Web Analytics Made Easy -
StatCounter
RSS

Blog

[email protected] Documents Received OneDrive Spam

[email protected] Documents Received OneDrive Spam

This email is an impersonation of Microsoft but has a homespun email address and so should be quite easily to spot.

 

 

From:                              Marissa Carnahan [[email protected]]

Sent:                               18 October 2018 17:49

To:                                   Recipient

Subject:                          [email protected] Document Received

 

ΟneDriυe

recipient, Yοu have new dοcuments sent tο yοu via ΟneDriνe

Receive # Document  #Fοr PΟ (DF70508900)

(ReνiewDοcs (DF70508900)  

Τhank Yοu

 

They have apparently respelt OneDrive in order to avoid detection which seems odd as you wouldn't really think that 'OneDrive' would make even a component of rejection rules on any system, as anyone could be using it in conversation with anyone.
 
The way they reformat the address to add the email name in the sentence is effective though, although they have not thought to check if the email is firstname.surname and just added the pre '@' string instead.
 
 
Which has already been marked as deceptive by Google Chrome and unsafe by Microsoft Edge so there should not be too many successful cons from this one. :)
Netflix Spam: Update Account Payment Information

Netflix Spam: Update Account Payment Information

This email has been seen this week:

 

 

Request

 

From:                                                       Netflix Team <[email protected]>

Sent:                                                         16 October 2018 01:59

To:                                                            Accounts Team

Subject:                                                   Update Account Payment Information

 

 

Image

 

 

Please Update Your Payment Method

Dear Valued Netflix User

Sorry for the interruption, but we are having trouble authorizi ng your Payment Method.
Please visit the account payment page at
https://www.netflix.com/YourAccountPayment to enter your payment information aga in or to use a different payment method.
When you have finished, we will try to verify your account agai n. To protect the information of our customers, our system has temporarily pla ced restrictions on your account until your information has been validated by our system.

You can validate your information by either clicking on the link above or b elow, this will only take a few minutes and your account functions will be fully restored.

If you have any questions, we are happy to help. Simply call us at 01800-91 7844.
-The Netflix Team

 

<![if !vml]>Rectangle: Rounded Corners: LOG ON <![endif]>

 

 

Netflix Inc. : Netflix Corporate Headquarters 100 Winchester Ci rcle Los Gatos, CA 95032.
You can un-subscribe to security alerts by configuring your online account.
We are sending this email to provide support for your personal online Netfl ix account.

 The actual 'log on' link points to; https://www.neftlix.su/accountbilling/index.php which has already been marked as hazardous by Google and Microsoft so no great worries here. Do be careful that you do not wander onto this site with an older browser as they have amazingly been granted a netflix domain on another suffix. The screen looks relatively convincing:

 

Fake netflix.su screen

 

If you go to the site and ignore any warnings you get a standard looking netflix login that accepts any password:

fake netflix logon

and then provides you with manufactured proof that other users have accessed your account:

Fake netflix android usage

 

Whether you respond or not you are sent through to screens requesting your name, address and card details:

 

Netflix.su enter details

 

it appears to have no validation so you can just leave them rude messages.

 

Fake netflix.su thank-you page

 

All in all a good web page visually but the idea that you need to enter your name after logging back in is a weak link and you should never enter card details into a site unless you have trple-checked teh URL in the address bar.

 

Stay safe!

Server Security Alert [email protected] Delete Request !!! Spam Warning

Server Security Alert [email protected] Delete Request !!! Spam Warning

This spam email has been received by some people this morning and earlier this week...

 

 

 

From:                              domain.com [[email protected]]

Sent:                               17 September 2018 21:02

To:                                   recipient

Subject:                          domain.com  Server Security Alert:  [email protected] Delete Request !!!

 

 

 

 

 

 

yourdomain.com

 

Dear recipient,

Our record indicates that you recently made a request to shutdown your email [email protected] and this request will be processed shortly today.

