Post up and share your examples of spam phishing emails messages #scamaware

**sonic71** · 24th May 2014, 09:58:AM

Re: Post up and share your examples of spam phishing emails messages #scamaware

yes and if im ever in doubt about my paypal in particular i find the paypal saite via a google search but your right about the address as its an easy giveaway

**FlamingParrot** · 24th May 2014, 11:47:AM

Re: Post up and share your examples of spam phishing emails messages #scamaware

Originally posted by sonic71 View Post

yes and if im ever in doubt about my paypal in particular i find the paypal saite via a google search but your right about the address as its an easy giveaway

If you want to manage your PayPal account, you should always go directly to their website and log in from there, rather than clicking on any links sent on an email, to be on the safe side. :thumb:

**Crazy council** · 24th May 2014, 12:07:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

i ALSO just got one of them notice to appear

Notice to Appear,

Enclosed please find the copy of the court notice for the case
mentioned above.

Truly yours,
Clerk to the Court.
Evie Tailor

DC_Court_Notice_UN_LS6361.zip (95 KB)

Archive Name: DC_Court_Notice_UN_LS6361.zip
Archive File Size: 71381 bytes
File Count: 1 file

Attributes Size Modified Date Method Ratio
--------------------------------------------------------------------------
Court_Notice... -A--- 110592 22-May-2014 09:33 Deflated 64.4%
--------------------------------------------------------------------------

the zip file come compleat with

3 trojans for known windows vulnerabilities
a few browsers redirectors for IE
blocking files for AV products.

here are the headders

Return-path: <support556@dwi-injury-lawyers.com>
Envelope-to: ######################
Delivery-date: Thu, 22 May 2014 14:21:23 +0100
Received: from [69.198.209.81] (port=2093 helo=dwi-injury-lawyers.com) ####### heres the info we need ####
by ultra10.extendnet.co.uk with smtp (Exim 4.82)
(envelope-from <support556@dwi-injury-lawyers.com>)
id 1WnSvu-0001S2-Lg
for #####################; Thu, 22 May 2014 14:21:20 +0100
Message-ID: <002f01cf75c0b313d2286600a8c0@Michael>
From: "Notice of Appearance" <support556@dwi-injury-lawyers.com>
To: <#######################>
Subject: Notice to appear
Date: Thu, 22 May 2014 09:21:11 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_002A_01CF759F.2BFFADA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: XimianEvolution1.4.6
X-MimeOLE: Produced By XimianEvolution1.4.6
X-eXtendnet-MailScanner-Information: Please contact the ISP for more information
X-eXtendnet-MailScanner-ID: 1WnSvu-0001S2-Lg
X-eXtendnet-MailScanner: Found to be clean
X-eXtendnet-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
score=0.343, required 5, BAYES_00 -1.90, HTML_MESSAGE 0.00,
RCVD_IN_BRBL_LASTEXT 1.45, RDNS_NONE 0.79)
X-eXtendnet-MailScanner-From: support556@dwi-injury-lawyers.com
X-eXtendnet-MailScanner-Watermark: 1401369680.25616@Rk7UNlP4LBtfLaw8J5DRBQ
X-Spam-Status: No

This is a multi-part message in MIME format.

------=_NextPart_000_002A_01CF759F.2BFFADA0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_002B_01CF759F.2BFFADA0"

------=_NextPart_001_002B_01CF759F.2BFFADA0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Notice to Appear,

Enclosed please find the copy of the court notice for the case
mentioned above.

Truly yours,
Clerk to the Court.
Evie Tailor

------=_NextPart_001_002B_01CF759F.2BFFADA0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<BODY>
Notice to Appear, 
 
Enclosed please find the copy of the court notice for the case mentioned above. 
 
Truly yours, 
Clerk to the Court. 
Evie Tailor 
</BODY>
</HTML>

------=_NextPart_001_002B_01CF759F.2BFFADA0--

------=_NextPart_000_002A_01CF759F.2BFFADA0
Content-Type: application/x-zip-compressed;
name="DC_Court_Notice_UN_LS6361.zip"

Content-Disposition: attachment;
filename="DC_Court_Notice_UN_LS6361.zip"

....... the rest is just the file......

and here is the site registrants details......

