You have received efax Message: Spam warning
This email is impersonating eFax by using links back to the eFax images and website, but it is a very low-fi spam attempt. 'You have received fax message' sounds like someone did not quite know how to translate the sentence, when you would've thought that they would just use the text from a real eFax message.
The email in this case has arrived from efax@flumepsychiatry.com which is obviously a giveaway :
From: eFax j2 Global <efax@flumepsychiatry.com>
Sent: Monday, October 1, 2018 4:42 PM
To: Recipient
Subject: You have received efax Message
Fax Message Caller-ID: 8046 545 7372,
You've received a 3 page fax at 10-01-2018 03:24:57 GMT.
*Your reference # for this fax is dk7_dtd24-48654058334483-5433851-55.
Visit www.efax.com/efax-help-center if you have any questions regarding this notification.
eFax Crew
|
2002-2018 j2 Global, Inc. and affiliates. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
61526 Hollywood St, Los Angeles, CA 97426
*** This is an automatically generated message, please do not reply directly to this email address *** Privacy Policy.
|
The 'get fax' link (rather an unfortunate phrase) actually points to: http://pitchbrooklyn.com?5j8ti=QIUBNYQASHUBQYUDP which is actually not working currently, probably because the spam is already a day old.
4. September 2018 14:25 by sirclesadmin in
Online Fraud, SPAM Package(3VKN_270) confirmed: 8 items sent Spam Email
Watch out for this email:
From: Bessie Daulton <maricela.schoultz@shenandoahbennett.com>
Sent: Tuesday, September 4, 2018 12:39 PM
To: Recipient
Subject: your name, Package(3VKN_270) confirmed: 8 items sent
| |
| | | | | | | | Dear your name
We are now processsing your order 3VKN_270, please find your order details below: | | | | | Shipment Details
Name and Postcode
TOWN
County
|
| | | | | | | Your order details here | | | | | | | | This confirmation acts as your guarantee, which begins from the day your product is delivered to you. | | |
| Consumer Contracts Regulations 2013 offers the following cancellation rights | Please note that you are entitled to cancel this contract if you so wish, provided that you exercise your right no longer than 14 days after the day on which you receive the goods or services. | Please note that your right to return products does not apply to goods made to your specification, that have been clearly personalised or which by reason of their nature cannot be returned or are liable to deteriorate or expire rapidly. | If you wish to exercise your right of cancellation, you are obliged to retain possession of the goods and take reasonable care of them. | | | If you decide to cancel, you should return the goods to us at your cost within 14 days of such cancellation and we will reimburse to you (by the method used to pay for the original transaction) the amount in relation to goods to which cancellation rights apply. This includes the cost of delivery (except for the supplementary costs arising if you choose a type of delivery other than our standard and least expensive method of delivery). We may make a deduction from the reimbursement for loss in value of any goods supplied, if the loss is the result of unnecessary handling by you. We will make the reimbursement no later than 14 days after the day we receive back from you any goods supplied. | | |
| Returning items | We want you to be happy with your purchase. If you're not, just return the item with proof of purchase and we'll exchange or refund it. | Further information can be found in the customer service section of our website and the dispatch note included with your order. Our usual refund policy does not apply to cut or made to order products or perishable goods, which cannot be returned or exchanged unless faulty. | This does not affect your statutory rights. | Returns can be made using the following options: | | | Via our shops: please take this email with you. It shows the prices you paid at the time of your order, and so helps us process your return more quickly and accurately. | | | |
| Further information on our Terms and Conditions can be found in the Customer Services section of our website, and on the delivery note included with your order. | | |
| Do you wish to track your order or require a receipt? | To track the status of your order or print a VAT receipt, if applicable, please click here. You may receive an email from us that will tell you how to track your order as soon as it has been collected for delivery. | | |
| Security | We will never ask you to send any personal details via email. If we require such details, for security reasons we will ask you to contact us by phone. Should you receive an email claiming to be from requesting this kind of information, please do not respond to it but do let us know. | | |
| | | | | Thank you for shopping with us.
Customer Services
| | | | | | |
|
| | | | | Prices are subject to change without prior notification. Products subject to availability, while stocks last. Images are representative only. Errors and omissions excluded. | | | Update your details | | | Change your preferences |
|
|
|
| |
| |
The link will download a command to upload or corrupt your personal data so do not run the command.
The windows shell command will be run on your own documents or downloads folder and may involve blackmail or identity theft.
Be sure to report the originators of this email as well as the website.
4. September 2018 07:18 by sirclesadmin in
Online Fraud, SPAM Upgrade to a more secure banking - Natwest Spam Warning
This email is a typical example of phishing for banking details:
Upgrade to a more secure banking
From: NatWest <info@solidar.es>
Sent: Saturday, September 1, 2018 12:34 PM
To: Recipient
Subject: Upgrade to a more secure banking
Final hours: Get 50% OFF Yearly Premium Plans with our Surprise Sale. Hurry & upgrade your website now! | | | | | | Upgrade to a more secure banking |
|
|
| | | | | | We are regularly changing our online banking system, we will always contact you immediately we notice any issue on your account.
To receive the £100 bonus you are required to update your online information for your security. Please continue below. |
|
|
|
|
|
|
| | | | | Stay up to date with our latest news & features |
|
|
|
|
|
|
|
|
| |
|
|
|
|
The email is quite well presented - the 'Can't see this email?' question at the top is a good example of how spammers use regulations to sidestep any susupicions we may have about the authenticity of an email.
If you click on the 'can't see this email?' link you are taken to: http://micato.co.uk/wp-admin/includes/036f707f904b5d1f9018d3085a975597/info/login.php?assets.adobedtm.com/5165c8c319825f6ec3fb78d0a8dcc1054ab35a3d/satelliteLib-08b84ffc82250dd93a29554e43774d72e7c1876b.js
It is important to note in the above link the fact that the site is not secure (it begins http and not https) which is an instant and certain indicator that this is not a real banking site.
The site is already labelled by Google as deceptive:
And Microsoft Edge:
The site itself looks similar to Natwest:
But is obviously unsecured and way too slow for a real bank.
Report the originating email and the website as fraudulent and stay vigilant.
23. August 2018 16:51 by sirclesadmin in
Online Fraud, SPAM Spam Warning: Payment Message From MoneyGram Systems, Inc
This email has been spotted:
From: MoneyGram Payment Systems, Inc <moneygram@teamusacargo.com>
Sent: Thursday, August 23, 2018 4:51 PM
To: Recipient
Subject: Payment Message From MoneyGram Systems, Inc
|
| | | Welcome to MoneyGram! | | Here is your new transaction from MoneyGram. | | | In case you don't have with MoneyGram, click on the link provided below to easily open an account with us and cash out to your banking account . |
| |
| | We look forward to helping to make your future money transfer simple and enjoyable send now! | | | | | | | | | | | | Download our App: | | | | | | | | | | | |
|
| |
| | Don't respond to this e mail. In case you have further questions, please call us. | | | | | | MoneyGram Payment Systems, Inc. | | | | | 2493 Utica Road E, Stu 100 | | | | | Minneapolis, MN 53712 |
| | This message may consist of confidential info. Don't give any information concerning this financial transaction to a third party. If you are not the intended receiver, inform us promptly and erase this e mail from your system. | | 2018 MoneyGram Payment Systems. All rights reserved. |
| |   
| | | | | |
|
|
The link actually points to: http://furnitureforthehometv.com?3le150=QAUSY1CQVUFS1QXOBsGSJTHS with no certificate or security.
The link simply downloads a harmful .DOC file named invoice.doc to your computer - DO NOT OPEN THIS FILE.
Make sure your report the email address moneygram@teamusacargo.com as dangerous, the website http://furnitureforthehometv.com seems to have been deactivated already.
Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent
This email has been assembled by sourcing information from your personal history online, in this example they have sourced an old telephone number from somewhere, probably sold to them by our local council.
From: Direct <theo-letran@glampiny.com>
Sent: Thursday, August 9, 2018 6:35 AM
To: Receipent
Subject: Your Name, Pack(50RM_84248) confirmed: 7 items sent
| Order Acknowledgment | Dear Your name, Your order is now confirmed. Thanks for shopping with us! | | Billing Address:
Your Name
Your Telephone Number Postcode
Your Order Reference: 50RM_84248
Order Date: 8/9/2018 | Delivery Address:
Your Name
Your Telephone Number Postcode
|
| Your Order 50RM_84248 available here | Your right to cancel:
In addition to the EU and UK Distance Selling Regulations, we offer you 30 days to change your mind on any purchase.
To cancel the order, please complete the enclosed returns slip and return the item(s) to us at the address that is on the returns slip.
We recommend that you use a recorded delivery service.
Please note that you are responsible for the costs of returning the items to us unless the goods delivered are incorrect or faulty. In this case, you will be credited for the cost of your return up to a reasonable amount.
