENT SCHEDULE.

I PRAY THE ALMIGHTY GOD WILL GUIDE YOU ACCORDINGLY AS I AWAIT FOR YOUR RESPONSE. YOU CAN CALL ME ON MY DIRECT TELEPHONE NUMBER AT ANY TIME ROUND THE CLOCK ON {{CENSORED}}

I WILL BE EXPECTING YOUR CALL AS SOON AS YOU RECEIVE THIS EMAIL OR YOU CAN EMAIL ME BACK.

NB: NOTE THAT YOU HAVE TO SEND YOUR FULL NAMES, CONTACT ADDRESS AND TELEPHONE NUMBERS, WHICH I WILL TAKE IT TO THE SECURITY COURIER COMPANY IN ORDER TO USE IT TO STATE YOU AS THE OWNER OF THE BOX.
GOD BLESS YOU.
REV. Rev. Father Jones Harth
Laugh laugh laugh!!! 😀
See you to the next post.. 🙂