'Changed Identification Numbers', 'Hilton Hotel' SPAM, Zombie 'Orkut' Phish ...
FYI...
'Changed Identification Numbers' Spam
- http://threattrack.tumblr.com/post/123461472968/changed-identification-numbers-spam
July 7, 2015 - "Subjects Seen:
Changed identification numbers
Typical e-mail details:
Trust You are well.
Kindly see enclosed modified personal numbers regarding Your bank card.
Kindly confirm the safe recepiency of this letter and of enclosed codes.
Consider this message as strictly personal and never copy it to other entities.
Helen Jackson
Senior Consultant
Screenshot: https://36.media.tumblr.com/eb4e4902b22641b4ca2d0db6eb7e37c9/tumblr_inline_nr4fle4nSj1r6pupn_500.png
Malicious File Name and MD5:
transcript_of_perosnal_forms.exe (0166afeac63b594aa608dab85deddc07)
___
'Hilton Hotel Receipt' Spam
- http://threattrack.tumblr.com/post/123465692883/hilton-hotel-receipt-spam
July 7, 2015 - "Subjects Seen
A for guest WARDE SAID
Typical e-mail details:
Thank you for choosing our hotel and we very much hope that you enjoyed your stay with us.
Enclosed is a copy of your receipt(FOLIODETE_2317766.pdf). Should you require any further assistance please do not hesitate to contact us directly.
We look forward to welcoming you back in the near future.
This is an automatically generated message. Please do not reply to this email address.
Screenshot: https://40.media.tumblr.com/a0bffde5101dcd97699d93fec75acc82/tumblr_inline_nr4iy3iDOW1r6pupn_500.png
Malicious File Name and MD5:
FOLIODETE_0447019.exe (da3fd8a0905df536969e38468d5ca5c8)
___
Zombie 'Orkut' Phish...
- https://blog.malwarebytes.org/fraud-scam/2015/07/attack-of-the-zombie-orkut-phishing-pages/
July 7, 2015 - "... Orkut -was- a Google run social network, invite-only and very popular in places like Brazil, India and the US. Unfortunately, its users were frequent targets of scams, and I myself researched the first -Worm- on the Orkut network way back in 2006. Eventually, other Google services became more popular and the shutters came down for good in 2014:
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/orkut1.jpg
This is done by logging into your Google Account, navigating to the relevant Archive section and being offered a mixture of original format files and HTML:
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/orkut2.jpg
In other words, your still-dead Orkut account has a value attached, in the form of your entirely still-alive Google login. As a result, you’ll still occasionally come across the odd -fake- Orkut frontpage asking for credentials:
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/orkut3.jpg
The above is located at:
lokoleonadinho(dot)xpg(dot)uol(dot)com(dot)br
The page reads as follows:
Who do you know?
Connect to your friends and family using scraps and instant messaging
Meet new people through friends of friends and communities
Share your videos, pictures and passions all in one place
Sign in to orkut with your
Google Account
There’s another one using the same layout and text at:
davitosta(dot)xpg(dot)uol(dot)com(dot)br
These Zombie Login pages are effective whether the scammer intended any sort of “Reclaim your data” riff or not – it doesn’t matter if the page is a regular Orkut login (the ones above are straight copies of the old Orkut frontpage), or geared towards reclaiming Takeout data. It doesn’t matter if the -fakes- were created last week, last month or last year. For as long as old users of Orkut associate it with a Google login, it will always be something that can be leveraged as a potential way in to a Google account whether Orkut is actually active or not. Should the unwary end up on an Orkut -phish- by chance, they may well assume the phony site is somehow the first step to grabbing their old information. With a few taps of the keyboard, their Google login will have been swiped (another good reason to use a password manager, incidentally, because they won’t go auto-filling your data on a fake website – assuming they have autofill and you’re making use of it, of course). A single sign on for multiple services is one way to lessen the impact on users where all of the products are managed by a single company, but this does mean that when one of those services fades into oblivion it can still end up being a gateway to phishing scams. Whether you have fond memories of Orkut, scrapbooks and the occasional worm or your first response is “Orkut on the what now”, be mindful of where you’re entering your Google login – there’s a time and a place for handing over your email and password, and the above two websites are most definitely -not- it."
lokoleonadinho(dot)xpg(dot)uol(dot)com(dot)br:
200.147.36.16: https://www.virustotal.com/en/ip-address/200.147.36.16/information/
200.147.100.28: https://www.virustotal.com/en/ip-address/200.147.100.28/information/
davitosta(dot)xpg(dot)uol(dot)com(dot)br:
200.147.36.16: https://www.virustotal.com/en/ip-address/200.147.36.16/information/
200.147.100.28: https://www.virustotal.com/en/ip-address/200.147.100.28/information/
:fear::fear:
FYI...
