
The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

Spam Warning: Important Docs Secured ShareFile Attachment

Watch out for this email doing the rounds this week:

From: Tracy Turner <tturner@brealzeta.com>
Sent: Thursday, July 19, 2018 5:07 PM
Subject: Important Docs

Secured ShareFile Attachment

Expires July 20, 2018

Brealzeta.pdf

568.9 KB

Review Documents

I used WeTransfer to send documents to you securely. Learn More.

If you need any further assistance, then do not hesitate to contact me.

Tracy Turner
Breal Zeta CF Ltd
t: 07803 178446

The 'Review Documents' link actually points at https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26

So be careful here - this is a site served over HTTPS with a valid SSL certificate, so the padlock alone tells you nothing about who runs it:

The domain theqfotaaerwrcgfd.co.uk appears to be running on a cPanel server with a certificate from Comodo for cPanel.

From the look of the site:

They seem to be impersonating WeTransfer and ShareFile at the same time, so this is obviously quite a big scam.

The website has been thoughtfully put together to steal important credentials, and a person who knows a Tracy Turner could easily enter all three of their Google, Office 365 and GoDaddy details.

The GoDaddy one is crafty, but obviously no document-storage service in the world would ask for your internet domain credentials.

If you click the 'others' option, then you are taken through to a WeTransfer impersonation site:

https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5e%25&*(*%5e$%25%5e&%25%5e$%25%23%23$%25%5e&/email_signin/index.html

This is again a convincing-looking site, served with the same certificate.

A WHOIS lookup on the hosting IP address returns this:

% Information related to '89.36.218.0 - 89.36.218.255'

% Abuse contact for '89.36.218.0 - 89.36.218.255' is 'abuse@staff.aruba.it'

inetnum: 89.36.218.0 - 89.36.218.255
geoloc: 50.10 8.70
netname: CLOUD-DE
descr: Cloud Services DC05
country: DE
admin-c: SS936-RIPE
tech-c: AN3450-RIPE
status: ASSIGNED PA
mnt-by: ARUBA-MNT
mnt-lower: ARUBA-MNT
mnt-routes: XANDMAIL-MNT
created: 2016-01-11T14:37:36Z
last-modified: 2016-01-11T14:37:36Z
source: RIPE

role: ARUBA NOC
address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
abuse-mailbox: abuse@staff.aruba.it
admin-c: SS936-RIPE
tech-c: SC279-RIPE
nic-hdl: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2008-11-19T19:02:34Z
last-modified: 2017-11-15T08:13:57Z
source: RIPE # Filtered

person: Susanna Santini
address: Aruba S.p.A.
address: Via S.Clemente, 53
address: 24036 Ponte San Pietro (BG)
phone: +39 0575 0505
fax-no: +39 0575 862000
nic-hdl: SS936-RIPE
mnt-by: ARUBA-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2017-11-15T08:14:40Z
source: RIPE # Filtered

% Information related to '89.36.216.0/22AS200185'

route: 89.36.216.0/22
descr: Aruba GmbH Cloud Network DC05
origin: AS200185
mnt-by: ARUBA-MNT
created: 2015-12-09T12:07:07Z
last-modified: 2015-12-09T12:07:25Z
source: RIPE

We will email the abuse address to report these sites...
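Pulling the report-to address out of that WHOIS output and checking the link target against the brands the mail name-drops, as an added Python example (my code, not from the original post): the WHOIS sample is a constructed excerpt trimmed from the output above, and the brand-to-domain table and the co.uk suffix heuristic are my assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Brands the lure invokes, and the domains that really serve them (assumed table).
CLAIMED_BRANDS = {"wetransfer": "wetransfer.com", "sharefile": "sharefile.com"}
# Link target and body fragment from the phishing mail; WHOIS text is a
# constructed excerpt trimmed from the RIPE output quoted in the post.
LINK = ("https://theqfotaaerwrcgfd.co.uk/ces/ffw/"
        "(*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26")
BODY = "Secured ShareFile Attachment. I used WeTransfer to send documents to you securely."
WHOIS_SAMPLE = """% Abuse contact for '89.36.218.0 - 89.36.218.255' is 'abuse@staff.aruba.it'
inetnum: 89.36.218.0 - 89.36.218.255
netname: CLOUD-DE
country: DE
abuse-mailbox: abuse@staff.aruba.it
source: RIPE # Filtered
"""

def registrable_domain(url: str) -> str:
    """Rough eTLD+1: keeps three labels for two-part suffixes such as co.uk."""
    parts = (urlsplit(url).hostname or "").lower().split(".")
    keep = 3 if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"} else 2
    return ".".join(parts[-keep:])

def decoded_path(url: str) -> str:
    """Percent-decode the path; here it reveals a keyboard-mash directory name."""
    return unquote(urlsplit(url).path)

def brand_mismatch(url: str, body_text: str) -> list[str]:
    """Brands named in the mail whose real domain differs from the link's domain."""
    domain = registrable_domain(url)
    text = body_text.lower()
    return [b for b, real in CLAIMED_BRANDS.items() if b in text and domain != real]

def parse_whois(text: str) -> dict[str, list[str]]:
    """Collect RIPE 'key: value' attributes, dropping '%' comments and '# Filtered'."""
    attrs: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z-]+):\s*(.+?)\s*(#.*)?$", line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs

def abuse_contacts(text: str) -> list[str]:
    """Abuse mailboxes from both the attribute and the RIPE comment line."""
    found = set(parse_whois(text).get("abuse-mailbox", []))
    found.update(re.findall(r"Abuse contact for .* is '([^']+)'", text))
    return sorted(found)
```

Calling brand_mismatch(LINK, BODY) flags both WeTransfer and ShareFile as impersonated, and abuse_contacts(WHOIS_SAMPLE) gives the single address to report to.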