sircles.net Computer Support The sircles IT support & solutions blog | Online Fraud


The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

You have received efax Message: Spam warning

2. October 2018 13:05 by sirclesadmin in Internet Security, Online Fraud

 

This email is impersonating eFax by using links back to the eFax images and website, but it is a very low-fi spam attempt. 'You have received fax message' sounds like someone did not quite know how to translate the sentence, when you would've thought that they would just use the text from a real eFax message.

The email in this case arrived from efax@flumepsychiatry.com, which is an obvious giveaway:

 

 

 

 

From: eFax j2 Global <efax@flumepsychiatry.com>
Sent: Monday, October 1, 2018 4:42 PM
To: Recipient
Subject: You have received efax Message

 

 

 

 

eFax_Faxing_Simplified

 

Fax Message Caller-ID: 8046 545 7372,

You've received a 3 page fax at 10-01-2018 03:24:57 GMT.

*Your reference # for this fax is dk7_dtd24-48654058334483-5433851-55.

Visit www.efax.com/efax-help-center if you have any questions regarding this notification.

 



eFax Crew

 

j2 footer
2002-2018 j2 Global, Inc. and affiliates. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
61526 Hollywood St, Los Angeles, CA 97426

*** This is an automatically generated message, please do not reply directly to this email address *** Privacy Policy.

The 'get fax' link (rather an unfortunate phrase) actually points to: http://pitchbrooklyn.com?5j8ti=QIUBNYQASHUBQYUDP which is not working currently, probably because the spam is already a day old.

 

 

Package(3VKN_270) confirmed: 8 items sent Spam Email

4. September 2018 14:25 by sirclesadmin in Online Fraud, SPAM

 

Watch out for this email:

 

From: Bessie Daulton <maricela.schoultz@shenandoahbennett.com>
Sent: Tuesday, September 4, 2018 12:39 PM
To: Recipient
Subject: your name, Package(3VKN_270) confirmed: 8 items sent

 

 
 
 
 
 

Dear your name

We are now processsing your order 3VKN_270, please find your order details below:

 
 

Shipment Details

Name and Postcode


TOWN
County

 
 
 

Your order details here

 
 
 
 
 
 

This confirmation acts as your guarantee, which begins from the day your product is delivered to you.

 

Consumer Contracts Regulations 2013 offers the following cancellation rights

Please note that you are entitled to cancel this contract if you so wish, provided that you exercise your right no longer than 14 days after the day on which you receive the goods or services.

Please note that your right to return products does not apply to goods made to your specification, that have been clearly personalised or which by reason of their nature cannot be returned or are liable to deteriorate or expire rapidly.

If you wish to exercise your right of cancellation, you are obliged to retain possession of the goods and take reasonable care of them.

 

If you decide to cancel, you should return the goods to us at your cost within 14 days of such cancellation and we will reimburse to you (by the method used to pay for the original transaction) the amount in relation to goods to which cancellation rights apply. This includes the cost of delivery (except for the supplementary costs arising if you choose a type of delivery other than our standard and least expensive method of delivery). We may make a deduction from the reimbursement for loss in value of any goods supplied, if the loss is the result of unnecessary handling by you. We will make the reimbursement no later than 14 days after the day we receive back from you any goods supplied.

 

Returning items

We want you to be happy with your purchase. If you're not, just return the item with proof of purchase and we'll exchange or refund it.

Further information can be found in the customer service section of our website and the dispatch note included with your order. Our usual refund policy does not apply to cut or made to order products or perishable goods, which cannot be returned or exchanged unless faulty.

This does not affect your statutory rights.

Returns can be made using the following options:

 

Via our shops: please take this email with you. It shows the prices you paid at the time of your order, and so helps us process your return more quickly and accurately.

  

Further information on our Terms and Conditions can be found in the Customer Services section of our website, and on the delivery note included with your order.

 

Do you wish to track your order or require a receipt?

To track the status of your order or print a VAT receipt, if applicable, please click here. You may receive an email from us that will tell you how to track your order as soon as it has been collected for delivery.

 

Security

We will never ask you to send any personal details via email. If we require such details, for security reasons we will ask you to contact us by phone. Should you receive an email claiming to be from requesting this kind of information, please do not respond to it but do let us know.

 
 
 

Thank you for shopping with us.

Customer Services

 
 
 
 
 

Prices are subject to change without prior notification. Products subject to availability, while stocks last. Images are representative only. Errors and omissions excluded.

 

Update your details

 

Change your preferences

 
 
 
 
The actual 'Your order details here' link points to: https://assjournal.com/.cabinet/3VKN_270-package-updated which sounds like rather an odd website.
The link will download a command to upload or corrupt your personal data, so do not run the command.
The Windows shell command will be run on your own documents or downloads folder and may involve blackmail or identity theft.
Be sure to report the originators of this email as well as the website.
 

Upgrade to a more secure banking - Natwest Spam Warning !!

4. September 2018 07:18 by sirclesadmin in Online Fraud, SPAM

 

This email is a typical example of phishing for banking details:

 

 

Upgrade to a more secure banking

 

 

From: NatWest <info@solidar.es>
Sent: Saturday, September 1, 2018 12:34 PM
To: Recipient
Subject: Upgrade to a more secure banking

 

Final hours: Get 50% OFF Yearly Premium Plans with our Surprise Sale. Hurry & upgrade your website now!


Can't see this email? Click here.

#

 
 
 

Upgrade to a more secure banking

 

 

Don’t miss out - last chance to upgrade your account and get £100 instant bonus!

 

 

We are regularly changing our online banking system, we will always contact you immediately we notice any issue on your account.

To receive the £100 bonus you are required to update your online information for your security. Please continue below.

 
 

#

Stay up to date with our latest news & features

 

Please do not reply to this email
If you wish to unsubscribe click here

View our privacy policy

 

 

 

The email is quite well presented - the 'Can't see this email?' question at the top is a good example of how spammers use regulations to sidestep any suspicions we may have about the authenticity of an email.

If you click on the 'can't see this email?' link you are taken to: http://micato.co.uk/wp-admin/includes/036f707f904b5d1f9018d3085a975597/info/login.php?assets.adobedtm.com/5165c8c319825f6ec3fb78d0a8dcc1054ab35a3d/satelliteLib-08b84ffc82250dd93a29554e43774d72e7c1876b.js 

Note that the link above is not secure (it begins http and not https), which is an instant and certain indicator that this is not a real banking site.

The site is already labelled by Google as deceptive:

 

And Microsoft Edge:

 

The site itself looks similar to Natwest:

 

But is obviously unsecured and way too slow for a real bank.

Report the originating email and the website as fraudulent and stay vigilant.

 

Spam Warning: Payment Message From MoneyGram Systems, Inc

23. August 2018 16:51 by sirclesadmin in Online Fraud, SPAM

 

This email has been spotted:

 

From: MoneyGram Payment Systems, Inc <moneygram@teamusacargo.com>
Sent: Thursday, August 23, 2018 4:51 PM
To: Recipient
Subject: Payment Message From MoneyGram Systems, Inc

 

 

 

 

 

 

 

Welcome to MoneyGram!

 

Here is your new transaction from MoneyGram.

 

 

In case you don't have with MoneyGram, click on the link provided below to easily open an account with us and cash out to your banking account .

 

 

We look forward to helping to make your future money transfer simple and enjoyable send now!

 

View your transaction details

 



 

  

 

  

 

  

Download our App:

  

 

  

App store logo

  

 

  

 

 

Don't respond to this e mail. In case you have further questions, please call us.

 

Customer Protection

 

|

 

Privacy Policy

  

 

MoneyGram Payment Systems, Inc.

 

|

 

2493 Utica Road E, Stu 100

 

|

 

Minneapolis, MN 53712

 

This message may consist of confidential info. Don't give any information concerning this financial transaction to a third party. If you are not the intended receiver, inform us promptly and erase this e mail from your system.

 

2018 MoneyGram Payment Systems. All rights reserved.

 

Facebook  Twitter  Youtube

  

 

  

 

The link actually points to: http://furnitureforthehometv.com?3le150=QAUSY1CQVUFS1QXOBsGSJTHS with no certificate or security.

The link simply downloads a harmful .DOC file named invoice.doc to your computer - DO NOT OPEN THIS FILE.

Make sure you report the email address moneygram@teamusacargo.com as dangerous. The website http://furnitureforthehometv.com seems to have been deactivated already.

Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent

9. August 2018 07:19 by sirclesadmin in Internet Security, Online Fraud, SPAM

 

This email has been assembled by sourcing information from your personal history online. In this example they have sourced an old telephone number from somewhere, probably sold to them by our local council.

 

From: Direct <theo-letran@glampiny.com>
Sent: Thursday, August 9, 2018 6:35 AM
To: Recipient
Subject: Your Name, Pack(50RM_84248) confirmed: 7 items sent

 

 

Order Acknowledgment

Dear Your name,

Your order is now confirmed. Thanks for shopping with us!

 

Billing Address:
Your Name 
Your Telephone Number Postcode 




Your Order Reference: 50RM_84248
Order Date: 8/9/2018

Delivery Address:
Your Name
Your Telephone Number Postcode

Your Order 50RM_84248 available here

Your right to cancel:

In addition to the EU and UK Distance Selling Regulations, we offer you 30 days to change your mind on any purchase.

To cancel the order, please complete the enclosed returns slip and return the item(s) to us at the address that is on the returns slip.

We recommend that you use a recorded delivery service.

Please note that you are responsible for the costs of returning the items to us unless the goods delivered are incorrect or faulty. In this case, you will be credited for the cost of your return up to a reasonable amount.

As soon as we receive your item(s) the returns procedure will be initiated and refunds will be processed.

 
 
The hyperlink 'Your Order 50RM_84248 available here' actually links to: https://kocobanana.com/.orderdetails/50RM_84248-confirmation which is presumably a genuine website, as it has a certificate, but it simply forwards you to: https://support.office.com/office-training-center?wt.mc_id=AID573689_QSG_184686 which is presumably not an association that Microsoft enjoy.
The actual link downloads a zip file:
 
The contents of the zip file are as follows:
 
 
And when extracted, reveal:
 
 
The image just being a Google Pay image:
 
 
And the shortcut linking to:
 
 
As we can see, this is another Windows PowerShell command, but one which we cannot make head or tail of. 'fildunare' is not a term which any of us recognise, so any light anyone can shed would be most welcome.
Either way, it is attempting to find the string fildunare with a .lnk extension in your documents and invokes desktop.ps1, which doesn't actually seem to be included with any version of Windows and so is a bit of a mystery.
 
Either way, make sure that .ps1 files are blocked inside attachments, especially archive files, and this will not be an issue.
The originating email domain, glampiny.com, does not seem to be a website either, so block that domain from your email server.
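
One way to apply the "block script files inside archives" advice at a mail gateway, as an added example (not code from this blog). It goes slightly beyond the post by also blocking `.lnk`, since the sample's zip carried a shortcut, and by looking inside nested zips; the extension list, limits and file names are assumptions, and the sample archive is constructed.

```python
import io
import zipfile

# Assumption: extensions a gateway would refuse inside archives. The post
# names .ps1; .lnk is added because the sample's zip carried a shortcut.
BLOCKED = {".ps1", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".exe", ".scr", ".hta"}
MAX_DEPTH = 3                          # stop on deeply nested archives
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # do not inflate huge members


def scan_zip(data, depth=0, prefix=""):
    """Return paths of archive members whose final extension is blocked."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Windows ignores trailing dots/spaces, so "x.ps1." is still x.ps1.
            base = info.filename.lower().rstrip(". ").rsplit("/", 1)[-1]
            # Only the LAST extension counts: "order.pdf.lnk" is a shortcut.
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in BLOCKED:
                hits.append(path)
            elif ext == ".zip":
                if depth >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                    hits.append(path + " <nested archive not inspected>")
                elif info.flag_bits & 0x1:
                    hits.append(path + " <encrypted>")
                else:
                    hits.extend(scan_zip(zf.read(info), depth + 1, path + "!/"))
    return hits


def build_sample():
    """Constructed archive shaped like the one in the post: image + shortcut,
    plus a nested zip holding a .ps1 to exercise the recursive case."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("desktop.ps1", "# constructed placeholder, no real content")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("googlepay.png", b"\x89PNG constructed placeholder")
        z.writestr("50RM_84248.pdf.lnk", b"constructed shortcut placeholder")
        z.writestr("extras.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample()):
        print("blocked:", hit)
```

An attachment is quarantined when `scan_zip` returns anything at all, including the "not inspected" and "unreadable" markers, so an archive the scanner cannot open is never treated as clean.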

Spam Warning: You received notification from DocuSign Signature Service

7. August 2018 06:48 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM

 

You may see the following email, purportedly from DocuSign. We have seen it being captured by most spam guards but also getting through many on other occasions.

 

 

 

 

From: DocuSign Signature  Service <docusign@pehache.com>
Sent: Monday, August 6, 2018 5:21 PM
To: Recipient
Subject: You received notification from DocuSign Signature Service

 

 

 

 

 

 

DocuSign

Review and sign this document.

 

Dear Receiver,

Please review this invoice
It is an automatically generated invoice.

 

This email contains a secure information. Do not share this code with other people.

Additional Signing Way
Please visit DocuSign.com, click on 'Access Documents', and enter the security code: F80B75BEF7

About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management.

Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.

If you are having trouble signing the document, please see the Help with Signing page on our Webpage .
 

Review Invoice

This message was sent to you by DocuSign Electronic Signature Service.

 

 

The 'view invoice' link actually points at: http://keithharenda.com?6d50=QAUSY1CQVUFS1QXOBsGSJTHS which is an unsecured site that appears to have been compromised.
The folder appears to have already been removed.
We have also seen: http://nashvillechildfamilywellness.com?20Yy5=QAUSY1CQVUFS1QXOBsGSJTH S being used by the same email.
The 'review invoice' link at the bottom points to: http://kphbuilds.com?7P62A=QAUSY1CQVUFS1QXOBsGSJTHS which also appears to have been shut down.
 
Report any senders of this email. The pehache.com domain does not seem to function either.

Internal Revenue Service - Spam Warning !

1. August 2018 13:29 by sirclesadmin in Internet Security, Online Fraud, SPAM

Watch out for more free money!

This email has been received this week:

 

 

From: Internal Revenue Service <irs@aubodyshop.com>
Sent: Tuesday, July 31, 2018 6:16 PM
To: Recipient
Subject: Internal Revenue Service

 

IRS.gov Banner

Internal Revenue Service

IRS services     Account Balance communication TP95

 

Final reminder: Notice of Intent to seize (levy) your current income tax refund.


 

promptly: $449.20

Our files indicate that you have unpaid sum for the tax year closing December 31,2017 (Application form ). If you don't call us straight away, we may levy (seize) your house or legal rights to own property which includes any kind of tax refund and also apply it for the amount of money you must pay back.


Download your payment Invoice 


You're witnessing this particular notification due to the fact you're subscribed to our alerts via Internal revenue service.

 If you no more want to get warnings, please log in to your Internal revenue service account  to temporarily disable or completely delete these types of signals.

The following alert is sent to you automatically from the IRS services. Make sure you do not Write back.


Take care of your account, change your security password or e-mail, or discontinue messages at any time on your Personal preferences Web page.

If you have inquiries or problems with the service, be sure to contact www.paygov.us.
.



This service is delivered to you free of charge by the Internal Revenue Service. The following communication is provided through: IRS 1364 Constitution St. N Washington DC 21263.

Powered by GovDelivery

 

 
As this email has been received from a car (auto if you're German/American) repair (body shop) in Indianapolis, we can safely say that it is a spam email.
 
The link 'Download your payment Invoice' points to: http://cliptrips.info?8yi2O=QAUSY1CQVUFS1QXOBsGSJTHS
 
Which has already been taken down - well done for spotting that whoever the owner is...
 
Anyway report this email as spam and stay vigilant!
 

Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes.

1. August 2018 12:35 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM

 

This email has been received this week at sircles spam catcher:

From: TaxesGreat-Britain <seminar@toitumosi.jp>
Sent: Wednesday, August 1, 2018 9:26 AM
To: Support
Subject: (1) New message from GB Revenue and Taxes.

 

 

-

Taxes&Revenue have detected that you have paid too much tax in the past

 

* Therefore we applied P800WForm to issue a reimbursment.

--we tried to send it to you automatically.

--we don't have your card details on file.

--have your credit/debit card ready

Reimbursement Information

* We applied P800WForm to issue a reimbursment.

* Receipt date : 01 August 2018.

* Amount: 670.25 GB P.

Delivery-Information

Card Type:

VISA

Credit Card:

****-****-****-****

Amount:

670.25

Transaction Date:

01/08/2018

Transaction #:

419277

 

 

Total  

670.25   GB P

 

-

 
 
As you can see the originating address is actually from Japan and so probably isn't that likely to give me a tax refund after all :(
 
The GBP is a bit of a giveaway too, as even in London, most people still use the British Pound without being prompted.
 
The 'Claim Funds' link points to: http://mocosi.co.za/img/acgetopai/ which is actually already registered as deceptive by Chrome and has been registered as unsafe by Microsoft Edge.
 
The actual site:
 
 
Once you choose your wishes they take you to:
 
 
HMRC do not know your banking details, and will never ask you to confirm your identity with your card details or account number. This site is not secure and should therefore not be accepting card details anyway.
 
Never enter card details without checking that the padlock in the address bar is showing in green or as OK. Always check the domain in the address bar, all the way up to the first /, and make sure it is just the expected domain, like sircles.net, with nothing following it unless after a /.
 
Report this email and report the website.
 
Be safe!!!
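
The address-bar check described above, written out as an added example (not code from this blog): only the host, meaning everything between `//` and the first `/` or `?`, decides where a link goes, and https on its own proves nothing about who runs the site. The `example.test` links are constructed, and the expected domains passed in are assumptions.

```python
from urllib.parse import urlsplit


def inspect_link(url, expected_domain):
    """Judge a link by its host only, never by what follows the host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    # Accept the domain itself or a true subdomain ("www.gov.uk" for "gov.uk").
    host_ok = host == expected or host.endswith("." + expected)
    reasons = []
    if not host_ok:
        reasons.append("host %s is not %s" % (host, expected))
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # Everything before '@' is login info, not the site being visited.
        reasons.append("text before '@' is not the host")
    if not host_ok and expected in url.lower():
        reasons.append("expected domain appears in the URL but is not the host")
    return {"host": host, "trusted": not reasons, "reasons": reasons}


# Links quoted in the posts on this page, then constructed ones.
SAMPLES = [
    ("http://mocosi.co.za/img/acgetopai/", "gov.uk"),
    ("http://pitchbrooklyn.com?5j8ti=QIUBNYQASHUBQYUDP", "efax.com"),
    # Constructed: expected name used as a subdomain prefix of another site.
    ("https://natwest.com.login.example.test/secure", "natwest.com"),
    # Constructed: expected name placed before '@' (userinfo trick).
    ("https://natwest.com@login.example.test/", "natwest.com"),
    # Constructed: expected name only appears after the '?'.
    ("http://login.example.test/?next=natwest.com/login", "natwest.com"),
    # Control: the host really is under the expected domain.
    ("https://www.gov.uk/government/organisations/hm-revenue-customs", "gov.uk"),
]


def untrusted(samples=SAMPLES):
    """Return the links that fail the check."""
    return [u for u, d in samples if not inspect_link(u, d)["trusted"]]


if __name__ == "__main__":
    for url, domain in SAMPLES:
        print(inspect_link(url, domain), url)
```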

Spam Warning: Important Docs Secured ShareFile Attachment


 

Watch out for this email doing the rounds this week:

 

From: Tracy Turner <tturner@brealzeta.com>
Sent: Thursday, July 19, 2018 5:07 PM
Subject: Important Docs

 

 

Secured ShareFile Attachment

Expires July 20, 2018

Brealzeta.pdf

568.9 KB

Review Documents

I used WeTransfer to send documents to you securely. Learn More.

 

 

If you need any further assistance, then do not hesitate to contact me.

 

Tracy Turner
Breal Zeta CF Ltd
t: 07803 178446

 

The 'Review Documents' link actually points at https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26 

 

So be careful here - this is a fully secured SSL site with an SSL certificate:

 

 

The domain theqfotaaerwrcgfd.co.uk appears to be running on a CPanel server with a certificate from:

 

 

Comodo for CPanel. 

 

From the look of the site: 

 

 

They seem to be impersonating WeTransfer and ShareFile at the same time, so this is obviously quite a big scam.

The website has been thoughtfully put together to steal important credentials, and a person who knows a Tracy Turner could easily input all three of their Google, Office365 and GoDaddy details.

 

The GoDaddy one is crafty, but obviously there are no document storage houses in the world that would ask for your internet domain credentials.

 

If you click the 'others' option, then you are taken through to a WeTransfer impersonation site:

 

https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5e%25&*(*%5e$%25%5e&%25%5e$%25%23%23$%25%5e&/email_signin/index.html

 

 

 

Which is again a convincing looking site using the same certificate.

 

The IP address gives this data:


 

We will email the abuse address to report these sites...

Amazon Spam Warning - Authorization of Account Details

27. June 2018 13:59 by sirclesadmin in Internet Security, Online Fraud

 

We have seen this email passing through Hotmail and Outlook defences:

 

From: Αmаzоn.соm <notifications@biIling-amazon.com>
Sent: Saturday, June 23, 2018 1:58 AM
To: recipient email address
Subject: Authorization of Account Details

 

 
 

 

Authorization of Account Details

 
 

CASE ID
70C4L12278

CASE DESCRIPTION

Validation of billing details in your account

DATE
June 22, 2018

Dear recipient

We need to validate your billing information you entered, which may not match with your Credit card's issuing bank. Please get these to us before June 29, 2018 to ensure that the services related to your account will not be suspended. We may contact you for additional information as part of the verification process.

 

You can start your verification process by clicking on Here

 

We hope to see you again soon.

 

Amazon.com

 

 
 
 
 

Image result for Amazon Logo Icon

 
 
 

 Privacy Policy

 
 

Copyright © 2018 Amazon.com
All rights reserved

 

This email sent to recipient email address

Email ID: 122744Px690808054Fw90f4v6nJK9o408488ef019626

 
 
The link points to a site which has already been dismantled, and Google Chrome already listed the site as fraudulent, so we will not post it here.
 
Do mark this email as spam though as it is breaking through email defenses...
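
The giveaway used in most of the posts on this page, a brand in the display name with an unrelated sending domain, can be checked automatically. This is an added example (not code from this blog): the brand-to-domain table is an assumption, the look-alike table is deliberately tiny, and the last two sample lines are constructed.

```python
import re
import unicodedata

# Assumption: keyword in the display name -> domains that brand really sends
# from. Illustrative table; a mail admin would maintain the real one.
BRAND_DOMAINS = {
    "efax": {"efax.com"},
    "natwest": {"natwest.com"},
    "moneygram": {"moneygram.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "internal revenue service": {"irs.gov"},
    "amazon": {"amazon.com"},
}

# Tiny look-alike table (Greek/Cyrillic -> Latin). A production filter would
# use the full Unicode confusables data instead.
LOOKALIKES = str.maketrans({"\u0391": "A", "\u0430": "a", "\u043e": "o",
                            "\u0441": "c", "\u0435": "e"})

# These are From lines as a mail client displays them, not raw RFC 5322, so a
# display name may contain an unquoted comma ("... Systems, Inc").
FROM_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>@\s]+@[^<>@\s]+)>\s*$")


def check_from(header):
    """Compare the brand claimed in the display name with the sending domain."""
    m = FROM_RE.match(header)
    if not m:
        return {"brand": None, "domain": None, "mismatch": False, "lookalike": False}
    name = unicodedata.normalize("NFKC", m.group("name"))
    folded = name.translate(LOOKALIKES).lower()
    domain = m.group("addr").rpartition("@")[2].lower().rstrip(".")
    result = {"brand": None, "domain": domain, "mismatch": False,
              # True when look-alike letters had to be mapped back to Latin.
              "lookalike": folded != name.lower()}
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in folded:
            # Exact domain or a true subdomain only: "biiling-amazon.com"
            # contains "amazon.com" but is a different domain.
            ok = any(domain == d or domain.endswith("." + d) for d in allowed)
            result.update(brand=brand, mismatch=not ok)
            break
    return result


# From lines quoted in the posts above, plus two constructed ones.
SAMPLES = [
    "eFax j2 Global <efax@flumepsychiatry.com>",
    "NatWest <info@solidar.es>",
    "MoneyGram Payment Systems, Inc <moneygram@teamusacargo.com>",
    "Internal Revenue Service <irs@aubodyshop.com>",
    "Bessie Daulton <maricela.schoultz@shenandoahbennett.com>",
    # Constructed: look-alike letters in the name, address from the Amazon post.
    "\u0391m\u0430z\u043en.\u0441\u043em <notifications@biIling-amazon.com>",
    # Constructed control: a subdomain of the brand's own domain.
    "eFax <message@inbound.efax.com>",
]


def triage(headers=SAMPLES):
    """Return the headers whose claimed brand does not match the sender domain."""
    return [h for h in headers if check_from(h)["mismatch"]]


if __name__ == "__main__":
    for h in SAMPLES:
        print(check_from(h))
```

The "Bessie Daulton" line passes because it claims no brand at all, which is why this check complements, rather than replaces, link and attachment inspection.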