'Changed Identification Numbers' Spam
- http://threattrack.tumblr.com/post/123461472968/changed-identification-numbers-spam
July 7, 2015 - "Subjects Seen:
Changed identification numbers
Typical e-mail details:
Trust You are well.
Kindly see enclosed modified personal numbers regarding Your bank card.
Kindly confirm the safe recepiency of this letter and of enclosed codes.
Consider this message as strictly personal and never copy it to other entities.
Helen Jackson
Senior Consultant
Screenshot: https://36.media.tumblr.com/eb4e4902b22641b4ca2d0db6eb7e37c9/tumblr_inline_nr4fle4nSj1r6pupn_500.png
Malicious File Name and MD5:
transcript_of_perosnal_forms.exe (0166afeac63b594aa608dab85deddc07)
___
'Hilton Hotel Receipt' Spam
- http://threattrack.tumblr.com/post/123465692883/hilton-hotel-receipt-spam
July 7, 2015 - "Subjects Seen
A for guest WARDE SAID
Typical e-mail details:
Thank you for choosing our hotel and we very much hope that you enjoyed your stay with us.
Enclosed is a copy of your receipt(FOLIODETE_2317766.pdf). Should you require any further assistance please do not hesitate to contact us directly.
We look forward to welcoming you back in the near future.
This is an automatically generated message. Please do not reply to this email address.
Screenshot: https://40.media.tumblr.com/a0bffde5101dcd97699d93fec75acc82/tumblr_inline_nr4iy3iDOW1r6pupn_500.png
Malicious File Name and MD5:
FOLIODETE_0447019.exe (da3fd8a0905df536969e38468d5ca5c8)
___
Zombie 'Orkut' Phish...
- https://blog.malwarebytes.org/fraud-scam/2015/07/attack-of-the-zombie-orkut-phishing-pages/
July 7, 2015 - "... Orkut -was- a Google run social network, invite-only and very popular in places like Brazil, India and the US. Unfortunately, its users were frequent targets of scams, and I myself researched the first -Worm- on the Orkut network way back in 2006. Eventually, other Google services became more popular and the shutters came down for good in 2014:
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/orkut1.jpg
This is done by logging into your Google Account, navigating to the relevant Archive section and being offered a mixture of original format files and HTML:
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/orkut2.jpg
In other words, your still-dead Orkut account has a value attached, in the form of your entirely still-alive Google login. As a result, you’ll still occasionally come across the odd -fake- Orkut frontpage asking for credentials:
> https://blog.malwarebytes.org/wp-content/uploads/2015/07/orkut3.jpg
The above is located at:
lokoleonadinho(dot)xpg(dot)uol(dot)com(dot)br
The page reads as follows:
Who do you know?
Connect to your friends and family using scraps and instant messaging
Meet new people through friends of friends and communities
Share your videos, pictures and passions all in one place
Sign in to orkut with your
Google Account
There’s another one using the same layout and text at:
davitosta(dot)xpg(dot)uol(dot)com(dot)br
These Zombie Login pages are effective whether the scammer intended any sort of “Reclaim your data” riff or not – it doesn’t matter if the page is a regular Orkut login (the ones above are straight copies of the old Orkut frontpage), or geared towards reclaiming Takeout data. It doesn’t matter if the -fakes- were created last week, last month or last year. For as long as old users of Orkut associate it with a Google login, it will always be something that can be leveraged as a potential way in to a Google account whether Orkut is actually active or not. Should the unwary end up on an Orkut -phish- by chance, they may well assume the phony site is somehow the first step to grabbing their old information. With a few taps of the keyboard, their Google login will have been swiped (another good reason to use a password manager, incidentally, because they won’t go auto-filling your data on a fake website – assuming they have autofill and you’re making use of it, of course). A single sign on for multiple services is one way to lessen the impact on users where all of the products are managed by a single company, but this does mean that when one of those services fades into oblivion it can still end up being a gateway to phishing scams. Whether you have fond memories of Orkut, scrapbooks and the occasional worm or your first response is “Orkut on the what now”, be mindful of where you’re entering your Google login – there’s a time and a place for handing over your email and password, and the above two websites are most definitely -not- it."
lokoleonadinho(dot)xpg(dot)uol(dot)com(dot)br:
200.147.36.16: https://www.virustotal.com/en/ip-address/200.147.36.16/information/
200.147.100.28: https://www.virustotal.com/en/ip-address/200.147.100.28/information/
davitosta(dot)xpg(dot)uol(dot)com(dot)br:
200.147.36.16: https://www.virustotal.com/en/ip-address/200.147.36.16/information/
200.147.100.28: https://www.virustotal.com/en/ip-address/200.147.100.28/information/
:fear::fear:
Last edited: