domain .com Final Notice - Spam Warning !!!

This one is worth mentioning just because they spray it out to every domain owner on the planet and occasionally it looks mildly convincing, as in this case:

 

 

 

From:                                                       Domain Service <info@lopcholland.pw>

Sent:                                                         08 January 2019 13:06

To:                                                            Domains Team

Subject:                                                   domain.com Final Notice

 

 
 
 

 

 
 
 

 

 

 

 
 
 
 

Important notice


Notice#: 493898
Date: 01/06/2019

 

Expiration notice

Domain: domain.com
Expiration date: 04/14/2019

 

 

 

To: Owner, company

   

Address Line 1

   

Town

   

State/County, Zip/Postal Code COUNTRY

   

 

Domain Name:

 
Registration Period:

Amount:

Term:

domain.com

01/28/2019 to 01/28/2020

$86.00

1 Year

Secure Online Payment

 

Domain Name: domain.com

Attn: Domain Owner

This important expiration notification notifies you about the expiration notice of your domain registration for domain.com search engine optimization submission. The information in this expiration notification may contain legally privileged information from the notification processing department of the Domain Seo Service Registration to our search engine traffic generator. We do not register or renew domain names. We are selling traffic generator software tools. This information is intended for the use of the individual(s) named above.

If you fail to complete your domain name registration domain.com search engine optimization service by the expiration date, may the dismissal of this search engine optimization domain name notification notice.

Process

Secure Online Payment

to complete your payment.

 

Failure to complete your seo domain name registration domain.com search engine optimization service process may make it difficult for customers to find you on the web.

Process Payment for

domain.com
Secure Online Payment

Act immediately

This domain seo registration for domain.com search engine service optimization notification will expire 01/14/2019.

Instructions and Unlike Instructions from this Newsletter:
You have received this message because you elected to receive notification. If you no longer wish to receive our notifications, please unlike here. If you have multiple accounts with us, you must opt out for each one individually to unlike receiving notifications. We are a search engine optimization company. We do not directly register or renew domain names. This is not a bill. You are dont need to pay the amount unless you accept this notification. This message, which contains promotional material strictly along the guidelines of the Can-Spam act of 2003. We have clearly mentioned the source mail-id of this email, also clearly mentioned our subject lines and they are in no way misleading. Please do not reply to this email, as we are not able to respond to messages sent to this address.

The 'secure' online payment link actually points to http://pc1231.lopcholland.pw/em/link.php, which is an alias of http://www.webcomdot.org, an unsecured credit card fraud site.

Please report both of these domains as fraudulent and report the email originator as a spam source.

 

01785 463 178 BT Fake Calls - you are going to be disconnected, press 1

We have been receiving reports of suspect phone calls, allegedly from BT stating that the service is about to be shut down and to please press 1 for details.

We have not taken the plunge of actually pressing 1 to speak to someone, but we can report that the 1471 lookup gives a number of 01785463178. That number will not receive calls ('the number you have called is not recognised'), which seems odd, as it is the BT service that gives the number in the first place and so it should be correct.

These calls are being received by people who are on the BT 152 call protect privacy service which seems strange as you would think that the numbers would be protected.

Either way none of the customers of BT being contacted have had their service removed and so this is obviously a scam.

If we intercept a call we will try speaking to someone to find out what they are trying to extract from people and report back.

Urgent to all residents of the building - Spam Warning !!

This email is interesting as it appears to be aimed at smaller companies sharing a large office building where staff may not know the name of the fire-safety officer or building administrator.

The email itself, however, is very simple and has no signature to impress authority on anyone:

 

 

 

From:                                                       Frances Moyer <mail@biganski.com>

Sent:                                                         11 December 2018 13:43

To:                                                            Support

Subject:                                                   Urgent to all residents of the building

 

Hi All,
Please find below the Up to date emergency exit map.

 

Emergency Exit Map.

 

Thanks,
Frances Moyer,
Estate Management

 
 
The link for 'Emergency Exit Map' actually points at a Google Drive folder: https://docs.google.com/uc?id=1JPbpDcSLpHmb1fsAO4mJHNK7jDOpXAwK which is a link to an application that will harm your computer.
 
We have reported this link to Google and it will hopefully be dropped today.
 
Report the originating email address as fraudulent and do not run any executables you download from the web under any circumstances.
 
 
PayPal Automatic Notification - Spam Warning!!

This email has been seen today in the UK:

 

 

 

From:                                                       PayPal Services <paypal@gladstonecare.com>

Sent:                                                         11 December 2018 18:47

To:                                                            Accounts Team

Subject:                                                   PayPal Automatic  Notification

 

 

 

 

 

Ag Promotion, here are your invoice details

 

 

 

 

 

 


PayPal

 

The following Invoice Notification is being sent to you personally by PayPal Inc.

 

 

Thank you so much for utilizing PayPal and here is your receipt.
Your PayPal Invoice has been paid and now accessible for download.

 Make sure you click the link previously mentioned to see in depth information.

 

 

PayPal

 

Help Fees   |  Shop

 

 

twitter

instagram

facebook

linkedin

 

 

Click the link to Unsubscribe

Make sure you don't respond to this email. We're unable to respond to requests sent to this email. For instant answers to your inquiries, visit our Help by simply clicking "Help" found on any PayPal page.

 

 

 

PayPal is Licensed as a Money Transmitter by the New York State Dept of Monetary Services. PayPal, NMLS #920537, Permit #FB2341, Ma Foreign Transaction Certificate. PayPal, Inc., Transmit Funds By Money Order By The Division of Banking, Commonwealth of Pennsylvania. PayPal, Rhode Island Licensed Money Transferor. PAYPAL, NHOS #910447, PERMIT #34967, IS REGISTERED THROUGH THE GA DEPT OF BANKING AND FINANCING. 

 

 

 

Copyright laws 2018 PayPal, Inc. All rights reserved. PayPal is placed at 2215 N. 1st Street., San Antonio, CA 96131.

 

 

 

 

The link 'Get Receipt' actually points at http://earthchangingmoment.net?32Ee24=[email identification string], where the =[String] part will log your email address with the spammers.
 
The spammers have also kept all of the social networking links from a real PayPal email to feign authenticity.
 
There is no website to speak of at http://earthchangingmoment.net but do please report it as fraudulent anyway, at least until it is repaired.

You got notification from DocuSign Electronic Service - Spam Warning!!

 

This email, posing as a DocuSign email, is actually from qualitybumper.com.

The email itself attempts to persuade you to open a link to 'review an invoice' from DocuSign:

 

 

 

From:                                                       DocuSign Signature  Service <docusign@qualitybumper.com>

Sent:                                                         10 December 2018 17:44

To:                                                            Accounts Team

Subject:                                                   You got notification from DocuSign Electronic Service

 

 

 

 

 

 

DocuSign

Review and sign an invoice.

 

Dear Receiver,

Please sign this invoice
This is an electronically generated notice.

 

This email holds a secure link to DocuSign. Do not share this link with others.

Additional Signing Way
Please visit DocuSign.com, click on 'Access Documents', and enter the code: 0E99A5B514

About DocuSign
Sign documents in just minutes. It is risk-free. No matter if you are in an office, at home or even across the globe -- Our service gives a trusted solution for Digital Operations .

Questions regarding an Invoice?
In case you need to modify the document or have concerns , reach out to the sender directly.

If you cannot sign an invoice, please visit the Help page on our support Center .
 

This message was sent to you by DocuSign Electronic Signature Service.

 

 

The link marked 'Review Invoice' actually points to: http://wfqaonline.com?32sE1=[string] where presumably the string is informing the website owner of your email address.
 
If we try to browse to the website itself, we find an IIS server with no website, with or without a string following the equals sign. The website does not give a recognisable response but may just make a note of your email address for their database. If it does, it does so very fast.
 
Please mark the source email as a spam source and the website as dangerous so that the owner can take action.

Your Name - Our meeting today at 8:00 PM ... - SPAM!!!

More from our fraudulent friends at 'Who's Dumb Enough to Think you can be a Bitcoin Millionaire'

This email is disingenuous from start to finish, as befits these people.

Of course there is no meeting and they have no idea of your name, they just extracted the text field from your email address, but let us have a look at the email and site anyway as these people do need to be publicly 'outed' or they will continue to prey on the weak and poor...

From: Arleen Weatherly <arleen.weatherly@r.meeting-online.ml>
Sent: 13 November 2018 16:15
To: Your Name
Subject: Your Name - Our meeting today at 8:00 PM ...

Hey,

I wanted to remind you of our today's meeting at 8:00 PM on this website:
http://r.meeting-online.ml/bL5j9gTqAx

At this meeting, I will explain in detail how you can effectively invest in the Bitcoin market and start
earning 1,293,186 pounds annually.

Yes, 1,293,186 pounds a year! Exactly that much I managed to earn in 2018by using this extremely
simple technique.

Watch the video and see how easy it is:
http://r.meeting-online.ml/bL5j9gTqAx

Register your free account and activate your trading account, and at 8:00 PM you will be able to
participate in our online meeting, where I will share my knowledge and investment techniques.

What is your dream? New home? A car? Or maybe a financial security?

Thanks to Bitcoin, tens of thousands of people have become millionaires. It is still possible - and I will
prove to you at the meeting tonigh!

Do not waste your time and register now:
http://r.meeting-online.ml/bL5j9gTqAx

Your personal Webinar access code:
0DQNBHZGMP4QRS

See you at the meeting!
Arleen Weatherly

Now we have no idea what the website meeting-online.ml is supposed to be but the owner is registered at:

Mali Dili B.V. 
Point ML administrator 
P.O. Box 11774 
1001 GT Amsterdam 

Which doesn't help much.

Either way, the website doesn't seem to function at its root - it just shows the Apache hello message.

But at the link above, it shows our friends:

Bitcoin-System.me

 

Now I don't know who that person is or how they got this way so young, but that definitely looks like their parents' house to me. I wouldn't buy that lamp now, never mind at that age.

As usual, if you try and leave you get a message saying:

https://en.bitcoinmillions.xyz/?a=6707&o=7613&s=181113mtuk

 

This page is reproduced across many domain names such as:

https://en.bitcoinmillions.xyz/?a=6707&o=7613&s=181113mtuk

As you can see from the EN part, they reproduce their scam in most European languages...

In fact they have:

DNS name=de.bitcoinmillions.xyz
DNS name=en.bitcoinmillions.xyz
DNS name=es.bitcoinmillions.xyz
DNS name=it.bitcoinmillions.xyz
DNS name=nl.bitcoinmillions.xyz
DNS name=pl.bitcoinmillions.xyz
DNS name=se.bitcoinmillions.xyz

So please report this domain as fraudulent to as many government bodies as you can.

You're A Winner - The National Lottery - Winning Notification Letter 2018-dispatched Spam

Occasionally there is a spam email circulating that really makes you giggle, and here is a perfect example. Not only is this email sent to a generic email address - in this case a support@ address.

The message has only one piece of text and a PDF. The text reads:

'This message was sent to name@domain.local. If you are not the owner of this email and you receive this message. Please discard the letter.'

 

 

I don't know who William@icswiss.biz is, but I suspect he will not be receiving that many emails and the phone number appears to have been left off of the hook.

I'm really not sure what the purpose of this email is unless the phone number and email are just of someone that the originator doesn't like.

The best part by far though, is that the promotion director happens to be Annie Lennox acting in the role in her spare time.

This email has the feeling of someone playing a prank rather than trying to steal, and for that, it definitely received the 'Spam of the Month' award!

password (r9vrts4) for address@domain.suffix is compromised

The following email is very common at the moment:

From: address@domain.suffix
Sent: 22 October 2018 16:05
To: Recipient
Subject: password (r9vrts4) for address@domain.suffix is compromised

Hello!

I'm a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.
This is your password from address@domain.suffix on moment of hack: r9vrts4

Of course you can will change it, or already changed it.
But it doesn't matter, my malware updated it every time.

Do not try to contact me or find me, it is impossible, since I sent you an email from your account.

Through your email, I uploaded malicious code to your Operation System.
I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the
Internet resources.
Also I installed a Trojan on your device and long tome spying for you.

You are not my only victim, I usually lock computers and ask for a ransom.
But I was struck by the sites of intimate content that you often visit.

I am in shock of your fantasies! I've never seen anything like this!

So, when you had fun on piquant sites (you know what I mean!) I made screenshot with using my
program from your camera of yours device.
After that, I combined them to the content of the currently viewed site.

There will be laughter when I send these photos to your contacts!
BUT I'm sure you don't want it.

Therefore, I expect payment from you for my silence.
I think $883 is an acceptable price for it!

Pay with Bitcoin.
My BTC wallet: 1JTtwbvmM7ymByxPYCByVYCwasjH49J3Vj

If you do not know how to do this - enter into Google "how to transfer money to a bitcoin wallet". It is
not difficult.
After receiving the specified amount, all your data will be immediately destroyed automatically. My
virus will also remove itself from your operating system.

My Trojan have auto alert, after this email is read, I will be know it!

I give you 2 days (48 hours) to make a payment.
If this does not happen - all your contacts will get crazy shots from your dark secret life!
And so that you do not obstruct, your device will be blocked (also after 48 hours)

Do not be silly!
Police or friends won't help you for sure ...

p.s. I can give you advice for the future. Do not enter your passwords on unsafe sites.

I hope for your prudence.
Farewell.

 

This email is particularly annoying because it is not actually an email at all - just a telnet session being run against the email server, pretending to be an email from your own mailbox. It bypasses SPF and spoofing detection in some cases, but that does not mean that any passwords have been hacked or that your computer has been compromised in any way.

It is fairly obvious from the quality of the email that it has been sent out en masse to try to recover a few Bitcoin payments. The originating IP address can be found in the email header, and it is changing constantly, perhaps suggesting that the email is being fired out by SMTP viruses on various computers around the web.

The best action to take is to ensure that your own email address is not in your whitelist, so that anti-spoofing and SPF measures block this email rather than letting it through.
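The whitelist point can be checked with a small header triage, shown here as an added example that is not part of the original post. The message, the host name `mx.domain.suffix`, the IP addresses and the `triage` function are all constructed for illustration; the sketch assumes your boundary mail server stamps `Received` and `Received-SPF` headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the page's placeholder address, documentation-range IPs.
SAMPLE = """\
Received: from mx.domain.suffix (mx.domain.suffix [192.0.2.10])
\tby mailstore.domain.suffix; Mon, 22 Oct 2018 16:05:12 +0100
Received-SPF: softfail (domain.suffix: 203.0.113.77 is not designated)
 client-ip=203.0.113.77;
Received: from unknown (HELO pc) ([203.0.113.77])
\tby mx.domain.suffix; Mon, 22 Oct 2018 16:05:10 +0100
From: address@domain.suffix
To: address@domain.suffix
Subject: password (r9vrts4) for address@domain.suffix is compromised

Hello!
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def triage(raw, boundary_mx, allowlist=frozenset()):
    """Summarise a message that claims to come from the recipient's own domain."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()

    # First word of Received-SPF is the result (pass, fail, softfail, ...).
    spf = (msg.get("Received-SPF", "none").split() or ["none"])[0].lower()

    # Only the hop stamped by our own boundary server is trustworthy;
    # anything below it was supplied by the sender and can be forged.
    origin_ip = None
    for hop in msg.get_all("Received", []):
        if re.search(r"\bby\s+" + re.escape(boundary_mx) + r"\b", hop):
            found = IP_RE.search(hop)
            origin_ip = found.group(1) if found else None
            break

    same_domain = bool(sender) and sender.rpartition("@")[2] == rcpt.rpartition("@")[2]
    if sender in allowlist:
        action = "deliver"      # allowlist entry skips every spoofing check
    elif same_domain and spf != "pass":
        action = "quarantine"   # claims to be us, but SPF did not pass
    else:
        action = "deliver"
    return {"self_addressed": sender == rcpt, "spf": spf,
            "origin_ip": origin_ip, "action": action}


if __name__ == "__main__":
    print(triage(SAMPLE, "mx.domain.suffix"))
    print(triage(SAMPLE, "mx.domain.suffix", allowlist={"address@domain.suffix"}))
```

With the recipient's own address on the allowlist, the same forged message is delivered; without it, the softfail result is enough to quarantine it.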

Recipient@domain.suffix Documents Received OneDrive Spam

This email is an impersonation of Microsoft but has a homespun email address and so should be quite easy to spot.

 

 

From:                              Marissa Carnahan [MCarnahan@gmarmol.com]

Sent:                               18 October 2018 17:49

To:                                   Recipient

Subject:                          recipient@domain.suffix Document Received

 

ΟneDriυe

recipient, Yοu have new dοcuments sent tο yοu via ΟneDriνe

Receive # Document  #Fοr PΟ (DF70508900)

(ReνiewDοcs (DF70508900)  

Τhank Yοu

 

They have apparently respelt OneDrive in order to avoid detection which seems odd as you wouldn't really think that 'OneDrive' would make even a component of rejection rules on any system, as anyone could be using it in conversation with anyone.
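The respelling can be caught by looking for words that mix alphabets, shown here as an added example that is not part of the original post. It assumes the lookalike characters in the quoted email are Greek letters; the `LOOKALIKES` map is hand-built for this one sample rather than the full Unicode confusables table, and the function names are illustrative.

```python
import re
import unicodedata

# Hand-built map (assumption): Greek letter -> the Latin letter it imitates
# in this email. Not the full Unicode confusables table.
LOOKALIKES = {
    "\u039f": "O",  # GREEK CAPITAL LETTER OMICRON
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c5": "v",  # GREEK SMALL LETTER UPSILON, used in place of 'v'
    "\u03bd": "v",  # GREEK SMALL LETTER NU
    "\u03a4": "T",  # GREEK CAPITAL LETTER TAU
}

# Constructed to match the quoted email body, with the Greek letters written
# as escapes so that they are visible in the source.
SAMPLE = ("recipient, Y\u03bfu have new d\u03bfcuments sent t\u03bf y\u03bfu "
          "via \u039fneDri\u03bde")


def scripts_in(token):
    """Return the set of scripts (first word of each Unicode name) in a word."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in token if ch.isalpha()}


def skeleton(token):
    """Fold known lookalikes back to the Latin letters they imitate."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in token)


def mixed_script_tokens(text):
    """Words that combine letters from more than one script."""
    return [t for t in re.findall(r"\w+", text) if len(scripts_in(t)) > 1]


def spoofed_brands(text, brands):
    """Mixed-script words that fold to a protected brand name."""
    hits = []
    for tok in mixed_script_tokens(text):
        folded = skeleton(tok).lower()
        if folded in brands:
            hits.append((tok, folded))
    return hits


if __name__ == "__main__":
    print(mixed_script_tokens(SAMPLE))
    print(spoofed_brands(SAMPLE, {"onedrive"}))
```

A genuine message that mentions OneDrive in plain Latin letters produces no hit, so the rule keys on the disguise rather than on the word itself.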
 
The way they reformat the address to add the email name in the sentence is effective though, although they have not thought to check if the email is firstname.surname and just added the pre '@' string instead.
 
 
Which has already been marked as deceptive by Google Chrome and unsafe by Microsoft Edge so there should not be too many successful cons from this one. :)

Netflix Spam: Update Account Payment Information

This email has been seen this week:

 

 

Request

 

From:                                                       Netflix Team <netflix@customersupport.com>

Sent:                                                         16 October 2018 01:59

To:                                                            Accounts Team

Subject:                                                   Update Account Payment Information

 

 

Image

 

 

Please Update Your Payment Method

Dear Valued Netflix User

Sorry for the interruption, but we are having trouble authorizi ng your Payment Method.
Please visit the account payment page at
https://www.netflix.com/YourAccountPayment to enter your payment information aga in or to use a different payment method.
When you have finished, we will try to verify your account agai n. To protect the information of our customers, our system has temporarily pla ced restrictions on your account until your information has been validated by our system.

You can validate your information by either clicking on the link above or b elow, this will only take a few minutes and your account functions will be fully restored.

If you have any questions, we are happy to help. Simply call us at 01800-91 7844.
-The Netflix Team

 

LOG ON

 

 

Netflix Inc. : Netflix Corporate Headquarters 100 Winchester Ci rcle Los Gatos, CA 95032.
You can un-subscribe to security alerts by configuring your online account.
We are sending this email to provide support for your personal online Netfl ix account.

The actual 'log on' link points to https://www.neftlix.su/accountbilling/index.php, which has already been marked as hazardous by Google and Microsoft, so no great worries here. Do be careful that you do not wander onto this site with an older browser, as they have amazingly been granted a netflix domain on another suffix. The screen looks relatively convincing:

 

Fake netflix.su screen

 

If you go to the site and ignore any warnings you get a standard looking netflix login that accepts any password:

fake netflix logon

and then provides you with manufactured proof that other users have accessed your account:

Fake netflix android usage

 

Whether you respond or not you are sent through to screens requesting your name, address and card details:

 

Netflix.su enter details

 

It appears to have no validation, so you can just leave them rude messages.

 

Fake netflix.su thank-you page

 

All in all a good web page visually, but the idea that you need to enter your name after logging back in is a weak link, and you should never enter card details into a site unless you have triple-checked the URL in the address bar.

 

Stay safe!