Tuesday, July 3, 2018

Refer to this following Invoice#******* (Dropbox Phishing)


View the Document i attached to you via Dropbox. Sent on 21/02/2018.

View document

Kind Regards.
Cindy Whitfield
Rich Rags
Designer Wearable Art
My cell Phone number is 530-520-5540

Email analysis :

NOTE : dirkschulzegronover@t-online.de

Phishing analysis :

CLICK : View document
OPEN : http://huzaifamarble.com/redirect/ch.html
REDIRECT : http://www.bashtv.com.au//telekomlomel/drp/page.php?id=*
NOTE : http://www.bashtv.com.au//telekomlomel/drp/page.php

Tuesday, September 12, 2017

Please verify your email address *

The Dropbox logo

Hi *,

We just need to verify your email address before your sign up is complete!

Verify your email

Happy Dropboxing!

Email analysis :

NOTE : Received : from customer-PUE-207-103.megared.net.mx (unknown [])

NOTE : verify@dropbox.com
LINK : http://floraisdobrasil.com.br/dropbox.html

NOTE : Received : from (unknown [])

NOTE : verify@dropbox.com
LINK : http://basedow-bilder.de/dropbox.html

Phishing analysis :

CLICK : Verify your email
OPEN : http://floraisdobrasil.com.br/dropbox.html

CLICK : Verify your email
OPEN : http://basedow-bilder.de/dropbox.html

REDIRECT : http://wittinhohemmo.net/drop.php

OPEN : http://wittinhohemmo.net/drop.php
RESULT : Dropbox-MSGCODE-*.js is a virus

Virus analysis :

Arcabit HEUR.JS.Trojan.ba
Avira HTML/ExpKit.Gen2
Baidu JS.Trojan-Downloader.Nemucod.yo
Cyren JS/Agent.AAO1!Eldorado
F-Prot JS/Agent.AAO1!Eldorado
Qihoo-360 virus.js.qexvmc.1075
Rising Malware.Undefined!8.C (cloud:CVrV9ZfawJI)
Symantec JS.Downloader.D
TrendMicro Possible_Cerber-JS03b1
TrendMicro-HouseCall Possible_Cerber-JS03b1
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic

Conclusion :

Virus stored for analysis...

Saturday, September 2, 2017

Please verify your email address (Dropbox Phishing Attempt)

The Dropbox logo

Hi *,

We just need to verify your email address before your sign up is complete!

Verify your email

Happy Dropboxing!

Email analysis :

NOTE : no-reply@dropbox.com
NOTE : Received : from [] (unknown [])

NOTE : Received : from ip-161-245.vnt.net.id (unknown [])

NOTE : Received : from unitel.com.la (unknown [])

Phishing analysis :

CLICK : Verify your email
OPEN : http://jaysonmorrison.com/dropbox.html

CLICK : click here
OPEN : http://dippydado.net/json.php
RESULT : website broken...
OPEN : Another dropbox phishing with the same content
CLICK : Verify your email
OPEN : http://dar-alataa.com/dropbox.html

CLICK : click here
RESULT : same result...
OPEN : Another Dropbox phishing with the same content
CLICK : Verify your email
OPEN : http://potamitis.gr/dropbox.html

CLICK : click here
RESULT : same result...

Monday, December 19, 2016

Your account will be blocked!!! (Dropbox Phishing)

Dear User,

Your Mail Storage Limit has exceeded you might not be able to send or receive new messages; Click or Copy the link below onto your browser to verify your email and increase storage limit.


Note: Failure to heed strictly to this notification will lead to Email Account deletion thereby causing lost of files.

Thank you for using our mail system

Mail Administrator

Email analysis :

NOTE : hr@mail.com
NOTE : Received : from User (unknown [])
NOTE : (Authenticated sender: admin) by mail.vps.com (Postfix)

Phishing analysis :

CLICK : http://www.powerline.or.kr/zboard/data/dpbx/index.php
OPEN : http://www.powerline.or.kr/zboard/data/dpbx/index.php

RESULT : Dropbox phishing
CLICK : Other Emails

CLICK : Submit
REDIRECT : https://www.dropbox.com/

Wednesday, June 15, 2016

DocuSign Document (Dropbox Phishing)

