sircles.net Computer Support The sircles IT support & solutions blog | Fraud

The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

Spam Warning: You received notification from DocuSign Signature Service

7. August 2018 06:48 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM

You may see the following email, purportedly from DocuSign. We have seen it caught by most spam filters, but on other occasions it has got through.

From: DocuSign Signature Service <docusign@pehache.com>
Sent: Monday, August 6, 2018 5:21 PM
To: Recipient
Subject: You received notification from DocuSign Signature Service

DocuSign

Review and sign this document.

 

Dear Receiver,

Please review this invoice
It is an automatically generated invoice.

 

This email contains a secure information. Do not share this code with other people.

Additional Signing Way
Please visit DocuSign.com, click on 'Access Documents', and enter the security code: F80B75BEF7

About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management.

Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.

If you are having trouble signing the document, please see the Help with Signing page on our Webpage .
 

Review Invoice

This message was sent to you by DocuSign Electronic Signature Service.

The 'view invoice' link actually points at: http://keithharenda.com?6d50=QAUSY1CQVUFS1QXOBsGSJTHS, an unsecured (plain HTTP) site which appears to have been compromised. The folder appears to have already been removed.

We have also seen http://nashvillechildfamilywellness.com?20Yy5=QAUSY1CQVUFS1QXOBsGSJTHS used by the same email.

The 'review invoice' link at the bottom points to: http://kphbuilds.com?7P62A=QAUSY1CQVUFS1QXOBsGSJTHS, which also appears to have been shut down.

Report the sender of this email; the pehache.com domain does not appear to be functioning either.

Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes.

1. August 2018 12:35 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM

This email was received this week by the sircles spam catcher:

From: TaxesGreat-Britain <seminar@toitumosi.jp>
Sent: Wednesday, August 1, 2018 9:26 AM
To: Support
Subject: (1) New message from GB Revenue and Taxes.

-

Taxes&Revenue have detected that you have paid too much tax in the past

 

* Therefore we applied P800WForm to issue a reimbursment.

--we tried to send it to you automatically.

--we don't have your card details on file.

--have your credit/debit card ready

Reimbursement Information

* We applied P800WForm to issue a reimbursment.

* Receipt date : 01 August 2018.

* Amount: 670.25 GB P.

Delivery-Information

Card Type: VISA
Credit Card: ****-****-****-****
Amount: 670.25
Transaction Date: 01/08/2018
Transaction #: 419277

Total: 670.25 GB P

-

As you can see, the originating address is actually in Japan, so it probably isn't that likely to give me a tax refund after all :(

The 'GB P' is a bit of a giveaway too, as even in London most people still use the British Pound without needing to be told.

The 'Claim Funds' link points to: http://mocosi.co.za/img/acgetopai/ which Chrome has already flagged as deceptive and Microsoft Edge has flagged as unsafe.

The actual site:

Once you make your selections they take you to:

HMRC do not know your banking details, and will never ask you to confirm your identity with your card details or account number. This site is not secure (plain HTTP) and should therefore not be accepting card details anyway.

Never enter card details without checking that the padlock in the address bar is showing as green or OK. Always check the domain in the address bar, all the way up to the first /, and make sure it is just the expected domain, like sircles.net, with nothing following it except what comes after a /.

Report this email and report the website.

Be safe!!!

Spam Warning: Important Docs Secured ShareFile Attachment


Watch out for this email doing the rounds this week:

From: Tracy Turner <tturner@brealzeta.com>
Sent: Thursday, July 19, 2018 5:07 PM
Subject: Important Docs

Secured ShareFile Attachment

Expires July 20, 2018

Brealzeta.pdf

568.9 KB

Review Documents

I used WeTransfer to send documents to you securely. Learn More.

If you need any further assistance, then do not hesitate to contact me.

Tracy Turner
Breal Zeta CF Ltd
t: 07803 178446

The 'Review Documents' link actually points at https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26

So be careful here: this is a site served over HTTPS with a valid SSL certificate, so the padlock alone tells you nothing about whether it is genuine.

The domain theqfotaaerwrcgfd.co.uk appears to be running on a cPanel server with a certificate from Comodo for cPanel.

 

From the look of the site:

They seem to be impersonating WeTransfer and ShareFile at the same time, so this is obviously quite a big scam.

The website has been thoughtfully put together to steal important credentials, and a person who knows a Tracy Turner could easily enter their Google, Office 365 and GoDaddy details into all three forms.

The GoDaddy one is crafty, but no document storage service anywhere would ask for your internet domain credentials.

If you click the 'others' option, then you are taken through to a WeTransfer impersonation site:

https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5e%25&*(*%5e$%25%5e&%25%5e$%25%23%23$%25%5e&/email_signin/index.html

This is again a convincing-looking site using the same certificate.

The IP address gives this data:

% Information related to '89.36.218.0 - 89.36.218.255'

% Abuse contact for '89.36.218.0 - 89.36.218.255' is 'abuse@staff.aruba.it'

inetnum: 89.36.218.0 - 89.36.218.255
geoloc: 50.10 8.70
netname: CLOUD-DE
descr: Cloud Services DC05
country: DE
admin-c: SS936-RIPE
tech-c: AN3450-RIPE
status: ASSIGNED PA
mnt-by: ARUBA-MNT
mnt-lower: ARUBA-MNT
mnt-routes: XANDMAIL-MNT
created: 2016-01-11T14:37:36Z
last-modified: 2016-01-11T14:37:36Z
source: RIPE

role: ARUBA NOC
address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
abuse-mailbox: abuse@staff.aruba.it
admin-c: SS936-RIPE
tech-c: SC279-RIPE
nic-hdl: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2008-11-19T19:02:34Z
last-modified: 2017-11-15T08:13:57Z
source: RIPE # Filtered

person: Susanna Santini
address: Aruba S.p.A.
address: Via S.Clemente, 53
address: 24036 Ponte San Pietro (BG)
phone: +39 0575 0505
fax-no: +39 0575 862000
nic-hdl: SS936-RIPE
mnt-by: ARUBA-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2017-11-15T08:14:40Z
source: RIPE # Filtered

% Information related to '89.36.216.0/22AS200185'

route: 89.36.216.0/22
descr: Aruba GmbH Cloud Network DC05
origin: AS200185
mnt-by: ARUBA-MNT
created: 2015-12-09T12:07:07Z
last-modified: 2015-12-09T12:07:25Z
source: RIPE

We will email the abuse address to report these sites...

SECURITY ALERT - Tesco Bank Spam Scam

12. June 2018 07:33 by sirclesadmin in Fraud, Online Fraud, SPAM

Beware of these fake Tesco spam emails:

From: TescoBankOnline@mail.net
Sent: 11 June 2018 16:24
To: Recipient
Subject: SECURITY ALERT

SECURITY ALERT  

You are receiving this email because we noticed an attempt to sign in to your account from an unrecognised device. Our system has blocked this sign in attempt as a security measure. 


In order to safeguard your account information we have temporarily restricted your access to certain features within our online banking system. To restore full access please click the link below to validate your account information.

Please note:
 Failure to restore full access can lead to permanent suspension of access to our online banking service.

==================================================
Get Started ⇨
==================================================

Best regards,


Tesco Online Banking Team

The 'Get Started' link actually takes you to: https://newsforeveryone.top/tescoOnline/index.php

Cloudflare has already labelled this site as phishing:

🤖 Cryptocurrency Auto Trading Robot Beta made Scage rich! SPAM!!!!

29. May 2018 15:36 by sirclesadmin in Fraud, Online Fraud

Beware of the latest brand of spammers who bring together two elements of the modern financial world - Cryptocurrency and Artificial Intelligence.

They claim to have AI computers that deal in cryptocurrency on your behalf and so make you huge sums of money.

These supposed companies - invariably they are registered on an island in the Caribbean - offer to get these computers to deal on your behalf day and night in order to increase your capital.

Before you invest with anyone, get opinions from a finance professional so that you can be sure that you are not about to be ripped-off.

If we take a look at this con, we can see a few elements that are typical in their setup.

First they use email to entrap:

As you can see, the email arrives from:

Cryptocurrency Robot Augustine <augustine_116@www.cryptotraderuk.cf>

And the email reads:


* Beta Test Invitation *

 Your invitation code: DFlgiYtv4216

 This amazing Cryptocurrency AUTO TRADING robot can make you rich!

 Do you know Bitcoin? Ethereum? Ever heard about Ripple? Cryptocurrencies is the future! While the market is growing fast, this is the best opportunity to take advantage and earn a million or two this year!

http://www.cryptotraderuk.cf/invite/cUk4WFG0bid1L

Auto Trading software utilizes special alghoritms and artificial intelligence to trade cryptocurrencies while you sleep!

Just imagine waking up every day and see 2-3k GBP on your account!

 First results are amazing - join us while registration is still open!

http://www.cryptotraderuk.cf/invite/cUk4WFG0bid1L

 Auto Trading is a way to get rich in 2018!

 Use the invitation code above to receive an extra 1,000 GBP after registration!

Click this link to start trading:

http://www.cryptotraderuk.cf/invite/cUk4WFG0bid1L

 

Don't wait before it's too late!

You will thank me later!

 

Cheers,

Augustine

 

---------------------------------------------------------------------------

--

This message has been sent automatically because scage@letsignit.com has requested us to send you this invitation.

Sender IP address: 51.185.158.173

The country code CF is for the Central African Republic, which is not a likely source for someone recommending cryptocurrency trading in the UK.

Now let's have a look at the site itself from http://www.cryptotraderuk.cf/invite/cUk4WFG0bid1L

We appear to have been forwarded to https://cryptocode.online/, which is obviously a way of making you think you are still looking at a company in your own country.

If we run a Who.is lookup to see who owns this site, we see:

Registrant Country: CN
Registrar: ERANET INTERNATIONAL LIMITED (IANA ID: 1868; URL: http://www.now.cn/; Whois Server: whois.todaynic.com)
Registrar Status: serverTransferProhibited, clientTransferProhibited
Dates: 29 days old; Created on 2018-04-30; Expires on 2019-04-30; Updated on 2018-05-05
Name Servers: ANDY.NS.CLOUDFLARE.COM (has 7,758,752 domains); ZITA.NS.CLOUDFLARE.COM (has 7,758,752 domains)
Tech Contact:
IP Address: 77.87.77.124 - 4 other sites hosted on this server
IP Location: Poland - Lodzkie - Radomsko - Euronet S.c. Jacek Majak Aleksandra Kuc
ASN: Poland AS197226 SPRINT-SDC, PL (registered Aug 17, 2010)
Website Title: None given.
Server Type: nginx
Whois Record (last updated on 2018-05-29)

Cloudflare does not host anything itself; it is an intermediary that proxies traffic in front of the real server.

So here is the site:

So immediately we notice that this site has been thrown together using a simple template, and they haven't even bothered to change most of the icons and photos before publishing. Whoever 'Derrick Simmons, CEO' is, his photo and name are undoubtedly fake.

If we look further down the page:

This site is not affiliated in any way with Time Magazine, Forbes or CNN - be extremely careful of any site that you arrive at from email.

No one has just 'won' $4576 USD - this site is not even offering a lottery.

Notice it is a secured version of the site at: http://smartcryptocode.com 

Cryptocode.online is served over HTTPS, so it is evidently a newer version of the site above...

If we enter our details in one of the endless pop-up requests for our email and name, we are taken to: https://www.365markets.com/ 

Now this is a website requesting money to be deposited which means that it is extremely dangerous and you should not enter any personal or banking details at any time. 

The company is registered in Bulgaria, at R.A. Hadzhi Dimitar bl., 113., en A., fl. 4, app 8, Sofia 1510, Bulgaria but their live chat is not functioning now - 5pm their time - in the working week.

There is a Bulgarian phone number, which I will not call, but one is required to keep the website open under EU and Bulgarian law.

If we look at the certificate of this HTTPS site, it is a Cloudflare SSL certificate whose actual name is sni65230.cloudflaressl.com. The following sites are then added as Subject Alternative Names:

 
*.365markets.com
*.4copas.com
*.aeoslibrary.tk
*.britishlibrary.cf
*.bulgarianbooks.ml
*.bulgarianbooks.tk
*.crazytech.eu.org
*.crypto-robot.com
*.crypto1.io
*.dutchbooks.ml
*.entireperformance.com
*.firststrategyltd.co
*.futurebpo.com
*.garycarmell.com
*.genhd.be
*.infinitrade.com
*.luckybooks.ml
*.maxcfd.com
*.mediatechland.com
*.naughty.eu.org
*.obelisklibrary.cf
*.oneplacetemplates.eu.org
*.oraclelibrary.ml
*.oriontraffic.com
*.pixicontech.com
*.primelibrary.cf
*.probelibrary.gq
*.probelibrary.tk
*.quantomcode-vip.com
*.rallyslot.es
*.randomtechco.com
*.rioabturbio.com
*.serbskiy.com
*.shewolfphotography.com
*.uniquebooks.cf
*.utorontolibrary.cf
*.valleylibrary.tk
*.vaticanlibrary.gq
*.vipgirl.club
*.viplounge.top
*.xenmarltd.com
365markets.com
4copas.com
aeoslibrary.tk
britishlibrary.cf
bulgarianbooks.ml
bulgarianbooks.tk
crazytech.eu.org
crypto-robot.com
crypto1.io
dutchbooks.ml
entireperformance.com
firststrategyltd.co
futurebpo.com
garycarmell.com
genhd.be
infinitrade.com
luckybooks.ml
maxcfd.com
mediatechland.com
naughty.eu.org
obelisklibrary.cf
oneplacetemplates.eu.org
oraclelibrary.ml
oriontraffic.com
pixicontech.com
primelibrary.cf
probelibrary.gq
probelibrary.tk
quantomcode-vip.com
rallyslot.es
randomtechco.com
rioabturbio.com
serbskiy.com
shewolfphotography.com
uniquebooks.cf
utorontolibrary.cf
valleylibrary.tk
vaticanlibrary.gq
vipgirl.club
viplounge.top
xenmarltd.com

All of these sites sit behind the same Cloudflare edge servers, which is why they share a single certificate.

Reporting Fraudulent Websites with your Browser

17. May 2018 07:39 by sirclesadmin in Internet Security, Fraud, Phishing

When you receive an email that links to a fraudulent site, you should report that site to your browser provider so that other users can be saved from falling into the intended trap.

When an email tells you a site is giving you something, and on arrival you are asked to make a payment, that is a form of misrepresentation, which is phishing. You should report phishing sites to Google:

https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

The advantage of reporting to Google is that they will adjust Google Chrome to warn people, and that is currently the most popular browser on Earth.

If the site you are sent to by a suspicious email tries to download a file to your computer (no matter what the file purports to be), then it is most likely a malicious software site. These pages should be reported by pasting the URL from the browser address bar into the following Google page for malicious software sites:

https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en

You can also read about Google's preventative measures programme against harmful internet use here:

https://safebrowsing.google.com/

If you are using Microsoft Edge or Internet Explorer, you can also report fraudulent sites. 

You can open the old-style Internet Explorer by pressing the Windows key + R, entering iexplore and pressing OK.

From the Safety menu, point to SmartScreen Filter, then click Report Unsafe Website.

Select one or both of the following check boxes you feel to be appropriate:

  • I think this is a phishing website
  • I think this website contains malicious software

If you are using Firefox, or if you wish to report the site to Mozilla to help more people, you can report fraudulent sites to Mozilla here:

https://www.mozilla.org/en-US/about/legal/fraud-report/

Here you can choose from:

  • Domain name
  • Collecting personal information
  • Charging for software
  • Logo misuse (phishing)
  • Distributing modified Mozilla/Malware

And choose which products are affected.

In general it is always worth checking that the site is secured (a padlock in the browser address bar, or the https shown in green, etc.) and that the domain is correct. The domain is the last item in the address bar before the first / (forward slash); many fraudulent domains trick us with addresses like facebook.com-uerjfnf0e837e3e0d0y.uzbxyn.com/webapp/ye.js or facebook.com.wifubd97fidn9.interstrartter.net/webapp/ku.js. Notice that in each case facebook.com is followed by a hyphen or a dot instead of the forward slash / that marks the end of the domain, so the real domain is uzbxyn.com or interstrartter.net.
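As an added example (not code from the sircles post), the following Python applies the domain rule above mechanically: it takes the host part of a URL up to the first /, ? or # (the DocuSign links earlier on this page end the host with a ?), strips any user@ prefix or :port, and accepts the host only if it is the expected domain or a genuine subdomain of it. The sample URLs are the two look-alike hosts quoted above, one link from the DocuSign post, and constructed ones using the reserved .invalid domain.

```python
from urllib.parse import urlsplit

# Constructed sample inputs: a genuine Facebook login URL, the two look-alike
# hosts quoted in the post, a link whose host is ended by '?' rather than '/'
# (from the DocuSign post on this page), and a made-up user@host trick where
# 'facebook.com' is the userinfo part, not the host.
SAMPLE_URLS = [
    "https://www.facebook.com/login/",
    "http://facebook.com-uerjfnf0e837e3e0d0y.uzbxyn.com/webapp/ye.js",
    "http://facebook.com.wifubd97fidn9.interstrartter.net/webapp/ku.js",
    "http://keithharenda.com?6d50=QAUSY1CQVUFS1QXOBsGSJTHS",
    "https://facebook.com@uzbxyn.invalid/webapp/",
]


def _split(url: str):
    # A bare 'host/path' string is treated as http://host/path.
    return urlsplit(url if "://" in url else "http://" + url)


def host_of(url: str) -> str:
    """Return the real host of a URL: the text after '://' up to the first
    '/', '?' or '#', with any user@ prefix and :port removed and lower-cased."""
    return (_split(url).hostname or "").rstrip(".")


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host *is* the expected domain or a genuine subdomain of it,
    i.e. the expected name is the whole host or is preceded by a dot.
    'facebook.com-xyz.example' and 'facebook.com.xyz.example' both fail."""
    expected = expected_domain.lower().strip(".")
    host = host.lower()
    return host == expected or host.endswith("." + expected)


def check_url(url: str, expected_domain: str) -> dict:
    """Combine the two checks the post recommends: is the padlock (https)
    present, and is the host really the expected domain?"""
    host = host_of(url)
    return {
        "host": host,
        "https": _split(url).scheme.lower() == "https",
        "genuine_domain": belongs_to(host, expected_domain),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(check_url(u, "facebook.com"), u)
```

Note that the last sample passes the https check but fails the domain check, which is exactly why both checks are needed.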

 

💸 Incoming BitCoin Transfer - You received 0.881110 BTC!

17. May 2018 07:24 by sirclesadmin in Internet Security, Fraud, SPAM, Phishing

The following email has been reported as currently active:

Hello,

You just received 0.881110 BitCoin incoming transfer from Info.

Sender: info@sthildas.oldham.sch.uk

Receiver: recipient email

Amount: 0.881110 BTC

Deadline: 23-05-2018 13:19:28

Transfer has been made from account holder:

c23cb46b19164de4ea6667a27c7c95bab1a6509b76a9fae2856d7a8cf72b950e

Accept the transfer now:

http://www4.bitcoin-gb.tk/claim/uk4njQORyWgrV0hS

Only 7 days remaining to accept your BitCoin transfer! If you do not accept this transfer, the money will be returned to sender.

To claim your BitCoin please visit the link below:

http://www4.bitcoin-gb.tk/claim/uk4njQORyWgrV0hS

Best regards,

Roxana Rigby

Bitcoin Account Manager

The link forwards you to:

https://cryptocode.online/

Whenever there is a supposed quick way to increase capital, con artists quickly attach themselves to the name in the hope of riding the excitement in order to rip people off. Any cryptocurrency such as Bitcoin is a huge risk to invest in and should be treated with EXTREME caution. This website is not an investment site but an attempt at taking money on the back of Bitcoin's reputation: do not enter your name, report this site as fraudulent using your browser, and mark this email as spam and/or phishing.

The intent of this email is fraudulent, and so it is safe to assume that the website is fraudulent also. Any testimonials are contrived and should not be believed.

You can report fraudulent websites with the help of this page which tells you how to report fraudulent or malware websites.

Natwest Spam: Incomplete Security Information


You may receive the following message, purporting to be from NatWest:

From: NatWest <info@ipconnect.de>
Sent: Date
To: Recipient
Subject: Incomplete Security Information

Incomplete Security Information

Hello,


Information we use to determine the security of your account is missing we need you to confirm as soon as possible.

 

Details:
You are required to review and update missing information*

We have temporarily suspended your online access to prevent any loss to your balance until you securely submit missing information: Click below to continue

RESTORE MY ACCOUNT

 

 

Thank You,
The NatWest Accounts team

 

*The location is approximate and determined by the IP address it was coming from.

This email can't receive replies. For more information, visit the NatWest Accounts Help Center.

You received this mandatory email service announcement to update you about important changes to your NatWest product or account.

© 2018 NatWest Inc.,

The link in the message tries to take you to: http://www.betonruettler.at/statistik/nwolb/index.php

Please mark it as spam. The website appears to have already been fixed and the bad content removed... :)


Disability Action Alliance - DAA Receipt#

From: invoice@culqi.net on behalf of Disability Action Alliance – DAA <invoice@culqi.net>
Sent: Date
To: Recipient
Subject: Receipt # 8453985   Receipt # 9599113

Payment Receipt

YOUR PAYMENT HAS BEEN PROCESSED

Your payment has been received, please find attached your PDF invoice.

Spam: Receipt # 255247


Beware of these fake receipts:

Payment Receipt

YOUR PAYMENT HAS BEEN PROCESSED

We send  Google.Docs document.

Link points to: https://www.ethereumpower.io/itr_inv_doc.zip

This downloads an itr_inv_doc.zip file, which will presumably infect your computer with malware such as a rootkit.

We have reported the Google link and the website as well as marking the email as spam - please do the same if you receive one of these.