Domain Name: DWI-INJURY-LAWYERS.COM
Registry Domain ID: 1567114562_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2009-08-27 14:12:47
Creation Date: 2009-08-27 14:12:46
Registrar Registration Expiration Date: 2014-08-27 14:12:46
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Donald Kaufman ############## the following 3 lines are what we need########
Registrant Organization: Absolutely Write Inc.
Registrant Street: 3 Wilner Rd
Registrant City: Somers
Registrant State/Province: New York
Registrant Postal Code: 10589
Registrant Country: United States
Registrant Phone: +1.9142485101
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domainsales@absolutelywrite.com
Registry Admin ID:
Admin Name: Donald Kaufman
Admin Organization: Absolutely Write Inc.
Admin Street: 3 Wilner Rd
Admin City: Somers
Admin State/Province: New York
Admin Postal Code: 10589
Admin Country: United States
Admin Phone: +1.9142485101
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domainsales@absolutelywrite.com
Registry Tech ID:
Tech Name: Donald Kaufman
Tech Organization: Absolutely Write Inc.
Tech Street: 3 Wilner Rd
Tech City: Somers
Tech State/Province: New York
Tech Postal Code: 10589
Tech Country: United States
Tech Phone: +1.9142485101
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domainsales@absolutelywrite.com
Name Server: NS09.DOMAINCONTROL.COM ################ we can do funny and intersting things with these details######
Name Server: NS10.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-5-24T12:00:00Z

So, Mr spammy Donnald thinks its ok to spam me with viruses............ mmmmmm... he he, i dont get mad i get even..... i think mr Spammy systems are about to get rather busy

**Tools** · 24th May 2014, 12:40:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

DDoS ?

**Nibbler** · 25th May 2014, 13:30:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

May be hijacking of an innocent 3rdy party with a spoofed sender/refereces to gain limited legitimacy, to get people to open the attachment and infect their system.

Whole thing is geared to that in the end. Which has likely nothing to do anything mentioned in the email.

**Crazy council** · 25th May 2014, 14:06:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

hi

DDoS ?

.

that just annoys people and only really any use on sites that take payments or have large amounts of visits, but was fun for the likes of playstation/paypal ect.

With scams like this, my friend ( cough cough ), tends to try and track down there email servers, then encrypt all there records. its the least illegal way to deal with these type people... I suppose what's more interesting for me is what type of trojans and browse hacks they are using, it sort of tells you how competent they are..... and wither they have just copied know exploits thatr are in the wild, or are buying unpublished ones......

**FlamingParrot** · 26th May 2014, 11:46:AM

Re: Post up and share your examples of spam phishing emails messages #scamaware

Dear Customer,

Suspicious Debit Card Activity,
We have suspended your natwest debit card.Follow the link below to verify your account with us before your debit card can be re-opened for use.

Verify Your account immediately.
Thank You,

NatWest Security Department.

Linky removed by me but went to: romannoti.com/wp-content/themes/twentytwelve/inc/wp.htm. Obviously a subsidiary of NatWest!

msl:

msl:

Besides, my only association with NatWest would have been to have been working next to Tower42 until 2003!:rofl:

**Crazy council** · 26th May 2014, 19:07:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

Apparently i have a voice mail,:tinysmile_aha_t: just need to unzip this dodgy file first. BUT I WENT DIGGING

You have a new Voice Message!Sender: +07768 101341
Date: 2014.05.24 15:24:17 UTC
ID: 2014.05.26_D244413DC

voice_message_2014.05.26_D244413DC.zip (101 KB)

Archive Name: voice_message_2014.05.26_D244413DC.zip
Archive File Size: 75647 bytes
File Count: 1 file

Attributes Size Modified Date Method Ratio
--------------------------------------------------------------------------
---- 119296 26-May-2014 15:24 Deflated 63.1%
--------------------------------------------------------------------------

The email source shows sender %%%%%@leandergroup.co.uk.spam.spam

But, the website looks legit, a building services co, name registered in 2005 and the whois looks legit........

mmmmm, me thinks, apart from very old virus in the ZIp, why would they point to a legit site.... Then i looked at the source code for the site...

<link href="style/patches/patch_sliding_door.css" rel="stylesheet" type="text/css" />
	<![endif]-->
	</head>
	<body>
	<p style="position:absolute; left:-2250px; top:-1150px;">We provide services in <a href="pamspamspam" title="replica handbags"><b>replica handbags</b></a>,We work closely with <a href=pamspamspam" title="rolex replica uk"><b>rolex replica uk</b></a>,We have the ability to offer <a href=pamspamspam" title="replica watches"><b>replica watches</b></a>,2014 new products come,please visit <a href=pamspamspam title="2014 new replica watches">replica watches</a>,Buy good exact Swiss <a title="replica watches" href=pamspamspam"><strong>replica watches</strong></a> ,uk replica watches online store,please visit <a href=pamspamspam>replica watches</a></p>
	<div id="page_margins">
	<div id="page">
	<div id="header">
	<div id="title" class="center">

Further down the page, there are about 20 other links like this

<a href=----deleted spam -->louis vuitton outlet</a>

And i bet the site owners dont know thats been injected in there....

am just having a look around the site because the source of the email has what looks like a hook in the return address, and am looking through the source of all site pages to find the trigger.......so i can follow it...... :doggieyes: am using a secure browser, i would not visit that site with IE, the exploit on the fist page is for IE browser only.....

Sorry for the long post but i just though some of you might be interested in how the mechanics of these scam emails actually work and how they are done.

The people that have done the above, have don it so all there traffic initially goes through a legitimate site, thus avoiding spam servers, and thats why such obvious scam mail like this dont get noticed by the servers as spam..... becuase there route is a known legit one

**Tools** · 26th May 2014, 19:25:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

They seem to hack a lot of vulnerable wp sites or just random sites with easy server access, the last zip file I safely unpacked even included a list of IP's which if detected went straight to a " **** You! " page, obviously they have a few Law enforcement Ip's stashed away too

**dogtired** · 26th May 2014, 19:46:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

Had two in junk one of the "notice to appear" identical to one posted earlier.
The other an invite to invest in " a new oppertunity to invest in web design"
Sorry not worked out how to post or copy here.
Reported to e mail host and deleted

**Crazy council** · 26th May 2014, 20:07:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

Wp is great but people dont update it regularly, and some of the widget get hijacked. Older versions of WP you can inject code to escalate privileges easily, and i can graft a google search to find 100s of vulnerable sites, run an injector against them ( i dont and would not do that ), then any pc that has IE uppached that visits it, is open to whatever i want to driveby-install..... thats the easyest way to build up a bot army ( i dont do that )....... Thats what i look through the scam mail for.... people trying to build botnets....so i can have a nose around...... :tinysmile_twink_t2:....

he last zip file I safely unpacked even included a list of IP's which if detected went straight to a " **** You! " page, obviously they have a few Law enforcement Ip's stashed away too

so funny, i have seen code with specific messages to law enforcement departments in america, taunting them... the more modern ones pull an IP avoid or attack lists from servers just prior to attack.. thus being impossible to understand what its trying to attack prior the attack starting, unless you can find the feeder server,

**FlamingParrot** · 26th May 2014, 20:08:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

Originally posted by Tools View Post

They seem to hack a lot of vulnerable wp sites or just random sites with easy server access, the last zip file I safely unpacked even included a list of IP's which if detected went straight to a " **** You! " page, obviously they have a few Law enforcement Ip's stashed away too

Originally posted by Crazy council View Post

Sorry for the long post but i just though some of you might be interested in how the mechanics of these scam emails actually work and how they are done.