You have a new file shared with you via Dropbox secure file transfer

Click here to view

Dropbox Pro also comes with
powerful sharing and security features:
scan.28373.pdf

Sign in to access shared file

If you prefer not to receive Dropbox newsletters, please go here.
Dropbox, Inc., PO Box 77767, San Francisco, CA 94107 © 2016 Dropbox

Email analysis :

NOTE : Temitjcob@mrapesinol.com
NOTE : X-Organization : ykyrhqaxljfo129498
NOTE : staymoola09@maymostfavour.com
NOTE : X-Originating-Ip : []

Phishing analysis :

CLICK : Click here to view
OPEN : http://bit.do/b69KJ
RESULT : Phishing was removed...

Sunday, May 15, 2016

Download your pending document via Dropbox 13-53-09 (Dropbox Phishing)

Hello *@*

You have a pending incoming document shared with you via Dropbox

Dropbox makes it easy to create, store and share online documents, spreadsheets and presentations.

lClick here to view shared docs.

- The Dropbox Team
© 2016 Dropbox

Phishing analysis :

CLICK : lClick here to view shared docs.
OPEN : http://bit.ly/1Y7zmlo
REDIRECT : http://www.wmh11.conticom.pl/media/mailto/load_content.php
ADDRESS BAR : Change to base64 (data:text/html;charset=utf-8;base64)

FORM (HTML) : http://homedecoration.pw/mickyrosay/finish.php
CLICK : Sign In

CLICK : Validate
REDIRECT : https://www.dropbox.com/business?_camp=email_basic&oref=e&_tk=email&_ad=39078

Email analysis :

NOTE : dm3@customerserviceprovider.onmicrosoft.com
NOTE : antcear960@gmail.com
NOTE : X-Organization : yksvextavevak21954
NOTE : X-Author : yksvextavevak21955
NOTE : X-Originating-Ip : []

Wednesday, April 27, 2016

You Have (1) New Document - Shared Via Dropbox


Phishing analysis :

OPEN : http://www.pet-house.com.gr/wp-agretj/red/
RESULT : page unresponsive...

Email analysis :

NOTE : ahsinger@wesleyan.edu
NOTE : client-ip=2607:f8b0:4001:c06::243;
NOTE : Account : ashinger

Saturday, April 2, 2016

Please Confirm (Dropbox Phishing)

Please confirm

Attached PO and TT copy, check on dropbox. Our agent will contact you soon for Carton design.

UhlSport Gmbh


Phishing analysis :

CLICK : http://www.diabeez.in/cgisys/dropboxx/downloadPO-D1956-1.htm?

REDIRECT : https://www.dropbox.com/s/paic7kvmg1lqnsg/PO%201026240.pdf?dl=0

Email analysis :

NOTE : mldminn@outlook.com
NOTE : as permitted sender
NOTE : X-Ms-Exchange-Crosstenant-Originalarrivaltime : 01 Apr 2016 08:47:01.9167 (UTC)
NOTE : X-Originatororg : outlook.com
NOTE : X-Ms-Exchange-Transport-Crosstenantheadersstamped : VE1EUR01HT230
NOTE : X-Forefront-Antispam-Report : CIP:;IPV:NLI;CTRY:GB;EFV:NLI;SFV:NSPM;SFS:(10019020)
NOTE : Authentication-Results : spf=softfail (sender IP is
NOTE : X-Ms-Exchange-Crosstenant-Fromentityheader : Internet
NOTE : Accept-Language : en-US
NOTE : Content-Language : en-US
NOTE : Mime-Version : 1.0
NOTE : Please Confirm

Notes from Scam.cz :

  • servers were used to relay this phishing.
  • = UK Ministry of Defence
  • https://www.gov.uk/government/organisations/ministry-of-defence
  • Inside the UK ministry of defence, there is a station relaying dropbox phishing.

Sunday, January 17, 2016

You have a dropbox message (Dropbox phishing)

Greetings from Dropbox Team!

You have a new document shared with you via dropbox
Click to open: Secure Message

Happy Dropboxing!
- The Dropbox Team

P.S. To get even more space, invite your friends or upgrade your Dropbox.
© 2016 Dropbox

Phishing analysis :

CLICK : Secure Message
OPEN : http://siliconleaf.com/js/drop/TT/Dropbox.html

NOTE : Phishing was removed.

