mxlab - all about anti virus and anti spam » scam

Google Picasa scam

mxlab — Fri, 10 Jun 2011 08:49:38 +0000

MX Lab, http://www.mxlab.eu, reported earlier regarding emails that offer an alternative to the official Adobe PDF Reader and the VOIP add ons for Skype.

It now seems that Google Picasa is the next victim of the same type of scam. We intercepted a few messages with the subject “The iTunes of Photo Organization” coming for the email address Picture Tools . This is the message:

The message has a download URL in the format hxxp://aphyet.com/re.php?lnk=1203683910&e=****.****@****.be. Following the link takes us to hxxp://officialversion.su/pics/1/index.asp?aff=11677&camp=esp_may09hld_picasa_jun10 with the following web site:

Notice the button on the right “Download Picasa” now and the mention of 24/7 support. This is very familiar and did ring a bell at the MX Lab HQ. We started to investigate the web site further.

We found a registration and order process very similar to the past cases with the Adobe PDF Reader 2011 and the VOIP add ons for Skype.

The payment transaction appears to be processed on an unsecure HTTP connection but a look into the HTML learns us that the payment form in embedded in an and the form is processed by hxxps://secure-signupway.com/p06/?siteid=6882. This domain is know for fraudulent payment processing so your credit card details will end up in the wrong hands.

As expected, the domain license details are protected and the domain is registered a few days ago.

Domain Name: APHYET.COM 

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Creation Date: 06-Jun-2011
Expiration Date: 06-Jun-2012

Domain servers in listed order:
    ns1.reg.ru
    ns2.reg.ru

Administrative Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Our recommendation is not to fill in any credit card details – your credit card details will likely be abused – and download this software. Please note that for the real Picasa you need to go to the Google web site at http://picasa.google.com/. And it’s free.

Receive a bonus of 2000 € – not everything is what it looks like

mxlab — Sun, 03 Apr 2011 16:17:41 +0000

MX Lab, http://www.mxlab.eu, intercept a large spam campaign what in fact appears to be an SMS scam system.

Email messages are sent from no-reply-xxx@finance-magazine.eu, where the XXX stands for random numbers. The domain finance-magazine.eu is from the The European CFO Magazine.

Many different subjects in the French language are being used to get some attraction:

Une offre qou vous ne pouvez pas refuser
Une opportunite unique d’une vie
Faire de l’argent n’a jamais ete aussi facile!
Etes-vous interesse ?
…

This is the email content:

The embedded URLs directs visitors to hxxp://berborso.com/c/8D1DB23B.

On this landing page you will need to fill in your details including your mobile phone number.

When your details are submitted, you’ll receive an SMS with an activation code. This code needs to be filled in again on this webform together with some additional details.

I haven’t filled in my real phone number but I’m pretty sure that this is a complete SMS scam. I wouldn’t be suprised if you receive more SMS messages later on that are credited on your phone bill later on.

This domain name is registered in the Ukraine:

Service Provided By: Center of Ukrainian Internet Names
Website: http://www.ukrnames.com
Contact: +380.577626123

Domain Name: BERBORSO.COM

Creation Date: 28-Mar-2011
Modification Date: 28-Mar-2011
Expiration Date: 28-Mar-2012

Domain servers in listed order:
ns1.hahray.in
ns2.hahray.in

Registrant:
Son Svan hdgi-domains@gmail.com
WATER STREET 45/54
CHRIST CHURCH, BB17056
BARBADOS
+1.24615566596

Be carefull if you receive offers like this.

Download Adobe Reader 10 Alternative scam

mxlab — Fri, 01 Apr 2011 05:58:20 +0000

MX Lab reported earlier on regarding a malicious spam campaign regarding an offer to download and buy PDF Reader/Writer for Windows and Mac in the articles Malicious spam campaign regarding Adobe Acrobat 2010 PDF Reader and VOIP Addons for Skype and Emails offering PDF Reader 2010 lead to unsecure payment site.

MX Lab noticed a new version that will offer the latest PDF Reader. The emails have the subject “Download Adobe Reader 10 Alternative” with the email address dailynews_dec09@m120.redmediaone.com.

