sircles.net Computer Support The sircles IT support & solutions blog | Internet Security


The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

Security alert for your linked account #28868 - Fake outlook.com account recovery messages


 

Watch out for these fake account recovery messages as they are finding their way into outlook.com and hotmail.com!

 

 

 

 
 
     

 

 

Your profile is listed as the recovery email for recipient@hotmail.com. Don't recognize this profile? click here.

 
     
 

Sign-in attempt was blocked for your linked account
recipient@hotmail.com

Someone just used your password to try to sign in to your profile.

 
     
 

You received this email to let you know about important changes to your profile and services.

© 2018 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

 

The actual links point to: http://wiki.1rwn.com/ctireaz/radiantlyb.html from both the check activity link and the click here link under 'recognize this profile'.

The link is not dangerous - it just forwards you to a Canadian Pharmacy page - but do report the originator of the email and the website as neither will be very nice people.

We could not reset the password for your AppIe lD - Spam Warning

11. October 2018 16:08 by sirclesadmin in Internet Security, SPAM

 

This rather weak spam email uses a PDF to try and hide its dirty link to a fraudulent website.

The email itself:

Dear AppIe User.

We could not reset the password for your AppIe lD because there were too many failed attempts to answer your security questions.  

To read your secure message by opening the attachment(PDF).

You will be prompted to open(view)the file or save(download) it to your computer or device

For best results Save the file , then open it on a web browser.

Your account will be locked if we didn’t receive any response from you in more than twenty four hours

Sincerely,          

Apple Support  

 

Copyright © 2018 Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.

All rights reserved.

 

The Unlock Apple ID link points to:

http://applie-id.veriby.coolambo.ca which is sketchy at best. The website itself is already marked as deceptive by Google and Microsoft and so shouldn't be making too many lives more miserable.

The Apple site impersonation is somewhat more impressive:

And after you type in any email address and password to the unsecured site, it then presents you with:

in which they actually have the audacity to ask for a card number and bank account and sort code as security.

Hopefully no one will fall for this nonsense, and they will have wasted their time.

Stay vigilant!

 

You have received efax Message: Spam warning

2. October 2018 13:05 by sirclesadmin in Internet Security, Online Fraud

 

This email is impersonating eFax by using links back to the eFax images and website, but it is a very low-fi spam attempt. 'You have received fax message' sounds like someone did not quite know how to translate the sentence, when you would've thought that they would just use the text from a real eFax message.

The email in this case has arrived from efax@flumepsychiatry.com, which is obviously a giveaway:

 

 

 

 

From: eFax j2 Global <efax@flumepsychiatry.com>

Sent: Monday, October 1, 2018 4:42 PM

To: Recipient

Subject: You have received efax Message

 

 

 

 

eFax_Faxing_Simplified

 

Fax Message Caller-ID: 8046 545 7372,

You've received a 3 page fax at 10-01-2018 03:24:57 GMT.

*Your reference # for this fax is dk7_dtd24-48654058334483-5433851-55.

Visit www.efax.com/efax-help-center if you have any questions regarding this notification.

 



eFax Crew

 

j2 footer
2002-2018 j2 Global, Inc. and affiliates. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
61526 Hollywood St, Los Angeles, CA 97426

*** This is an automatically generated message, please do not reply directly to this email address *** Privacy Policy.

 The 'get fax' link (rather an unfortunate phrase) actually points to: http://pitchbrooklyn.com?5j8ti=QIUBNYQASHUBQYUDP which is actually not working currently, probably because the spam is already a day old.
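The sender-domain giveaway described in this post can be checked mechanically. The following is an added example, not code from the original blog: it compares the brand claimed in the From display name with the address's domain, using senders quoted in the posts on this page plus two constructed addresses; the BRAND_DOMAINS allowlist and the function names are assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Assumed allowlist for illustration: brand keyword -> domains that brand mails from.
# A real deployment would maintain this list from the brands' own documentation.
BRAND_DOMAINS = {
    "efax": {"efax.com"},
    "ups": {"ups.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "internal revenue service": {"irs.gov"},
}


def sender_domain(from_header):
    """Domain part of the address in a From header, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def in_allowed(domain, allowed):
    """True for an allowed domain or a subdomain of one (match on a dot boundary)."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brand_mismatch(from_header):
    """Return (brand, domain) if the display name claims a brand the domain does not belong to."""
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    for brand, allowed in BRAND_DOMAINS.items():
        claimed = re.search(r"\b" + re.escape(brand) + r"\b", name, re.IGNORECASE)
        if claimed and not in_allowed(domain, allowed):
            return brand, domain
    return None


# From headers quoted on this page.
PAGE_SENDERS = [
    "eFax j2 Global <efax@flumepsychiatry.com>",
    "UPS Choice <ups@altoedge.com>",
    "DocuSign Signature Service <docusign@pehache.com>",
    "Internal Revenue Service <irs@aubodyshop.com>",
]
# Constructed samples: a subdomain of the real brand, and a look-alike host.
CONSTRUCTED = [
    "eFax <message@inbound.efax.com>",
    "eFax <message@efax.com.mail.example>",
]

if __name__ == "__main__":
    for header in PAGE_SENDERS + CONSTRUCTED:
        print(header, "->", brand_mismatch(header) or "no mismatch")
```

A message that forges the brand's real domain in the From address passes this check; SPF, DKIM and DMARC results cover that case.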

 

 

Spam Warning: Notice from UPS


 

This is a bit of a confusing one as they do not seem to know who they are, HelloFax or UPS.

Here is the message:

 

From: UPS Choice <ups@altoedge.com>

Sent: Wednesday, August 15, 2018 7:31 PM

To: Recipient

Subject: Notice from UPS

 

 

HelloFax

The best way to sign and send faxes online

Dear Customer,

You have received a HelloFax

Date/Time: 08/14/2018 09:55 AM
Number of pages: 4

Reference ID Number: TGH757358L.


We appreciate you going paper-less!
- The HelloFax Community

 

We believe the office can be paper less!
HelloFax Send Docs On-line
HelloSign Sign your Documents Online
HelloSign for Gmail Sign from Googlemail

503 Howard Street, Suite 341
San Francisco, CA

Add us to the list of contacts

 

The 'Download Fax Now' button actually points at: http://exumabonefishlodge.com?4eHJe=QIUBNYQASHUBQYUDP which already appears shut down as we just get a:

 

This site can’t be reached

exumabonefishlodge.com’s server IP address could not be found.

 

ERR_NAME_NOT_RESOLVED

 

 

Message on Chrome.

So no immediate danger here, but this email will be circulating with a hundred different links on it, so beware! Report as spam and report the link to your browser provider.

 

One last point is that the 'add us to the contacts list' is actually a link to: https://dyn550zzd47ox.cloudfront.net/1.52.0/css/images/email/support.vcf

And although this is probably the correct shortcut, it actually downloads a vcf file to your PC from cloudflare...

 

Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent

9. August 2018 07:19 by sirclesadmin in Internet Security, Online Fraud, SPAM

 

This email has been assembled by sourcing information from your personal history online. In this example they have sourced an old telephone number from somewhere, probably sold to them by our local council.

 

From: Direct <theo-letran@glampiny.com>

Sent: Thursday, August 9, 2018 6:35 AM

To: Recipient

Subject: Your Name, Pack(50RM_84248) confirmed: 7 items sent

 

 

Order Acknowledgment

Dear Your name,

Your order is now confirmed. Thanks for shopping with us!

 

Billing Address:
Your Name 
Your Telephone Number Postcode 




Your Order Reference: 50RM_84248
Order Date: 8/9/2018

Delivery Address:
Your Name
Your Telephone Number Postcode

Your Order 50RM_84248 available here

Your right to cancel:

In addition to the EU and UK Distance Selling Regulations, we offer you 30 days to change your mind on any purchase.

To cancel the order, please complete the enclosed returns slip and return the item(s) to us at the address that is on the returns slip.

We recommend that you use a recorded delivery service.

Please note that you are responsible for the costs of returning the items to us unless the goods delivered are incorrect or faulty. In this case, you will be credited for the cost of your return up to a reasonable amount.

As soon as we receive your item(s) the returns procedure will be initiated and refunds will be processed.

 
 
The hyperlink 'Your Order 50RM_84248 available here' actually links to: https://kocobanana.com/.orderdetails/50RM_84248-confirmation which is presumably a genuine website, as it has a certificate, but it simply forwards you to: https://support.office.com/office-training-center?wt.mc_id=AID573689_QSG_184686 which is presumably not an association that Microsoft enjoys.
The actual link downloads a zip file:
 
The contents of the zip file are as follows:
 
 
And when extracted, reveal:
 
 
The image just being a Google Pay image:
 
 
And the shortcut linking to:
 
 
As we can see, this is another Windows PowerShell command, but one which we cannot make head or tail of - fildunare is not a term which any of us recognise, so any light anyone can shed would be most welcome.
Either way, it is attempting to find the string fildunare  with a .lnk extension in your documents and invokes desktop.ps1 which doesn't actually seem to be included with any version of Windows and so is a bit of a mystery.
 
Either way, make sure that .ps1 files are blocked inside of attachments, especially archive files, and this will not be an issue.
The originating email domain - glampiny.com - does not seem to be a website either so block that domain from your email server.
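One way to enforce the attachment rule above at a mail gateway, as an added example that is not part of the original post: it lists blocked file types inside a zip attachment, including nested archives. Treating .lnk as blocked alongside .ps1 is an extension of the post's advice (the launcher in this sample was a shortcut); the file names, limits and function names are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

BLOCKED_EXTENSIONS = {".ps1", ".lnk"}  # .ps1 per the post; .lnk is an added assumption
MAX_DEPTH = 3                          # how many archive levels to open
MAX_NESTED_BYTES = 20 * 1024 * 1024    # do not unpack nested archives larger than this


def blocked_members(data, depth=0, prefix=""):
    """Return paths of blocked or uninspectable files inside a zip attachment."""
    hits = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Windows drops trailing dots and spaces, so "x.ps1." still opens as x.ps1.
            name = info.filename.lower().rstrip(". ")
            suffix = PurePosixPath(name).suffix
            if suffix in BLOCKED_EXTENSIONS:
                hits.append(path)
            elif suffix == ".zip":
                if info.flag_bits & 0x1:
                    hits.append(path + " (encrypted, not inspected)")
                elif depth + 1 >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    hits.append(path + " (too deep or too large, not inspected)")
                else:
                    hits += blocked_members(zf.read(info), depth + 1, path + "!")
    return hits


def build_sample():
    """Constructed attachment: an image, a shortcut, and a script one archive deeper."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("desktop.ps1.", "# placeholder content")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("payment.png", b"placeholder, not a real image")
        zf.writestr("Order details.LNK", b"placeholder, not a real shortcut")
        zf.writestr("docs/inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in blocked_members(build_sample()):
        print("blocked:", hit)
```

A non-empty result is the signal to quarantine the message; entries marked "not inspected" should be treated the same way, since their contents could not be checked.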

Spam Warning: You've received efax Notice

8. August 2018 07:58 by sirclesadmin in Internet Security, SPAM

 

We have seen this email throughout this week:

 

 

 

 

From: eFax j2 Global <efax@ramatmed.com>

Sent: Tuesday, August 7, 2018 7:52 PM

To: Recipient

Subject: You've received efax Notice

 

 

 

 

eFax_Faxing_Simplified

 

Fax Message; ID: 4734 745 7735,

You have got a 6 page(s) fax at 08-07-2018 08:34:55 GMT.

*Your reference number is ek4_pid02-88444959724931-3463741-40.

Visit www.efax.com/efax-help-center if you have any questions relating to this notification.



The eFax Team

 

j2 footer
2002-2018 j2 Global, Inc. and affiliates. All rights reserved.
eFax is a trademark of j2 Global, Inc.
22592 Hollywood Blvd, Los Angeles, CA 98613

*** This is an automatic message, please do not reply directly to this email address *** Privacy Policy.

The 'Get Fax Now' link actually points to: http://hvcrmls.info?82a6yp=QIUBNYQASHUBQYUDP which appears to have already been removed, but the site name is so bizarre it makes you wonder if it ever existed. I am not going to invest time in looking it up, but this email is spam and should be reported.
The sender efax@ramatmed.com has a domain of what appears to be a Los Angeles medical supplier, but the website is very spartan.
 

Spam Warning: You received notification from DocuSign Signature Service

7. August 2018 06:48 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM

 

You may see the following email, purportedly from DocuSign. We have seen it being captured by most spam guards but also getting through many on other occasions.

 

 

 

 

From: DocuSign Signature Service <docusign@pehache.com>

Sent: Monday, August 6, 2018 5:21 PM

To: Recipient

Subject: You received notification from DocuSign Signature Service

 

 

 

 

 

 

DocuSign

Review and sign this document.

 

Dear Receiver,

Please review this invoice
It is an automatically generated invoice.

 

This email contains a secure information. Do not share this code with other people.

Additional Signing Way
Please visit DocuSign.com, click on 'Access Documents', and enter the security code: F80B75BEF7

About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management.

Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.

If you are having trouble signing the document, please see the Help with Signing page on our Webpage .
 

Review Invoice

This message was sent to you by DocuSign Electronic Signature Service.

 

 

 The 'view invoice' link actually points at: http://keithharenda.com?6d50=QAUSY1CQVUFS1QXOBsGSJTHS which is an unsecured site which appears to have been compromised.
The folder appears to have already been removed.
We have also seen: http://nashvillechildfamilywellness.com?20Yy5=QAUSY1CQVUFS1QXOBsGSJTHS being used by the same email.
The 'review invoice' link at the bottom points to: http://kphbuilds.com?7P62A=QAUSY1CQVUFS1QXOBsGSJTHS which also appears to have been shut down.
 
Report any senders of this email; the pehache.com domain does not seem to function either.

Internal Revenue Service - Spam Warning !

1. August 2018 13:29 by sirclesadmin in Internet Security, Online Fraud, SPAM

Watch out for more free money!

This email has been received this week:

 

 

From: Internal Revenue Service <irs@aubodyshop.com>

Sent: Tuesday, July 31, 2018 6:16 PM

To: Recipient

Subject: Internal Revenue Service

 

IRS.gov Banner

Internal Revenue Service

IRS services     Account Balance communication TP95

 

Final reminder: Notice of Intent to seize (levy) your current income tax refund.


 

promptly: $449.20

Our files indicate that you have unpaid sum for the tax year closing December 31,2017 (Application form ). If you don't call us straight away, we may levy (seize) your house or legal rights to own property which includes any kind of tax refund and also apply it for the amount of money you must pay back.


Download your payment Invoice 


You're witnessing this particular notification due to the fact you're subscribed to our alerts via Internal revenue service.

 If you no more want to get warnings, please log in to your Internal revenue service account  to temporarily disable or completely delete these types of signals.

The following alert is sent to you automatically from the IRS services. Make sure you do not Write back.


Take care of your account, change your security password or e-mail, or discontinue messages at any time on your Personal preferences Web page.

If you have inquiries or problems with the service, be sure to contact www.paygov.us.
.



This service is delivered to you free of charge by the Internal Revenue Service. The following communication is provided through: IRS 1364 Constitution St. N Washington DC 21263.

Powered by GovDelivery

 

 
As this email has been received from a car (auto if you're German/American) repair (body shop) in Indianapolis, we can safely say that it is a spam email.
 
The link 'Download your payment Invoice' points to: http://cliptrips.info?8yi2O=QAUSY1CQVUFS1QXOBsGSJTHS
 
Which has already been taken down - well done for spotting that whoever the owner is...
 
Anyway, report this email as spam and stay vigilant!