Monday, August 7, 2017

Payment Notification, (Western Union Scam)

Dear Western Union Customer,

You have been awarded with the sum of $360,000.00 USD. in the western
union money transfer program s one of our customers who use Western
Union in their daily business transaction,Please provide Mr.Dennis Woods
with the following details below so that your fund will be remitted to
you through Western Union Transfer.

(1)Names:
(2)Address:
(3)Phone Number:
(4)Sex:
(5)Age:
(6)Country:
(7)Occupation:

Mr.Dennis Woods
(Western Union Online coordinator)
E-mail: wu.moneytransfer_online1117@live.com
(Help Line: +254-7801-02173)

As soon as these details are received and verified, your
fund will be transferred to you. Thank you, for using
western union.

Email analysis :

NOTE : ECOLE MATERNELLE PUBLIQUE ROBERT DEBRE - SAINT-LOUIS
NOTE : ce.9740750X@ac-reunion.fr
NOTE : wu.moneytransfer_online11@msn.com
NOTE : Received : from [172.31.186.125] (Forwarded-For: 154.123.121.136)


NOTE : by store1.in.ac-reunion.fr (mshttpd);
NOTE : Received : from ac-reunion.fr (store1.ac-reunion.fr [172.31.186.61])


NOTE : by smtpout2.ac-reunion.fr (Postfix)
NOTE : client-ip=195.98.231.113;
NOTE : @educationfrance : Western Union Scam relayed from ce.9740750X / ac-reunion

Monday, July 31, 2017

FWD:RE (Phishing Société Générale)

En ce qui concerne les informations relatives à votre compte bancaire:
Cher client:

Notre systeme a detecte que vous n'avez pas active Pass securite (Societe Generale):

Decouvrez Le Pass Securite

Afin de prevenir l'utilisation frauduleuse des cartes bancaire sur Internet, Societe Generale est dotee d'un dispositif de controle des paiements. Ce service est entierement gratuit.

Cliquez ici Pour activez ce service

Merci pour choisire SOCIETE GENERALE!

Copyright ©2017 Societe Generale. Tous droits réservés.
Numéro d'immatriculation FSASociete Generale: 226056.

Mon compte
Téléphone
Facebook
Instagram
Twitter
Pinterest
Youtube
Magazine

MENTIONS LÉGALES
PROTECTION DES DONNÉES
CGV

SE DÉSINSCRIRE DE LA NEWSLETTER

Phishing screenshot :


Email analysis :

NOTE : kaizenqm@telus.net
NOTE : Cmm-Sender-Ip : 209.171.16.90


NOTE : X-Mailer : Zimbra 8.6.0_GA_1211 (zclient/8.6.0_GA_1211)
NOTE : Received : from mtlp000003.email.telus.net ([172.20.100.250])

Phishing analysis :

CLICK : Cliquez ici Pour activez ce service
OPEN : http://kombiringen.se/wp-content/theme/
REDIRECT : http://www.goingesten.se/wp-content/theme/
REDIRECT : http://www.goingesten.se/wp-content/theme/*/service.php?*


RESULT : Phishing Société Générale

Votre-Paiement-En ligne (Phishing attempt)

Bonjour,

Afin de prévenir l'utilisation frauduleuse des cartes bancaires Internet,

Votre Service Générale, est dotée d'un dispositif de controle des paiements.

Ce service est entierement gratuit Notre Systeme a detecte que vous n'avez pas active -Pass-Service-sécurite

Service sécurite

Banque-Générale

Nous vous remercions de votre Confiance.

Cordielement

Email analysis :

NOTE : INFO@news.promovacances.com
NOTE : Received : by footcenter.fr (Postfix, from userid 33)
NOTE : Received : from footcenter.fr ([165.227.79.193])
NOTE : X-Php-Originating-Script : 0:nel.php
NOTE : Message-Id : < *.*@footcenter.fr >
NOTE : Votre-Paiement-En ligne

Phishing screenshot :


Phishing analysis :

CLICK : Service sécurite
OPEN : http://sirlwad.gear.host/s52.html
SCREENSHOT :


RESULT : Phishing attempt.