This is the body of the email:

Following the link to the web site will lead us here:

When clicking on the download button we have the following screen that looks very familiar:

Okay, let’s go throught the registration process:

The registration transactions are performed on the domain secure-signupway.com. This domain is know for fraudulent payment processing so your credit card details will end up in the wrong hands.

Now, this is also interesting. The domain from where the message is sent, redmediaone.com, has protected registrant details in the WHOIS.

Registrant:
   redmediaone.com
   c/o Whois Privacy Service
   PO BOX 501610
   San Diego, CA 92150-1610
   US

   Domain Name: REDMEDIAONE.COM

   Administrative Contact, Technical Contact, Zone Contact:
      redmediaone.com
      c/o Whois Privacy Service
      PO BOX 501610
      San Diego, CA 92150-1610
      US
      (619) 393-2111
      whois@emailaddressprotection.com

   Domain created on 18-May-2010
   Domain expires on 17-May-2012
   Last updated on 25-Mar-2011

   Domain servers in listed order:

      NS1.DOMAINDISCOVER.COM
      NS2.DOMAINDISCOVER.COM

In the message is the download URL and an unsubscribe URL present that is handled by http://list.onemediaclick.com/. And also iin this case, the registrant details are protected.

Domain Name: ONEMEDIACLICK.COM
Registrar: MONIKER

Registrant [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US

Administrative Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Billing Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Technical Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Domain servers in listed order:

        NS1.DOMAINSERVICE.COM         208.73.210.41
        NS2.DOMAINSERVICE.COM         208.73.211.42
        NS3.DOMAINSERVICE.COM
        NS4.DOMAINSERVICE.COM

        Record created on:        2011-02-14 12:05:30.0
        Database last updated on: 2011-02-14 12:05:32.93
        Domain Expires on:        2012-02-14 12:05:31.0

The web site of Onemediaclick:

These guys are, according to the address on the site, located in Switzerland. When trying to contact them through the web form, nothing happens. The

Japan earthquake exploited by scammers

mxlab — Thu, 17 Mar 2011 23:12:20 +0000

As with all major events worldwide, spammers and scammers are exploiting these events to get their message delivered into your inbox. Now with the earthquake, the tsunami and problems in the nuclear powerplants in Japan it is not different.

MX Lab, http://www.mxlab.eu/, has intercepted some emails where scammers want to exploit the generosity of people. Here we have an example with the subject “JAPANESE EARTHQUAKE VICTIMS!”:

Dear Sir/Madam,

I am Kasumi Umeko resident in Spain. We have other japanese families living as a community here in Spain. Our family members were severely affected by the recent Tsunami earthquake that happened in the pacific ocean that devasted Tokyo and led to the lost over 13,000 lives and properties worth billions of Dollars.

We implore to help the earthquake victims that lack food and shelter. We have established a distribtion channel to these victims. You can send your gifts and aids as cash by western union money transfer system to our division responsible for the distribution of food, shelter and medical assistance using the information stated below:

FIRST NAME: SHIZUKA
LAST NAME:TADASHI
ADDRESS: CALLE VELAZQUEZ 8
28010 MADRID.

After making the payment send the payment details to the Assistance Distribution Section as stated below:

SENDER’S DETAILS:
FIRST NAME:
LAST NAME:
MONEY TRANSFER CONTROL NUMBERS. (MTCN)
COUNTRY:
ADDRESS:
Email: japvictimsesp@yahoo.co.jp

Thanks for your assistance to the need of humanity of the Japanese people. May God richly blessed and also expand your territory in any field of your endevour.

Yours truly,
Susumu Takumi

Now, please, do not fall for such scams. You will only transfer funds to people who have no intensions whatsoever helping the Japanese people. When emails like this one mention “western union money transfer system” you should be very carefull and it is even better to delete the message immediatly.

Malicious spam campaign regarding VOIP Addons for Skype – the story goes on

mxlab — Thu, 30 Sep 2010 13:10:59 +0000

MX Lab, http://www.mxlab.eu, reported earlier on regarding a malicious spam campaign regarding an offer to get Skype VOIP Addons.

We have been following the campaigns and what is quite stunning is that the authors of this campaign are using different ESPs – or Email Service Providers – in order to get the message to their subscription database.

In the past we’ve seen messages coming from:

Emailsparkle.com – owned by Dotster
digioffice-mail.be – owned by Mario Vleugels from West Technologies, located in Belgium
createsend1.com – owned by Campaign Monitor

Today we have the messages coming from Stream Send and the senders email address is newsletter@skype–2010.com. As you can notice, a new domain name is also present. This is used to avoid spam engines with the intent analysis technology where filtering is based on URLs inside the message.

The body of the email:

Dear Skype Users,

This is to notify that new updates have been released for Skype. Following are major new features:

- Talk more for free via Voice Over IP (VoIP)
- Lower cost when connecting to landlines (much cheaper than Calling Card)
- Record your conversation (better than telephone quality)
- Instant messaging & file-sharing, video calls
- Now available on PSP!

To check and upgrade, go to Skype Updates Center

Skype has changed the way we think of telecommunications.

Thank you for choosing us.

With best regards,
Mike Pickman
Skype Support
Copyrights Skype 2010 – All Rights Reserved

If you notice a change in email delivery, please post it in the comments.

[Update 01-01-2010 20:32]

We got a reply from the abuse department of Stream Send:

“Thank you for contacting us. We’ve reviewed the information that you have sent us and have taken action against the account holder that sent out this email.”.

Great, down again but for how long.

Emails with the URL anoniemberichtje.com is a phishing attempt and you will get a expensive SMS subscription

mxlab — Tue, 14 Sep 2010 23:26:15 +0000

MX Lab intercepted some emails with the subject “Lees ffkes mn bericht” – can be translated to “read my message”.

This message is written in the Dutch language – some words in a dialect – and it is targeting Dutch email users - and is notifying the recipient that a private messages is waiting to be read.

The message appears to be coming from a Hotmail.com account and is sent from one of the Hotmail servers with the IP 65.55.111.173. The IP seems to be a valid IP address being used by Hotmail.

IP Address: 65.55.111.173
Host: blu0-omc4-s34.blu0.hotmail.com
Location: US, United States
Organization: Microsoft Corp

The body of the email:

Ik heb u juist een anoniem berichtje gestuurd, kunde da ffkes lezen?

Klik op onderstaande link om het berichtje te zien.

hxxp://www93.anoniemberichtje.com/?message=3191332f9645ad23fc538e1932cd936d

Wij zijn de enigste die het berichtje kunnen zien.

Stuurt ge wa terug?

Translated to English:

I just send you an anonymous message, can you read it?

Click on the link below to see the message.

hxxp://www93.anoniemberichtje.com/?message=3191332f9645ad23fc538e1932cd936d

We are the only one who can see the message.

Do you send something back?

When following the URL you will get the following screen.

Great, you will need to fill in your Windows Live account details on a non Microsoft web site. This looks to me like a genuine phishing attempt in the first place.

We filled in some dummy email address and password combination and the webpage becomes visible.

It’s all in Dutch but I will give you an idea of what this page is about. “You have received 1 private message” and you will need to fill in your mobile number in the webform. From that point on, you will receive an SMS and you will need to confirm your mobile number.

After that, the private message for you will be visible and you can also send unlimited private messages.

The web site also states “Are you under 18? Ask permission from your parent or guardian” and to the right, the black box with 3355 – which is a special mobile SMS number – and 28.00 € / week does make it appear that you will subscribe to a sort of SMS service for that amount each month.

Now, the domain anoniemberichtje.com is registered with the following details.

Domain Name      : anoniemberichtje.com
PunnyCode        : ANONIEMBERICHTJE.COM
Creation Date    : 2010-09-02 13:59:22
Updated Date     : 2010-09-14 09:32:35
Expiration Date  : 2011-09-02 13:59:19

Registrant:
  Organization   : wu ling
  Name           : wuling
  Address        : ShangHai
  City           : Shang Hai
  Province/State : Shanghai
  Country        : cn
  Postal Code    : 200085

Administrative Contact:
  Name           : wuling
  Organization   : wuling
  Address        : ShangHai
  City           : Shang Hai
  Province/State : Shanghai
  Country        : cn
  Postal Code    : 200085
  Phone Number   : 86-755-12345678
  Fax            : 86-755-12345678
  Email          : lixing763@yahoo.cn

Technical Contact:
  Name           : wuling
  Organization   : wuling
  Address        : ShangHai
  City           : Shang Hai
  Province/State : Shanghai
  Country        : cn
  Postal Code    : 200085
  Phone Number   : 86-755-12345678
  Fax            : 86-755-12345678
  Email          : lixing763@yahoo.cn

Billing Contact:
  Name           : wuling
  Organization   : wuling
  Address        : ShangHai
  City           : Shang Hai
  Province/State : Shanghai
  Country        : cn
  Postal Code    : 200085
  Phone Number   : 86-755-12345678
  Fax            : 86-755-12345678
  Email          : lixing763@yahoo.cn

So, the conclusion is that you better do not attempt to fill in your mobile number or your Windows Live account details.

Directory scam: Registration of the World Business Directory 2010/2011

mxlab — Tue, 09 Mar 2010 10:05:14 +0000

MX Lab reported in 2009 about the misleading marketing trick that the World Business Directory uses. Guess what, they are back!

MX Lab received a new registration form from the World Business Directory and again, we want to point out a few things before you sign their contract.

The email comes from info@companyworld2010.com, with the subject “Registration of the World Business Directory 2010/2011″ and this is the email content:

Dear Madam/Sir,

In order to have your company registered in the World Business
Directory for 2010/2011, please print, complete and return the
enclosed form (PDF file) to the following address:

World Business Directory
Suite 149 – Rosden House – 372 Old Street
EC1V 9AU / London – United Kingdom
E-mail: office@companyworld2010.com
Fax: +44 207 806 8157

Updating is free of charge!

To unsubscribe, please send an email to
unsubscribe@companyworld2010.com

Attached is a PDF file named world-businessdirectory.pdf.

The 1st point that needs your attention is the text block 1:

To update your company profile, please print, complete and return
this form (Updating is free of charge). Only sign if you want to
place an insertion.

As you can read, updating is free of charge but if you want your company get listed in this directory you will need to sign and have to pay.

What is the price of this directory you may ask yourself? Well, you have to go to text block 2 with the very small letters and this includes:

I WILL HAVE AN INSERTION INTO ITS DATA BASE FOR THREE YEARS. THE PRICE PER YEAR IS GBP 980.

And there you have it, this contract will cost your business a total amount of GBP 2940 over 3 years. After the 3 years subscription you can stop your contract if you inform them on time:

THE SUBSCRIPTION WILL BE AUTOMATICALLY EXTENDED EVERY YEAR FOR ANOTHER YEAR, UNLESS SPECIFIC WRITTEN NOTICE IS RECEIVED BY THE SERVICE PROVIDER OR THE SUBSCRIBER TWO MONTHS BEFORE THE EXPIRATION OF THE SUBSCRIPTION.

A few arguments from our side that this is a scam:

The from email address contains the domain companyworld2010.com and when trying to see if there is a site online we got the notification “This account has been suspended”. We might see new emails from the World Business Directory appear with other domains.

When getting some WHOIS information on the domain we got the following:

Registrant:
 international group c/o Free Private Reg
 P.O. Box 81024
 Burnaby, BC V5H 4K2
 CA

 Domain name: COMPANYWORLD2010.COM

 Administrative Contact:
    boot, cornelis  companyworld2010.com@freeprivateregistration.com
    P.O. Box 81024
    Burnaby, BC V5H 4K2
    CA
    852-3594-1708
 Technical Contact:
    Hostmaster, Domain  hostmaster@doteasy.com
    Suite 210 - 3602 Gilmore Way
    Burnaby, BC V5G 4W9
    CA
    (604) 434-4307    Fax: (604) 608-6832

 Registrar of Record: In2net Network Inc.
 Record last updated on 05-Mar-2010.
 Record expires on 05-Mar-2011.
 Record created on 05-Mar-2010.