If this request was made accidentally and you have no knowledge of it, you are advised to upgrade to cancel the request now

 

 

However, if you DO NOT cancel this request, your account will be shutdown and all your email data on the yourdomain.com server will be lost permanently.

Regards.
yourdomain.com Email Administrator®

 


This message is auto-generated from E-mail security server.
This email is meant for: [email protected] 

 

 

 

The actual 'cancel server deactivation' link points to: https://www.enwise.com.au/wp-content/plugins/solve/modify/[email protected] which is a live site with a valid security certificate.

The webpage looks real enough:

 

server security alert delete request

The spammer page appears to just keep asking you for the password - I think it actually tries to verify thr login against your email whilst you wait - so be very careful with this site.

This is another wordpress compromised by a certain Bangladeshi hacker looking to retrieve passwords and subsequently blackmail people or steal from them. He leaves his name on the wordpress site after hacking:

 

Sid Gifari Bangladeshi Wordpress Hacker

 

Report this website as phishing.

Report the orignating email address as a spam source.

Stay Safe!!

Separating public WiFi from your terrestrial LAN with a DrayTek Router and Netgear Switch

Separating public WiFi from your terrestrial LAN with a DrayTek Router and Netgear Switch

In this example we are going to use an older Netgear switch as it is the one in place but this method will work equally as well for the GS752 or XS series, although the interface has been updated somewhat.

Fist of all it is important to not that the default DrayTek setup for ports is an untagged VLAN ID 10 and for Netgear it is a default untagged VLAN of ID 1

What this means is that by default, all the ports on the Netgear assume they are in VLAN1 if the data traffic packets are not 'tagged' with a number. So if you plug in your DrayTek AP910 and use the default VLAN of 10 then your WLAN will not reach your router. In this case we are not going to change any untagged port settings as we are onyl making a single 'tagged' VLAN so there will be no confusion. The important thing to note here is that each port can only have a single VLAN for 'untagged' becuase if there is no tag (no label to tell the device which VLAN to send the traffic to) then there can only be one default failback choice. There can only be one default for anything after all.

So bearing that in mind we are going to take the following action:

  1. We will make a VLAN on the DrayTek 3900 called sirclesPUB VLAN ID: 3
  2. To this VLAN we will tag the LAN port connected to the Netgear switch so that th e traffic labelled with VLAN ID:3 knows it should go to the Netgear switch.
  3. We will make a subnet associated with this LAN on the DrayTek with a different subnet to our usual 192.168.1.0/24 network
  4. We will use the inbuilt DHCP server onm the DrayTek and assign the ISPs DNS servers to the DHCP clients as they will not have access to the local Microsoft AD/DNS
  5. We will make an associated VLAN on the Netgear with VLAN ID: 3
  6. We will tag the ports connected to the DrayTek 3900 and the DrayTek AP-910 with this VLAN ID so tha the traffic know where to be routed
  7. We will associate the public WLAN with the VLAN ID so that the traffic that is tagged by the WLAN as VLAN ID: 3 remains separate and can be routed straight back to the router without interraction with the untagged default private LAN.

 

So let's get started, we login to the DrayTek 3900 and open up the LAN > General Set-up section.

 

Click Add to add a new LAN Profile, in this example we will use a Class B Subnet of 172.16.0.1/16:

 

DrayTek Vigor 3900 add LAN

 

The VLAN ID is set to 3

Our mode is NAT

Our router IP will be 172.16.0.1

We are choosing a /16 subnet

We enable DHCP server

We have chosen a huge range in this case but the WLAN is restricted to 64 clients at once by the defaul of the AP-910

We add the ISP DNS server addresses

Everything else can be left at default in this example as it is only a public Wi-Fi

Click Apply

 

In our example we see that the LAN has been successfully created:

 

DrayTek Vigor 3900 new LAN set-up

 

Now we move on to LAN > Switch section:

Under the 801.1Q VLAN section we click the Add button to add the new VLAN:

 

DrayTek Vigor 3900 new VLAN

 

We are making the SFP (fibre module) the tagged member in this case (DrayTek just call it a member rather than tagged) and we do not touch the untagged settings as we could lock ourselves out of the router if we do! In this set-up the DrayTek connects to the Netgear via SFP but you may well be selecting LAN_Port_1 in your example.

Click Apply to create the VLAN.

Now we have a separate network on a separate IP range with a tagged VLAN ID of 3, we must tell the Netgear switch to expect this tagged information on certain data packets and tell it what to do with them.

 

Open up the Netgear interface on your switch by browsing to the IP address.

Open up switching > VLAN

Create a new VLAN: 

Netgear GS748 add VLAN

 

We have given it a name to show what it is for but the name is just a label and only the VLAN ID: 3 is important

 

We now go to the member ship of the VLAN to choose the ports under Advanced:

 

Netgear GS748 VLAN Advanced

 

We choose the VLAN ID at the top to be our chosen new VLAN ID of 3

in this case the switch is describing itself as unit 1 and so we click the text to reveal all the ports:

 

Netgear GS748 VLAN Membership

We are tagging the ports and so they need to be populated with a T for Tagged

Port 5 is where our DrayTek AP910 is plugges in (there must be no other switches in between or you will have to configure them for the VLAN also)

Port 45 is our SFP for the fibre

Now we click Apply and we are ready to configure our public Wi-Fi:

I am using the central AP management feature of the DrayTek 3900 and so I browse to the WLAN profiles and select the SSID of the public network:

 

DrayTek central AP management public Wifi VLAN

 

As you can see we have set the VLAN ID to be 3 and the security as Disabled

 

Using a mobile device I connect to sirclesPub wifi:

 

 Public Wi-Fi Mobile IP Address confirmation

 

As we can see under the information section in the Wi-Fi settings  the system has been assigned the correct IP range and cannot communicate with the private LAN.

Spam Warning: Automated Intuit Notification

Spam Warning: Automated Intuit  Notification

 

This email has been spotted this week:

 

 

 

From:                                                       Intuit Inc. <quickbooks@busek.com>

Sent:                                                         Tuesday, July 17, 2018 3:28 PM

To:                                                            Recipient

Subject:                                                   Automated Intuit  Notification

 

 

Stop waiting weeks for checks to arrive.

 

Intuit QuickBooks

 

Dear customer,

 This message has been sent to you by Intuit Inc. Make sure you click on the web link listed below to view Invoice details.

Your Invoice ID: INV15725381 has been settled and available below.

See your receipt

We appreciate your business with us and thank you for working with Intuit.

 

Need help?.

Call 800-267-3519

Talk to a Pro

 

Facebook

Twitter

Youtube

LinkedIn

Download the QuickBooks App for iOS on the App store

Get the QuickBooks App for Android on Google Play

 

 

 

 

Intuit and ProConnect are brand marks of Intuit.

Terms and conditions, pricing and service options are subject to change without the need of notification.

Personal privacy.

2008-2018 Intuit Services Inc..  All rights reserved..
1600 W. Commerce Center Place, Tucson, AZ 85506

 

TrustE Verified

                                                           

The originating email is obviously wrong - Busek.com

 

The 'See you receipt' link takes you to: http://njdiscrim.com?3Xf80q=QAUSY1CQVUFS1QXOBsGSJTHS

 

Which is obviously not an Intuit Quickbooks link, they have not bothered with a certificate or any other measures to fein authenticity.

 

The offending website has already been removed so no immediate danger.

 

Most of the Intuit company links are as they would have been originally.

Spam Warning: Apple Alert Regarding Your Recent Purchase

Spam Warning: Apple Alert Regarding Your Recent Purchase

 

This email has been seen by a number of people this week - it is not a particularly convincing one, but it deserves to be mentioned in case it may cauase any damage...

The email appears as:

 

 

 

From:                                                       Apple Inc <[email protected]>

Sent:                                                         Thursday, July 12, 2018 7:22 PM

To:                                                            Recipient

Subject:                                                   Apple Alert Regarding Your Recent Purchase

 

 

 

 

 

 

 

Apple

Recent Order

 

 

    

 

Your Apple ID was just used to purchase from Apple Online store on a device that hadn't previously been related with your ID. You may be getting this e-mail if you reset your password since your previous order.
If you placed this order, you can disregard this e mail. It was only sent notify to you in case you didn't make the purchase yourself.

See Details Here

In case you did not make this purchase, we highly recommend that you go to  to modify your security password, then see Apple ID: Security and your Apple ID for additional assistance

All the best,
Apple Team

 

 

 

Apple

 

 

 

Apple ID Summary     Terms of Sale     Privacy Policy

 

 

 

Copyright 2018 Apple Inc.,

 

 

 

The email addres obviously doesn't stack as it is from [email protected] and not Apple and the link described as see details here is pointing to http://dryerventwizarduniversity.mobi?3I=QIUBNYQASHUBQYUDP which again isn't a very convincing domain as it doesn't even have Apple in it.

If you do click the link you are taken to a non-existant website and so the email can do no harm:

No such site

Either way this email shoudl be marked as spam and the address marked as a spam source.

The IdealOfficeInc.com has no SPF record: 

No SPF for domain

 

and so this may well be why it was chosen. SPF (Sender Policy Framework) is a simple way of informing other email servers of which IP addresses your emails are likely to originate from and not having one means that poeple are more likely to spoof your address as we see in this case.

At sircles we would always advise having a full SPF and DKIM/DMARC set of records to stop spammers impersonating you.

Spam Warning: OnlineInvoices Automated Service Notice

Spam Warning: OnlineInvoices Automated Service Notice

 

This email has been seen both this week and last week, and is obviously a phishing attack.

The email itself looks fairly harmless,but there is a real company by this name that sends out invoices and so customers could easily be duped.

 OnlineInvoices Spam

 

The HTML version is as follows:

 

 

 

From:                                                       OnlineInvoices Inc All Rights Reserved. <[email protected]>

Sent:                                                         Thursday, June 28, 2018 7:15 PM

To:                                                            Receipent

Subject:                                                   OnlineInvoices Automated Service Notice

 

 

 

Online Invoices

 

Invoice Notice

 

 

 


Greetings,

The following payment notification is sent to you by OnlineInvoices Inc from Alliance One. Please click the link below to see an invoice

 





$1,260.00
Number:44065537933

 

 

 

 

2012-2018 OnlineInvoices. All rights reserved
Izam Inc. , 2851 Centerville Ave., Suite 300, Wilmington, DE 19805

 

 

 

 

Now the link 'See Invoice' actually points to: http://itzzs.net?7l=QAUSY1CQVUFS1QXOBsGSJTHS which is sort of dangerous as the original company was started by Izzam group which sort of resembles this link, but if you are being careful you will notice that this link is bogus before proceeding too much further.


We can also see that the originating email address is: [email protected] which is obviously incorrect.

If we attempt to visit the site, we can see that it has already been shut down:

Itzzs.net site shut down

 

And so no longer poses a threrat.

Please do report these emails as spam as well as this site if you get the chance.

You can see how here: https://blog.sircles.net/post/2018/05/17/reporting-fraudulent-websites-with-your-browser

 

Spam Warning - New Order.11405
Spam Warning - New Order.11405 We have been seeing this email today which does have quite a good fake Office 365 document download page. There is a spate of these emails now that are just trying to get your Office365 password - you will never have to type your Office365 password in to another site - in fact your browser will usually remember your password for the correct sites ans so you should never have to type it in again at all. If you have typed your Office365 password into a site to recover a document that turned out to be missing, you should log into office.com and change your password now.
The Fitness Finder App - GTme - Find your Fitness Freedom
Find your fitness freedom with GTme No contracts or subscriptions Register on the app Find the class you wish to attend on the app map Reserve your place in the class Pay for your exercise session Go along!
americanmotorhome.com This domain is now for sale

With an estibot value of $2900 this is a sought after domain

We are interested in getting £1000 GBP so this is a short-term money maker for anyone interested...