As soon as we receive your item(s) the returns procedure will be initiated and refunds will be processed. |
|
|
|
|
|
The actual link downloads a zip file:
The contents of the zip file are as follows:
And when extracted, reveal:
The image just being a Google Pay image:
And the shortcut linking to:
As we can see, this is another Windows Powershell command but one which which we cannot make head or tail of -
fildunare is not a term which any of us recognise, so any light anyone can shed would be most welcome.
Either way, it is attempting to find the string
fildunare with a .lnk extension in your documents and invokes desktop.ps1 which doesn't actually seem to be included with any version of Windows and so is a bit of a mystery.
Either way, make sure that .ps1 files are blocked inside of attachments, especially archive files, and this will not be an issue.
The originating email domain - glampiny.com - does not seem to be a website either so block that domain from your email server.
Spam Warning: You received notification from DocuSign Signature Service
You may see the following email, purportedly from DocuSign. We have seen it being captured by most spam guards but also getting through many on other occasions.
From: DocuSign Signature Service <docusign@pehache.com>
Sent: Monday, August 6, 2018 5:21 PM
To: Recipient
Subject: You received notification from DocuSign Signature Service
| 
| 
Review and sign this document. |
|
| Dear Receiver,
Please review this invoice
It is an automatically generated invoice. | | | This email contains a secure information. Do not share this code with other people. Additional Signing Way
Please visit DocuSign.com, click on 'Access Documents', and enter the security code: F80B75BEF7 About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management. Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.
If you are having trouble signing the document, please see the Help with Signing page on our Webpage .
 Review Invoice
This message was sent to you by DocuSign Electronic Signature Service. |
| |
The folder appears to have already been removed.
Report any senders of this email, the pehache.com domain does not seem to function either.
Internal Revenue Service - Spam Warning !
Watch out for more free money!
This email has been received this week:
From: Internal Revenue Service <irs@aubodyshop.com>
Sent: Tuesday, July 31, 2018 6:16 PM
To: Recipient
Subject: Internal Revenue Service
|
Internal Revenue Service | IRS services Account Balance communication TP95 |
|
Final reminder: Notice of Intent to seize (levy) your current income tax refund.
promptly: $449.20 Our files indicate that you have unpaid sum for the tax year closing December 31,2017 (Application form ). If you don't call us straight away, we may levy (seize) your house or legal rights to own property which includes any kind of tax refund and also apply it for the amount of money you must pay back.
Download your payment Invoice
You're witnessing this particular notification due to the fact you're subscribed to our alerts via Internal revenue service.
If you no more want to get warnings, please log in to your Internal revenue service account to temporarily disable or completely delete these types of signals. The following alert is sent to you automatically from the IRS services. Make sure you do not Write back. |
Take care of your account, change your security password or e-mail, or discontinue messages at any time on your Personal preferences Web page.
If you have inquiries or problems with the service, be sure to contact www.paygov.us. .
This service is delivered to you free of charge by the Internal Revenue Service. The following communication is provided through: IRS 1364 Constitution St. N Washington DC 21263.
| 
|
As this email has been received from a car (auto if you're German/American) repair (body shop) in Indianapolis, we can safely say that it is a spam email.
Which has already been taken down - well done for spotting that whoever the owner is...
Anyway report this email as spam and stay vigilant!
Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes.
This email has been received this week at sircles spam catcher:
From: TaxesGreat-Britain <seminar@toitumosi.jp>
Sent: Wednesday, August 1, 2018 9:26 AM
To: Support
Subject: (1) New message from GB Revenue and Taxes.
|
- |
Taxes&Revenue have detected that you have paid too much tax in the past |
|
| * Therefore we applied P800WForm to issue a reimbursment. --we tried to send it to you automatically. --we don't have your card details on file. --have your credit/debit card ready |
|
|
Reimbursement Information | * We applied P800WForm to issue a reimbursment. * Receipt date : 01 August 2018. * Amount: 670.25 GB P. |
|
| Delivery-Information | Card Type: | VISA | Credit Card: | ****-****-****-**** | Amount: | 670.25 | Transaction Date: | 01/08/2018 | Transaction #: | 419277 |
|
|
|
|
|
|
|
|
|
-
As you can see the originating address is actually from Japan and so probably isn't that likely to give me a tax refund after all :(
The GBP is a bit of a giveaway too, as even in London, most people still use the British Pound without being prompted.
The 'Claim Funds' link points to:
http://mocosi.co.za/img/acgetopai/ which is actually already registered as deceptive by Chrome and has been registered as unsafe by Microsoft Edge.
The actual site:
Once you choose your wishes they take you to:
HMRC do not know your banking details, and will never ask you to confirm your identity with your card details or account number. This site is not secure and should therefore not be accepting card details anyway.
