Wednesday, December 2, 2015

Online Account Notification (Paypal Phishing)

Dear User

By limiting the access to your account, our security team have blocked unusual charges to a credit-card linked to your account.

By providing some information in regards to your account, our Account Review Team will try to resolve the issue as soon as possible.

PayPal may limit your account as a security measure to protect you and your account. Access limitation is taken as a pre-caution.

PayPal have provided a form (see attachment) to verify your account. You may download and fill in the form.

Our security team will immediately review the information you have provided, and your account should be restored back to normal.

We would like to thank you for your attention to this matter.

Sincerely,
PayPal

form.html

File analysis :

OPEN : form.html
DETECT : Sophos (Mal/Phish-A)

File opening :

The file was encoded so the file was decoded... :

http://ddecode.com/hexdecoder/?results=66079ae734cbda3f7abffa23e3341be4

var _0x13632f = "7ef141717f6e9bc4ea6a159fc074bf7e.php";
var _0x17dd=["http://www.my-ads-network.net/"];


my-ads-network.net whois :

Tech Email: 8F0090A44FFA46A2B0CAA72F917439C7.PROTECT@WHOISGUARD.COM
Name Server: BLOCKEDDUETOPHISHING.PLEASECONTACTSUPPORT.COM
Name Server: DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM

Email analysis :

NOTE : members@systems.com
NOTE : X-Terrace-Classid : Terrace Spam system

Rev Thomas Okafor

Dear friend,

How are you today and how is life over there in your country, am very happy to inform you about the successful transfer of that fund i told you that i will like to transfer into your bank account sometime ago but due to some circumstance you opted out of the deal. However i later found someone who helped me in the transfer,he is the CEO of RV PLATINUM SHIPPING SERVICE based in Venezuela in the person of Mr Antonio Elortegui. Meanwhile am on investment project in venezuela and i cannot forget your tireless effort then to help me succeeded in this transfer and i have decided to reward your kindness,i left a Bank Draft of (USD$2,000,000.00) Two Million Dollars under the care of my personal assistance Mr. Jubril Godwin Jr to send to you as soon as you contact him through his personal email address: (jubgodwin@gmail.com) Tell him i asked you to contact him regarding the bank Draft i issued on your behalf. In the main time am going to be away from my email and I will not be able to check my email box, as i will like to concentrate on my purpose of coming here to invest my money, if you so desire to speak with me you can reach me on phone with +58412575530. Let me know as soon as you receive your Bank Draft so that we can both share in this joy.

Thanks and have a nice day.
Regards,
Barrister Dr. Williams Eze.

jubgodwin@gmail.com

Email analysis :

NOTE : marina@localhost.com
NOTE : jubgodwin@gmail.com
NOTE : X-Originatingip : 41.71.178.118 (lawrence)
NOTE : Received : from www.senju.com.tw (localhost [127.0.0.1])
NOTE : by dns.senju.com.tw (8.13.8+Sun/8.13.8)
NOTE : X-Mailer : OpenWebMail 2.53

Rép : New order (Virus)

GoodDay,

Find the attached specifications in the purchase order for our company end of the year sales before sending your Proforma Invoice and do get back to me with your quotations asap. An Official order placement will follow as soon as possible. But note that we have restructured the order so the first order will not exceed 20-40feet containers.

Thanks & Best Regards,
Manager Purchasing Department
Shirley Lee

TMS Titanium

HEADQUARTERS

12215 Kirkham Rd., Suite 300
Poway, CA 92064

EMAIL: sales@tmstitanium.com

SALES AND CUSTOMER SERVICE

Toll Free: (888) 748-8510
Local: (858) 748-8510

FAX

(858) 748-8526

scanned purchase order.ace

File analysis :

NOTE : Open scanned purchase order.ace
NOTE : scanned purchase order.ace is a virus.

Virus analysis :

Avast : Win32:Malware-gen
ESET-NOD32 : a variant of Win32/Injector.CNFH
GData : Archive.Trojan.Agent.14JCQ5
Ikarus : Trojan.Win32.Injector
Kaspersky : Trojan.Win32.Scarsi.aaab
Panda : Generic Suspicious
Qihoo-360 : HEUR/QVM03.0.Malware.Gen
Sophos : Mal/DrodAce-A

Email analysis :

NOTE : sales@tmstitanium.com
NOTE : SUNSHINESLISA1@YAHOO.COM
NOTE : Received : from [67.227.193.36]
NOTE : (UnknownHost [67.227.193.36]) by mail2.postbulletin.com

RE: order cancellation (Virus)

My order was supposed to be delivered last week and it’s still not here.

Please refund my full amount as stated on the attached invoice I received
from [$DOMAIN].

Thanks,

Albert Trujillo

Manager of operations
2312 Montgomery St

invoice_323489.doc

File analysis :

NOTE : open invoice_323489.doc
NOTE : invoice_323489.doc is a virus.

Virus analysis :

ALYac : Trojan.Agent.BOQY
AVware : Trojan.Win32.Generic.pak!cobra
AhnLab-V3 : W97M/Agent
Arcabit : HEUR(high).VBA.Trojan
Avast : Win32:Trojan-gen
Avira : TR/Crypt.ZPACK.219008
BitDefender : Trojan.Agent.BOQY
Cyren : PWS.UKZL-52
DrWeb : Trojan.PWS.Stealer.4118
ESET-NOD32 : Win32/PSW.Fareit.A
Emsisoft : Trojan.Agent.BOQY (B)
F-Secure : Trojan.Agent.BOQY
Fortinet : WM/Agent!tr
GData : Trojan.Agent.BOQY
Ikarus : Trojan.Win32.PSW
Kaspersky : Trojan.VBS.Agent.xw
McAfee : W97M/Dropper.ah
McAfee-GW-Edition : Artemis!5E49FAB20EC4
Microsoft : TrojanDropper:O97M/Farheyt
NANO-Antivirus : Trojan.Win32.Stealer.dyyyhx
Sophos : Troj/Agent-APMP
Symantec : Trojan.Mdropper
Tencen : Win32.Trojan.Crypt.Dxnf
TrendMicro : W2KM_DRIDEX.YYSPF
TrendMicro-HouseCall : W2KM_DRIDEX.YYSPF
VIPRE : Trojan.Win32.Generic.pak!cobra
nProtect : Trojan.Agent.BOQY

Email analysis :

NOTE : accounting@michaelsav.com
NOTE : User-Agent : Mozilla/5.0 (Windows; U; Windows NT 6.1; sv-SE; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
NOTE : X-REMOTE : 4.28.11.153 ()

Seeking your MOU.

Dear Sir,

My name is Mr.Maurice Siedu and I work as chief director , Agricultural Services Ghana.

I am seeking your mutual assistance to move $21.5 million fertilizer -subsidy fund to your country for a private investment and of your benefits.

Please let me know the best time to call and I will explain more details about this business.

I will be looking forward to your response.

Thanks,

Mr.Maurice Seidu,

Chief Director,

Agricultural Services Ghana.

Email analysis :

NOTE : test@fengli.net
NOTE : mseidua@outlook.com
NOTE : Received : from User (197.211.53.3)
NOTE : by FengliMail.fengli.net (10.30.6.8)