Saturday, May 13, 2017

Debt notification, "Notification de la dette" (Banque de France phishing)

You have debts.
You can download more information via this LINK

If you have any questions you can call the numbers shown on our website

Thank you in advance,

Sacha Pierre
Customer Relations Specialist
BANQUE DE FRANCE
Tel.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : banque@banque-france.fr
NOTE : gvbev@fulda170.server4you.de
NOTE : client-ip=62.75.219.171;


NOTE : LINK : http://ascomnotizie.confcommerciocremona.it/edizioni/2013/Settembre/mp3/config/page5.html
NOTE : Downloads a virus "facture.zip", then redirects to the Banque de France site.
NOTE : https://www.banque-france.fr/
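Each "Email analysis" on this page compares the displayed From address with the server that actually handed the message over. As an added example (not the blog's own tooling), this Python script performs that comparison on a constructed header set modelled on the notes above, flags the sender-domain mismatch and collects the public relay IPs; the hostnames, IDs and body text in the sample are assumptions, not the real mail.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the header notes above; not the real message.
SAMPLE = """From: "BANQUE DE FRANCE" <banque@banque-france.fr>
Return-Path: <gvbev@fulda170.server4you.de>
Received: from fulda170.server4you.de (fulda170.server4you.de [62.75.219.171])
 by mx.example.invalid (Postfix) with ESMTP id ABC123
Received: from [192.168.176.198] by inbox.example.invalid
Authentication-Results: mx.example.invalid; spf=none
 smtp.mailfrom=fulda170.server4you.de; client-ip=62.75.219.171;
Subject: Notification de la dette

Vous avez les dettes.
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def domain_of(addr_header):
    """Domain part of an address header such as From or Return-Path, lower-cased."""
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()

def is_global(ip):
    """True for routable addresses; RFC1918 hops like 172.16.x.x are internal noise."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def public_ips(msg):
    """Public IPs from Received / X-Originating-Ip / Authentication-Results, first seen first."""
    found = []
    for name in ("Received", "X-Originating-Ip", "Authentication-Results"):
        for value in msg.get_all(name, []):
            for ip in IP_RE.findall(str(value)):
                if is_global(ip) and ip not in found:
                    found.append(ip)
    return found

def analyse(raw):
    """Compare the displayed From domain with the envelope domain and list relay IPs."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    mismatch = bool(env_dom) and env_dom != from_dom and not env_dom.endswith("." + from_dom)
    return {"from_domain": from_dom, "envelope_domain": env_dom,
            "mismatch": mismatch, "ips": public_ips(msg)}
```

Running `analyse(SAMPLE)` reports the banque-france.fr display domain against the server4you.de envelope domain and keeps only 62.75.219.171, dropping the private hop.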

The title of the phishing can also be "L'avis de Banque de France sur facturation" (Banque de France billing notice) with different content :

Hello!

You have received a new invoice
The invoice to be paid can be viewed via this LINK

If you have any questions you can call us.

Yours faithfully,

Patrice Salmon
Customer Relations Specialist
BANQUE DE FRANCE
Tel.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : infos@banque-france.fr
NOTE : www-data@vs186078.vserver.de
NOTE : Received : from www-data by vs186078.vserver.de


NOTE : LINK : http://deko-studio.ru/templates/jblank/html/com_contact/categories/content2.html
NOTE : The phishing page is unresponsive.

The title of the phishing can also be "Notification du paiement" (Payment notification) with different content :

Dear customer!

We are informing you of an existing debt
You can download more information via this LINK

If you have any questions you can call us.

Best wishes,

Aubin Pascal
Customer Relations Specialist
BANQUE DE FRANCE

Email analysis :

NOTE : apache@vps11617909.123-vps.co.uk
NOTE : Received : by vps11617909.123-vps.co.uk


NOTE : LINK : http://rolkatravel.ru/includes/Archive/content2.html
NOTE : Redirects to another phishing page, then to the Banque de France site.

The title of the phishing can also be "Rappel de dette" (Debt reminder) with different content :

You have received the invoice from the company Banque de France
You can download more information via this LINK

If you have any questions you can call us

Best wishes!

Samy Bouchet
Senior Customer Relations Specialist
BANQUE DE FRANCE

Email analysis :

NOTE : commercial@banque-france.fr
NOTE : webmaster@missdress.ru
NOTE : Received : from www-data by webs3.ru
NOTE : LINK : http://купить-дом-в-испании.рф/wp-admin/css/colors/blue/content2.html
NOTE : The phishing page was removed.


The title of the phishing can also be "Vous avez les dettes" (You have debts) with different content :

You have debts.
You can download more information via this LINK

If you have any questions you can call the numbers shown on our website

Thank you in advance!

Salomon Legros
Head
BANQUE DE FRANCE
Tel.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : contact@banque-france.fr
NOTE : Received : by vps11617909.123-vps.co.uk


NOTE : LINK : http://smartfitness.com.ua/wp-content/themes/fitnesstheme/fontawesome/css/page6.html
NOTE : Redirects to the Banque de France site.

Conclusion

Numerous phishing pages had been removed, but I found one still active and downloaded a virus called facture.zip.

Opening facture.zip gives the following antivirus detections :

AegisLab : Troj.Script.Agent!c
Antiy-AVL : Trojan/Generic.ASVCS3S.3FA
Arcabit : JS:Trojan.Cryxos.725
Avast : Other:Malware-gen [Trj]
AVG : Script/Generic_c.NOE
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : JS:Trojan.Cryxos.725
Comodo : Heur.Dual.Extensions
Cyren : JS/Nemucod.EB1!Eldorado
DrWeb : Trojan.DownLoader24.57175
Emsisoft : JS:Trojan.Cryxos.725 (B)
ESET-NOD32 : JS/TrojanDownloader.Nemucod.CXN
F-Prot : JS/Nemucod.EB1!Eldorado
F-Secure : JS:Trojan.Cryxos.725
Fortinet : JS/Nemucod.CXN!tr
GData : JS:Trojan.Cryxos.725
Ikarus : Trojan-Downloader.JS.Nemucod
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan.Script.Agent.gen
Microsoft : TrojanDownloader:JS/Nemucod
eScan : JS:Trojan.Cryxos.725
Rising : Downloader.Nemucod!8.34 (cloud:EJcAeQsE3jG)
Sophos : Mal/DrodZp-A
Symantec : Trojan.Gen.NPE
Tencent : Js.Trojan-downloader.Nemucod.Gbr
TrendMicro-HouseCall : Suspicious_GEN.F47V0510
ZoneAlarm by Check Point : HEUR:Trojan.Script.Agent.gen

Source code of the virus :

https://pastebin.com/raw/VaBZWADT
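The detections above identify facture.zip as a zipped JavaScript downloader rather than an invoice. As an added example (not from the blog), this Python helper triages a zipped attachment on that basis: it flags archive members whose extension Windows would execute as a script, and document-looking double extensions. The member name facture.pdf.js and its content are constructed stand-ins; the page does not give the real file name.

```python
import io
import zipfile

# Extensions Windows hands to the script host or shell on double-click; a zipped
# "invoice" that contains one of these is a downloader, not a document.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1"}
# Document-like inner extensions used to disguise a script, e.g. "facture.pdf.js".
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

def risky_members(zip_bytes):
    """Return (member name, reasons) for every archive member that looks like a script payload."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Look only at the base name, lower-cased, split on dots.
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in SCRIPT_EXTS:
                reasons.append("script extension")
            if len(parts) > 2 and "." + parts[-2] in DOC_EXTS:
                reasons.append("document-looking double extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample():
    """Constructed look-alike of facture.zip; the member is an inert stub, not the real script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("facture.pdf.js", "// inert placeholder, not the downloader\n")
        zf.writestr("lisez-moi.txt", "nothing to see\n")
    return buf.getvalue()
```

The archive is inspected in memory without extracting or executing anything, so the same check can run in a mail gateway before the attachment reaches a user.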

Need mnoey?Eaarn 50.000 per moonth.

###MAKE MONEY ON1|NE###
===EAARN 50.000 PER MONNTH===
1.You need 0nly email to regisster
2.Fluly automattic sytsem!NOTHING TO DO...
3.@bs0lutely passvie inc0me
http://www.wildstonesolution.com/wp-content/plugins/wordpress-seo/vendor/xrstf/composer-php52/lib/5bc10d79da.html

The title of the scam can also be "Need mooney?Eran 50.000 per moonth." with different content :

###MAAKE MONNEY ONLLNE###
===EAARN 50.000 PER MONTH===
1.You neeed only emmail to reg|$ter
2.Fuliy automatic ssytem!NOTHING TO DO...
3.Absolute1y passive lnc0me
http://www.ieee-papers.com/wp-content/themes/twentyseventeen/2159b211e2.html

Email analysis :

NOTE : mhurdsj@excite.it
NOTE : gfgrimaud@tjb-barre.com
NOTE : 202.150.50.14


NOTE : 113.186.177.167


Phishing analysis :

CLICK : http://www.wildstonesolution.com/wp-content/plugins/wordpress-seo/vendor/xrstf/composer-php52/lib/5bc10d79da.html
Result : Redirects to Google; the phishing page was removed.

CLICK : http://www.ieee-papers.com/wp-content/themes/twentyseventeen/2159b211e2.html
Result : Redirects to Google; the phishing page was removed.

NOTE : Two WordPress websites were compromised to host this phishing.

Friday, May 12, 2017

Update Your Account Information Now !! (PayPal Phishing Attempt)

PayPal

Warning : Account Issue !
Your account is limited until you update your information because someone requested access to your account. Here are the details :
Location : Russia
IP address : 176.96.80.140
Navigator : Mozilla Firefox 48.0 on Windows
To restore access to your account please click on the link below :

Update My Account

This is an email sent automatically. Please do not reply to this letter, because the e-mail address is only configured to send but not to receive e-mails.
Copyright © 2017 All rights reserved.

Phishing screenshot :

PayPal Phishing Screenshot

Email analysis :

NOTE : morag@g-p-t.co.uk
NOTE : Received : from RDT.spectra.local (unknown [80.229.37.167])

IP 80.229.37.167

NOTE : by cust-smtp-auth2.fasthosts.net.uk (Postfix)
NOTE : client-ip=213.171.216.60;

IP 213.171.216.60

Phishing analysis :

CLICK : Update my Account
OPEN : http://sadagatismayilova.com/update-your-account-information-now/myaccount/
SCREENSHOT :

PayPal Phishing Attempt

NOTE : Phishing was removed.

(no subject)

Peace be upon you. I am Madam Nadia Mohamed. I want you to help me because I have a project I want to present to you, so please contact me at this email

nadia55mohammed@gmail.com

Translation :

Salam alaikum. I am Madame Nadia Mohamed. I want you to help me because I have a project I want to introduce to you so I hope you can contact me on this email

Nadia55mohammed@gmail.com

Email analysis :

NOTE : nadia55mohammed@gmail.com
NOTE : ib@caucasus.net
NOTE : Received : from webmail.caucasus.net
NOTE : (unknown [213.157.215.234])

Scam from 213.157.215.234

NOTE : by mail.caucasus.net (Postfix)

Rich and Famous

JOIN THE GREAT ILLUMINATI BROTHERHOOD TODAY AND LIVE A BETTER AND HAPPY LIFE. WELCOME TO THE GREAT TEMPLE OF RICHES AND FAME. Are you a businessman, politician, musician or student, and you want to be rich, powerful and famous in life? You can achieve your dreams by being a member of the Great Illuminati brotherhood. With this all your dreams and heart's desires can be fully accomplished. If you really want to be a member of the great Illuminati brotherhood, contact the Lord Illuminati now. Note: newly recruited members are entitled to 100 thousand US Dollars, a Golden Ring that will protect and guard you from enemies, and a free visa to the United States of America. Please, we do not share blood. Do not miss this opportunity. Call Jack Lord now: +19066620480. Or email now on: illuminatitemple792@gmail.com

Email analysis :

NOTE : illuminatitemple792@gmail.com
NOTE : gcdash@nitrkl.ac.in
NOTE : X-Originating-Ip : [172.16.0.20]
NOTE : Received : from zmbox2.nitrkl.ac.in
NOTE : (zmbox2.nitrkl.ac.in [172.16.0.24])
NOTE : X-Mailer : Zimbra 8.6.0_GA_1194 (zclient/8.6.0_GA_1194)
NOTE : Received : from mailhost2.nitrkl.ac.in (saraswati.nitrkl.ac.in. [27.48.137.18]

Wednesday, May 10, 2017

Tammy Joorst (Email Leak)

Good day

how can you supply me?

Email analysis :

NOTE : 3563909@myuwc.ac.za
NOTE : 3556254@myuwc.ac.za
NOTE : regie44@outlook.com

Email leak :

Email leak from a scam.


..£1million Donated To You##..

You have been selected to receive a whopping sum of £1million which the Davies family donated to you after scooping £61million in one of Britain's biggest EuroMillions lotto draws. My family and I decided to set up a foundation aimed at providing financial aid and assistance to reputable individuals around the world to help fight cancer in their various communities.

It's a great way to give back to the world after miraculously cheating death. Read more about me and my family on the news link below.



Kindly forward your full name, age, tel. no., address
Sincerely,
Davies Family Charitable Trust

Email analysis :

NOTE : Davies Family Charitable Trust
NOTE : daviesctrust@cox.net
NOTE : Received : from [192.168.176.198] (71.41.196.26)
NOTE : X-Originating-Ip : [71.41.196.26]

Scammer with the IP 71.41.196.26

NOTE : by Exchange.ku.dk (172.28.3.173)

Richard Maxwell

We have deposited the check of your fund ($25.400`000`00USD) through the MONEY GRAM department after our final meeting regarding your fund. All you have to do is contact the Money Gram director (479)3853899. He will give you directions on how you will be receiving the funds daily. Remember to send him your full information to avoid a wrong transfer, such as:

Receiver's Name_______________
Address: ________________
Country: _____________
Phone Number: _____________

Though Mr. Richard Maxwell sent $4000 in your name today, so contact Mr. Richard Maxwell or call him as soon as you receive this email (richardmaxwell314@gmail.com) and tell him to give you the reference, sender name and question/answer to pick up the $5000. Please let us know as soon as you have received all your fund.

Best Regards.

MONEY GRAM AGENT

Email analysis :

NOTE : X-Originating-Ip : [185.56.137.11]

Scammer with IP 185.56.137.11

NOTE : Received : from mail.ochoa.com.do (mail.ochoa.com.do [172.17.1.231])
NOTE : servicedesk@ochoa.com.do
NOTE : richardmaxwell314@gmail.com

NOTICE OF ONGOING INVESTIGATION

Federal Bureau Of Investigations
Headquarters Washington Dc.
Building 935 Pennsylvania Ave.
NW WASHINGTON, D.C. 20535-0001
E-Mail: fbi.gov0012@usa.com

NOTICE OF ONGOING INVESTIGATION

Attn Recipient:

This is agent Josh. We were sent by the Director of the Federal Bureau of Investigation (JAMES B. COMEY); we are currently in Africa as an FBI / United States delegation that has been delegated to investigate these fraudsters who are in the business of swindling foreigners that have transactions in Africa. Be informed that during our investigations we found out that there is a total amount of $2.5 Million that has been assigned in your name as the beneficiary, and these fraudsters are busy swindling you without any hope of receiving your fund; these are the works of the fraudsters who needed to extort money from you in the name of this transfer. We have to inform you that we have arrested some men in respect of this delayed overdue fund. We have a very limited time to stay in Africa here, so I advise you to urgently respond to this message. These criminals will be caught unaware and we don't want them to know of this new development, to avoid jeopardizing our investigation; you need to conceal anything that has to do with this exercise to enable us to get all the necessary information we require. I will be expecting your swift response as soon as you receive this email, and notify us of any message or phone call you receive from those fraudsters for us to investigate it before you make any contact with them.

In case you found this message in your spam folder, it could be due to your Internet Service Provider (ISP). So kindly move it to your inbox before replying.

Regards,
JACKSON JOSH
International Banking Unit
862 955-2836

Email analysis :

NOTE : X-Originating-Ip : [197.234.219.26]

Scammer with IP 197.234.219.26

NOTE : Received : from mzcstore262.ocn.ad.jp
NOTE : (mz-fcb262p.ocn.ad.jp [180.8.111.198])
NOTE : jackson.fbi@yahoo.com
NOTE : "WWW."@star.ocn.ne.jp