Friday, November 18, 2016

*.* (Facebook Likes Scam)

Hello,

I will contact you after visiting the *.* page.

We are able to increase the number of gauge on your page, to improve your image and the trust of your guests or customers. Most Internet users feel more secure and have a more accurate picture of a site that displays a large number of gauge on its page. You can order Facebook fan packs at a special price on the webmaster our site. Do not hesitate to contact us to request further information

Kind regards,
Benedetto Barattino

Hello,

I will contact you after visiting the *.* page.

We can increase the number of likes on your page, to improve your image and confidence of your visitors or customers. The majority of Internet users feel more confident and have a more accurate picture of a site that displays a large number of likes on his page. You can sort your Facebook fans pack at a special price on our website webmaster. Do not hesitate to contact us for more information

Best regards,
Benedict Barattino

Email analysis :

NOTE : mail@fbmarketingf.us
NOTE : 178.170.83.252


FSA-ReN0GFI

FROM THE DESK OF LORD ADAIR TURNER,
Chairman, Financial Services Authority (FSA),
Direct Telephone:(44)7031952253

ATTEN: BENEFICIARY

Previously I have sent this notification which you are yet to respond. With reference to the recall of your funds, it has come to our notice via our central monitoring computer that a huge fund has been credited in your name for transfer with a London Bank. Under the stipulated enabling Law of the Government of Great Britain and Wales and other Commonwealth States, any huge fund that has been found in our computer system waiting to be transferred without claims for a period of 6 months or less, shall be confiscated and forfeited to the Government of Great Britain and Wales.

We do hereby ask you to contact this office immediately for ratification within 3 days of this notice or consider your fund confiscated.

We appreciate your urgent co-operation.

LORD ADAIR TURNER, CHAIRMAN,
FINANCIAL SERVICES AUTHORITY (FSA).
LONDON, UNITED KINGDOM

Email analysis :

NOTE : info@nevajans.com
NOTE : mgguzman@difnl.gob.mx
NOTE : Content-Type : text/plain; charset="iso-8859-1"
NOTE : Mime-Version : 1.0
NOTE : Received : from email.difnl.gob.mx (email.difnl.gob.mx. [189.213.106.19])
NOTE : Received : from [100.101.158.18] ([106.198.255.21])
NOTE : (authenticated bits=0) by email.difnl.gob.mx
NOTE : client-ip=189.213.106.19;
NOTE : Content-Description : Mail message body
NOTE : FSA-ReN0GFI

ATM

Your ATM CARD of USD2.5.is with us with registration code of (Shipment Code 11684990)contact us with your delivery information such as, Your Name, Your Address and Your Telephone Number:Contact:(kikioffice6@gmail.com)

Email analysis :

NOTE : kikioffice6@gmail.com
NOTE : x@x.com
NOTE : luisgonzalezjr@cantv.net
NOTE : Received : from 41.138.89.214 ([41.138.89.214])
NOTE : by webmail-02.datacenter.cha.cantv.net (Cantv Webmail) with HTTP;

I will not fail to compersate you

Hello My Dear Beloved I'm happy to inform you about my getting those funds transferred under the co operation of a new business partner from Paraguay. I'm in Paraguay for treatment and investment but meanwhile, I didn't forget your past efforts and attempts to assist me in transferring those funds despite that it failed us some how, but without the your last name I would have not gotten the fund so I have left your compensation fund in a VISA ATM Card with my Secretary in Benin Republic. contact my secretary in Benin his name is Mr Edwin Onuga Hounn, Email: (edwinonunga22@yahoo.com) Ask him to send you the VISA ATM Card containing the total of 800.000.00 Euro which I kept for your compensation for all your past efforts and attempts to assist me in this matter. I appreciated your efforts at that time very much. so get in touch with my secretary Mr Fre Houn and instruct him where to send the VISA ATM Card containing the total of 800.000.00 Euro to you without any delay, Remember that I had forwarded instruction to Him on your behalf. My Best Regards, Writing from Paraguay

Email analysis :

NOTE : Return-Path : < craig.car@outlook.com >
NOTE : 181.196.51.229 ()
NOTE : Mime-Version : 1.0
NOTE : amavisd-new at tena.gob.ec
NOTE : Received : from mail.tena.gob.ec ([127.0.0.1])
NOTE : by localhost (mail.tena.gob.ec [127.0.0.1])
NOTE : Received : from [141.105.71.26] (unknown [141.105.71.26])
NOTE : by mail.tena.gob.ec (Postfix)
NOTE : I will not fail to compersate you

Shipment Code awb 33xzs (Email leak)


I have registered your ATM CARD of $8.5 with DHL Courier Company with registration code of ( Shipment Code awb 33xzs,ATM Card Registered Code No xgt442.Security Code sctc/2001dhx/567/;Transaction Code 233/cstc/101/33028/;Certificate Deposit code; sctc/bun/xxiv/-78/01). please Contact with your delivery information such as, Your Name, Your Address and Your Telephone Number:Courier Office: DHL

Name of Dir:Dr.Clarck Robert,
E-mail:(mr.johndavidson@outlook.com)
Tel:+229-98643209

I have paid for the Insurance & Delivery fee.The only fee you have to pay is their Security fee only.Please indicate the registration Number and ask Him how much is their Security fee so that you can pay it.

Best Regards,
Mrs.Anne Dinma

Email leak :


Email analysis :

NOTE : X-Matched-Lists : []
NOTE : Return-Path : < andreiniesta@cantv.net >
NOTE : X-Originating-Ip : [197.234.219.95]
NOTE : Mime-Version : 1.0
NOTE : X-Virus-Scanned : amavisd-new at cantv.net
NOTE : Content-Transfer-Encoding : 7bit
NOTE : X-Mailer : Cantv Webmail
NOTE : Content-Type : text/plain; charset=UTF-8
NOTE : Received : from webmail-02.datacenter.cha.cantv.net (webmail-02.datacenter.cha.cantv.net [200.11.153.85])
NOTE : (authenticated bits=0) by 10ibl21ser04.datacenter.cha.cantv.net (8.14.3/8.14.3/3.0)
NOTE : Received : from 197.234.219.95 ([197.234.219.95]) by webmail-02.datacenter.cha.cantv.net
NOTE : (Cantv Webmail) with HTTP; Mon, 7 Nov 2016 05:47:37 -0400 (VET)
NOTE : Shipment Code awb 33xzs

RE: shipping done

We shipped your crap.
Here's the tracking invoice :
https://www.ups.com/?tracking_invoice=219371293129312& action=download

Let us know when it arrives.
Thanks

Phishing analysis :

CLICK : https://www.ups.com/?tracking_invoice=219371293129312& action=download
OPEN : http://invoice-portal.com/invoices/get.php?id=d2VibWFzdGVyQHJiY2FmZS5jb20=
RESULT : Download a file called : inv11172016.doc

File analysis :

ESET-NOD32 : VBA/Kryptik.T
F-Secure : Trojan:W97M/Nastjencro.A
Fortinet : WM/Agent.5110!tr
Kaspersky : HEUR:Trojan.Script.Agent.gen
McAfee : W97M/Dropper.cu
McAfee-GW-Edition : W97M/Dropper.cu
NANO-Antivirus : Trojan.Ole2.Vbs-heuristic.druvzi
Panda : O97M/Downloader 20161117
Qihoo-360 : virus.office.gen.75
Symantec : W97M.Downloader
TrendMicro : W2KM_HANCITOR.YYSXC
TrendMicro-HouseCall : W2KM_HANCITOR.YYSXC

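inv11172016.doc is malicious: the engines listed above detect it as a macro-based Word downloader/dropper (for example W97M.Downloader and W2KM_HANCITOR.YYSXC).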

Email analysis :

NOTE : Return-Path : < rm@restaurantcocotte.com >
NOTE : 162.252.121.130 ()
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : X-Mailer : iPad Mail (11D169)
NOTE : Message-Id : < *@restaurantcocotte.com >
NOTE : Content-Type : text/html; charset="utf-8"
NOTE : Received : from unknown (HELO restaurantcocotte.com) (162.252.121.130)
NOTE : RE: shipping done