Tuesday, January 26, 2016

Confirmation (PayPal Phishing)

Phishing analysis :

CLICK : ACTIVATE ACCOUNT
OPEN : http://stupendorecords.com/tmp/
NOTE : Phishing was removed.

Email analysis :

NOTE : Content-Type : text/html
NOTE : Mime-Version : 1.0
NOTE : X-Sender : p215080
NOTE : Return-Path : < info@storytellingmasterclass.de >
NOTE : Received : from emita.mittwald.de (emita.mittwald.de. [188.94.250.251])

NOTE : Received : from ovm4870 (ovm4870.internal [172.16.36.177])
NOTE : by emita.mittwald.de (Postfix)
NOTE : client-ip=188.94.250.251;
NOTE : smtp.mailfrom=info@storytellingmasterclass.de
NOTE : Confirmation
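
As an added example (not code from the original post), the headers quoted above reassembled into a constructed message and checked in Python: the Received chain is walked to confirm that each relay's "by" host is the next hop's "from" and to find where the message originated, and the From display name is compared with the header and envelope domains. The envelope sender and the relay here belong to the hijacked hosting account rather than to PayPal, so the gap between the claimed brand and the real domains is the useful signal. The From line, the receiving host mx.example.invalid and the queue ids are assumptions; the post does not show them.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers from the fields quoted in this post (Return-Path, the two Received hops,
# Subject); the From line, receiving host mx.example.invalid and queue ids are assumptions.
RAW_HEADERS = """\
Return-Path: <info@storytellingmasterclass.de>
Received: from emita.mittwald.de (emita.mittwald.de. [188.94.250.251])
        by mx.example.invalid with ESMTPS id PLACEHOLDER1
Received: from ovm4870 (ovm4870.internal [172.16.36.177])
        by emita.mittwald.de (Postfix) with ESMTP id PLACEHOLDER2
From: "PayPal" <info@storytellingmasterclass.de>
Subject: Confirmation
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Parse Received headers in header order: most recent relay first, origin last."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            ip = IP_RE.search(m.group("info"))
            hops.append({"helo": m.group("helo").rstrip("."), "by": m.group("by").rstrip("."),
                         "ip": ip.group(1) if ip else None})
    return hops

def assess(raw, brand="paypal"):
    """Findings that separate the claimed sender from the path the message took."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    findings = []
    if brand in display.lower() and brand not in from_dom:
        findings.append(f"display name claims {brand} but From domain is {from_dom}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    hops = received_hops(raw)
    for later, earlier in zip(hops, hops[1:]):  # each relay's "by" must be the next hop's "from"
        if later["helo"] != earlier["by"]:
            findings.append(f"chain break: {earlier['by']} handed off to {later['helo']}")
    if hops and hops[-1]["ip"] and ipaddress.ip_address(hops[-1]["ip"]).is_private:
        findings.append(f"origin hop {hops[-1]['helo']} ({hops[-1]['ip']}) is inside the relay's own network")
    return findings
```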

Hijacked websites :

stupendorecords.com : David Lopez Gausa / david@davidgausa.com / +34.34943894304
mittwald.de : Mittwald Hostmaster / +49.5772293100

Sunday, January 10, 2016

[Alert] Confirm Your PayPal Account

Your PayPaI account has been Iimited because we've noticed significant changes in your account activity. As your payment processor, we need to understand these changes better.

This account Iimitation will affect your ability to:

send or receive money
withdraw money
Also, you won't be able to:

remove any bank accounts
remove credit cards
close your account
What to do next

Please log in to your PayPaI account and provide the requested information before January 30, 2016 through the Account Review. If we don't receive the information before this deadline or we notice additional significant changes in your account activity, your account access may be further Iimited.

Log In Now

Thank you for your understanding and cooperation. If you need further assistance, please click Contact at the bottom of any PayPaI page.

Sincerely,

PayPaI

Copyright © 1999-2016 PayPaI. All rights reserved. PayPaI (Europe) S.à r.l. et Cie, S.C.A., Société en Commandite par Actions. Registered office: 22-24 Boulevard Royal, L-2449, Luxembourg, R.C.S. Luxembourg B 118 349.

PayPaI PPC000264:34ab11782e4b2

Phishing analysis :

CLICK : Log In Now
OPEN : http://bit.ly/1mwq0SS
REDIRECT : http://www.incaltaminte-mopiel.ro/redi.php
REDIRECT : http://2016.paypal.com.login.innovandosistemas.com.mx/home//
NOTE : Phishing was removed but the bit.ly is still alive.

Whois innovandosistemas.com.mx :

Name: Amanda Patricia Sabino Castro
City: Mexico
DNS: ns143.neubox.net
DNS: ns144.neubox.net

Whois incaltaminte-mopiel.ro :

NAME : incaltaminte-mopiel.ro
DATE : 2005-06-27 00:00:00
DNS : ns1.incaltaminte-mopiel.ro
DNS : ns2.incaltaminte-mopiel.ro
REGISTRANT : S.C. Mopiel S. R. L.
ADDRESS : Str. Victoriei, Bl. A2, Et. 8, Ap. 32
ADDRESS : Rm. Sarat, Buzau
CITY : Sarat
POSTAL : 125300
COUNTRY : ROMANIA
PHONE : +40-238-406342
EMAIL : mopielincaltaminte@gmail.com

Email analysis :

NOTE : info.pay@email.com
NOTE : Received : from [104.255.69.132]
NOTE : (port=63861 helo=[192.168.1.31])
NOTE : by srv.incaltaminte-mopiel.ro

Scammer's last position :

Wednesday, December 2, 2015

Online Account Notification (Paypal Phishing)

Dear User

By limiting the access to your account, our security team have blocked unusual charges to a credit-card linked to your account.

By providing some information in regards to your account, our Account Review Team will try to resolve the issue as soon as possible.

PayPal may limit your account as a security measure to protect you and your account. Access limitation is taken as a precaution.

PayPal have provided a form (see attachment) to verify your account. You may download and fill in the form.

Our security team will immediately review the information you have provided, and your account should be restored back to normal.

We would like to thank you for your attention to this matter.

Sincerely,
PayPal

form.html

File analysis :

OPEN : form.html
DETECT : Sophos (Mal/Phish-A)

File opening :

The script inside the file was hex-encoded, so it was decoded with ddecode (results link below):

http://ddecode.com/hexdecoder/?results=66079ae734cbda3f7abffa23e3341be4

var _0x13632f = "7ef141717f6e9bc4ea6a159fc074bf7e.php";
var _0x17dd=["http://www.my-ads-network.net/"];

my-ads-network.net whois :

Tech Email: 8F0090A44FFA46A2B0CAA72F917439C7.PROTECT@WHOISGUARD.COM
Name Server: BLOCKEDDUETOPHISHING.PLEASECONTACTSUPPORT.COM
Name Server: DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM

Email analysis :

NOTE : members@systems.com
NOTE : X-Terrace-Classid : Terrace Spam system

Thursday, June 25, 2015

Attention! Your PayPal account has been limited!

paypal

We have restricted access to your paypal account

Hello,

As part of our security measures, we regularly check activity on the paypal screen. We have requested information from you for the following reason:

Please proceed as follows to resolve the problem. (Case nPP-916-493-345)

This is the last reminder to log in to paypal. Once you are logged in, paypal will provide you with steps to restore access to your account.

Once logged in, follow the steps to activate your account. We thank you for your understanding while we work to ensure account security.

The procedure is very simple:

Click the link below to open a secure browser window.
C0nfirm that you are indeed the account holder and follow the instructions.

Access Your Account

Once logged in, follow the steps to activate your account.

Regards,
paypal

Help|Security Center
Copyright © 2015 paypal. All rights reserved.

Phishing analysis :

CLICK : Access Your Account
OPEN : http://horticultureweb.net/modules/fr/PayPal.fr/
RESULT : Was removed...

Email analysis :

NOTE : paypal@intI.service.fr
NOTE : Received : from eenamail by seven.edukahosting.be with local (Exim 4.80)
NOTE : (envelope-from < eenamail@seven.edukahosting.be >)
NOTE : Received : from seven.edukahosting.be (95.211.2.10)
NOTE : Return-Path : < eenamail@seven.edukahosting.be >
NOTE : Sender Address Domain - seven.edukahosting.be

Monday, May 18, 2015

Account Review (Paypal Phishing)

Dеаг Vаluеd ΜеmЬег,

Wе аѕκ fοг уοuг tіmе tο сагеfullу геаd thіѕ nοtіfісаtіοn ѕеnt Ьу οuг Αссοunt Rеνіеw Τеаm.

Оuг ѕесuгіtу ѕуѕtеm hаѕ Ьlοсκеd unuѕuаl сhагgеѕ tο а сгеdіt сагd lіnκеd tο уοuг ассοunt.

Αn іntгuѕіοn іntο уοuг ассοunt hаѕ Ьееn dеtесtеd whісh ѕhοwѕ thаt ѕοmеοnе tгіеd tο ассеѕѕ уοuг ΡауΡаl ассοunt wіthοut уοuг ρегmіѕѕіοn. wе hаνе lіmіtеd ассеѕѕ tο уοuг ассοunt duе tο thіѕ ρгοЬlеm. Μοгеονег, wе hаνе ѕеnt уοu аn аttасhmеnt whісh сοntаіnѕ аll thе nесеѕѕагу ѕtеρѕ іn οгdег tο геѕtοге уοuг ассοunt ассеѕѕ. Ρlеаѕе dοwnlοаd аnd ορеn іt іn уοuг Ьгοwѕег.

Ρlеаѕе dο undегѕtаnd thаt thіѕ іѕ а ѕесuгіtу mеаѕuге tаκеn wіth іntеntіοn tο ρгοtесt уοu аnd уοuг ассοunt. Wе аροlοgіzе fοг аnу іnсοnνеnіеnсе.

Ѕіnсегеlу,
ΡауΡаl Αссοunt Rеνіеw Τеаm
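
As an added example (not from the original post), a Python check for the two substitution tricks seen in this message and in the January 10 one: look-alike characters from other scripts (the text above) and a Latin capital I standing in for l ("PayPaI", "Iimited"). Words are folded through a small hand-built confusables table and reported when they reach a brand name only through that folding, mix scripts, or are written entirely in a foreign script yet fold to plain ASCII. The confusables table and the sample strings are constructed for this example; SAMPLE_MIXED is copied from the message above.

```python
import unicodedata

# Hand-built look-alike table in the spirit of Unicode TR39 confusables, limited to the
# Cyrillic, Greek, digit and capital-I substitutions seen in the messages quoted on this
# page; it is constructed for this example, not taken from the original post.
CONFUSABLES = {
    # Cyrillic lowercase -> Latin
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x", "і": "i",
    "ѕ": "s", "ј": "j", "г": "r", "һ": "h", "ԁ": "d", "ԝ": "w", "Ь": "b",
    # Cyrillic and Greek capitals -> Latin
    "А": "A", "В": "B", "Е": "E", "К": "K", "М": "M", "Н": "H", "О": "O", "Р": "P",
    "С": "C", "Т": "T", "Ѕ": "S", "Α": "A", "Ρ": "P", "Τ": "T", "Μ": "M", "Ο": "O",
    # Greek lowercase -> Latin
    "ο": "o", "ρ": "p", "ν": "v", "κ": "k",
    # Latin-internal look-alikes: capital I and digit 1 for l, digit 0 for o
    "I": "l", "1": "l", "0": "o",
}

def skeleton(text):
    """Fold look-alikes to ASCII and lowercase; for comparison only, never for display."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", text)).lower()

def scripts(token):
    """Script names (first word of each Unicode character name) of the token's letters."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in token if ch.isalpha()}

def analyze(text, brands=("paypal",)):
    """Report words that reach a brand only through look-alikes, and mixed-script words."""
    findings = []
    for word in text.split():
        token = word.strip(".,;:!?()<>\"'")
        if not any(ch.isalnum() for ch in token):
            continue
        folded, used = skeleton(token), scripts(token)
        brand = next((b for b in brands if b in folded), None)
        foreign = bool(used - {"LATIN"})
        # A brand spelled in plain Latin letters is not reported. A brand reached only by
        # folding is, and so is any word that mixes scripts or is written entirely in a
        # foreign script yet folds to pure ASCII (the whole-script confusable case).
        if (brand and folded != token.lower()) or (foreign and (len(used) > 1 or folded.isascii())):
            findings.append({"word": token, "folded": folded, "brand": brand,
                             "scripts": sorted(used)})
    return findings

# Constructed samples: the first is typed in plain ASCII after the January 10 message
# (capital I standing in for l); the second is copied from the May 18 message above.
SAMPLE_LATIN = "Your PayPaI account has been Iimited because we've noticed significant changes"
SAMPLE_MIXED = "ѕοmеοnе tгіеd tο ассеѕѕ уοuг ΡауΡаl ассοunt wіthοut уοuг ρегmіѕѕіοn."
```

Plain "PayPal" in Latin letters is not reported, so the check can run over whole message bodies without flagging every capital I in ordinary English.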

Email analysis :

NOTE : accounts@paypp.com
NOTE : Received : from 217.130.138.81
NOTE : ([61.145.165.120]) by avanza.vsf.es
NOTE : accounts@payal.com
NOTE : Received : from 191.237.3.86
NOTE : ([203.158.140.84]) by lanteria.com

Open file :

NOTE : Open file called pp_verifcation.html
NOTE : Obtain a link http://www.linksec.su/s.php
NOTE : Obtain an image http://linku/~ultraele/system/btn_main_1x50.gif

Whois linksec.su :

domain: LINKSEC.SU
nserver: ns1.colaburgerdns.com.
nserver: ns2.colaburgerdns.com.
nserver: ns3.colaburgerdns.com.
nserver: ns4.colaburgerdns.com.
state: REGISTERED, DELEGATED
person: Private Person
e-mail: rawixidawax@hotmail.com
registrar: R01-REG-FID
created: 2015.03.23
paid-till: 2016.03.23
free-date: 2016.04.25
source: TCI
Last updated on 2015.05.18 07:16:31 MSK

rawixidawax@hotmail.com analysis :

DOMAIN : 3Dfilms.su
DOMAIN : fe-cc.su
DOMAIN : fe-cc-market.su
DOMAIN : fe-ccshop.su
DOMAIN : fedumps.su
DOMAIN : javaupdater-server23.su
DOMAIN : kontokontrolle.su
DOMAIN : oxjefy.su
DOMAIN : shadowdrops.su