Apple: Order Number: 103993128
iTunes Store
Dear
Thank you for buying the following product on 18/01/2016
Product Name: F1-Pilot Premium(R)
Order Number: 103993128
Receipt Date: 18/01/2016
Order total: 14.02 EUR.
We hope that our tools and solutions have improved the way you do business this year.
If you did not authorize this purchase, please proceed with "Cancellation Form"
Cancel this Purchase
Phishing analysis :
CLICK : Cancel this Purchase
OPEN : https://directcabcall.com/dcc/cron/Update/login/
REDIRECT : http://https.paypatl.com.leodimiranda.com/nl/webapps/mf2f/home
Email analysis :
NOTE : Return-Path : < voveriukas@jml-group.lt >
NOTE : X-Php-Script : jml-group.lt/wp-content/files_mf/send.php for 105.108.42.181
NOTE : Received : from mail.ledinis.lt (mail.ledinis.lt. [109.235.64.119])
NOTE : Your Order Has Been Placed
Conclusion :
- iTunes Store phishing that turns into PayPal phishing (the redirect lands on the look-alike host paypatl.com.leodimiranda.com).
Hijacked websites :
directcabcall.com : owner : DIRECTCABCALL.COM@domainsbyproxy.com
leodimiranda.com : owner Irene Perrin / +61.386242485 / contact@myprivateregistration.com
jml-group.lt : UAB "Interneto vizija" / hostmaster@iv.lt
jml-group.lt : WordPress website / account voveriukas
ledinis.lt : UAB "Interneto vizija" / hostmaster@iv.lt
Phisher's origin :
IP : 105.108.42.181
Provider : Telecom Algeria
Country : Algeria
Latitude : 28
Longitude : 3
Friday, January 22, 2016
Sunday, January 10, 2016
Order
Greetings, Hope you are in the office, I want to know whether you sell Scrambler. Simply let me know the available sizes/models you have, or easily email me a link to look through. Also want to know the types of payment you accept. Hope to hear back from you soon.
Best Regards,
Bill Newman
Email analysis :
NOTE : gregwillson55@gmail.com
NOTE : Bill Newman
NOTE : Received : from 41-218-214-148-adsl-dyn.4u.com.gh
NOTE : (41-218-214-148-adsl-dyn.4u.com.gh. [41.218.214.148])
NOTE : by smtp.gmail.com
Scammer's last position :
Wednesday, October 28, 2015
New order 1320
Dear supplier,
Please find the attached purchase order and acknowledge the receipt.
We await your response with details.
Thanks,
Monica Paquette
Purchasing Manager.
JUBAILI TRADE COMPANY.
32107 Bad Salzuflen
Germany
T: +49-5208-9102-7523
F: +49-5208-9102-9054
M: +49 151 616023605
Web: www.ararmaturen.net
PO_FY6667544pdf.ace
PO_FY6667544pdf.ace analysis :
PO_FY6667544pdf.ace is a virus.
Virus analysis :
AVG : MSIL9.XGT
Ad-Aware : Gen:Variant.Kazy.758648
Arcabit : Trojan.Kazy.DB9378
BitDefender : Gen:Variant.Kazy.758648
ESET-NOD32 : a variant of MSIL/Kryptik.DZP
Emsisoft : Gen:Variant.Kazy.758648 (B)
F-Secure : Gen:Variant.Kazy.758648
GData : Gen:Variant.Kazy.758648
Ikarus : Trojan.MSIL.Crypt
Kaspersky : Trojan.MSIL.Inject.dbmu
MicroWorld-eScan : Gen:Variant.Kazy.758648
Microsoft : Trojan:Win32/Dynamer!ac
Sophos : Mal/DrodAce-A
TrendMicro : TSPY_GOLROTED.CP
TrendMicro-HouseCall : TSPY_GOLROTED.CP
Email analysis :
NOTE : monica.p@tech-center.com
NOTE : Received : from 210.195.249.3 (klg-58-154.tm.net.my [202.188.58.154])
NOTE : by cactus4.qatar.net.qa (Oracle Communications Messaging Exchange Server)
NOTE : does not designate 82.148.101.71 as permitted sender
Tuesday, October 27, 2015
Your account expires in less than 48 hours.
Hello,
please, kindly quote your best prices for our attached order. Your company came highly recommended for this order. For item No 1,4,6 & 7.. give your best prices for we wish to make a large order. Add me on Skype for detailed discussion
Awaiting your urgent confirmation
Thanks & Best Regards
NAZIR AHMED
PHONE: +92-222-633263, +92-222-617906,
FAX: +92-222-612877
Mobile : +92-300-3010717
EMAIL: info@almarryamint.com afintpk@yahoo.com
SKYPE: afintpk
subject...Order No. 1,4,6 & 7
ORDER.ace
File analysis :
ORDER.ace : virus.
ORDER.ace : Qihoo-360 : htm.faceliker.d.39
Email analysis :
NOTE : arabico2222@gmail.com
NOTE : Mime-Version : 1.0
NOTE : User-Agent : SquirrelMail/1.5.2 [SVN]
NOTE : Received : from march.alignhosting.com
NOTE : (march.alignhosting.com. [67.205.123.150])
NOTE : authenticated_id: info@stcotransport.com
Monday, October 12, 2015
Your order has been successfully processed
Hello,
Your order has been successfully processed and is Pending Setup.
*Click Here For Updates
Once setup is complete you will be automatically transferred to your new online system.
Thank you,
Payments Today
Scam analysis :
CLICK : Click Here For Updates
OPEN : http://www.optical-machinery.com/link.php?M=******&N=**&L=**&F=H
REDIRECT : http://www.damien-laurent.com/
SCREENSHOT :
Domain analysis :
Domain Name: damien-laurent.com
Registrar WHOIS Server: whois.regtons.com
Registrar URL: http://regtons.com
Creation Date: 2015-05-20T00:00:00Z
Registrar Registration Expiration Date: 2016-05-20T00:00:00Z
Registrar: GRANSY S.R.O D/B/A SUBREG.CZ
Registrar IANA ID: 1505
Registrar Abuse Contact Email: abuse@regtons.com
Registrar Abuse Contact Phone: +420.734463373
Registry Registrant ID: G-807567
Registrant Name: Domain Administrations Limited Domain Administrations Limited
Registrant Street: 597 Sandringham Rd
Registrant City: Auckland
Registrant Postal Code: 1025
Registrant Country: NZ
Registrant Phone: +64.93742415
Registrant Email: info@trading-platform-online.com
Registry Admin ID: G-807567
Admin Name: Domain Administrations Limited Domain Administrations Limited
Admin Organization:
Admin Street: 597 Sandringham Rd
Admin City: Auckland
Admin Postal Code: 1025
Admin Country: NZ
Admin Phone: +64.93742415
Admin Email: info@trading-platform-online.com
Registry Tech ID: G-807567
Tech Name: Domain Administrations Limited Domain Administrations Limited
Tech Organization:
Tech Street: 597 Sandringham Rd
Tech City: Auckland
Tech Postal Code: 1025
Tech Country: NZ
Tech Phone: +64.93742415
Tech Email: info@trading-platform-online.com
Name Server: gina.ns.cloudflare.com
Name Server: seth.ns.cloudflare.com
DNSSEC: unsigned
Domain Name: optical-machinery.com
Registry Domain ID: 1916902279_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.regtons.com
Registrar URL: http://regtons.com
Updated Date: 2015-08-04T00:00:00Z
Creation Date: 2015-04-06T00:00:00Z
Registrar Registration Expiration Date: 2016-04-06T00:00:00Z
Registrar: GRANSY S.R.O D/B/A SUBREG.CZ
Registrar IANA ID: 1505
Registrar Abuse Contact Email: abuse@regtons.com
Registrar Abuse Contact Phone: +420.734463373
Domain Status: ok
Registry Registrant ID: G-807567
Registrant Name: Domain Administrations Limited Domain Administrations Limited
Registrant Street: 597 Sandringham Rd
Registrant City: Auckland
Registrant Postal Code: 1025
Registrant Country: NZ
Registrant Phone: +64.93742415
Registrant Phone Ext: None
Registrant Email: info@trading-platform-online.com
Registry Admin ID: G-807567
Admin Name: Domain Administrations Limited Domain Administrations Limited
Admin Street: 597 Sandringham Rd
Admin City: Auckland
Admin State/Province:
Admin Postal Code: 1025
Admin Country: NZ
Admin Phone: +64.93742415
Admin Email: info@trading-platform-online.com
Registry Tech ID: G-807567
Tech Name: Domain Administrations Limited Domain Administrations Limited
Tech Organization:
Tech Street: 597 Sandringham Rd
Tech City: Auckland
Tech Postal Code: 1025
Tech Country: NZ
Tech Phone: +64.93742415
Tech Email: info@trading-platform-online.com
Name Server: ns.wedos.net
Name Server: ns.wedos.cz
Name Server: ns.wedos.eu
Name Server: ns.wedos.com
DNSSEC: unsigned
Email analysis :
NOTE : lucreuben@optical-machinery.com
NOTE : bounces@optical-machinery.com
NOTE : X-Php-Originating-Script : 0:email.php
NOTE : 37.157.193.32 (optical-machinery.com)
NOTE : Received : from vm16963 ([127.0.0.1]) by localhost
NOTE : (vm16963.wedos.net [127.0.0.1])
Tuesday, September 1, 2015
Rép : RFQ Confirmation (VIRUS)
Good day,
Pls find attached the Inquiry specification list, kindly send us quotation.
Thanks & Best Regards,
Sashi Ranjan Rath
osco Excellence
Tel 1 (i250) : 870 773210230
Tel 2 (FB250) : 870 773208568
Tel 3 (F-77) : 870 765 091 412
Tel 4 (F-77) : 870 765 091 411
Fax: 870 765091413
Sat C 1 (Tlx): 447703830
Sat C 2 (Tlx): 447703831
Email: ismaelcarrillo_zf@yahoo.com
Order 4223.zip
File analysis :
OPEN : Order 4223.zip
RESULT : File is a virus.
Virus analysis :
SHA256: 387b4893e924421f9e91f1ee2a938b9017fe30f3bfae07abbfbf0d1b121d98fa
Baidu-International : Adware.MSIL.iBryte.DFE
ESET-NOD32 : a variant of MSIL/Kryptik.DFE
Malwarebytes : Trojan.ZBAgent.RNDGen
Qihoo-360 : HEUR/QVM03.0.Malware.Gen
Rising : PE:Malware.Generic/QRS!1.9E2D[F1]
Sophos : Mal/Generic-S
Tencent : Win32.Trojan.Inject.Auto
Email analysis :
NOTE : stefano.sambucci@transpacific.com
NOTE : ismaelcarrillo_zf@yahoo.com
NOTE : Received : from so199-177.asiawhere.com (219.84.199.177)
NOTE : Received : from 41.190.2.39 ([41.190.2.39])
NOTE : by webmail.mimifund.com (Horde Framework)
NOTE : User-Agent : Internet Messaging Program (IMP) H3 (4.3.9)
NOTE : Return-Path : < stefano.sambucci@transpacific.com >
NOTE : X-No-Auth : unauthenticated sender
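A header triage routine in the spirit of the "Email analysis" notes on these posts (Return-Path versus From domain, the Received chain, the X-Php-Script header left by a web-hosting PHP script, X-No-Auth, and an SPF "does not designate ... as permitted sender" result). This is an added example, not code from the blog; the sample message is a constructed composite of header values quoted in the analyses above, and mx.example.invalid is a placeholder recipient host.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed composite sample: header values quoted in the analyses above,
# assembled into one message; mx.example.invalid is a placeholder recipient.
SAMPLE = """\
Return-Path: <voveriukas@jml-group.lt>
Received: from mail.ledinis.lt (mail.ledinis.lt. [109.235.64.119]) by mx.example.invalid
Received: from vm16963 ([127.0.0.1]) by localhost (vm16963.wedos.net [127.0.0.1])
X-Php-Script: jml-group.lt/wp-content/files_mf/send.php for 105.108.42.181
X-No-Auth: unauthenticated sender
Received-SPF: softfail (domain of apple.com does not designate 109.235.64.119 as permitted sender)
From: "iTunes Store" <no_reply@apple.com>

Thank you for buying the following product.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(msg):
    """(helo, reverse-dns, ip) per Received header, top (recipient) to bottom (sender)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m["helo"], m["rdns"].rstrip("."), m["ip"]))
    return hops

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    # Walk from the sender's end; a loopback hop is local script injection, so the first routable IP is the origin.
    external = [ip for _, _, ip in reversed(received_hops(msg))
                if not ipaddress.ip_address(ip).is_loopback]
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    script, script_client = msg.get("X-Php-Script", ""), None
    if script:  # hosting header: mail was sent by a PHP script, 'for <client ip>' of the caller
        m = re.search(r"\bfor\s+(\d{1,3}(?:\.\d{1,3}){3})", script)
        script_client = m[1] if m else None
        findings.append(f"sent by web script {script.split()[0]} for client {script_client}")
    if "unauthenticated" in msg.get("X-No-Auth", "").lower():
        findings.append("relay flagged the sender as unauthenticated (X-No-Auth)")
    spf = msg.get("Received-SPF", "").split(" ", 1)[0].lower()
    if spf in ("fail", "softfail"):
        findings.append(f"SPF {spf}: the sending host is not permitted for {from_dom}")
    return {"origin_ip": external[0] if external else None,
            "script_client_ip": script_client, "findings": findings}
```

On the sample this reports the last routable relay (109.235.64.119), the script caller 105.108.42.181 that the Apple post identifies as the phisher's origin, and four findings.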
Wednesday, December 10, 2014
Our Order
Hello,
Please, kindly find here our attached Order.
Do quote urgently with your best price after FOB.
Thanks & Regards
M. Saleem Petreaus
Contact : +7-21-36361868
Email : kuzminov_m@mail.ru
DP-PO.zip
OPEN : DP-PO.ZIP
CHECK : This is a DOCX
Email analysis :
NOTE : Mime-Version : 1.0
NOTE : Content-Type : multipart/mixed; boundary="=_***"
NOTE : Return-Path : < kuzminov_m@mail.ru >
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Received : from at1ce.de (s15446994.onlinehome-server.info. [87.106.216.247])
NOTE : Received : from 211.20.73.31 ([211.20.73.31])
NOTE : by webmail.chemos-group.com (Horde Framework)
NOTE : Message-Id : < *7@webmail.chemos-group.com >
NOTE : client-ip=87.106.216.247;
NOTE : User-Agent : Internet Messaging Program (IMP) H3 (4.3.11)
NOTE : Our Order
Thursday, April 3, 2014
Order Confirmation
Good afternoon!
We have received your order and will be processing it shortly. The details of the order are below:
Order Number: 117098
Amount: $326.42 USD
------------------------------------------------------
Order Details are in the attachment.
------------------------------------------------------
You will receive an email from us shortly once your account has been setup. Please quote your order reference number if you wish to contact us about this order.
< Invoice 2.04.zip >