Friday, January 22, 2016

Your Order Has Been Placed (iTunes Store Phishing)

Apple: Order Number: 103993128

iTunes Store
Dear

Thank you for buying the following product on 18/01/2016

Product Name: F1-Pilot Premium(R)
Order Number: 103993128
Receipt Date: 18/01/2016
Order total: 14.02 EUR.

We hope that our tools and solutions have improved the way you do business this year.

If you did not authorize this purchase, please proceed with "Cancellation Form"

Cancel this Purchase

Phishing analysis :

CLICK : Cancel this Purchase
OPEN : https://directcabcall.com/dcc/cron/Update/login/
REDIRECT : http://https.paypatl.com.leodimiranda.com/nl/webapps/mf2f/home


Email analysis :

NOTE : Return-Path : < voveriukas@jml-group.lt >
NOTE : X-Php-Script : jml-group.lt/wp-content/files_mf/send.php for 105.108.42.181


NOTE : Received : from mail.ledinis.lt (mail.ledinis.lt. [109.235.64.119])


NOTE : Your Order Has Been Placed
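
The checks from the two analysis sections above, as an added triage example (not part of the original post): it parses the quoted headers and URL chain offline and flags brand-lookalike labels sitting in front of an unrelated registrable domain. The `BRANDS` watchlist, the function names and the two-label registrable-domain shortcut are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Header values and URLs copied from the analysis above; nothing is fetched.
RAW_HEADERS = """\
Return-Path: <voveriukas@jml-group.lt>
X-Php-Script: jml-group.lt/wp-content/files_mf/send.php for 105.108.42.181
Received: from mail.ledinis.lt (mail.ledinis.lt. [109.235.64.119])
"""
URL_CHAIN = [
    "https://directcabcall.com/dcc/cron/Update/login/",
    "http://https.paypatl.com.leodimiranda.com/nl/webapps/mf2f/home",
]
BRANDS = {"apple": "apple.com", "itunes": "apple.com", "paypal": "paypal.com"}  # assumed watchlist

def registrable(host):
    # Assumption: naive "last two labels"; use the Public Suffix List in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Classic Levenshtein distance, computed one row at a time.
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def triage(raw_headers, urls):
    msg = message_from_string(raw_headers)
    findings = {"brand_lookalikes": []}
    # Format as seen in the quoted header: "<script path> for <client IP>".
    m = re.match(r"(\S+) for (\d{1,3}(?:\.\d{1,3}){3})$", msg.get("X-Php-Script", "").strip())
    if m:
        findings["sending_script"], findings["script_caller_ip"] = m.groups()
    findings["envelope_domain"] = msg.get("Return-Path", "").strip("<> ").rpartition("@")[2].lower()
    for url in urls:
        host = urlsplit(url).hostname or ""
        base = registrable(host)
        for label in host.split(".")[:-2]:  # labels left of the registrable domain
            for brand, real in BRANDS.items():
                # A near-miss of a brand name on a domain the brand does not own.
                if base != real and edit_distance(label, brand) <= 1:
                    findings["brand_lookalikes"].append((host, label, brand, base))
    return findings

if __name__ == "__main__":
    print(triage(RAW_HEADERS, URL_CHAIN))
```
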

Conclusion :

- iTunes Store phishing that redirects to a PayPal phishing page.

Hijacked websites :

directcabcall.com : owner : DIRECTCABCALL.COM@domainsbyproxy.com
leodimiranda.com : owner Irene Perrin / +61.386242485 / contact@myprivateregistration.com
jml-group.lt : UAB "Interneto vizija" / hostmaster@iv.lt
jml-group.lt : WordPress website / account voveriukas
ledinis.lt : UAB "Interneto vizija" / hostmaster@iv.lt

Phisher's origin :


IP : 105.108.42.181
Provider : Telecom Algeria
Country : Algeria
Latitude : 28
Longitude : 3