Friday, November 17, 2017

Account status has been changed (invoice 02574) (PayPal Phishing)

Dear PayPal Customer ,

We detected something unusual about a recent sign-in for the PayPal account . For example, you might be signing in from a new location, device, or app.

To help keep you safe, we've blocked access to your PayPal account , Billing Info, and calendar for that sign-in. Please review your recent activity and we'll help you take corrective action. To regain access, you'll need to confirm that the recent activity was yours.

Review recent activity

Thanks,
The PayPal account team

Copyright© 1996-2017 PayPal.com, Inc. All right reserved

Email analysis :

NOTE : support@vweb12.nitrado.net
NOTE : Received : by vweb12.nitrado.net

Phishing screenshot :


Phishing analysis :

CLICK : Review recent activity
OPEN : www.update-service.clanonzj.beget.tech/
REDIRECT : http://www.update-service.clanonzj.beget.tech/*/login.php?cmd=_account-details&session=*
SCREENSHOT :


NOTE : FILL FAKE INFO
REDIRECT : http://www.update-service.clanonzj.beget.tech/*/Billing.php?cmd=_account-details&session=*&dispatch=*
SCREENSHOT :


NOTE : PayPal Phishing

Thursday, November 16, 2017

Netflix Promotion: 2 Free Months (78091) (Netflix Phishing)

Dear Customer: Registered Email - If you cannot see the image.
Show Images

Email analysis :

NOTE : ip-160-153-231-135.ip.secureserver.net
NOTE : www-data@ip-160-153-231-135.ip.secureserver.net
NOTE : Received : from ip-160-153-231-135.ip.secureserver.net
NOTE : (ip-160-153-231-135.ip.secureserver.net [160.153.231.135])

Phishing analysis :

CLICK : Exibir Imagens (Show Images)
OPEN : https://graficagibin.com.br/VELHO/beta/images/content/02/?
REDIRECT : https://graficagibin.com.br/loja/downloader/lib/Mage/Autoload/netflix/index.php
SCREENSHOT :


VALIDATE : FORM WITH WRONG EMAIL
REDIRECT : https://graficagibin.com.br/loja/downloader/lib/Mage/Autoload/netflix/payment.php?form=*.scr
SCREENSHOT :


CLICK : VISA
SCREENSHOT :


FILL : FAKE DATA
REDIRECT : https://graficagibin.com.br/loja/downloader/lib/Mage/Autoload/netflix/terminor.php?form=*.scr
SCREENSHOT :


REDIRECT : https://www.netflix.com/getstarted?locale=pt-BR&action=startAction

Friday, November 3, 2017

DHL Shipment Notification (Phishing)

Dear customers,

A package is coming your way through DHL Express, shipment is on transit and ready for tracking. You can request for tracking details .
Sender Account ending-> *****04291
For full tracking information please click here and follow the process.
Kindly keep the downloaded documents safe, we will need you to provide them
for confirmation before delivering your parcel.
For complaints or further support kindly contact our 24/7 support team .
With kind regards,
2017 © DHL International GmbH. All rights reserved.
DHL Worldwide Delivery ©

htytytytolop

Phishing screenshot :

Email analysis :

NOTE : pjatania@atulauto.co.in
NOTE : Received : from mail.atulauto.co.in ([27.54.160.78])


NOTE : Received : from atulauto.co.in (unknown [192.95.20.146])


NOTE : by mail.atulauto.co.in

Phishing analysis :

CLICK : click here
OPEN : http://workingin-visas.com.au/track/dhl/index.php?email=0
REDIRECT : http://workingin-visas.com.au/track/dhl/tracking.php?l=_JeHFUq_VJOXK0QWHtoGYDw_Product-UserID&userid=0
SCREENSHOT :

Tuesday, October 24, 2017

Hi User, you have 2 important invitations on your LinkedIn network

LinkedIn

These invitations are expiring this month.
Remember, each connection extends the reach of your network.

Dale Christel
CEO, Perm Mold Alum Castings and Machining at Watry Ind. 920-457-4886
Invitation expires: November 14
Yes, connect

Scott Fraser SIOR, CCIM
Senior Vice President at Kidder Mathews
Invitation expires: November 9
Yes, connect

See all invitations

Unsubscribe | Help
You are receiving Invitation emails.
This email was intended for LinkedIn user. Learn why we included this.
LinkedIn
© 2017 LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085. LinkedIn and the LinkedIn logo are registered trademarks of LinkedIn.

Email analysis :

NOTE : chair-e.business@meu.edu.jo
NOTE : X-Originating-Ip : [105.112.16.129]


Phishing screenshot :


Phishing analysis :

CLICK : Yes, connect
OPEN : https://pt-ipm.co.id/imcp2/wp-admin/includes/lm/js/i.php
REDIRECT : https://tachimitatape.co.id/xc/www.linkedin/53f12518b4dce443ab52eb662098f8cf/
SCREENSHOT :

please add me on your LinkedIn network (LinkedIn Phishing)

LinkedIn

Hi ,

Debbie Wilkes want to add you to their network

Debbie Wilkes
CEO,at Rio trade Business Group
USA:5,640 connection

Accept
View Profile

© 2017 LinkedIn Ireland Limited. LinkedIn, the LinkedIn logo, and InMail are registered trademarks of LinkedIn Corporation in the United States and/or other countries. All rights reserved.

You are receiving Invitation emails. Unsubscribe
This email was intended for you. Learn why we included this.

LinkedIn is a registered business name of LinkedIn Ireland Limited.
Registered in Ireland as a private limited company, Company Number 477441
Registered Office: 70 Sir John Roberson's Quay, Dublin 2

Email analysis :

NOTE : service-member@linkedln.com
NOTE : User-Agent : Roundcube Webmail/1.2.4
NOTE : X-Sender : LinkedInCorporation2017@service.net

Phishing screenshot :


Phishing analysis :

CLICK : View Profile
OPEN : http://yb82.myjino.ru/tt/linkedln/www.linkedin/Linkedin1/
SCREENSHOT :

Wednesday, October 18, 2017

New transaction (MyEtherWallet Phishing)

You have a new transaction on your Ethereum Wallet.

Login to check your balance:

https://mymyetherwallet.com/#view-wallet-info

Phishing screenshot :


Email analysis :

NOTE : vebj@striker.ottawa.on.ca
NOTE : Received : from static-186-121-254-194.acelerate.net
NOTE : (static-186-121-254-194.acelerate.net [186.121.254.194])


NOTE : allero@striker.ottawa.on.ca
NOTE : Received : from b1ebd3e6.virtua.com.br (unknown [177.235.211.230])


Phishing analysis :

CLICK : https://mymyetherwallet.com/#view-wallet-info
OPEN : https://mymyetherwallet.com/#view-wallet-info
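The lookalike domains in this sample (mymyetherwallet.com) and in the LinkedIn sample above (linkedln.com in the sender address, www.linkedin used as a path component on an unrelated host) can be caught mechanically before a user ever clicks. The script below is an added example written for this page, not code from the blog: the brand allowlist, the confusable-character rules and the sample indicators are constructed from the domains quoted on this page, and the two-label "registrable domain" rule is a deliberate simplification (a real deployment would use the Public Suffix List).

```python
from urllib.parse import urlparse

# Brands the organisation wants to protect (constructed allowlist for this example).
BRAND_DOMAINS = {
    "linkedin.com": "LinkedIn",
    "myetherwallet.com": "MyEtherWallet",
    "paypal.com": "PayPal",
    "dropbox.com": "Dropbox",
}

# Character sequences that look alike in common fonts; both sides collapse to one form,
# so "linkedln" (lowercase L for i) compares equal to "linkedin".
CONFUSABLE_RULES = (("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"))


def skeleton(text):
    """Collapse visually confusable characters into a canonical 'skeleton' string."""
    s = text.lower()
    for src, dst in CONFUSABLE_RULES:
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Plain edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host. Simplification: use the Public Suffix List in production."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_host(host):
    """Decide whether a host is a brand domain, a lookalike of one, or unrelated."""
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return {"verdict": "legitimate", "brand": BRAND_DOMAINS[reg], "reason": "registered brand domain"}
    label = reg.split(".")[0]
    for brand_domain, brand in BRAND_DOMAINS.items():
        brand_label = brand_domain.split(".")[0]
        if skeleton(label) == skeleton(brand_label):
            return {"verdict": "lookalike", "brand": brand, "reason": "confusable characters"}
        if levenshtein(label, brand_label) <= 1:
            return {"verdict": "lookalike", "brand": brand, "reason": "one edit away from brand"}
        if brand_label in label:
            return {"verdict": "lookalike", "brand": brand, "reason": "brand embedded in domain"}
    return {"verdict": "unrelated", "brand": None, "reason": "no brand match"}


def classify_url(url):
    """Classify the host of a URL; if it is not the brand itself, also look for the
    brand name hidden in the path (e.g. /www.linkedin/ on an unrelated host)."""
    parsed = urlparse(url)
    result = classify_host(parsed.hostname or "")
    result["host"] = parsed.hostname
    if result["verdict"] != "legitimate":
        path_skel = skeleton(parsed.path)
        for brand_domain, brand in BRAND_DOMAINS.items():
            if skeleton(brand_domain.split(".")[0]) in path_skel:
                result.update(verdict="lookalike", brand=brand, reason="brand name in URL path")
                break
    return result


def classify_sender(address):
    """Classify the domain part of an e-mail address."""
    domain = address.rsplit("@", 1)[-1]
    result = classify_host(domain)
    result["host"] = domain
    return result


# Constructed test inputs, taken from the indicators quoted on this page.
SAMPLES = (
    ("sender", "service-member@linkedln.com"),
    ("url", "https://mymyetherwallet.com/#view-wallet-info"),
    ("url", "http://yb82.myjino.ru/tt/linkedln/www.linkedin/Linkedin1/"),
    ("url", "https://www.linkedin.com/start"),
)

if __name__ == "__main__":
    for kind, value in SAMPLES:
        r = classify_sender(value) if kind == "sender" else classify_url(value)
        print(f"{r['verdict']:10} {r['brand'] or '-':14} {r['reason']:26} {value}")
```

The three checks are ordered from strongest to weakest signal: a skeleton match is near-certain, a single edit is strong, and "brand embedded in domain" is the noisiest (legitimate third parties sometimes embed a brand name), so in a mail gateway the last rule is better used to raise a score than to block outright.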

Friday, October 13, 2017

You have a new message (Société Générale Phishing)

Hello,

You have (1) new messages in your mailbox.
Check your mailbox by clicking the link below:

(Consultezhici)

Thank you for your trust.

Email analysis :

NOTE : info@societegenerale.fr
NOTE : Return-Path : < apache@admiral.anchor.net.au >
NOTE : X-Remote : 202.4.239.210 (admiral.anchor.net.au)


NOTE : Mime-Version : 1.0
NOTE : Received : from admiral.anchor.net.au (admiral.anchor.net.au [202.4.239.210])
NOTE : Received : by admiral.anchor.net.au (Postfix, from userid 48)
NOTE : Vous avez un nouveau message

Phishing screenshot :


Phishing analysis :

CLICK : (Consultezhici)
OPEN : starrdental.com/html/websms/index.htm
RESULT : Unresponsive
RESULT : Phishing attempt.

Thursday, October 12, 2017

Richard Gross's invitation is waiting for your response (LinkedIn Phishing)

LinkedIn
Richard Gross invited you to connect 3 days ago.

Accept

View Invitation

Richard Gross
CEO at HOC Trading LLC
More people who want to connect with you

Frank White
CONTRACTOR

View Message Here

Unsubscribe | Help
You are receiving LinkedIn notification emails.
This email was intended for User. Learn why we included this.
LinkedIn
© LinkedIn. Mailing address: Room 817, 18F, Building 18, #1 DiSheng Bei Road, Bejing Yizhuang Development Area, China. LinkedIn and the LinkedIn logo are registered trademarks of LinkedIn.

Email analysis :

NOTE : chair-curricula@meu.edu.jo
NOTE : X-Originating-Ip : [105.112.23.133]


Phishing screenshot :



Phishing analysis :

CLICK : ACCEPT
OPEN : https://maralspa.cl/LNKD/i.php
REDIRECT : https://lincoln-institute.com.ar/img/logos/www.linkedin/5e48c0aef72e80880ea2117442efdb31/
SCREENSHOT :


VALIDATE : FORM
REDIRECT : https://lincoln-institute.com.ar/img/logos/www.linkedin/5e48c0aef72e80880ea2117442efdb31/index2.html
SCREENSHOT :


VALIDATE : FORM
REDIRECT : https://www.linkedin.com/start
SCREENSHOT :

Tuesday, October 10, 2017

During your last purchase (Société Générale Phishing)

Membership: Make your request online by clicking here

Email analysis :

NOTE : Received : from 5.62.57.67 (IP may be forged by CGI script)
NOTE : by infong73.kundenserver.de
NOTE : Return-Path : < noreply@nrj.fr >
NOTE : noreply@nrj.fr
NOTE : X-Mailer : PHPMailer [version 1.73]
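The header notes in this sample and in the Société Générale sample above show the same pattern: a From address in the bank's domain, while the envelope sender and the Received chain point at an unrelated web host, with the MTA itself warning that the client IP may be forged by a CGI script, a Postfix local submission ("from userid 48") and a PHPMailer X-Mailer line. The script below is an added example for this page, not the blog's own tooling: it reassembles those quoted indicators into two constructed header blocks (the "by mx.example.net" hop is a placeholder for the receiving server, which the page does not show) and runs the triage checks an analyst does by hand.

```python
import email
import re

# Constructed header excerpts, assembled from the indicators quoted in the two
# Société Générale samples on this page. "mx.example.net" is a placeholder hop.
SAMPLE_SOCGEN = """\
From: info@societegenerale.fr
Return-Path: <apache@admiral.anchor.net.au>
Received: from admiral.anchor.net.au (admiral.anchor.net.au [202.4.239.210]) by mx.example.net
Received: by admiral.anchor.net.au (Postfix, from userid 48)
Subject: Vous avez un nouveau message
"""

SAMPLE_NRJ = """\
From: noreply@nrj.fr
Return-Path: <noreply@nrj.fr>
Received: from 5.62.57.67 (IP may be forged by CGI script) by infong73.kundenserver.de
X-Mailer: PHPMailer [version 1.73]
Subject: Lors votre dernier achats
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
# Host names after "from" / "by"; the dot requirement skips "from userid 48".
HOP_RE = re.compile(r"\b(?:from|by)\s+([\w-]+(?:\.[\w-]+)+)")


def registrable(host):
    """Last two labels of a host. Simplification: use the Public Suffix List in production."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def domain_of(value):
    """Domain part of the first e-mail address in a header value, or None."""
    m = ADDR_RE.search(value or "")
    return m.group(1).lower() if m else None


def triage(raw_headers):
    """Return sender domains, originating IP, hop list and a list of findings."""
    msg = email.message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    findings = []

    # 1. Envelope sender (Return-Path) versus the displayed From domain.
    if from_dom and rp_dom and registrable(from_dom) != registrable(rp_dom):
        findings.append({"code": "envelope_mismatch",
                         "detail": f"Return-Path domain {rp_dom} differs from From domain {from_dom}"})

    # 2. Walk the Received chain from the origin (last header) to the last hop (first header).
    hops = []
    originating_ip = None
    for hop in reversed(received):
        hops.extend(h.lower() for h in HOP_RE.findall(hop))
        if originating_ip is None:
            ips = IP_RE.findall(hop)
            if ips:
                originating_ip = ips[0]
        if "forged" in hop.lower():
            findings.append({"code": "forged_ip_note",
                             "detail": "receiving MTA marked the client IP as possibly forged by a CGI script"})
        if re.search(r"from userid \d+", hop):
            findings.append({"code": "local_injection",
                             "detail": "handed to Postfix by a local process ('from userid'): generated by a "
                                       "script on that host, not relayed from a mail client"})

    # 3. Did the message pass through any host in the domain the From header claims?
    if from_dom:
        claimed = registrable(from_dom)
        if not any(h == claimed or h.endswith("." + claimed) for h in hops):
            findings.append({"code": "no_sender_hop",
                             "detail": f"no Received hop is inside {claimed}"})

    # 4. Web-application mailers are a weak but useful signal on mail claiming to be from a brand.
    mailer = msg.get("X-Mailer") or msg.get("User-Agent")
    if mailer:
        findings.append({"code": "web_mailer", "detail": f"sent with {mailer}"})

    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "originating_ip": originating_ip, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("Société Générale", SAMPLE_SOCGEN), ("nrj.fr", SAMPLE_NRJ)):
        report = triage(sample)
        print(f"{name}: originating IP {report['originating_ip']}, hops {report['hops']}")
        for f in report["findings"]:
            print(f"  [{f['code']}] {f['detail']}")
```

The "no_sender_hop" check is the one that survives even when the envelope sender is made to match the From address, as in the nrj.fr sample: whoever controls the script can set both addresses, but cannot make the mail originate inside the claimed domain's infrastructure. Received headers below the first trusted hop can themselves be forged, so the originating IP is only as reliable as the MTA that recorded it.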

Phishing screenshot :


Phishing analysis :

CLICK : Faite votre demande en ligne en cliquant-ici (Make your request online by clicking here)
OPEN : http://hinsorn.ac.th/obeclms/osita/
REDIRECT : http://seraylv3.beget.tech/near/sg/ce18c0b32e0328aa61d8c9d10b1f34c6/
SCREENSHOT :


SPOOFED EMAIL : noreply@nrj.fr

Hi User, I sent you message on your LinkedIn network (LinkedIn Phishing)

Information from scam.cz :

- This LinkedIn phishing campaign is also sent with other email templates.
- It uses the same phishing link as this sample.


Email analysis :

NOTE : dir-finance@meu.edu.jo
NOTE : X-Originating-Ip : [105.112.16.77]

Hi User, Ahmed Kinawy invitation is awaiting your response. (LinkedIn Phishing)

LinkedIn
Ahmed Kinawy wants to add you to their network

mahmoud ahmed
Ahmed Kinawy
CEO at RIOTRADE BUSINESS GROUP
Dubai:· 5,640 connections
Accept Ahmed's invitation

LinkedIn is a social network and online platform for professionals. Learn More
Unsubscribe | Help

You are receiving Invitation emails. LinkedIn will use your email address to make suggestions to our members in features like People You May Know.
This email was sent to you.
LinkedIn

© 2017 LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2. LinkedIn is a registered business name of LinkedIn Ireland Unlimited Company. LinkedIn and the LinkedIn logo are registered trademarks of LinkedIn.

Email analysis :

NOTE : hsmuisem@meu.edu.jo
NOTE : Received : from [172.20.10.3] (105.112.24.147)


Phishing screenshot :


Phishing analysis :

CLICK :
OPEN : https://florenciaeventos.com.ar/jkk/i.php
REDIRECT : https://florenciaeventos.com.ar/Lin/www.linkedin/c393e7e29942131cf98a4f0aecb5c2a2/
SCREENSHOT :


FILL : FORM
REDIRECT : https://florenciaeventos.com.ar/Lin/www.linkedin/c393e7e29942131cf98a4f0aecb5c2a2/index2.html
SCREENSHOT :

Thursday, October 5, 2017

Your Apple ID: Access from new web or mobile device (Apple ID Phishing)

Dear Apple Customer,

This email was generated because of a login attempt from a web or mobile device located at 88.190.229.170 (FR). The login attempt included your correct Apple ID and password. The Apple ID Guard is required to complete the login. No one can access your account without also accessing this email. You are unable to access your account. Please use this account specific recovery link for assistance recovering your account.

Recovering my account

Thanks,
The Apple Team
https://support.apple.com

TM and copyright © 2017 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID

Email analysis :

NOTE : Return-Path : < f@node02.facesharedasia1.com >
NOTE : Return-Path : f@node02.facesharedasia1.com
NOTE : Mime-Version : 1.0
NOTE : Content-Type : multipart/alternative; boundary="===============1462413996=="
NOTE : Received-Spf : client-ip=216.127.151.37;
NOTE : Received : from WIN-6Q15KS5IKGJ ([216.127.151.37])


NOTE : Received : from [38.121.232.25]


NOTE : Your Apple ID: Access from new web or mobile device

Phishing analysis :

CLICK : Recovering my account
OPEN : https://pmb.stiemmamuju.ac.id/index1.html
REDIRECT : http://inboxaus.com/apple/627f3b5930cd81c983453025ffe207da/login.php?ip=*
SCREENSHOT :


VALIDATE : FORM
REDIRECT : http://inboxaus.com/apple/627f3b5930cd81c983453025ffe207da/suspended.php?ip=*
SCREENSHOT :


CLICK : Confirm My Account
REDIRECT : http://inboxaus.com/apple/627f3b5930cd81c983453025ffe207da/personal.php?ip=*

Tuesday, September 19, 2017

Add me on Linkedln (LinkedIn Phishing Attempt)

LinkedIn
Ahmed Kinawy wants to add you to their network

mahmoud ahmed
Ahmed Kinawy
CEO at LAKHRAIM BUSINESS GROUP
Dubai:· 5,640 connections
Accept Ahmed's invitation

LinkedIn is a social network and online platform for professionals. Learn More
Unsubscribe | Help

You are receiving Invitation emails. LinkedIn will use your email address to make suggestions to our members in features like People You May Know.
This email was sent to you.
LinkedIn

© 2017 LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2. LinkedIn is a registered business name of LinkedIn Ireland Unlimited Company. LinkedIn and the LinkedIn logo are registered trademarks of LinkedIn.

Email analysis :

NOTE : Jnsour@meu.edu.jo
NOTE : client-ip=104.47.0.219;


Phishing analysis :


CLICK : Accept Ahmed's invitation
OPEN : http://www.bristolflying.co.uk/wp-includes/js/wp-admin/Linkedln/
NOTE : ERROR.
NOTE : Phishing attempt.

please add me on your LinkedIn network (LinkedIn Phishing)

Hi, Mohamed El Wahab sent message on your LinkedIn network

Mohamed El Wahab

CHIEF EXECUTIVE at LLC TRADING IMP & EXP TRADE CO.,LTD
Dubai, UAE.
Connected in August 2017

View Message Here

2017 LinkedIn Ireland Limited. LinkedIn, the LinkedIn logo, and InMail are registered trademarks of LinkedIn Corporation in the United States and/or other countries. All rights reserved.

You are receiving Activity You Missed emails. Unsubscribe
This email was intended for you (owner). Learn why we included this.

LinkedIn is a registered business name of LinkedIn Ireland Limited.
Registered in Ireland as a private limited company, Company Number 477441
Registered Office: Wilton Plaza, Wilton Place, Dublin 2, Ireland

Email analysis :

NOTE : LinkedInCorporation2017@service.net
NOTE : linkedin-service@noreply.com
NOTE : User-Agent : Roundcube Webmail/1.2.4
NOTE : Received : from localhost (HELO webmail.sai.org.in)

Phishing analysis :


CLICK : View Message Here
OPEN : http://ramonbmejia.myjino.ru/mejia/linnkedin/www.linkedin/Linkedin1/


VALIDATE : FORM
SCREENSHOT :


VALIDATE : FORM
REDIRECT : https://www.linkedin.com/start
SCREENSHOT :

Tuesday, September 12, 2017

Please verify your email address *

The Dropbox logo

Hi *,

We just need to verify your email address before your sign up is complete!

Verify your email

Happy Dropboxing!

Email analysis :

NOTE : Received : from customer-PUE-207-103.megared.net.mx (unknown [177.245.207.103])


NOTE : verify@dropbox.com
LINK : http://floraisdobrasil.com.br/dropbox.html

NOTE : Received : from 189.89.7.60.telesa.com.br (unknown [189.89.7.60])


NOTE : verify@dropbox.com
LINK : http://basedow-bilder.de/dropbox.html

Phishing analysis :

CLICK : Verify your email
OPEN : http://floraisdobrasil.com.br/dropbox.html
SCREENSHOT :


CLICK : Verify your email
OPEN : http://basedow-bilder.de/dropbox.html
SCREENSHOT :


REDIRECT : http://wittinhohemmo.net/drop.php

OPEN : http://wittinhohemmo.net/drop.php
DOWNLOAD : Dropbox-MSGCODE-*.js
RESULT : Dropbox-MSGCODE-*.js is a virus

Virus analysis :

Arcabit HEUR.JS.Trojan.ba
Avira HTML/ExpKit.Gen2
Baidu JS.Trojan-Downloader.Nemucod.yo
Cyren JS/Agent.AAO1!Eldorado
F-Prot JS/Agent.AAO1!Eldorado
Qihoo-360 virus.js.qexvmc.1075
Rising Malware.Undefined!8.C (cloud:CVrV9ZfawJI)
Symantec JS.Downloader.D
TrendMicro Possible_Cerber-JS03b1
TrendMicro-HouseCall Possible_Cerber-JS03b1
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic

Conclusion :

Virus stored for analysis...