Information about this phishing

SCRIPT : nel.php
HACKED RELAY : footcenter.fr
OPEN REDIRECT : sirlwad.gear.host
SPOOFED EMAIL : INFO@news.promovacances.com
PHISHING : Société Générale

Camelot

You have Won $680,000

Email analysis :

NOTE : camelot.group@gmx.co.uk
NOTE : Received : from [192.168.0.100] (unknown [43.240.7.1])


NOTE : by spamwall.quilmes.gov.ar (Postfix)
NOTE : Received : from spamwall.quilmes.gov.ar
NOTE : (spamwall.quilmes.gov.ar. [190.120.191.6])


NOTE : The quilmes.gov.ar server was hacked to relay this scam.
NOTE : @QuilmesMuni was contacted

Thursday, July 27, 2017

Urgent sunTrust Confirmation

We have updated your contact information

For details about what changed, sign on to Messages and Alerts. To view the updates, or make additional updates, sign on to update your contact information.

1. If you did not make this request online, by phone, or at a Suntrust store, please sign on immediately . We are available 24 hours a day, 7 days a week.

Please update and verify your information by clicking the link below:

To view the updates

If your account information is not updated within 72 hours then your ability to access your account will become restricted.

Fraud Prevention Unit
Legal Advisor
Suntrust Bank

Email analysis :

NOTE : spam@petofisopron.hu
NOTE : Received : from [205.209.150.138] (205.209.150.138)


NOTE : by psrv01.petofisopron.hu (192.168.0.3)

Phishing analysis :

CLICK : To view the updates
OPEN : http://deliaujica.com/css/images/sunTrust/sun/validation/
RESULT : Phishing was removed.

Wednesday, July 26, 2017

Agence ClientèIe SBE : RappeI (Phishing Bred)

Cher(e) Client(e),

Votre conseiller vous informe que vousiavezireçuiunimessageoimportant

conçernantivotreiE-Code.

tVotre accès en ligne

Cordialement
Votre Banque

ic

Email analysis :NOTE :

NOTE : laempresadelexito.com@emails.afm-telethon.fr
NOTE : laempresadelexito.com
NOTE : X-Php-Originating-Script : 0:tmsir.php
NOTE : Received : by emails.afm-telethon.fr (Postfix, from userid 33)
NOTE : Received : from emails.afm-telethon.fr ([165.227.14.87])
NOTE : emails.afm-telethon.fr@emails.afm-telethon.fr

Phishing screenshot :


Phishing analysis :

CLICK : tVotre accès en ligne
OPEN : http://laempresadelexito.com/BredEcode
REDIRECT : http://www.metaltripshop.com/metaltripshop/app/code/community/Mage/Sales/Model/Convert/Model/brlogin/brlogin/*/
SCREENSHOT :


VALIDATE : FORM
REDIRECT : http://www.metaltripshop.com/metaltripshop/app/code/community/Mage/Sales/Model/Convert/Model/brlogin/brlogin/*/phone.php?tok=*
VALIDATE : FORM
REDIRECT : http://www.metaltripshop.com/metaltripshop/app/code/community/Mage/Sales/Model/Convert/Model/brlogin/brlogin/*/sms.php?tok=*
VALIDATE : FORM
REDIRECT : http://www.metaltripshop.com/metaltripshop/app/code/community/Mage/Sales/Model/Convert/Model/brlogin/brlogin/*/done.php?tok=*
REDIRECT : https://www.bred.fr/index.html

Conclusion :

Victim : BRED
Spoofed service : emails.afm-telethon.fr
Location of the Open redirect : laempresadelexito.com
Location of the Phishing : metaltripshop.com