sircles.net Computer Support The sircles IT support & solutions blog | Internet Security


Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent

9. August 2018 07:19 by sirclesadmin in Internet Security, Online Fraud, SPAM

 

This email has been assembled from information scraped from your personal history online; in this example the senders have obtained an old telephone number from somewhere (our suspicion is that it was sold on by the local council).

 

From: Direct <theo-letran@glampiny.com>
Sent: Thursday, August 9, 2018 6:35 AM
To: Recipient
Subject: Your Name, Pack(50RM_84248) confirmed: 7 items sent

 

 

Order Acknowledgment

Dear Your name,

Your order is now confirmed. Thanks for shopping with us!

 

Billing Address:
Your Name 
Your Telephone Number Postcode 




Your Order Reference: 50RM_84248
Order Date: 8/9/2018

Delivery Address:
Your Name
Your Telephone Number Postcode

Your Order 50RM_84248 available here

Your right to cancel:

In addition to the EU and UK Distance Selling Regulations, we offer you 30 days to change your mind on any purchase.

To cancel the order, please complete the enclosed returns slip and return the item(s) to us at the address that is on the returns slip.

We recommend that you use a recorded delivery service.

Please note that you are responsible for the costs of returning the items to us unless the goods delivered are incorrect or faulty. In this case, you will be credited for the cost of your return up to a reasonable amount.

As soon as we receive your item(s) the returns procedure will be initiated and refunds will be processed.

 
 
The hyperlink 'Your Order 50RM_84248 available here' actually links to: https://kocobanana.com/.orderdetails/50RM_84248-confirmation. That domain serves a valid certificate, but a certificate only proves that whoever set up the site controls the name; it says nothing about whether the site is honest. It may well be a legitimate site that has been compromised, but the certificate is no evidence either way. The page simply forwards you to: https://support.office.com/office-training-center?wt.mc_id=AID573689_QSG_184686, which is presumably not an association that Microsoft enjoy.
The actual link downloads a zip file:
 
The contents of the zip file are as follows:
 
 
And when extracted, reveal:
 
 
The image just being a Google Pay image:
 
 
And the shortcut linking to:
 
 
As we can see, this is another Windows PowerShell command, but one which we cannot make head or tail of: fildunare is not a term any of us recognise, so any light anyone can shed would be most welcome.
Either way, it attempts to find a file whose name contains the string fildunare with a .lnk extension in your Documents folder and then invokes desktop.ps1, which is not shipped with any version of Windows. Presumably the malware drops or downloads that script itself, but we cannot confirm that from the archive alone.
 
Either way, make sure that .ps1 files are blocked inside attachments, especially archive files. Note that the archive in this case carries a .lnk shortcut rather than a .ps1, and it is the shortcut that launches PowerShell, so .lnk files (and other executable types) should be blocked inside attachments and archives as well.
The originating email domain, glampiny.com, does not appear to host a website either, so block that domain on your email server.

Spam Warning: You've received efax Notice

8. August 2018 07:58 by sirclesadmin in Internet Security, SPAM

 

We have seen this email throughout this week:

 

 

 

 

From: eFax j2 Global <efax@ramatmed.com>
Sent: Tuesday, August 7, 2018 7:52 PM
To: Recipient
Subject: You've received efax Notice

 

 

 

 

eFax_Faxing_Simplified

 

Fax Message; ID: 4734 745 7735,

You have got a 6 page(s) fax at 08-07-2018 08:34:55 GMT.

*Your reference number is ek4_pid02-88444959724931-3463741-40.

Visit www.efax.com/efax-help-center if you have any questions relating to this notification.



The eFax Team

 

j2 footer
2002-2018 j2 Global, Inc. and affiliates. All rights reserved.
eFax is a trademark of j2 Global, Inc.
22592 Hollywood Blvd, Los Angeles, CA 98613

*** This is an automatic message, please do not reply directly to this email address *** Privacy Policy.

The 'Get Fax Now' link actually points to: http://hvcrmls.info?82a6yp=QIUBNYQASHUBQYUDP, which appears to have already been taken down; the domain name is so bizarre that it makes you wonder whether it ever existed. I am not going to invest time in looking it up, but this email is spam and should be reported.
The sender address efax@ramatmed.com uses the domain of what appears to be a Los Angeles medical supplier, but the website is very spartan. Bear in mind that the From address is trivially forged, so the supplier may simply have had its name borrowed.
 

Spam Warning: You received notification from DocuSign Signature Service

7. August 2018 06:48 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM

 

You may see the following email, purportedly from DocuSign. We have seen it being captured by most spam guards but also getting through many on other occasions.

 

 

 

 

From: DocuSign Signature Service <docusign@pehache.com>
Sent: Monday, August 6, 2018 5:21 PM
To: Recipient
Subject: You received notification from DocuSign Signature Service

 

 

 

 

 

 

DocuSign

Review and sign this document.

 

Dear Receiver,

Please review this invoice
It is an automatically generated invoice.

 

This email contains a secure information. Do not share this code with other people.

Additional Signing Way
Please visit DocuSign.com, click on 'Access Documents', and enter the security code: F80B75BEF7

About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management.

Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.

If you are having trouble signing the document, please see the Help with Signing page on our Webpage .
 

Review Invoice

This message was sent to you by DocuSign Electronic Signature Service.

 

 

The 'View Invoice' link actually points at: http://keithharenda.com?6d50=QAUSY1CQVUFS1QXOBsGSJTHS, a plain-HTTP site which appears to have been compromised.
The folder appears to have already been removed.
We have also seen http://nashvillechildfamilywellness.com?20Yy5=QAUSY1CQVUFS1QXOBsGSJTHS being used by the same email.
The 'Review Invoice' link at the bottom points to: http://kphbuilds.com?7P62A=QAUSY1CQVUFS1QXOBsGSJTHS, which also appears to have been shut down. Note that the same QAUSY1CQVUFS1QXOBsGSJTHS parameter value appears in the IRS and HelloFax emails elsewhere on this page, which suggests a common origin for all three campaigns.

Report any senders of this email; the pehache.com domain does not seem to function either.

Internal Revenue Service - Spam Warning !

1. August 2018 13:29 by sirclesadmin in Internet Security, Online Fraud, SPAM

Watch out for more free money!

This email has been received this week:

 

 

From: Internal Revenue Service <irs@aubodyshop.com>
Sent: Tuesday, July 31, 2018 6:16 PM
To: Recipient
Subject: Internal Revenue Service

 

IRS.gov Banner

Internal Revenue Service

IRS services     Account Balance communication TP95

 

Final reminder: Notice of Intent to seize (levy) your current income tax refund.


 

promptly: $449.20

Our files indicate that you have unpaid sum for the tax year closing December 31,2017 (Application form ). If you don't call us straight away, we may levy (seize) your house or legal rights to own property which includes any kind of tax refund and also apply it for the amount of money you must pay back.


Download your payment Invoice 


You're witnessing this particular notification due to the fact you're subscribed to our alerts via Internal revenue service.

 If you no more want to get warnings, please log in to your Internal revenue service account  to temporarily disable or completely delete these types of signals.

The following alert is sent to you automatically from the IRS services. Make sure you do not Write back.


Take care of your account, change your security password or e-mail, or discontinue messages at any time on your Personal preferences Web page.

If you have inquiries or problems with the service, be sure to contact www.paygov.us.
.



This service is delivered to you free of charge by the Internal Revenue Service. The following communication is provided through: IRS 1364 Constitution St. N Washington DC 21263.

Powered by GovDelivery

 

 
As this email has been sent from the domain of a car (auto, if you're German or American) repair shop (a body shop) in Indianapolis, we can safely say that it is spam. The IRS does not initiate contact about tax debts by email in any case.

The link 'Download your Payment Invoice' points to: http://cliptrips.info?8yi2O=QAUSY1CQVUFS1QXOBsGSJTHS

which has already been taken down; well done to whoever the owner is for spotting that.

Anyway, report this email as spam and stay vigilant!
 

Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes.

1. August 2018 12:35 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM

 

This email has been received this week at sircles spam catcher:

From: TaxesGreat-Britain <seminar@toitumosi.jp>
Sent: Wednesday, August 1, 2018 9:26 AM
To: Support
Subject: (1) New message from GB Revenue and Taxes.

 

 

-

Taxes&Revenue have detected that you have paid too much tax in the past

 

* Therefore we applied P800WForm to issue a reimbursment.

--we tried to send it to you automatically.

--we don't have your card details on file.

--have your credit/debit card ready

Reimbursement Information

* We applied P800WForm to issue a reimbursment.

* Receipt date : 01 August 2018.

* Amount: 670.25 GB P.

Delivery-Information

Card Type:

VISA

Credit Card:

****-****-****-****

Amount:

670.25

Transaction Date:

01/08/2018

Transaction #:

419277

 

 

Total  

670.25   GB P

 

-

 
 
As you can see, the originating address is actually a Japanese domain (.jp), so it probably isn't that likely to give me a tax refund after all :(

The 'GB P' is a bit of a giveaway too: even in London, most people still write pounds (or £) without being prompted.

The 'Claim Funds' link points to: http://mocosi.co.za/img/acgetopai/, which Chrome already flags as deceptive and Microsoft Edge flags as unsafe.
 
The actual site:
 
 
Once you choose your wishes they take you to:
 
 
HMRC does not hold your banking details and will never ask you to confirm your identity with your card details or account number. This site is plain HTTP, with no certificate, and should therefore not be accepting card details anyway.

Never enter card details without checking that the padlock in the address bar is showing (green or 'OK', depending on the browser); bear in mind that the padlock only proves the connection is encrypted, not that the site is honest. Always check the domain in the address bar, all the way up to the first /, and make sure it is just the expected domain, like sircles.net, with nothing attached to it other than what follows a /.
 
Report this email and report the website.
 
Be safe!!!

Spam Warning: Important Docs Secured ShareFile Attachment


 

Watch out for this email doing the rounds this week:

 

From: Tracy Turner <tturner@brealzeta.com>
Sent: Thursday, July 19, 2018 5:07 PM
Subject: Important Docs

 

 

Secured ShareFile Attachment

Expires July 20, 2018

Brealzeta.pdf

568.9 KB

Review Documents

I used WeTransfer to send documents to you securely. Learn More.

 

 

If you need any further assistance, then do not hesitate to contact me.

 

Tracy Turner
Breal Zeta CF Ltd
t: 07803 178446

 

The 'Review Documents' link actually points at https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26 

 

So be careful here: this is a site served over HTTPS with a valid SSL certificate, so the padlock alone would not have told you anything was wrong:



The domain theqfotaaerwrcgfd.co.uk appears to be running on a cPanel server with a certificate from:



Comodo, issued through cPanel.

 

From the look of the site: 

 

 

They seem to be impersonating WeTransfer and ShareFile at the same time, so this is obviously quite a big scam.

The website has been carefully put together to steal credentials: a person who knows a Tracy Turner could easily enter all three of their Google, Office 365 and GoDaddy logins.

The GoDaddy option is crafty, but obviously no document-sharing service in the world would ask for your domain registrar credentials.

 

If you click the 'others' option, then you are taken through to a WeTransfer impersonation site:

 

https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5e%25&*(*%5e$%25%5e&%25%5e$%25%23%23$%25%5e&/email_signin/index.html

 

 

 

Which is again a convincing-looking site using the same certificate.

 

The IP address gives this data:

% Information related to '89.36.218.0 - 89.36.218.255'

% Abuse contact for '89.36.218.0 - 89.36.218.255' is 'abuse@staff.aruba.it'

inetnum: 89.36.218.0 - 89.36.218.255
geoloc: 50.10 8.70
netname: CLOUD-DE
descr: Cloud Services DC05
country: DE
admin-c: SS936-RIPE
tech-c: AN3450-RIPE
status: ASSIGNED PA
mnt-by: ARUBA-MNT
mnt-lower: ARUBA-MNT
mnt-routes: XANDMAIL-MNT
created: 2016-01-11T14:37:36Z
last-modified: 2016-01-11T14:37:36Z
source: RIPE

role: ARUBA NOC
address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
abuse-mailbox: abuse@staff.aruba.it
admin-c: SS936-RIPE
tech-c: SC279-RIPE
nic-hdl: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2008-11-19T19:02:34Z
last-modified: 2017-11-15T08:13:57Z
source: RIPE # Filtered

person: Susanna Santini
address: Aruba S.p.A.
address: Via S.Clemente, 53
address: 24036 Ponte San Pietro (BG)
phone: +39 0575 0505
fax-no: +39 0575 862000
nic-hdl: SS936-RIPE
mnt-by: ARUBA-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2017-11-15T08:14:40Z
source: RIPE # Filtered

% Information related to '89.36.216.0/22AS200185'

route: 89.36.216.0/22
descr: Aruba GmbH Cloud Network DC05
origin: AS200185
mnt-by: ARUBA-MNT
created: 2015-12-09T12:07:07Z
last-modified: 2015-12-09T12:07:25Z
source: RIPE

 

We will email the abuse address to report these sites...

Spam warning - HelloFax, Someone Sent You a Fax

10. July 2018 08:12 by sirclesadmin in Internet Security, SPAM

 

This email has been received in the last couple of days:

 

From: HelloFax <hellofax@abramscpa.com>
Sent: Monday, July 9, 2018 3:22 PM
To: Recipient
Subject: HelloFax, Someone Sent You a Fax

 

 

HelloFax

The best way to sign and send faxes on-line

Dear Customer,

Here is Your HelloFax

Date and Time: 07/09/2018 08:10 AM
Number of pages: 9

Reference number: TGD656358K.


Thank you for going paperless!
- HelloFax Team

 

We think your workplace can be paperless!
HelloFax Send Documents Online
HelloSign Sign Documents Online
HelloSign for Gmail Sign with Gmail

504 Howard Street, Suite 350
San Diego , CA

Add us to your address book

 
 
The 'Get Your Fax' link points to http://wegetthelintout.ca?7v7Rh=QAUSY1CQVUFS1QXOBsGSJTHS, which no longer responds, so the owners have presumably disabled it until the fraudulent pages have been removed.
Please report this message as spam anyway to get the source address blacklisted.

Amazon Spam Warning - Authorization of Account Details

27. June 2018 13:59 by sirclesadmin in Internet Security, Online Fraud

 

We have seen this email passing through Hotmail and Outlook defences:

 

From: Αmаzоn.соm <notifications@biIling-amazon.com>
Sent: Saturday, June 23, 2018 1:58 AM
To: recipient email address
Subject: Authorization of Account Details

 

 
 

 

Authorization of Account Details

 
 

CASE ID
70C4L12278

CASE DESCRIPTION

Validation of billing details in your account

DATE
June 22, 2018

Dear recipient

We need to validate your billing information you entered, which may not match with your Credit card's issuing bank. Please get these to us before June 29, 2018 to ensure that the services related to your account will not be suspended. We may contact you for additional information as part of the verification process.

 

You can start your verification process by clicking on Here

 

We hope to see you again soon.

 

Amazon.com

 

 
 
 
 


 
 
 

 Privacy Policy

 
 

Copyright © 2018 Amazon.com
All rights reserved

 

This email sent to recipient email address

Email ID: 122744Px690808054Fw90f4v6nJK9o408488ef019626

 
 
The link points to a site which has already been dismantled, and Google Chrome already lists it as fraudulent, so we will not post it here. Note the sender address, though: the display name is spelled with look-alike non-Latin characters, and the domain biIling-amazon.com has a capital I in place of the l in 'billing', so it is not an Amazon domain at all.
 
Do mark this email as spam though as it is breaking through email defenses...
 
 

About a internship! Fake Resume or CV SPAM!


 

Microsoft Office documents are a common carrier of macros and other kinds of malware. Recent versions of Microsoft Office open a document received by email in Protected View, with editing and macros disabled, in order to protect the user, so modern malicious documents carry a front page explaining that they need to be 'unlocked' before the content can be seen.

Let's have a quick look at one:

Here is a message containing a resume we have received today...

Hello there! I hope you are well!

I am absolutely interested in a internship.
Find my attached resume and reply ASAP.

The password for the file is 123123

Looking forward to hearing back from you!
Dayna

If we double-click the attachment containing 'Danya's Resume' we see the password request in Microsoft Word 2016. Protecting the file with a password also means that mail filters cannot look inside it, which is the real reason for it.

We enter the password provided and then...

 

 

The text in the document pane has actually been added by the spammers. The 'Was this information helpful?' strip is just an image captured from the Microsoft website, just as we have captured this image from the spammers. The 'Yes' and 'No' buttons are not live; they are there only to persuade you that this is a Microsoft message. The text is there to persuade you to enable the macros in this document; definitely do not.

The only genuine Microsoft text here is the yellow bar at the top, which reads 'Be careful - email attachments can contain viruses. Unless you need to edit, it's safer to stay in Protected View.' And it is. We would suggest that unless you are expecting the document, and it is from the person you expect it from, you never enable a Microsoft Office document for editing.

Let us make sure that this document is not one we are expecting: if we click the File menu in Microsoft Word and select Info, we can see the following:

 

 

As we can see from the details, this document is nonsense and is not from anyone we know or want to know.

Label these as spam and report the originator to your email administrator or provider.

We have seen the following alternate subjects for the same email:

  1. About a career?
  2. Concerning a internship.
  3. Regarding a career!
  4. Regarding a job?
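The two attachment tricks described on this page (the zip in the Pack(50RM_84248) email whose .lnk launched PowerShell, and the password-protected resume that asks you to enable macros) can both be caught before anyone double-clicks. The following Python is an added example written for this post, not code from sircles or from any of the spammers' kits: it walks an attachment, recursing into zips, flags executable and script types (including .lnk, not just .ps1), flags OOXML documents that carry a vbaProject.bin, and reports OLE or encrypted documents as uninspectable. The sample attachments are constructed in memory (the fake .lnk is only the header magic plus a command string, not a real shortcut); names such as Pack_50RM_84248.zip and Dayna_Resume.docm are assumed for illustration.

```python
"""Static triage of e-mail attachments: archives that smuggle shortcuts or
scripts, and Office documents that carry VBA macros.

Added illustration for the sircles posts; not code from the original posts.
All sample attachments are constructed in memory below and are not the real
files from the emails.
"""
import io
import zipfile

# Types that run something when double-clicked.  The 50RM_84248 archive
# carried a .lnk that launched PowerShell, so a rule blocking only .ps1
# would have let it through.
RISKY_EXTENSIONS = {
    ".lnk", ".ps1", ".psm1", ".bat", ".cmd", ".exe", ".scr", ".com", ".pif",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".msi", ".dll",
}
ZIP_MAGIC = b"PK\x03\x04"
# MS-CFB (OLE2) signature: legacy .doc/.xls and password-protected OOXML.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to inflate larger members (zip bombs)
# "powershell" as a .lnk stores strings (UTF-16LE) and as plain ASCII.
POWERSHELL_MARKERS = (b"powershell", "powershell".encode("utf-16-le"))


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def triage(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return human-readable findings for one attachment, recursing into zip
    containers.  An empty list means 'nothing found', which is not the same
    as 'safe': encrypted containers cannot be inspected at all."""
    findings = []
    label = "  " * depth + name
    ext = _ext(name)

    if ext in RISKY_EXTENSIONS:
        findings.append(f"{label}: executable/script type {ext}")
        if ext == ".lnk" and any(m in data.lower() for m in POWERSHELL_MARKERS):
            findings.append(f"{label}: shortcut launches PowerShell")

    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file, or an OOXML file that has been password
        # protected: either way the macro project is not visible here.  The
        # password-protected case is exactly the evasion used by the resume.
        findings.append(f"{label}: OLE compound file (legacy or password-protected "
                        "Office document); macros cannot be inspected without the password")
        return findings

    if data.startswith(ZIP_MAGIC):
        if depth >= max_depth:
            findings.append(f"{label}: archive nested deeper than {max_depth}; not inspected")
            return findings
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append(f"{label}: claims to be a zip but does not parse")
            return findings
        names = zf.namelist()
        # OOXML documents are zips; a vbaProject.bin member means macros.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append(f"{label}: Office document contains a VBA macro project")
        for member in names:
            if member.endswith("/"):
                continue  # directory entry
            info = zf.getinfo(member)
            if info.flag_bits & 0x1:
                findings.append(f"{label}: encrypted member {member}; cannot inspect")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{label}: member {member} too large to inspect")
                continue
            findings.extend(triage(member, zf.read(member), depth + 1, max_depth))
    return findings


def _zip_of(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed stand-ins for the attachments discussed on this page."""
    # Minimal fake .lnk: the real header magic 'L' plus the command line the
    # shortcut would carry, UTF-16LE encoded as shortcuts store strings.
    lnk = b"L\x00\x00\x00" + "powershell.exe -w hidden -ep bypass".encode("utf-16-le")
    return {
        "Pack_50RM_84248.zip": _zip_of({
            "Google Pay.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
            "Order 50RM_84248.lnk": lnk,
        }),
        "Dayna_Resume.docm": _zip_of({
            "[Content_Types].xml": b"<Types/>",
            "word/document.xml": b"<w:document/>",
            "word/vbaProject.bin": b"\x00" * 16,
        }),
        "Dayna_Resume_protected.doc": OLE_MAGIC + b"\x00" * 504,
        "invoice.pdf": b"%PDF-1.4\n%%EOF\n",
    }


if __name__ == "__main__":
    for filename, blob in build_samples().items():
        print(filename, triage(filename, blob) or ["no findings"])
```

Run as a script it prints one line per sample: two findings for the zip (the .lnk type and the PowerShell launch), one for the .docm (macro project), one for the OLE file (cannot inspect without the password) and none for the PDF. Any non-empty result is a reason to quarantine the mail; the OLE case deserves the same treatment, since a document that hides its contents from the gateway is the pattern the resume spam relies on.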

Reporting Fraudulent Websites with your Browser

17. May 2018 07:39 by sirclesadmin in Internet Security, Fraud, Phishing

 

When you receive an email with links to a fraudulent site, you should report that site to your browser provider so that other users can be saved from falling into the intended trap.

When an email tells you a site is giving you something and, on arrival, you are asked to make a payment or hand over your details, that is misrepresentation, which is phishing. You should report phishing sites to Google:

https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

The advantage of reporting to Google is that they will add the site to Safe Browsing, which Google Chrome (currently the most popular browser on Earth) and Firefox use to warn people.

If the site you are sent to by a suspicious email tries to download a file to your computer (no matter what the file purports to be), then it is most likely a malware site. Report these pages by pasting the URL from the browser address bar into the following Google page for malicious software sites:

https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en

You can also read about Google's preventative measures programme against harmful internet use here:

https://safebrowsing.google.com/

If you are using Microsoft Edge or Internet Explorer, you can also report fraudulent sites. 

You can open the old style Internet Explorer by pressing the Windows Button + R and entering iexplore and pressing OK.

From the Safety menu, point to SmartScreen Filter, then click Report Unsafe Website.

Select one or both of the following check boxes, as appropriate:

  • I think this is a phishing website
  • I think this website contains malicious software

If you are using Firefox, or if you wish to report the site to Mozilla to help more people, you can report fraudulent sites to Mozilla here:

https://www.mozilla.org/en-US/about/legal/fraud-report/

Here you can choose from:

  • Domain name
  • Collecting personal information
  • Charging for software
  • Logo misuse (phishing)
  • Distributing modified Mozilla/Malware

And choose which products are affected.

In general it is always worth checking that the site is secured (padlock in the address bar, https in the URL) and that the domain is correct, bearing in mind that the padlock only means the connection is encrypted; the ShareFile phishing site above had a perfectly valid certificate. The domain is everything after the scheme up to the first / (forward slash), so read it from the right: the domain that someone actually owns is the last two (or, for co.uk and the like, three) dot-separated parts before that slash. Many fraudulent URLs exploit this by putting the brand first, for example facebook.com-uerjfnf0e837e3e0d0y.uzbxyn.com/webapp/ye.js or facebook.com.wifubd97fidn9.interstrartter.net/webapp/ku.js. Notice that the facebook.com is followed by a hyphen or a dot instead of the / that marks the end of the domain: the real domains there are uzbxyn.com and interstrartter.net.
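The domain check in the last paragraph is easy to get wrong by eye, so here it is as code. This is an added Python example for this post, not code from sircles: it extracts the owner-controlled (registrable) domain from a URL, tests whether a host really is the expected domain or a subdomain of it (so the facebook.com-hyphen and facebook.com-dot look-alikes both fail), and records whether the link is HTTPS. The set of two-label public suffixes is an assumed subset; a real deployment would use the full Public Suffix List. The URLs are the ones quoted on this page plus a couple of constructed look-alikes.

```python
"""Work out which domain a link really leads to and whether it is the one
the link text or email implies.

Added example for the 'Reporting Fraudulent Websites' post; not code from
the original post.
"""
from urllib.parse import urlsplit

# Second-level public suffixes relevant to the URLs on this page.  This is
# an assumed subset; the authoritative source is the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "co.za", "com.au", "co.jp"}


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url: str) -> str:
    """The owner-controlled domain: 'uzbxyn.com' for
    'https://facebook.com-abc.uzbxyn.com/x'."""
    labels = _host(url).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def belongs_to(url: str, expected: str) -> bool:
    """True only if the host is `expected` itself or a real subdomain of it.
    This is the 'everything up to the first /' rule done as a suffix match,
    so 'facebook.com-xyz.example' and 'facebook.com.evil.net' are rejected."""
    host = _host(url)
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def assess_link(url: str, expected: str) -> dict:
    """Summary a mail filter or a cautious reader would want for one link."""
    parts = urlsplit(url)
    host = _host(url)
    return {
        "host": host,
        "registrable": registrable_domain(url),
        "https": parts.scheme == "https",
        "matches_expected": belongs_to(url, expected),
        # Brand name present in the hostname but not as the real domain is
        # the classic look-alike pattern.
        "brand_in_hostname": expected.lower() in host,
    }


if __name__ == "__main__":
    checks = [
        ("https://facebook.com-uerjfnf0e837e3e0d0y.uzbxyn.com/webapp/ye.js", "facebook.com"),
        ("https://facebook.com.wifubd97fidn9.interstrartter.net/webapp/ku.js", "facebook.com"),
        ("https://www.facebook.com/login", "facebook.com"),
        ("http://mocosi.co.za/img/acgetopai/", "hmrc.gov.uk"),
        ("https://theqfotaaerwrcgfd.co.uk/ces/ffw/", "sharefile.com"),
    ]
    for url, expected in checks:
        print(url, assess_link(url, expected))
```

A result with brand_in_hostname true and matches_expected false is exactly the trick the paragraph above warns about; the https flag is reported separately because, as the ShareFile example shows, it is no guarantee on its own.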