Email analysis :

NOTE : Mime-Version : 1.0
NOTE : lizann50@suddenlink.net designates as permitted sender)
NOTE : smtp.mailfrom=lizann50@suddenlink.net
NOTE : Return-Path : < lizann50@suddenlink.net >
NOTE : Received : from dalofep02.suddenlink.net (txofep02.suddenlink.net. [])
NOTE : Received : from [] (really [])

NOTE : by dalofep02.suddenlink.net (InterMail vM.
NOTE : client-ip=;

NOTE : You have a dropbox message

siliconleaf.com whois :

Registry Domain ID: 1735949442_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2015-07-26T15:27:00Z
Creation Date: 2012-07-27T06:08:40Z
Registrar Registration Expiration Date: 2016-07-27T06:08:40Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Registrant Name: Rushabh Parikh
Registrant Organization: Silikonleaf
Registrant Street: 402, Chandanvan-1, Majuragate
Registrant City: Surat
Registrant State/Province: Gujarat
Registrant Postal Code: 395002
Registrant Country: IN
Registrant Phone: +91-902-445-6484
Registrant Email: russ1990@gmail.com
Admin Name: Rushabh Parikh
Admin Organization: Silikonleaf
Admin Street: 402, Chandanvan-1, Majuragate
Admin City: Surat
Admin State/Province: Gujarat
Admin Postal Code: 395002
Admin Country: IN
Admin Phone: +91-902-445-6484
Admin Email: russ1990@gmail.com
Tech Name: Rushabh Parikh
Tech Organization: Silikonleaf
Tech Street: 402, Chandanvan-1, Majuragate
Tech City: Surat
Tech State/Province: Gujarat
Tech Postal Code: 395002
Tech Country: IN
Tech Phone: +91-902-445-6484
Tech Email: russ1990@gmail.com
Name Server: DNS.SITE5.COM
Name Server: DNS2.SITE5.COM
DNSSEC: unsigned

Tuesday, June 9, 2015

Frank has sent you a document (Dropbox Phishing)

Frank has shared a document (JuneApproval.doc) with you.

View Document Now

Thank you!
- The Drop box Team
c 2015 Drop box

Email analysis :

NOTE : frank.mail.dropbox@dropboxwiki.com

Phishing analysis :

CLICK : View Document Now
CLICK : http://valiti.net/img/secure/dropbox/login/

REDIRECT : https://www.dropbox.com/

valiti.net whois :

Domain Name: VALITI.NET
Registry Domain ID: 1843539257_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.retailstudio.com
Registrar URL: http://www.netissime.com
Updated Date: 2015-01-22T17:11:40Z
Creation Date: 2014-01-20T12:55:03Z
Registrar Registration Expiration Date: 2017-01-20T12:55:03Z
Registrar: ELB Group, Inc.
Registrar IANA ID: 820
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Trejo Barrio Manuel
Registrant Organization: N/A
Registrant Street: Rekalde, 30 bajo
Registrant City: Soraluze
Registrant State/Province: not applicable
Registrant Postal Code: 20590
Registrant Country: ES
Registrant Phone: +34.340000000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: limpiezastrejo@limpiezastrejo.com
Registry Admin ID:
Admin Name: Trejo Barrio Manuel
Admin Organization: N/A
Admin Street: Rekalde, 30 bajo
Admin City: Soraluze
Admin State/Province: not applicable
Admin Postal Code: 20590
Admin Country: ES
Admin Phone: +34.340000000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: limpiezastrejo@limpiezastrejo.com
Registry Tech ID:
Tech Name: Trejo Barrio Manuel
Tech Organization: N/A
Tech Street: Rekalde, 30 bajo
Tech City: Soraluze
Tech State/Province: not applicable
Tech Postal Code: 20590
Tech Country: ES
Tech Phone: +34.340000000
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: limpiezastrejo@limpiezastrejo.com
Name Server: ns2.comalis.net
Name Server: vps10037-cloud.comalis.net
DNSSEC: Unsigned
Registrar Abuse Contact Email: abuse@netissime.com
Registrar Abuse Contact Phone: +33.0974763926
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>>Last update of WHOIS database: 2015-06-09T09:13:56+0000Z
Registration Service Provided By: COMALIS