sircles.net Computer Support The sircles.net IT support & solutions blog | Internet Security


The sircles.net IT support & solutions blog SEO, Copy Writing, Networking and Internet Safety & Security

Metro Bank Spam Email - Your online accounts review notification

8. September 2017 15:59 by sirclesadmin in Internet Security, SPAM

Watch out for this circling this week: 

 

Barclays Online Banking - December Newsletter

From: Metro Bank <pirrung.derek@uwlax.edu>
Sent: 08 September 2017 15:56
To: Recipients
Subject: Your online accounts review notification

Metro Online

 

 

Dear valued customer,

Upon intensive reviews on your profile we notice that you need to resolve important security issues on your Metro Online banking account to prevent temporal deactivation .

It is therefore recommended that you complete this process your security is important to us

Please follow step 1 of 2 & 3 carefully to review your Metro Online accounts.


Log in to Metro Online

Iain Kirkpatrick
Commercial Banking


Metro Bank PLC. Registered in England. Metro Bank PLC is authorised and regulated by the Financial Services Authority (FSA). Registered No 1026167.

 

 

Data Protection
Under the Data Protection Act you have a right of access to certain personal records. Should you wish to exercise this right please write to the Data Protection Team, Metro Bank PLC, Knutsford, Cheshire WA16 9EU, quoting ref. APP99. A fee will be charged for this service.

Personal Banking website
Internet communications are not guaranteed to be secure or virus-free. The Metro Bank PLC does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third-party, or from the transmission of any viruses. Replies to this email may be monitored by the Metro Bank PLC for operational or business reasons.

Confidentiality
This email and any attachments are confidential and intended solely for the addressee, and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this email in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this email or its attachments. Any opinion or other information in this email or its attachment, that does not relate to the business of the Metro Bank PLC, is personal to the sender and is not given or endorsed by the Metro Bank PLC.

 

The shortcut entitled 'Log in to Metro Online' actually points at http://personal.metrobankonline.co.uk.metrobankretail.servletcontroller.myaccounts.internetbanking.estatement.boneinfoods.com/archive/login.php?&gsTI9r8r905sfeUCUkLTOvNtp8acZ6YfzRYIj6at6fVmuQZobKh0f5tFdDRcKQsjHr21xcuEsq0WgZks

This appears to be a domain that gets compromised often.

The site is a convincing mimic of the real one, but it is an impostor, so do not enter any details:


49699367 - True Telecom Invoice for August 2017 Spam Email

5. September 2017 06:47 by sirclesadmin in Internet Security, SPAM

This email has a randomly generated number at the start of the subject and impersonates your telecom provider. That is a good bet for the sender: companies often use several different telephone and internet providers, so a bill like this has a chance of getting through if you are not careful. It is always worth keeping a 'live supplier' file so that everyone knows who should be paid and who should not:


True-telecom.com is a genuine telephone company with no connection to these emails; the email simply tries to attach their good name to the scam.

The email tries to get you to open a dangerous file in two ways: firstly by attaching it as a .7z archive, which needs 7-Zip to open (an odd tactic, as most people won't have this software, and if they ask the IT people to install it they will most likely smell a rat), and secondly via the 'View your bill online' link, which fetches the same file as a download:

Telephone Bill

From: billing@true-telecom.com
Sent: 04 September 2017 17:08
To: Customer Services
Subject: [SPAM] 49699367 - True Telecom Invoice for August 2017
Attachments: 2017-08-49699367-Bill.7z


Dear Deborah Day

We have attached your latest True Telecom bill for August 2017.
View your bill online

To be able to read your invoice file you will require the Adobe Acrobat PDF viewer. You August already have this installed,
if not please visit the Adobe website and download their free viewer.

Payments made by direct debit will be collected 14 days from the date of the Bill.

If you wish to contact us, please do not hesitate to get in touch with one of our friendly customer services agents.

Telephone: 0800 840 40 60
Fax: 0844 779 2253
Email: customerservice@true-telecom.com

Please be advised that this is an unmonitored email address.

With Kind Regards,

The True Telecom Team

www.True-Telecom.com

 

 

True Telecom Ltd is registered in England and Wales No. 08225783.

Head Office address: Ground Floor,Lakeview West, Galleon Boulevard, Crossways Business Park, Dartford, Kent, DA2 6QE

 

This communication together with any attachments transmitted with it ("this E-Mail") is intended only for the use of the addressee and August contain information which is privileged and confidential. If the reader of this E-Mail is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient you are hereby notified that any use, dissemination, forwarding, printing or copying of this E-Mail is strictly prohibited. Addressees should check this E-mail for viruses. The Company makes no representations as regards the absence of viruses in this E-Mail. If you have received this E-Mail in error please immediately delete, erase or otherwise destroy this E-Mail and any copies of it. Any opinions expressed in this E-Mail are those of the author and do not necessarily constitute the views of the Company. Nothing in this E-Mail shall bind the Company in any contract or obligation. The Company only guarantees service in accordance with the service charter. The company accepts no liability for failure of hardware after the termination point. For the purposes of this E-Mail "the Company" is the trading name of True Telecom Ltd. True Telecom Ltd (Registered in England & Wales No. 08225783)

       

 

The red-dead.fr link has been disabled in the above. As we can see from the image below, the link takes you to a download of the same attachment that has been sent with the email:

 

 

We have seen variants with the following links that contain the same dangerous download:

  • ventadepajaros.es
  • studiotoscanosrl.it
  • rogames.ro
  • pack-lines.com
  • activ-conduite.eu
  • weekendjevliegen.nl

 

Under no circumstances open the attachment or open any of these links. If you are a customer of True Telecom then please be extra careful and contact them directly before opening any emails.

Purchase Order No_18081994 - Fake Invoice PDFs with Spam URL Links


We have seen some fake purchase order emails today that have been modified to get around our latest advice on receiving bills by email. PDFs are the usual, preferred format, but they can also be used to deliver links to potentially hazardous material, so to clear up any confusion:

Do not open links from questionable senders in any format!


From: De la Rosa, Samuel <samuel.delarosa@swissport.com>
Sent: 30 August 2017 00:57
Subject: Purchase Order No_18081994
Attachments: Purchase Order No_18081994.pdf


Dear Sir/Madam,

We are pleased to place an order with you which you will find attached.Please confirm the receipt of this order by email and let us have your order acknowledgement.
Do not hesitate to contact us if there are any questions regarding this order.

Best regards,

De La Rosa,Samuel
Customer & Technical Service

 

The email contains a PDF:

 

 

Now the PDF includes a link to an external page:

 

 

There is no reason to send a PDF which contains this link - this is just to avoid detection of the link in the email. If you click on the link on a Windows PC using IE you receive a warning:

 

 


Firstly, remove the tick from this box - never trust any link from anything!!!

A PDF link can be as dangerous as any other link!!!

 

Now, do we recognise this domain? http://roarr.org is a .ORG domain in this case, but unless you recognise the domain, click BLOCK and send the email to JUNK.

If you decide to open this particular link, you will receive:

 

 

This has been reported to Microsoft as a dangerous domain - DO NOT OPEN!!!

 

If we continue, against all advice, we can see that it is an impersonation of DocuSign:

 

 

Always check the domain in the address bar at the top against what you are seeing. This is obviously a spam site trying to get your email address and password. CLOSE THIS PAGE AND DELETE THE EMAIL!!

 

Natwest Spam Emails with Microsoft Word Attachments


 

You may receive the following:

 

 

 

From: New post NatWest Bank <noreply@natwest94.ml>
Sent: Monday, August 21, 2017 10:07 AM
To: Support
Subject: NatWest
Attachments: NatWest258345907_2243.doc


View Your August 2017 online

 

Financial Activity Statement Keep track of your account with your latest

Online Financial Activity Statement from NatWest Bank.

 

Please download and view Microsoft Word attachment

 

So check out your statement right away, or at your earliest convenience.

 

Thank you for managing your account online. Sincerely. NatWest Bank

 

 
These emails are simply to persuade you to open the attachment:
DO NOT CLICK 'ENABLE EDITING' as this will compromise your system!

Spam: SANTANDER ALERTS SERVICE UPDATE from 1412261101@jcom.home.ne.jp

Watch out for the following email:

 

 

From: Santander UK <1412261101@jcom.home.ne.jp>
Sent: Tuesday, August 1, 2017 7:32 AM
To: Recipients
Subject: SANTANDER ALERTS SERVICE UPDATE


Valued Customer,

Please note that starting from August 01, 2017 we will be introducing new online banking authentication procedures in order to protect the private information of all online banking users.

You are required to confirm your online banking details with us as you will not be able to have access to your accounts until this has been done.

As you're already registered for online banking all you need to do is to confirm your online banking details.

Confirm your details

Once you've completed this you'll be able to manage your money whenever you want, giving you more control of your finances.

Regards
Customer Service
Santander Bank

 

More Leads and Better Discoverability, Submit domain.suffix to Search Engines

26. July 2017 09:34 by sirclesadmin in Domain Names, Internet Security
Every purchased domain is now subject to bombardment from criminals. As a result it is much more common to withhold your contact details from the public record for your domain by using a third party to mask them.

 

 

This does mean that domain owners are less accountable for their actions, as they are essentially untraceable. The ease of buying a domain creates a situation whereby novice domain owners are confronted with lies, lies and more lies regarding their domain.

 

A current favourite is the search engine submission email. Search engines are automated agents that search the web for new and changing pages, which is how they get their name. When a new domain is registered it enters the search engines' queue to be 'crawled', and if they find content other than a holding page they record that data and index it so that it is available in search results to the general public. If the domain is simply a reseller's holding page or an un-configured domain, the search engine spider-crawler discards the data, as it is of no use to anyone other than someone browsing specifically to that domain in order to purchase it.

 

As a result of all this, the old days of having to submit a domain to a search engine have passed. That does not stop people trying to take your money by offering a submission service that will get you nowhere, but which lets them prove they performed a service in return for your payment, even though you could have done it yourself for free.

Regarding the email itself:

Most domain owners who fail to submit domains to search engines often experience poor site visibility and low rankings. Search engines are the number one source for customers looking for brands and if domains are not listed with major search engines, they might not be able to find your website. This could result in lost opportunities and can seriously harm your online business. This email serves as the final reminder to submit your domain domain.suffix to all major search engines and automatically expires on 25 - July - 2017. Domains listed with search engines have a much greater chance to be easily discovered compared to domains that have not been submitted. This makes it very important to act timely and register your domain for better visibility and conversion rates. A link for the pricing page has been included in this email for your convenience and provides more details about our competitively-priced domain submission packages.

http://macotool.com/domain/?domain=domain.suffix

"Most domain owners who fail to submit domains to search engines often experience poor site visibility and low rankings." This is true for almost every domain owner, and so it stands up to scrutiny.

"Search engines are the number one source for customers looking for brands and if domains are not listed with major search engines, they might not be able to find your website." This is also completely true; it just is not true that you need to submit your site independently.

"This email serves as the final reminder to submit your domain domain.suffix to all major search engines and automatically expires on 25 - July - 2017." Nothing is going to expire. They just want your money before you have a chance to ask anyone who can tell you that these people are trying to extort money under false pretences.

"Domains listed with search engines have a much greater chance to be easily discovered compared to domains that have not been submitted." This is sort of true: anything listed is more easily found, but you do not need to submit to search engines to become listed.

"This makes it very important to act timely and register your domain for better visibility and conversion rates." This is nonsense.

"A link for the pricing page has been included in this email for your convenience and provides more details about our competitively-priced domain submission packages." Here we can clearly see that they only accept PayPal and Bitcoin and so do not have a payment gateway. PayPal will be able to refund your money, though, so if you have already paid then get onto PayPal and report this company to have them removed. They will start again with a different website and PayPal account next week, but report them anyway.

Below we can see the email as it appears to some domains:

 

 

We are the domain name registration service company in China. On July 24, 2017, we received an application from Jiarui Ltd

If you receive an email along the lines of the following:

 

(Please forward this to your CEO, because this is urgent. Thanks)

We are the domain name registration service company in China. On July 24, 2017, we received an application from Jiarui Ltd requested "winnershtriangle" as their internet keyword and China (CN) domain names (winnershtriangle.cn, winnershtriangle.com.cn, winnershtriangle.net.cn, winnershtriangle.org.cn). But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor in China?

 

Best Regards,

Peter Liu | Service & Operations Manager

China Registry (Head Office) | 6012, Xingdi Building, No. 1698 Yishan Road, Shanghai 201103, China

Tel: +86-02164193517 | Fax: +86-02161918697 | Mob: +86-13816428671

Email: peter@chinaregistry.net

Web: www.chinaregistry.net

 

This email contains privileged and confidential information intended for the addressee only. If you are not the intended recipient, please destroy this email and inform the sender immediately. We appreciate you respecting the confidentiality of this information by not disclosing or using the information in this email.

 

As we can see from the above, the email has no direct addressee and is just being sent to whichever email address the domain is registered with. This is a shame, as it gives more and more companies a legitimate reason to provide registration-blocking services, and so assists companies that are avoiding being held to account for their websites and other internet behaviour.

Looking at the originating email address below we can see that the sender is simply using the free account chinaregistry1088@aliyun.com which is, of course, not affiliated with any reputable registry.

 

As we can see the suggested originating email address is peter@chinaregistry.net which is a fairly unlikely address for China. 

This email should be discarded and no action need be taken. This type of behaviour will end up with all domains having their registry withheld and no one being accountable for the contents of their website.

Lloyds Bank Scam emails originating from the University of Southern Mississippi - Watch out !!!!


The following email may arrive in your account:

 

Lloyds 0nline. <usmlloyds@usm.edu> is obviously a spam address - the zero (0) in 0nline is designed to stop the email being filtered out by spam filters checking for 'Lloyds Online' and so this message should instantly be deleted.

Any email from your bank saying that urgent action needs to be taken is false: your bank would never rely on a channel that does not guarantee delivery for an urgent matter; they would always phone.

If we look at the language in general below:

 

  1. As we can see, the zero in '0nline' is present
  2. USM.EDU is the email domain of the University of Southern Mississippi, who most definitely do not send email on behalf of Lloyds Bank
  3. https://security.lloydsbαnk.co.uk/updates actually points to https://www.smartideas.bg/sma.htm, and if we hover over the link we can see the true destination.

 

  1. In 'Lloyds Bαnk' the letter a has been replaced with the Greek letter alpha (α), another tactic to avoid being filtered, as you can see if you examine the a closely.
  2. If we reply to the email we receive:

 

========================================

Clicking the link:

 

The website that we are taken to when clicking the link certainly looks like Lloyds Bank:

 

But if we look at the address in the address bar:

 

We can see that the address is all wrong. If we click the 'How do I know that this site is secure?' link, there is no satisfactory result.

This is an effective impersonation of the Lloyds login page and has several verification rules for the input boxes.

This page will return with a different domain once the owners of smartideas.bg realise they have been hacked and they restore the correct website.

Keep an eye out for all emails from the bank - they never email you about security!!!!

Another set of domain names to watch for, serving the same page as above:

http://ourbabyshower.co.za/LLOHDBU0/

http://darylconner.com/LLHSUUNDFY830/V6/ 

Both of the above are fake Lloyds-related URLs.
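Two of the tricks on this page can be checked mechanically before anyone hovers over a link: the Metro Bank message above stuffs the bank's real hostname into the subdomains of an unrelated registrable domain (boneinfoods.com), and the Lloyds message swaps a Latin a for a Greek α. The script below is an added example written for this post, not code from sircles.net; the table of brands the organisation banks with and the tiny stand-in for the Public Suffix List are both constructed for the demonstration.

```python
"""Link triage for a suspected phishing email (added example, not from
sircles.net). Flags the registrable domain behind a brand-stuffed
hostname and any non-ASCII look-alike letters in the link text."""
import unicodedata
from urllib.parse import urlparse

# Brands the organisation actually deals with, mapped to their real
# registrable domains. Constructed for this example.
KNOWN_BRANDS = {
    "lloydsbank": "lloydsbank.co.uk",
    "metrobank": "metrobankonline.co.uk",
    "natwest": "natwest.com",
}

# Stand-in for the Public Suffix List (assumption: a real deployment
# would use the full list).
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.cn", "net.cn", "org.cn", "co.za"}


def registrable_domain(hostname):
    """'personal.metrobankonline.co.uk.[...].boneinfoods.com' -> 'boneinfoods.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def non_ascii_letters(text):
    """(char, Unicode name) for every non-ASCII character, e.g. the alpha in 'lloydsbαnk'."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in text if ord(ch) > 127]


def analyse_link(anchor_text, href):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    target = urlparse(href)
    host = target.hostname or ""
    effective = registrable_domain(host)

    # 1. Look-alike characters in the visible text or in the real hostname.
    for where, text in (("anchor text", anchor_text), ("hostname", host)):
        for ch, name in non_ascii_letters(text):
            findings.append(f"non-ASCII character '{ch}' ({name}) in {where}")

    # 2. A known brand appears in the hostname but the link lands elsewhere.
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in host.replace("-", "") and effective != real_domain:
            findings.append(f"'{brand}' in hostname but link resolves to {effective}")

    # 3. Visible text that is itself a URL for a different site than the real target.
    shown_host = urlparse(anchor_text).hostname if "://" in anchor_text else None
    if shown_host and registrable_domain(shown_host) != effective:
        findings.append(f"shown host {shown_host} differs from real host {host}")

    # 4. Banking logins are never plain HTTP.
    if target.scheme == "http":
        findings.append("link is plain http, not https")
    return findings


if __name__ == "__main__":
    # The two links quoted on this page.
    samples = [
        ("Log in to Metro Online",
         "http://personal.metrobankonline.co.uk.metrobankretail.servletcontroller."
         "myaccounts.internetbanking.estatement.boneinfoods.com/archive/login.php"),
        ("https://security.lloydsbαnk.co.uk/updates", "https://www.smartideas.bg/sma.htm"),
    ]
    for text, url in samples:
        print(text, "->", analyse_link(text, url) or ["looks consistent"])
```

A browser would show the α hostname in its punycode (xn--) form, which is why the check runs on the raw anchor text as it appears in the email rather than on the rendered address bar.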

How to be 100% sure you are not opening a dangerous attachment


 

If you are in the market for some new employees then you may be receiving quite a few emails daily on the subject, but here is one to avoid:

 

In this case the user is viewing email in Microsoft Outlook. If we take a closer look by clicking the attachment ONCE, we can see that the document urges us to open it fully and enable editing:

 

Anything that asks you to enable content or enable editing is likely to contain trouble. Microsoft Word and other Office documents can contain code that can harm your computer, and that should be avoided. The above is not a function of Microsoft Word; it is simply a page they have created to try and persuade you to enable their code.

Let's go over a few quick checks that we can use to decide whether we trust this anyway:

1. Before even thinking about the attachment, look at the sender address: Karen Baltzley <Dempsey@crediblesons.com>. These addresses do not make any sense, as the spammer has not thought to align the email address with the display name of the sender: this is spam. We can also see that the attachment author is someone called ojeawlbgnpbgmob, which is unlikely to be a real name.

2. Look at the signing of the email. Because these spammers send email by volume, they do not want to enter any text by which your IT team could filter their messages out, and so they only use generic words. As a result they have not signed the email Karen Baltzley; they have just left it blank: this is spam.

3. Reply to the message instead of opening the attachment if you are in any doubt; this is a great way of being 100% sure. Spammers do not send email from proper addresses, as this would open them to the risk of being traced or tracked down, so if the sender is a spammer the reply will just bounce back with an error message. If you have any doubt at all, reply to the email.

4. Lastly, the risk inherent in Microsoft Office documents, with their macros and other code, means that very few legitimate businesses send them unsolicited. Any invoice or quote in a Microsoft Office document format is questionable, and you should reply asking for a PDF copy, which cannot be so easily tampered with.

If you have satisfied yourself on all of the above then you can open the attachment feeling pretty safe, and believe me, it is worth the trouble. You do not want to find yourself buying Bitcoins in the middle of the night trying to decrypt yesterday's work before the boss gets back from their holiday.
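The checks in points 1 and 4 above, together with the .7z and .doc attachments in the True Telecom and NatWest posts and the '0nline' display name in the Lloyds post, can be run over the raw message before anyone clicks anything. The script below is an added example, not code from sircles.net; the sample message it parses is constructed for the demonstration and the list of risky extensions is an assumption.

```python
"""Sender and attachment triage for a raw email (added example, not from
sircles.net). Covers display name vs. address mismatch, digits used as
letters in the display name ('0nline'), and risky attachment types."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Types that carried the payload in the posts above (.doc with macros,
# .7z archive) plus other common script/archive types. Assumed list.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".7z", ".zip",
                    ".js", ".vbs", ".exe", ".scr"}
DIGIT_FOR_LETTER = {"0": "o", "1": "l", "3": "e", "5": "s"}


def display_name_mismatch(display_name, address):
    """True when no word of the display name appears in the mailbox part,
    e.g. 'Karen Baltzley' <Dempsey@crediblesons.com>."""
    local = address.split("@", 1)[0].lower()
    words = [w for w in re.split(r"[^a-z]+", display_name.lower()) if len(w) > 2]
    return bool(words) and not any(w in local for w in words)


def digit_substitutions(text):
    """Words that mix letters with a few look-alike digits, paired with the
    likely intended spelling: '0nline' -> 'online'."""
    hits = []
    for word in re.findall(r"[A-Za-z0-9]+", text):
        digits = sum(c.isdigit() for c in word)
        if 0 < digits < len(word) / 2 and any(c in DIGIT_FOR_LETTER for c in word):
            hits.append((word, "".join(DIGIT_FOR_LETTER.get(c, c) for c in word)))
    return hits


def attachment_findings(msg):
    """Findings for each attachment whose extension is on the risky list."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name}: {ext} files can carry macros or executables")
    return findings


def triage(raw_email):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []
    display_name, address = parseaddr(str(msg.get("From", "")))
    if display_name_mismatch(display_name, address):
        findings.append(f"display name '{display_name}' does not match address {address}")
    for word, fixed in digit_substitutions(display_name):
        findings.append(f"display name uses '{word}' where '{fixed}' would be expected")
    findings.extend(attachment_findings(msg))
    return findings


# Constructed sample modelled on the recruitment email above (not a real capture).
SAMPLE_EMAIL = """\
From: Karen Baltzley <Dempsey@crediblesons.com>
To: jobs@example.invalid
Subject: CV for advertised position
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.

--b1
Content-Type: application/msword; name="CV.doc"
Content-Disposition: attachment; filename="CV.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print(line)
```

It reads the message with Python's standard email package and sends nothing, so it can be run on a quarantined copy; the reply test the post suggests is a separate, manual step.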

Juniper SSG5 to DrayTek Vigor 2860 IPSec VPN


The DrayTek Vigor router range is very straightforward to configure a VPN on, and only gets really complicated when dealing with multiple firewall rules that may conflict with or override each other. The Junipers are highly configurable in a very ordered manner, but this does mean there are extra considerations and stages when programming a VPN.

The Juniper needs to be told to allow traffic through a VPN and also needs a tunnel interface and an endpoint configured, so let us deal with that first.

We are assuming that you already have access to the Juniper via the web browser and can reach the configuration screens.

Go to the Network menu and select Interfaces and List.

Now with the drop down top right, choose Tunnel IF and then click New.

Set the Zone to be Untrust (trust-vr)

Check the bubble for Unnumbered, as this is a route-based VPN.

Choose the interface to be the internet facing interface with the IP address that you will be pointing the DrayTek Vigor VPN at.

Now click the Tunnel link at the right of the links at the top of your configuration panel.

Once again the destination will be left as 0.0.0.0 as this is a route-based VPN and the Gateway we define in a minute will determine the endpoint for the VPN.

Now we have the tunnel configured we move on to configure the VPN:

Click Autokey IKE and then New:

Rather than configure a gateway in advance we will simply create one in this page. Click the bubble to Create a Simple Gateway and enter a name for the remote gateway. Leave IKE as ver.1 and choose Static IP and enter the Vigor WAN IP or hostname.

Now enter the pre-shared key which is a code that you will enter into the Vigor or share with the admin of the remote Vigor by some secure means. The Outgoing Interface will be the Juniper physical interface on which the WAN IP address resides to which you will be pointing the Vigor VPN.

Now click Advanced:

Here we are choosing the Phase 2 encryption proposal, which is simply the encryption types: AES 256-bit in this case with DH Group 14 PFS (Perfect Forward Secrecy) and a 3600 second time-out, but feel free to select a standard choice and simply make a note of the one you choose. Is it AES, 3DES or DES? What is the time-out, and is it in seconds, minutes or hours? What is the PFS DH group? All of these should be noted, as the Vigor must be configured to accept them.

Now enter the local and remote IP / Netmask, where the local is the LAN address and subnet and the remote is the LAN behind the Vigor which we will have remote access to once the VPN is established. In this case both subnets are /24, meaning 255.255.255.0 Class-C subnets, but you must obviously enter your own details for each network.

Set service to Any which will allow all traffic to pass between the sites via our VPN.

Tick VPN Monitor, Optimised and Rekey, leave the destination as default, and choose the external interface to which you will point the Vigor as the Source Interface.

Now click Return and OK, then move on to configure the policies. The Gateway settings below are just for reference.

The two Gateway pages shown here were configured already when we created the VPN; they are included in case you need to troubleshoot your Gateway settings:

 

Now click Advanced:

Now we must configure the policies to allow traffic between the sites. Go to Policy then Policies and at the top select from Trusted to Untrusted and click New.

Give the policy a name and enter the local subnet in the source and the remote subnet in the destination address boxes.

Choose the service type as Any and click OK. There is no need to configure advanced options in this instance.

Now at the top of the policy screen, select from Untrusted to Trusted and New and configure the settings as above but with the Vigor remote LAN subnet as the source and the local Juniper subnet as the destination with the service set as Any.

This completes the Juniper set-up and we can now configure the DrayTek Vigor 2860.

Log into the admin web page of the DrayTek and go to the VPN and Remote Access section on the right-hand side. Click on LAN to LAN and then click an empty profile so that you can begin to populate the necessary information:

Name the VPN, indicating where it is connecting your local subnet to.

Tick to enable the profile.

Choose which WAN port/interface the VPN will be established through.

We are allowing NetBIOS naming packets, as this will be a Windows computer network and we may wish to enable inter-site computer browsing etc.

Multicast via VPN we will leave disabled.

Set the direction to be Both so that either site can initiate the connection.

Set the VPN type to be IPSec and enter the WAN IP or hostname of the Juniper we are connecting to.

Populate the bubble for Pre-Shared Key and click the IKE Pre-Shared Key button. Here you must enter the same key you entered into the Juniper and click OK.

Below that, choose the bubble for High(ESP) and set the dropdown box to be AES with Authentication. Then click the Advanced button:

Here we are selecting Main mode, as we did on the Juniper, and our phase 1 proposal as AES256_SHA1_G14.

Our phase 2 proposal is set as AES256_SHA1.

Timeouts are once again 28800 seconds and 3600 seconds for phase 1 and phase 2 respectively, and Perfect Forward Secrecy (PFS) is enabled. Now click OK.

Moving down the VPN LAN to LAN page we come to the Dial-In settings:

Tick IPSec Tunnel as the VPN type and untick the others.

Tick the box to Specify Remote VPN Gateway and enter the Juniper WAN IP once more.

Tick the box for the Pre-Share Key and enter it as before by pressing the appropriate button.

Tick the AES button for the IPSec Security Method.

Leave section 4 blank here as we are not using GRE in this example.

Finally, in section 5, enter the Vigor WAN IP in My WAN IP and the Juniper WAN IP in Remote Gateway IP.

Enter the Juniper LAN subnet in Remote Network IP, e.g. 192.168.10.0, and the subnet mask below it as a dotted mask, in this case 255.255.255.0 rather than /24.

The local network IP is the LAN subnet behind the Vigor, e.g. 192.168.11.0, with the Vigor's subnet mask below it.

The RIP direction is set to both and the traversal method is set to Route.

Now click OK.

Go to VPN and Remote Access and Connection Management and see if the VPN is up:
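The guide's advice to note the cipher, hash, DH group, lifetimes and subnets on the Juniper and then match them on the Vigor is where most tunnels fail to come up: the two vendors spell the same settings differently (AES256_SHA1_G14 on the Vigor against separate fields on the Juniper; seconds against hours; /24 against 255.255.255.0), and proxy-ID subnets must be mirrored, not copied. The script below is an added example, not code from sircles.net or either vendor; it normalises both sides' notes and lists every disagreement. The field names and the 192.168.10.0/192.168.11.0 addresses are this example's own convention, and the rule that a bare "PFS on" reuses the phase 1 group is an assumption.

```python
"""Cross-check the IPsec parameters noted for each end of a site-to-site
tunnel (added example, not from the page or either vendor). Normalises
the two vendors' spellings and lists every disagreement."""
import ipaddress
import re

UNIT_SECONDS = {"": 1, "s": 1, "sec": 1, "second": 1,
                "min": 60, "minute": 60, "h": 3600, "hr": 3600, "hour": 3600}


def parse_group(text):
    """'G14', 'group 14', 'DH-Group14' -> 14; None when no group is named."""
    t = re.sub(r"[\s_\-]", "", text.lower())
    m = re.search(r"(?:group|dh|g)(14|19|20|21|1|2|5)(?!\d)", t)
    return int(m.group(1)) if m else None


def parse_proposal(text):
    """'AES256_SHA1_G14' or 'aes-256 / sha-1 / group 14' -> normalised dict."""
    t = re.sub(r"[\s_\-/]", "", text.lower())
    enc = re.search(r"aes(?:128|192|256)|3des|des", t)
    auth = re.search(r"sha(?:256|384|512|1)?|md5", t)
    auth_name = auth.group(0) if auth else None
    if auth_name == "sha":          # assumption: a bare 'SHA' on a menu means SHA-1
        auth_name = "sha1"
    return {"enc": enc.group(0) if enc else None, "auth": auth_name, "group": parse_group(text)}


def parse_lifetime(value):
    """3600, '3600 s', '1 hour', '480 min' -> seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]*?)s?\s*", str(value).lower())
    if not m or m.group(2) not in UNIT_SECONDS:
        raise ValueError(f"cannot read lifetime {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def normalise_side(side):
    """Turn one side's free-form notes into comparable values."""
    p1, p2 = parse_proposal(side["phase1"]), parse_proposal(side["phase2"])
    pfs = side.get("pfs")
    if pfs in (None, False, "no", "off", "none"):
        pfs_group = None
    elif pfs is True or str(pfs).lower() == "phase1":
        pfs_group = p1["group"]     # assumption: 'PFS on' with no group reuses phase 1's
    else:
        pfs_group = parse_group(str(pfs))
    return {
        "phase1": p1,
        "phase2": {"enc": p2["enc"], "auth": p2["auth"]},
        "pfs_group": pfs_group,
        "phase1_lifetime": parse_lifetime(side["phase1_lifetime"]),
        "phase2_lifetime": parse_lifetime(side["phase2_lifetime"]),
        # ip_network accepts both '/24' and '/255.255.255.0'
        "local": ipaddress.ip_network(side["local"], strict=False),
        "remote": ipaddress.ip_network(side["remote"], strict=False),
    }


def compare(a, b):
    """Return a list of mismatches between two sides' notes; [] means they agree."""
    na, nb = normalise_side(a), normalise_side(b)
    problems = []
    for key in ("phase1", "phase2", "pfs_group", "phase1_lifetime", "phase2_lifetime"):
        if na[key] != nb[key]:
            problems.append(f"{key}: {a['name']} has {na[key]}, {b['name']} has {nb[key]}")
    # Each side's local subnet must be the other side's remote subnet.
    if na["local"] != nb["remote"] or na["remote"] != nb["local"]:
        problems.append(f"subnets not mirrored: {a['name']} {na['local']}<->{na['remote']}, "
                        f"{b['name']} {nb['local']}<->{nb['remote']}")
    return problems


# Constructed from the values quoted in the guide; addresses are examples.
JUNIPER = {"name": "Juniper SSG5", "phase1": "aes-256 sha-1 group14",
           "phase2": "aes-256 sha-1", "pfs": "group 14",
           "phase1_lifetime": "28800", "phase2_lifetime": "3600 seconds",
           "local": "192.168.10.0/24", "remote": "192.168.11.0/24"}
VIGOR = {"name": "DrayTek Vigor 2860", "phase1": "AES256_SHA1_G14",
         "phase2": "AES256_SHA1", "pfs": True,
         "phase1_lifetime": "8 hours", "phase2_lifetime": "1 hour",
         "local": "192.168.11.0/255.255.255.0", "remote": "192.168.10.0/255.255.255.0"}

if __name__ == "__main__":
    for line in compare(JUNIPER, VIGOR) or ["both sides agree"]:
        print(line)
```

Run it with the notes from both sides before raising the tunnel; a one-line mismatch report is far quicker than reading phase 1 failures out of two vendors' logs.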