The people that have done the above, have don it so all there traffic initially goes through a legitimate site, thus avoiding spam servers, and thats why such obvious scam mail like this dont get noticed by the servers as spam..... becuase there route is a known legit one

One of the servers I use was hacked in November 2012, via Wordpress. I had some sites I'd set up just as demos that I wasn't really worried about so I'd left the login as 'admin'.

They went through one of them and injected code into several web pages, causing them to automatically redirect to spammy sites.

The hosting company contacted me, asking me to clean or remove certain files, only when I went through the cPanel file manager, there were no files there! :scared: It turns out they had removed permissions after receiving complaints about the sites, only they went too far and removed my permissions too. It was all sorted and they've not been hacked since, however, that particular hosting company disabled all WP logins on and off last year. :mad2:

The sites were hacked by international spammers, sites redirected mostly to Russian sites.

**FlamingParrot** · 26th May 2014, 20:10:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

I am Mr. Algoth Cyprian, an Accountant with Lloyds Bank, I am the personal Account Manager to Late Mr. Enevald Helmut.

On the 21st of April 2008, Mr. Enevald Helmut (Herein after shall be referred to as my client), his wife and their two children were involved in a car accident in London. Unfortunately they all lost their lives in the event of the accident, since then I have made several inquiries to locate any of my client's extended relatives, this has also proved unsuccessful. After these several Unsuccessful attempts, I decided to trace his relatives over the Internet, to locate any member of His family but of no avail, hence I contacted you to stand as his next of kin.

I contacted you to assist in repatriating the money in addition, property left behind by my client before they get Confiscated or declared unserviceable by the bank where this huge deposits were lodged. Particularly, Lloyds Tsb Bank Plc, where the deceased had an account valued at about Six hundred thousand Great British Pounds. Consequently, the bank issued me a notice to provide the Next of Kin or have the account confiscated within the next twenty official working days.

Since I have been unsuccessful in locating the relatives for over 2 years now I seek your consent to present you as the next of kin of the deceased based on the fact that you are a foreigner so that the proceeds of this account valued at about six hundred thousand Great British Pounds can be paid to you and then you and I can share the money. 50% to me and 40% to you, while 10% should be for expenses or tax as your government may require. An attorney will be contracted to help re-validate and notarize all the necessary legal documents that can be used to back up any claim we make. All I require is your honest cooperation to enable us sees this deal through. I guarantee that this will be executed under a legitimate arrangement that will protect you from any breach of the law.

To enable us discuss further, I would like you to send me the following information so I can open up a next of kin file on your behalf here in the bank.

1. Name in full:
2. Address:
3. Nationality:
4. Age/Sex:
5. Occupation:
6. Direct Phone number:

Best regards,
Mr. Algoth Cyprian
+44-703-196-3049

Being a 'foreigner' automatically makes me the deceased's next of kin!

msl:

msl:

I wonder how he found that out... :confused2: :noidea:

**Crazy council** · 27th May 2014, 15:19:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

Flaming porrot....... I am soooo tempted to contact them thats in yours..... I love 419ers.... I dont get sent them anymore..... 9*out of ten 419ers are traceable. Becuase
1. They all used hacked versions of windows ( could teach my dog to acsess remotely )
2. There are inherently stupid and are money drunk...
3. They generally have no idea how to secure there own systems... i love phone number on scam mails..

I watched a live hack on one of these last year and was side splittingly funny.... A call was made, a loaded email was sent to them, the fools opened the email, acess was gained to the camera on the laptop while the guy was on the phone., and acsess to the router that they were all connecting with.. :tinysmile_aha_t:

Shininigans was the order of the day... after a few days of playing with them,, and getting there data... we flashed an Mi5 notice across there screens, with there pictures, a google map of were they were, telling them that operatives were on route.... and watching there faces through there inbuilt webcams was making it hard to get air we was laughing so much.....

**Tools** · 27th May 2014, 16:59:PM

Re: Post up and share your examples of spam phishing emails messages #scamaware

You have send me a link to that one, pleeeease

Post up and share your examples of spam phishing emails messages #scamaware

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment