sircles.net Computer Support The sircles IT support & solutions blog | Internet Security


Netflix Spam - Your Netflix Membership is on hold - netflix-restrictions.com

9. November 2017 07:56 by sirclesadmin in Internet Security, SPAM

 

This is a well-targeted spam, even if it appears to be caught by most antispam filters before first contact.

They have even bought a custom domain name, but perhaps that was their first mistake...

 

 

 

Anyway the email arrives thus: 

 

From:                                         Netflix <contact@netflix.ssl.com>

Sent:                                           03 November 2017 10:26

Subject:                                     Your Netflix Membership is on hold

 

 

 



We recently failed to validate your payment information we hold on record for your account,
therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details.

Click here to verify your account

Failure to complete the validation process will result in a suspension of your netflix membership.

We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details.

This process will only take a couple of minutes
and will allow us to maintain our high standard of account security.


Netflix Support Team



This message was mailed automatically by Netflix during routine security checks. We are not completely satisfied with your account information and required you to update your account to continue using our services uniterrupted.

 

 

 

 

Besides misspelling 'uninterrupted', the email is fairly believable, as this kind of thing happens all the time.

Hovering over the link reveals webcmd.netflixusersupport.billingupdate.netflix-restrictions.com, which is not a valid Netflix.com domain, but then PayPal use all sorts of paypal-notification.com type domains.

Either way, the domain had already been shut down by Netflix, so no great worries here. But bear in mind they will be targeting other pay-per-view services and will have a new website in no time, so beware.

 

But still enjoy the internet and be safe!

PayPal Spam: Notice: Ticket Number PD-0BC-59C7-2EB4-7854FE0

23. October 2017 07:13 by sirclesadmin in Internet Security, SPAM

 

Watch out for this one doing the rounds at the moment....

 

 

From:                                         accountsupportuplode@mail-qf966.getresponse.com on behalf of account.support.uplode@resgateparacristo.com.br

 

Subject:                                     Notice: Ticket Number PD-0BC-59C7-2EB4-7854FE0

 

 

PayPal

This is an automated email, Please de not reply.

Hi there,

We Are Sorry To Inform You For That But Your Account Has Been Limited To continue using your account, you must make mandatory update your information.

1-  Click on "Confirm Your Account"

2- Log In Enter email and password

3- Verify Your Informations To Activate Your Account

 

Source: Security team

© 1999–2016. 1401 Walnut, Suite 500, Boulder, CO 80302 USA

 

Amala Building, Elavungal Road, 682025, Cochin, India

You may unsubscribe or change your contact details at any time.


 

As you can see, the above contains getresponse links, which is a nice touch. The destination of the 'Confirm Your Account' button has already been deactivated, but this email should be reported as spam nonetheless, just to dissuade further phishing blunders...

HM Revenue & Customs <taxrefund2017@hmrc.gsi.gov.uk> Spam Email

18. October 2017 11:42 by sirclesadmin in Internet Security, SPAM

 

Beware of these circulating today - they are just an HTML attachment but are pretty impressive...

 

 

 

From:                                                       HM Revenue & Customs <taxrefund2017@hmrc.gsi.gov.uk>

Sent:                                                         Wednesday, October 18, 2017 8:20 AM

Subject:                                                   REFUND: GBP 643.55

Attachments:                                         Form - ID 791827938.html

 

Refund Form - ID 791827938

Dear Customer,

After the last annual calculations of your fiscal activity we have discovered that you are eligible to receive a tax refund of GBP 643.55.

Kindly complete the tax refund request and allow 1-3 working days to process it.

Please download the form attached to this email and confirm your tax refund.

A refund can be delayed for a variety of reasons.

For example: Submitting invalid records or applying after the deadline.

 

Containing the attachment: 

HMRC - Online Tax Refund

  

Refund Form - ID 791827938

Please enter your Personal Information and a valid Credit / Debit Card where you want the refund to be made.
* indicates required information.











Please enter your Credit / Debit card where refunds will be made








For security reasons, we recommend that you close your browser after you have finished the refund process.

Santander Spam email - We recently reviewed your account

5. October 2017 09:43 by sirclesadmin in Internet Security, SPAM, Popular Sites

Watch out for this spam email circulating at the moment:

This email is made up as follows:

 

 

 

From:                              Santander <chelsea.decarlo@unco.edu>

Sent:                               Wednesday, October 4, 2017 10:37 AM

To:                                   Recipients

Subject:                          We recently reviewed your account

 

If you cannot see this email, click here

 

security

IMPORTANT SECURITY NOTIFICATION

 

 

 


Dear Customer,

At Santander we know protecting your identity is important, that´s why we´re always looking at ways to guard you from identity theft and fraud. We´re also committed to help you use our online service securely.

As part of our ongoing commitment to customer security we are constantly looking for new and improved ways to protect you and your assets. Our Internet banking security notice that your account profile is currently locked and you cannot perform any transaction online.

Due to security of your internet banking account we recommend you to reactivate & verify your account details. Please note that if you hold any joint accounts, only your details will be updated.

Please use the REGISTER NOW below to update your account profile from Step 1 to 3.

NEXT


Regards,

Fraud Prevention Team

 

Terms and conditions

Santander UK plc. Registered Office: 2 Triton Square, Regent's Place, London NW1 3AN, United Kingdom. Registered Number 2294747. Registered in England. www.santander.co.uk Telephone 0870 607 6000. Calls may be recorded or monitored. Authorised and regulated by the Financial Services Authority except in respect of its Consumer credit products for which Santander UK plc is licensed and regulated by the Office of Fair Trading. FSA registration number 106054. Santander and the flame logo are registered trademarks.

Please do not reply to this email. It has been sent from an email address that does not accept incoming emails. Santander will never ask you to supply personal information such as passwords or other security information via email. As an additional security measure, every customer email will be addressed to you personally. If you receive an email from Santander which is not personally addressed to you, or an email requesting personal information, please report this to phishing@santander.co.uk.

We only send marketing messages if you have not objected to receiving them at present. If you would prefer not to receive marketing-based offers and information from us by email, please click here to unsubscribe. However, we will continue to inform you regarding important information about your account e.g. a rate change.

You can check the above authorisations with the Financial Services Authority on www.fsa.gov.uk or by calling them on 0845 606 1234.

OC146 JUN 11

 

As we can see, the originating email address is Santander <chelsea.decarlo@unco.edu>, which is obviously a stretch for a major bank. Whoever chelsea is, they are most certainly not authorised to send mass security emails on behalf of Santander.

We can also see that the links to the bank point to: 

retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse.operationname.logon.dse.processor.logon.dse.processor.logon.logon.ahujacaterer.com/retail/

Which is actually the domain ahujacaterer.com, which is quite often used as a spam virus repository. It is currently registered to:

Registrant Contact Information:
Name: Pankaj Garg
Organization: Software Company
Information Updated: 2017-10-05 08:58:54

Which really should have been locked down before now, given the registration information omitted.

If we follow the link (and please do not do this yourself) we see that the account has already been suspended, so whoever is being subcontracted to send these spams is already wasting their time. Either way, another nasty virus or trojan would have been waiting to compromise your PC.

 

Metro Bank Spam Email - Your online accounts review notification

8. September 2017 15:59 by sirclesadmin in Internet Security, SPAM

Watch out for this one circulating this week:

 

Barclays Online Banking - December Newsletter

From:                                         Metro Bank  <pirrung.derek@uwlax.edu>

Sent:                                           08 September 2017 15:56

To:                                               Recipients

Subject:                                     Your online accounts review notification

 

 

 

 

Metro Online

 

 

Dear valued customer,

Upon intensive reviews on your profile we notice that you need to resolve important security issues on your Metro Online banking account to prevent temporal deactivation .

It is therefore recommended that you complete this process your security is important to us

Please follow step 1 of 2 & 3 carefully to review your Metro Online accounts.


Log in to Metro Online

 

 

  

 

 



Iain Kirkpatrick
Commercial Banking




Metro Bank PLC. Registered in England. Metro Bank PLC is authorised and regulated by the Financial Services Authority (FSA). Registered No 1026167.

 

 

Data Protection
Under the Data Protection Act you have a right of access to certain personal records. Should you wish to exercise this right please write to the Data Protection Team, Metro Bank PLC, Knutsford, Cheshire WA16 9EU, quoting ref. APP99. A fee will be charged for this service.

Personal Banking website
Internet communications are not guaranteed to be secure or virus-free. The Metro Bank PLC does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third-party, or from the transmission of any viruses. Replies to this email may be monitored by the Metro Bank PLC for operational or business reasons.

Confidentiality
This email and any attachments are confidential and intended solely for the addressee, and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this email in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this email or its attachments. Any opinion or other information in this email or its attachment, that does not relate to the business of the Metro Bank PLC, is personal to the sender and is not given or endorsed by the Metro Bank PLC.

 

The shortcut entitled 'Log in to Metro Online' actually points at http://personal.metrobankonline.co.uk.metrobankretail.servletcontroller.myaccounts.internetbanking.estatement.boneinfoods.com/archive/login.php?&gsTI9r8r905sfeUCUkLTOvNtp8acZ6YfzRYIj6at6fVmuQZobKh0f5tFdDRcKQsjHr21xcuEsq0WgZks

Which seems to be a domain that gets compromised often. 

The site is a great mimic of the real site, but obviously do not enter any details, as it is an impostor.
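The Netflix, Santander and Metro Bank links above all bury the brand name in subdomain labels while the registered domain at the right-hand end belongs to someone else, and the From lines pair a bank's display name with an unrelated address. The check below is an added example, not code from this blog: the brand allow-list and the short public-suffix set are assumptions made for the illustration, and the sample inputs are the hostnames and From lines quoted in these posts.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: hand-picked multi-label public suffixes, enough for the hosts
# quoted on this page. Real tooling should load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "com.br", "ne.jp"}

# Assumption: illustrative allow-list of domains each brand really uses.
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "santander": {"santander.co.uk"},
    "metro bank": {"metrobankonline.co.uk"},
}


def registrable_domain(host):
    """Return the part of a hostname that somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(url, brand):
    """Compare where a link really goes with the brand the email claims."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    reg = registrable_domain(host)
    subdomain = host[: len(host) - len(reg)].rstrip(".")
    reasons = []
    if reg not in BRAND_DOMAINS[brand]:
        reasons.append(f"{reg} is not a known {brand} domain")
        # A brand name parked in the subdomain labels is decoration, not proof.
        if brand.replace(" ", "") in subdomain.replace("-", ""):
            reasons.append(f"'{brand}' appears only to the left of {reg}")
    return {"host": host, "registrable": reg,
            "suspicious": bool(reasons), "reasons": reasons}


def check_sender(from_header, brand):
    """Flag a From line whose display name claims a brand its address lacks."""
    display, addr = parseaddr(from_header)
    domain = registrable_domain(addr.rpartition("@")[2])
    claims_brand = brand in " ".join(display.lower().split())
    return {"display": display, "domain": domain,
            "mismatch": claims_brand and domain not in BRAND_DOMAINS[brand]}


# Sample inputs: link hosts and From lines quoted in the posts on this page.
LINKS = [
    ("netflix", "webcmd.netflixusersupport.billingupdate.netflix-restrictions.com"),
    ("santander", "retail.santander.co.uk.logsuk.ns.ens.btochanneldriver.ssobto.dse."
                  "operationname.logon.dse.processor.logon.dse.processor.logon.logon."
                  "ahujacaterer.com/retail/"),
    ("metro bank", "http://personal.metrobankonline.co.uk.metrobankretail."
                   "servletcontroller.myaccounts.internetbanking.estatement."
                   "boneinfoods.com/archive/login.php"),
]
SENDERS = [
    ("netflix", "Netflix <contact@netflix.ssl.com>"),
    ("santander", "Santander <chelsea.decarlo@unco.edu>"),
    ("metro bank", "Metro Bank  <pirrung.derek@uwlax.edu>"),
    ("santander", "Santander UK <1412261101@jcom.home.ne.jp>"),
]

if __name__ == "__main__":
    for brand, url in LINKS:
        result = check_link(url, brand)
        print(brand, "->", result["registrable"], result["reasons"])
    for brand, header in SENDERS:
        print(header, "->", check_sender(header, brand))
```

A From line is trivially forged, so a matching domain proves nothing on its own; the check only catches the mismatches seen in these samples.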

 

 

49699367 - True Telecom Invoice for August 2017 Spam Email

5. September 2017 06:47 by sirclesadmin in Internet Security, SPAM

This email has a randomly generated number at the beginning of the subject and impersonates your telecom provider. That is a good bet, as companies often have lots of different telephone and internet providers, and this bill has a chance of getting through if you are not careful. It is always worth having a 'live supplier' file so that everyone knows who should be paid and who should not.

 

 

True-telecom.com are a genuine telephone company with no connection to these emails; the email attempts to associate their good name with this scam.

The email tries to get you to open a dangerous file in two ways: firstly by attaching the file as a .7z archive, which requires 7zip to open (an odd tactic, as most people won't have this software, and if they call the IT people to install it then they will most likely smell a rat), and secondly via the 'View your bill online' link, which takes you to the same file as a download:

 

Telephone Bill

From:                                         billing@true-telecom.com

Sent:                                           04 September 2017 17:08

To:                                               Customer Services

Subject:                                     [SPAM] 49699367 - True Telecom Invoice for August 2017

Attachments:                          2017-08-49699367-Bill.7z

 

       

Dear Deborah Day

We have attached your latest True Telecom bill for August 2017.
View your bill online

To be able to read your invoice file you will require the Adobe Acrobat PDF viewer. You August already have this installed,
if not please visit the Adobe website and download their free viewer.

Payments made by direct debit will be collected 14 days from the date of the Bill.

If you wish to contact us, please do not hesitate to get in touch with one of our friendly customer services agents.

Telephone: 0800 840 40 60
Fax: 0844 779 2253
Email: customerservice@true-telecom.com

Please be advised that this is an unmonitored email address.

With Kind Regards,

The True Telecom Team

www.True-Telecom.com

 

 

True Telecom Ltd is registered in England and Wales No. 08225783.

Head Office address: Ground Floor,Lakeview West, Galleon Boulevard, Crossways Business Park, Dartford, Kent, DA2 6QE

 

This communication together with any attachments transmitted with it ("this E-Mail") is intended only for the use of the addressee and August contain information which is privileged and confidential. If the reader of this E-Mail is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient you are hereby notified that any use, dissemination, forwarding, printing or copying of this E-Mail is strictly prohibited. Addressees should check this E-mail for viruses. The Company makes no representations as regards the absence of viruses in this E-Mail. If you have received this E-Mail in error please immediately delete, erase or otherwise destroy this E-Mail and any copies of it. Any opinions expressed in this E-Mail are those of the author and do not necessarily constitute the views of the Company. Nothing in this E-Mail shall bind the Company in any contract or obligation. The Company only guarantees service in accordance with the service charter. The company accepts no liability for failure of hardware after the termination point. For the purposes of this E-Mail "the Company" is the trading name of True Telecom Ltd. True Telecom Ltd (Registered in England & Wales No. 08225783)

       

 

The red-dead.fr link has been disabled in the above. As we can see from the image below, the link takes you to a download of the same attachment that has been sent with the email:

 

 

We have seen variants with the following links that contain the same dangerous download:

  • ventadepajaros.es
  • studiotoscanosrl.it
  • rogames.ro
  • pack-lines.com
  • activ-conduite.eu
  • weekendjevliegen.nl

 

Under no circumstances open the attachment or open any of these links. If you are a customer of True Telecom then please be extra careful and contact them directly before opening any emails.

Purchase Order No_18081994 - Fake Invoice PDFs with Spam URL Links


We have seen some fake purchase order emails today that have been modified in order to circumvent our latest advice on receiving bills by email. PDFs are the usual, preferred method but they can also be used to send links to potentially hazardous material and so, to clear up any confusion:

Do not open links from questionable senders in any format!

 

 

 

From:                                         De la Rosa, Samuel <samuel.delarosa@swissport.com>

Sent:                                           30 August 2017 00:57

Subject:                                     Purchase Order No_18081994

Attachments:                          Purchase Order No_18081994.pdf

 



Dear Sir/Madam,

We are pleased to place an order with you which you will find attached.Please confirm the receipt of this order by email and let us have your order acknowledgement.
Do not hesitate to contact us if there are any questions regarding this order.

Best regards,

De La Rosa,Samuel
Customer & Technical Service

 

The email contains a PDF:

 

 

Now the PDF includes a link to an external page:

 

 

There is no reason to send a PDF which contains this link - this is just to avoid detection of the link in the email. If you click on the link on a Windows PC using IE you receive a warning:

 

 


Firstly, remove the tick from this box - never trust any link from anything!!!

A PDF link can be as dangerous as any other link!!!
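Because the link sits inside the PDF rather than the email body, a mail gateway or analyst has to look inside the attachment to see it. The scanner below is an added example, not code from this blog: it is a byte-level search for /URI link actions, including those inside Flate-compressed streams, and is not a full PDF parser (encrypted files and other stream filters are out of scope). The sample PDF bytes and the example.test URLs are constructed for the illustration.

```python
import re
import zlib

# Raw bytes between "stream" and "endstream"; trailing EOL bytes are tolerated
# by decompressobj() below, so they are left in the capture.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

# A /URI key followed by a literal string "(...)" or a hex string "<...>".
# The action type name "/S /URI" does not match, as no string follows it.
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\()])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)",
    re.DOTALL,
)


def pdf_uris(data):
    """Return every link target found in a PDF's /URI actions, in order."""
    bodies = [data]
    for match in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            pass  # not Flate data (image, other filter); nothing to scan
    found = []
    for body in bodies:
        for match in URI_RE.finditer(body):
            if match.group("lit") is not None:
                # Undo the PDF escapes for parentheses and backslash.
                raw = re.sub(rb"\\([()\\])", rb"\1", match.group("lit"))
            else:
                digits = re.sub(rb"\s", b"", match.group("hex")).decode("ascii")
                if len(digits) % 2:
                    digits += "0"  # PDF pads an odd hex string with a zero
                raw = bytes.fromhex(digits)
            uri = raw.decode("latin-1")
            if uri not in found:
                found.append(uri)
    return found


def sample_pdf():
    """Constructed PDF-like bytes: one plain, one hex and one compressed link."""
    hidden = zlib.compress(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://login.example.test/doc\\(1\\)) >> >>"
    )
    hex_uri = b"http://hex.example.test/".hex().upper().encode()
    return (
        b"%PDF-1.5\n"
        b"1 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (http://clear.example.test/order) >> >>\nendobj\n"
        b"2 0 obj\n<< /Filter /FlateDecode /Length "
        + str(len(hidden)).encode()
        + b" >>\nstream\n" + hidden + b"\nendstream\nendobj\n"
        b"3 0 obj\n<< /A << /S /URI /URI <" + hex_uri + b"> >> >>\nendobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    for uri in pdf_uris(sample_pdf()):
        print(uri)
```

Feeding each extracted URL into the same reputation or domain checks applied to links in the email body closes the gap this spam relies on.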

 

Now, do we recognise this domain? http://roarr.org is an .ORG domain in this case, but unless you recognise the domain, click BLOCK and send the email to JUNK.

If you decide to open this particular link, you will receive:

 

 

This has been reported to Microsoft as a dangerous domain - DO NOT OPEN!!!

 

If we continue, against all advice, we can see that it is an impersonation of DocuSign:

 

 

Always check the domain in the address bar at the top against what you are seeing - this is obviously a spam site trying to get your email address and password. CLOSE THIS PAGE AND DELETE THE EMAIL!!

 

Natwest Spam Emails with Microsoft Word Attachments


 

You may receive the following:

 

 

 

From:                                         New post NatWest Bank <noreply@natwest94.ml>

Sent:                                           Monday, August 21, 2017 10:07 AM

To:                                               Support

Subject:                                     NatWest

Attachments:                          NatWest258345907_2243.doc

 

View Your August 2017 online

 

Financial Activity Statement Keep track of your account with your latest

Online Financial Activity Statement from NatWest Bank.

 

Please download and view Microsoft Word attachment

 

So check out your statement right away, or at your earliest convenience.

 

Thank you for managing your account online. Sincerely. NatWest Bank

 

 
These emails are simply to persuade you to open the attachment:
DO NOT CLICK 'ENABLE EDITING' as this will compromise your system!

Spam: SANTANDER ALERTS SERVICE UPDATE from 1412261101@jcom.home.ne.jp


 

 

 

Watch out for the following email:

 

 

From:                                                       Santander UK <1412261101@jcom.home.ne.jp>

Sent:                                                         Tuesday, August 1, 2017 7:32 AM

To:                                                            Recipients

Subject:                                                   SANTANDER ALERTS SERVICE UPDATE

 

Valued Customer,

Please note that starting from August 01, 2017 we will be introducing new online banking authentication procedures in order to protect the private information of all online banking users.

You are required to confirm your online banking details with us as you will not be able to have access to your accounts until this has been done.

As you're already registered for online banking all you need to do is to confirm your online banking details.

Confirm your details

Once you've completed this you'll be able to manage your money whenever you want, giving you more control of your finances.

Regards
Customer Service
Santander Bank

 

More Leads and Better Discoverability, Submit domain.suffix to Search Engines

26. July 2017 09:34 by sirclesadmin in Domain Names, Internet Security

All domains that have been purchased are now subject to bombardment from criminals - as a result it is much more common to withhold your details from being read in connection with your domain by using a third party to mask your details.

 

 

This does mean that domain owners are less accountable for their actions as they are essentially untraceable. The simplicity of buying a domain creates a situation whereby novice domain owners are confronted with lies, lies and more lies regarding their domain.

 

A current favourite is the search engine submission email. Search engines are automated agents that search the web for new and changing pages, which is how they get their name. When a new domain is registered it is sent into a queue with the search engines to be 'crawled', and if they find content other than a holding page, they record that data and index it so that it is available in search results to the general public. If the domain is simply a holding page with a reseller, or an un-configured domain, then the search engine spider-crawler discards the data, as it is of no use other than to someone specifically browsing to that domain in order to purchase it etc.

 

As a result, the old days of having to submit a domain to a search engine have passed, but that does not stop people trying to take your money by offering a submission service. It will get you nowhere, but they will be able to prove they performed a service in return for your payment, even though you could have done the same yourself for free.

Regarding the email itself:

Most domain owners who fail to submit domains to search engines often experience poor site visibility and low rankings. Search engines are the number one source for customers looking for brands and if domains are not listed with major search engines, they might not be able to find your website. This could result in lost opportunities and can seriously harm your online business. This email serves as the final reminder to submit your domain domain.suffix to all major search engines and automatically expires on 25 - July - 2017. Domains listed with search engines have a much greater chance to be easily discovered compared to domains that have not been submitted. This makes it very important to act timely and register your domain for better visibility and conversion rates. A link for the pricing page has been included in this email for your convenience and provides more details about our competitively-priced domain submission packages.

http://macotool.com/domain/?domain=domain.suffix

"Most domain owners who fail to submit domains to search engines often experience poor site visibility and low rankings." This is true for almost every domain owner, and so this stands up to scrutiny.

"Search engines are the number one source for customers looking for brands and if domains are not listed with major search engines, they might not be able to find your website." This is also completely true; it just is not true that you need to independently submit your site.

"This email serves as the final reminder to submit your domain domain.suffix to all major search engines and automatically expires on 25 - July - 2017." Nothing is going to expire - they just want to get your money before you have a chance to ask anyone who may be able to tell you these people are trying to extort money on false pretences.

"Domains listed with search engines have a much greater chance to be easily discovered compared to domains that have not been submitted." This is sort of true: anything listed is more easily found, but you do not need to submit to search engines to become listed.

"This makes it very important to act timely and register your domain for better visibility and conversion rates." This is nonsense.

"A link for the pricing page has been included in this email for your convenience and provides more details about our competitively-priced domain submission packages." Here we can clearly see that they only accept PayPal and Bitcoin and so do not have a payment gateway. PayPal will be able to refund your money though, so if you have already paid then get onto PayPal and report this company to have them removed. They will start with a different website and PayPal account next week, but report them anyway.

Below we can see the email as it appears to some domains: