sircles.net Computer Support The sircles IT support & solutions blog | Phishing


The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

Electronic Intuit Message - Spam Alert!

6. June 2018 17:06 by sirclesadmin in Online Fraud, SPAM, Phishing

 

Watch out for this spam QuickBooks message:

 

INTUITNEWTEST

From: Intuit Inc. <quickbooks@paolasrestaurant.com>

Sent: Wednesday, June 6, 2018 5:02 PM

To: Accounts Team

Subject: Electronic Intuit Message

 

 

 

 

  

 

Number:

2209

Payment Due Date

06/07/2018

BALANCE DUE

$3,420.00

Dear Customer,

This bill notice is being provided to you by Intuit Inc. from Veri Facts Inc. Please click the button above to find an invoice

 

intuit test

Intuit, Inc. 2014-2018 All rights reserved. TurboTax and Mint are registered brand names and trademarks of Intuit Inc. Conditions, support and service are subject to modification with out notice  Privacy Terms

The 'Pay Here' link actually points to: http://minerco-corp.net?5YpI5=QIUBNYQASHUBQYUDP which has already been shut down, so there is no need to report this site.

Do report this email as spam to your email provider though and keep vigilant.

Reporting Fraudulent Websites with your Browser

17. May 2018 07:39 by sirclesadmin in Internet Security, Fraud, Phishing

 

When you receive an email that has links to a fraudulent site, you should report that site to your browser provider so that other users can be saved from falling into the intended trap.

When you are sent to a site that the email tells you is giving you something, and when you arrive you are asked to make a payment, that is a form of misrepresentation, which is phishing. You should report phishing sites to Google:

https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

The advantage of reporting to Google is that they will adjust Google Chrome to warn people, and that is currently the most popular browser on Earth.

If the site you are sent to by a suspicious email tries to download a file to your computer (no matter what the file purports to be) then it is most likely a malicious software site. These pages should be reported by pasting the URL from the browser address bar into the following Google page for malicious software sites:

https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en

You can also read about Google's preventative measures programme against harmful internet use here:

https://safebrowsing.google.com/

If you are using Microsoft Edge or Internet Explorer, you can also report fraudulent sites. 

You can open the old style Internet Explorer by pressing the Windows Button + R and entering iexplore and pressing OK.

From the Safety menu, point to SmartScreen Filter, then click Report Unsafe Website.

Select one or both of the following check boxes, as you feel appropriate:

  • I think this is a phishing website
  • I think this website contains malicious software

If you are using Firefox, or if you wish to report the site to Mozilla to help more people, you can report fraudulent sites to Mozilla here:

https://www.mozilla.org/en-US/about/legal/fraud-report/

Here you can choose from:

  • Domain name
  • Collecting personal information
  • Charging for software
  • Logo misuse (phishing)
  • Distributing modified Mozilla/Malware

And choose which products are affected.

In general it is always worth checking that the site is secured - by seeing if there is a padlock in the browser address bar or that the https has gone green etc. - and that the domain is correct. The domain must be the last item in the address bar before the first / (forward slash), as many fraudulent domains trick us by using facebook.com-uerjfnf0e837e3e0d0y.uzbxyn.com/webapp/ye.js, facebook.com.wifubd97fidn9.interstrartter.net/webapp/ku.js or similar. Notice that the facebook.com is followed by a hyphen or a dot instead of the forward slash / that represents the end of the domain.
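The domain check described above can be automated when triaging links from reported emails. The following is an added example, not code from the original post: the function names host_of and classify_link are hypothetical, the caller is assumed to know the genuine domain, and the check also flags the user@host form, which goes slightly beyond the two cases in the text.

```python
import re
from urllib.parse import urlsplit

# A URL "has a scheme" only if it starts with something like "http://".
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def _parse(url):
    """Split a URL, tolerating links pasted from emails without a scheme."""
    url = url.strip()
    if not _SCHEME.match(url):
        # urlsplit only recognises the host part when a scheme is present.
        url = "http://" + url
    try:
        return urlsplit(url)
    except ValueError:
        return None


def host_of(url):
    """Return the lower-cased host: the part before the first '/', without
    scheme, user-info or port. Returns '' if no host can be found."""
    parts = _parse(url)
    if parts is None:
        return ""
    return (parts.hostname or "").rstrip(".").lower()


def classify_link(url, trusted_domain):
    """Compare a link's real host with the domain the reader expects.

    genuine     - the host is the trusted domain or a subdomain of it
    lookalike   - the trusted name appears before the first '/', but is not
                  where the host ends (followed by '-', '.', '@' and so on)
    unrelated   - the trusted name does not appear in the host part at all
    unparseable - no host could be extracted
    """
    trusted = trusted_domain.lower().strip(".")
    parts = _parse(url)
    host = host_of(url)
    if parts is None or not host:
        return "unparseable"
    if host == trusted or host.endswith("." + trusted):
        return "genuine"
    # netloc still includes any user-info, so "facebook.com@other.example"
    # is caught here as well.
    if trusted in parts.netloc.lower():
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # The first two links are the examples quoted in the post; the rest are
    # constructed for illustration.
    samples = [
        "facebook.com-uerjfnf0e837e3e0d0y.uzbxyn.com/webapp/ye.js",
        "facebook.com.wifubd97fidn9.interstrartter.net/webapp/ku.js",
        "https://www.facebook.com/login",
        "http://facebook.com@host.example/login",
        "http://host.example/facebook.com/login",
    ]
    for link in samples:
        print(f"{classify_link(link, 'facebook.com'):10}  {host_of(link)}")
```

The suffix test relies on the caller passing the real registrable domain (for example facebook.com, not just com); it does not consult a public suffix list.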

 

💸 Incoming BitCoin Transfer - You received 0.881110 BTC!

17. May 2018 07:24 by sirclesadmin in Internet Security, Fraud, SPAM, Phishing

 

The following email has been reported as currently active:

 

Hello,

You just received 0.881110 BitCoin incoming transfer from Info.

Sender: info@sthildas.oldham.sch.uk

Receiver: recipient email

Amount: 0.881110 BTC

Deadline: 23-05-2018 13:19:28

Transfer has been made from account holder:

c23cb46b19164de4ea6667a27c7c95bab1a6509b76a9fae2856d7a8cf72b950e

Accept the transfer now:

http://www4.bitcoin-gb.tk/claim/uk4njQORyWgrV0hS

Only 7 days remaining to accept your BitCoin transfer! If you do not accept this transfer, the money will be returned to sender.

To claim your BitCoin please visit the link below:

http://www4.bitcoin-gb.tk/claim/uk4njQORyWgrV0hS

Best regards,

Roxana Rigby

Bitcoin Account Manager

The link forwards you to:

https://cryptocode.online/

Whenever there is a supposed quick way to increase capital, con-people quickly associate themselves with the name in the hope of riding the excitement in order to rip people off. Any cryptocurrency such as Bitcoin is a huge risk to invest in and should be treated with EXTREME caution. This website is not an investment site, but an attempt at taking money based on the reputation of Bitcoin. Do not enter your name, report this site as fraudulent using your browser, and mark this email as spam and/or phishing.

The intent of this email is fraudulent, and so it is safe to assume that the website is fraudulent also. Any testimonials are contrived and should not be believed.

You can report fraudulent websites with the help of this page which tells you how to report fraudulent or malware websites.

Virus alert... from Mail Admin adminso90a@maraco.com

15. May 2018 10:13 by sirclesadmin in Internet Security, SPAM, Phishing

 

You may receive the following:

 

 

Dear: recipient@emaildomain.com

We suspect that there might be some virus activities in your email account that is affecting our email server's deliveribilty performance.

And we demand that you take immediate action to scan and delete these threats from your email account.

To keep your account safe, please follow the URL below to run a quick email scan.

Scan- recipient@emaildomain.com

 


If you ignore this notice, your account might be suspended to protect our server from further damage.


Source: Email Security Team

 

The link above points to: 

http://lauratimmermans.ca/Drupal/server/upload/scan%202018/scan%202018/scan/auth.php?%20email=recipient@emaildomain.com

 

Here recipient@emaildomain.com is replaced by your email address, which enables the website to look fairly realistic:

 

This is a link to a compromised website that will ask for your email password - UNDER NO CIRCUMSTANCES SHOULD YOU EVER ENTER YOUR EMAIL PASSWORD INTO AN UNKNOWN SITE!

 

The above obviously has all sorts of fake associations to antivirus companies along the bottom, but the only point of this is to get your email account login password.

 

The 'Start Scan' button will show a progress meter, just to convince you that the site is real and give them time to log in to your email and steal your data.

 

This website has been reported to the owners and to Google and Microsoft.

 

Please mark this email as spam and inform your email provider that this email should be blocked.

 

Spam: Important Information from NatWest

6. April 2018 12:27 by sirclesadmin in Fraud, SPAM, Phishing

 

Beware of these emails purporting to be from NatWest:

 

From: NatWest <Natwesttinformationdispatch@ipconnect.de>

Sent: Friday, April 6, 2018 2:42 AM

To: Accounts Team

Subject: Important Information from NatWest

 

 

 

 

New ways to pay


Hello


To help us confirm your identity when you log on to Internet Banking, we're improving the way we uniquely identify you based on how you use the service.


Please click this to go to your account for further information.

To keep us updated about changes in your information and Keeping yourself safe online follow this link.

Please take a moment to check the contact details we hold for you by clicking ’Check my details now’.
.

Thank your for choosing NatWest.


Kind regards

Scott Miller
Craig Williams
Head of Customer Services

New ways to pay

 

 

The link in the above leads to: http://rivertheater.org/fonts/nwolb/index.php which Chrome has already marked as deceptive. Microsoft Edge also blocks the site and in IE it simply doesn't work.

Nothing too disturbing then, but mark as spam and report the site just in case :)

 

 

Fwd: You never responded about your wining of US$ 1,450.000.00 in Free GOOGLE/MICROSOFT/MOBILE AWARD PRIZE, with ref: no SA712R to redeem it, email us on: GOOGLE.MICROSOFT@bigmir.net, with ref: no SA712R or contact your OVERSEAS CLAIMS AGENT. Please fi...

16. March 2018 15:22 by sirclesadmin in Internet Security, Fraud, SPAM, Phishing

 GOOGLE/MICROSOFT/MOBILE AWARD PRIZE

 

This is often a thankless task, corresponding about confidence tricksters and unsolicited email or trojan attacks, but every so often you see something so brilliant or funny, that it really does brighten your day.

This example barely even constitutes an email, it is so terse and unkempt, but it is the attachment that is worth bringing to light:

Firstly, I love the way that the subject implies that this email has been forwarded, as if they have received a spam email and liked it so much that they want to try it out on someone else.

I also love the statement of the funds - United States Dollars - as if they are mined on another planet and flown here under heavy intergalactic-guard.

Best of all though, I love the blinding mishmash of trademarks, signatures and barcodes at the bottom, ensuring any innocent bystander will be overwhelmed with its authority.

The file is attached as a BMP file - an uncompressed bitmap - presumably in order to circumvent firewalls??? Sure a PDF would have made for a more believable choice, but I suppose they are more easily read by text analysis in search of keywords.

The email is below:

 

 

From: GOOGLE MICROSOFT MOBILE <treece@centurylink.net>

Sent: Friday, March 16, 2018 1:01 PM

Subject: Fwd: You never responded about your wining of US$ 1,450.000.00 in Free GOOGLE/MICROSOFT/MOBILE AWARD PRIZE, with ref: no SA712R to redeem it, email us on: GOOGLE.MICROSOFT@bigmir.net, with ref: no SA712R or contact your OVERSEAS CLAIMS AGENT. Please fi...

Attachments: Associate555.bmp

 

Obviously filling in the form would be a mistake but it is tempting nonetheless...


Spam - 💸 BitCoin Transfer - You received 1.225999 BTC!

7. March 2018 10:44 by sirclesadmin in Fraud, SPAM, Phishing

 

This is out there today:

Containing:

 

Hello,

 

You just received 1.225999 BitCoins incoming transfer from Admin.

 

Sender: admin@digital-notes.co.uk

Receiver: support@berkshirecomputersupport.co.uk

Amount: 1.225999 BTC

Deadline: 14-03-2018 08:47:26

 

Transfer has been made from account holder:

93f8a344845dec17a47ea1d168f3bdc7ddcd3e60a06433f18c9cc8d546576e09

 

Accept the transfer now:

http://f.bitcoin-uk.ml/claim-now/zEQkqAbVymHYvO

 

Only 7 days remaining to accept your BitCoin transfer!

If you do not accept this transfer, the money will be returned to sender.

 

To claim your BitCoin please visit the link below:

http://f.bitcoin-uk.ml/claim-now/zEQkqAbVymHYvO

 

Best regards,

--

Raisa Figueroa

Bitcoin Account Manager

 

The shortcut leads you to: https://crypto-code.xyz/?tid=10259c54399cc945385a70597fd4a3&aff_id=3593&pop=0

As with all sites that tell you that you are one of a lucky chosen few, these people are confidence tricksters, and no one ever gives away anything worth keeping unless they are your friend.

Report this website as fraudulent and these emails as spam. They have lied about sending you the Bitcoins so they are lying about everything else.

-------------------------------------

 Another variant:

Good afternoon,

 

Your incoming BitCoin transfer is still waiting for your acceptance.

 

Sender: 349504625c1aa05936385d819a4a579da5b15f8c6a1a3818c0a6c0b959f38511

Sender Email: admin@nlmcc.org.uk

Amount: 0.767837 BTC

Deadline: 11-03-2018 16:05:50

 

Accept the transfer now:

http://uk5.bitcoin-uk.ga/accept-transfer/YPx79WODu8GwZBI0

 

 

Only 3 days remaining to accept your BitCoin transfer!

If you do not accept this transfer, the money will be returned to sender.

 

To claim your BitCoin please visit the link below now:

http://uk5.bitcoin-uk.ga/accept-transfer/YPx79WODu8GwZBI0

 

If not accepted, this transfer will be returned to sender in 72 hours.

 

Register your free account and receive your BitCoin now.

Use our platform to trade BitCoin automatically.

Join the BitCoin revolution!

 

Best regards,

--

Samatha Caraballo

Bitcoin Account Manager

 

CITY SIGN & GRAPHICS LTD Phishing Spam

6. March 2018 06:59 by sirclesadmin in SPAM, Phishing

 

You may see this fake invoice from the above company:

 

Invoice 1717 from CITY SIGN & GRAPHICS LTD

From: CITY SIGN & GRAPHICS LTD <callum.cooper=fleetalliance.co.uk@mail71.suw111.mcdlv.net> on behalf of CITY SIGN & GRAPHICS LTD <callum.cooper@fleetalliance.co.uk>

Sent: Monday, March 5, 2018 8:36 AM

To: Accounts Team

Subject: Invoice 1717 from CITY SIGN & GRAPHICS LTD

 

 

 

 

 

company_logo

CITY SIGN & GRAPHICS LTD  

 

INVOICE

1717

DUE DATE

5/03/2018

BALANCE DUE

£336.00

Dear Client  Cloud Computing Solutions for Businesses,

Here's your invoice! We appreciate your prompt payment.

Thanks for your business!
CITY SIGN & GRAPHICS LTD

    Attach

 

 

 









You can update your preferences or unsubscribe from this list.

 

 

Once again the source seems to be Mail Chimp - what's happening here???

The subscription management is purported to be: https://fleetalliance.us7.list-manage.com/profile?u=b212d462f136b69a3db447652&id=d818e849e8&e=5affe53069

And unsubscribe is: https://fleetalliance.us7.list-manage.com/unsubscribe?u=b212d462f136b69a3db447652&id=d818e849e8&e=5affe53069&c=f92a69ac8d

The invoice download link is to: http://aipv.co.uk/Invoice%203-5-2018.zip which obviously downloads a harmful file to your computer.

The site has already been labelled as dangerous so all that remains is to report the email as spam and delete.

Spam - New Private Message from Jeremy. Facebook Toya <toya-651@c.privmsg.tk>

1. March 2018 09:50 by sirclesadmin in Internet Security, SPAM, Phishing

 

We are seeing this one today:

 

From: Facebook Toya <toya-651@c.privmsg.tk>

Sent: Wednesday, February 28, 2018 9:43 PM

To: Email

Subject: New Private Message from Jeremy.

 


Hello [Your Email]!

You received a New Private Message from Jeremy.

Please Click the link below to read Your Message:
http://c.privmsg.tk/go.php?g=UTRuZnU0MXh1NytmK1FpY3VSa0NjZVM0cnhPd0JtWTNEVWNydkpNRFFZZ3dieTgxWWNhZFNJSW8xa0UrWUw5T21pM2xySUowUE5hVjVKRFkrVTZUVWsvd2o5bjU0SVQ0MmJtcTNFNnV3aUZRL25ROUUyZHB1c1psRzR2Wk5hRGVvQjZnL0gxTnlEOHlkc0g5T1VLelNRPT0=
You can reply to Jeremy directly:
jeremy@gardencenter.co.uk


Thanks,
Notification Center




-----------------------------------
To stop notifications:
http://c.privmsg.tk/unsubscribe.php?u=eGlSakNiTW9Lc0ZJZTdDanN0S24xMXl3VmM2V0R1emFyOGl0MUg3VWRXcWJxQ1lHQmtqOUc1a1R1UW8wSmtwNA==

Obviously a spammer as we can see from the email address - to be blacklisted and deleted as soon as received.

 

Invoice for Company Cloud Computing Solutions for Businesses Spam

22. February 2018 08:35 by sirclesadmin in SPAM, Phishing

Invoice for [Your Website Page Title]

 

You may receive this email, or one similar:

 

From: HQ <julija=cosmicintelligenceagency.com@mail29.sea61.rsgsv.net> on behalf of HQ <julija@cosmicintelligenceagency.com>

Sent: 22 February 2018 07:47

To: Accounts Team

Subject: invoice

 

Invoice for Company Cloud Computing Solutions for Businesses

Hello,
Please view/download your invoice copy.
Regards,

Copyright © 2018 Cosmic Intelligence Agency, All rights reserved.
subscribed to the C*I*A

Our mailing address is:

Cosmic Intelligence Agency

370 St Kilda Road, Melbourne, Victoria, Australia

Melbourne, VIC 3004

Australia


Add us to your address book



https://cosmicintelligenceagency.us5.list-manage.com/unsubscribe?u=b231b23ae086d8b4b6437c421&id=4817b954c4&e=a600919b63&c=ddd63f9e4f



This email was sent to accounts@sircles.not
why did I get this? unsubscribe from this list update subscription preferences
Cosmic Intelligence Agency · 370 St Kilda Road, Melbourne, Victoria, Australia · Melbourne, VIC 3004 · Australia

 

Oddly, they seem to be using MailChimp as their transport - not sure how that happened as MailChimp are very strict about these matters.

Now the download link for the invoice points to: https://sangamhotel.com/Invoice%20for%20company.zip which downloads a zip file.

The file is called 'invoice for company' and is a JS (JavaScript) file.

This file is dangerous and should not be opened.

This email should be reported as spam to MailChimp and possibly even to the CIA.

We have also seen this same email with the files stored at:

https://nasirakabdayak.com/Scanned FAX.zip

 

And the subscription links to be:

https://nixonhire.us6.list-manage.com/unsubscribe

 

We are also seeing these as arriving from the company name: Nixon Hire, as below:

In the email above the site has already been disabled and so the logo is no longer working...

HTML is below:


Recipient: Cloud Computing Solutions for Businesses
Date: 26/02/2018
Type:Invoice/Fax
Click on image or here , and get attached copy.

 

Copyright © 2018 Nixon Hire, All rights reserved.
You are receiving this email because you have previously opted in to receive emails from Nixon Hire.

Our mailing address is:

Nixon Hire

City West Business Park

Scotswood Road

Newcastle Upon Tyne, NE4 7DF

United Kingdom


Add us to your address book



Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

 

Once again the subscription points to MailChimp:

https://nixonhire.us6.list-manage.com/profile?u=49ab97c4aa&id=1a1758171e&e=270c72add7

https://nixonhire.us6.list-manage.com/unsubscribe?u=49ab97c4aa&id=1a1758171e&e=270c72add7&c=e43f84ff25