Never enter card details without checking the padlock in the address bar is showing in green or as OK. Always check the domain in the address bar, all the way up until the first / and make sure it is just the expected domain like sircles.net with nothing following it unless after a /
Report this email and report the website.
Be safe!!!
Spam Warning: Important Docs Secured ShareFile Attachment
Watch out for this email doing the rounds this week:
From: Tracy Turner <tturner@brealzeta.com>
Sent: Thursday, July 19, 2018 5:07 PM
Subject: Important Docs
| Secured ShareFile Attachment | Expires July 20, 2018 | | | I used WeTransfer to send documents to you securely. Learn More. |
|
|
If you need any further assistance, then do not hesitate to contact me.
Tracy Turner
Breal Zeta CF Ltd
t: 07803 178446
The 'Review Documents' link actually points at https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26
So be careful here - this is a fully secured SSL site with an SSL certificate:
The domain theqfotaaerwrcgfd.co.uk appears to be running on a CPanel server with a certificate from:
Comodo for CPanel.
From the look of the site:
They seem to impersonating WeTransfer and ShareFile at the same time, so this is obviously quite a big scam.
The website has been thoughtfully put together to steal important credentials and a person who knows a tracy turner could easily input all three of their Google, Office365 and GoDaddy details.
The GoDaddy one is crafty but obviously there are no documents storage houses in the world that would ask for your internet domain credentials.
If you click the 'others' option, then you are taken through to a WeTransfer impersonation site:
https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5e%25&*(*%5e$%25%5e&%25%5e$%25%23%23$%25%5e&/email_signin/index.html
Which is again a convincing looking site using the same certificate.
The IP address gives this data:
% Information related to '89.36.218.0 - 89.36.218.255'
% Abuse contact for '89.36.218.0 - 89.36.218.255' is 'abuse@staff.aruba.it'
inetnum: 89.36.218.0 - 89.36.218.255
geoloc: 50.10 8.70
netname: CLOUD-DE
descr: Cloud Services DC05
country: DE
admin-c: SS936-RIPE
tech-c: AN3450-RIPE
status: ASSIGNED PA
mnt-by: ARUBA-MNT
mnt-lower: ARUBA-MNT
mnt-routes: XANDMAIL-MNT
created: 2016-01-11T14:37:36Z
last-modified: 2016-01-11T14:37:36Z
source: RIPE
role: ARUBA NOC
address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
abuse-mailbox: abuse@staff.aruba.it
admin-c: SS936-RIPE
tech-c: SC279-RIPE
nic-hdl: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2008-11-19T19:02:34Z
last-modified: 2017-11-15T08:13:57Z
source: RIPE # Filtered
person: Susanna Santini
address: Aruba S.p.A.
address: Via S.Clemente, 53
address: 24036 Ponte San Pietro (BG)
phone: +39 0575 0505
fax-no: +39 0575 862000
nic-hdl: SS936-RIPE
mnt-by: ARUBA-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2017-11-15T08:14:40Z
source: RIPE # Filtered
% Information related to '89.36.216.0/22AS200185'
route: 89.36.216.0/22
descr: Aruba GmbH Cloud Network DC05
origin: AS200185
mnt-by: ARUBA-MNT
created: 2015-12-09T12:07:07Z
last-modified: 2015-12-09T12:07:25Z
source: RIPE
We will email the abuse address to report these sites...
Amazon Spam Warning - Authorization of Account Details
We have seen this email passing through htomail and outlook defences:
From: Αmаzоn.соm <notifications@biIling-amazon.com>
Sent: Saturday, June 23, 2018 1:58 AM
To: recipient email address
Subject: Authorization of Account Details
| | | | | Authorization of Account Details | | | | CASE ID
70C4L12278 | CASE DESCRIPTION
Validation of billing details in your account | DATE
June 22, 2018 |
| Dear recipient | We need to validate your billing information you entered, which may not match with your Credit card's issuing bank. Please get these to us before June 29, 2018 to ensure that the services related to your account will not be suspended. We may contact you for additional information as part of the verification process. | | You can start your verification process by clicking on Here | | We hope to see you again soon. | | Amazon.com | | | | | |
|
| | | | | <![if !vml]> <![endif]> | | | | | | Privacy Policy | | | | Copyright © 2018 Amazon.com
All rights reserved | |
|
The link points to a site which has already been dismantled and Google Chrome already listed the site as fraudulent so we will not post it here..
Do mark this email as spam though as it is breaking through email defenses...