 Domain servers in listed order:
    DNS8.DOTEASY.COM   65.61.199.14
    DNS7.DOTEASY.COM   65.61.198.14

 Domain status: clientTransferProhibited
                clientUpdateProhibited

The registrant information is rather vague and points to a PO Box and the administrative contact has the same address. The domain freeprivateregistration.com in the email address of the administrative contact is just a domain alias from doteasy.com. These details must be fake.

In 2009, the PDF document needed to be returned to an address in The Netherlands, in this 2010/2011 edition it needs to be returned to an address in London, UK.

When visiting their site at http://www.world-businessdirectory.com/ on the ‘About us’ page we found the following text:

The World Business Directory online is product of EU Business Services Ltd, a corporation organized and existing under the laws of Nevis, West Indies.

We also found the UK address on the ‘Contact us’ page.

Our recommendation is: don’t sign the document and don’t do business with this company.

Follow these guidelines if you are a victim of this directory scam:

Do not pay, even if they imply to take your case to court.
If you have paid a certain amount, stop the next payments. Expect that you won’t get a refund either.
Send them a letter informing them you have been misled and telling them to cancel the contract.
If possible, report to (local) authorities.

Additional information:

Stop EU Business Services Ltd Trading As World Business Directory
Stop world-businessdirectory.com

On the web site of Richard Corbett you can find some background information about directory scams and what to do when you are a victim of such a scam.

Phishing PayPal email includes web form

mxlab — Wed, 03 Jun 2009 12:46:03 +0000

One of the latest phishing emails with the subject “PayPal Forma ID PP697″ caught our attention because of the fact that it included a complete HTML form inside the email. The phishing is regarding a refund request and the amount would be transferred to your credit card within 5 or 7 days.

The form seduces you to submit not only your credit card details but also your email and PayPal password. This could directly lead to the hacking and abuse of your PayPal account.

The form sends the filled in details to the host hxxp://www.swisstools.net/mailform.asp and when processed it will redirect you to the Italian PayPal web site. When we tested this we got a Microsoft OLE DB Provider for ODBC Driver error as a result.

World Business Guide is using misleading marketing trick

mxlab — Wed, 03 Jun 2009 11:14:54 +0000

Today, MX Lab received an email regarding the “World BusinessGuide” directory. At first there seems nothing wrong with the mailing but when looking further there are some points that need your attention.

The messages is from “World Business Register” with different email addresses in use:

info@easyhomecorporation.com
info@easycitycorporation.com
info@bigorganization4you.com
www@companyregpro.net
www@companyregstore.net
www@easycompregonline.com
www@bestcompregpro.com

The subject is “Business Registration 2009/2010″. The body of the email:

Ladies and Gentlemen.

In order to have your company inserted in the registry of World Businesses
for 2009/2010 edition, please print, complete and submit the enclosed
form (PDF file) to the following address:

WORLD BUSINESS GUIDE
P.O. Box 2021
3500 GA Utrecht
The Netherlands

email: register@wbgtoday.net
FAX: +31 20 524 8107

Updating is free of charge!

If you are not the intended recipient, please submit an email to
unsubscribe@wbgtoday.net
Your request shall be dealt with accordingly.

Attached is a PDF document that needs to be printed, filled in and sent to an PO Box address in The Netherlands.

When reading the PDF document carefully you can find the following:

I WILL HAVE AN INSERTION INTO ITS DATA BASE FOR THREE YEARS. THE PRICE PER YEAR IS EURO 995.

While the email itself states “Updating is free of charge!” you will have to pay € 995 each year with a minimum 3 year period by signing the document. This is quite misleading if you ask me.

A few more observations that should warn you about a possible scam:

the email is sent from easyhomecorporation.com while there is no web site on this place so the registration of this domain is purely for spoofine the real origin.
and more important, the document needs to be sent to a PO Box in The Netherlands while the company is International Directories Group Ltd located in Spain according to the document.

In the past we have received similar letters by regular post here in Belgium and some organisations like Unizo have instructions (in Dutch) on how to report the illegal and deceptive practices to the authorities.

If you have received such a email, or regular mail, don’t sign the document, sent it to the trash or report to your local authorities.

[Update March, 9th 2010] MX Lab received a new registration PDF from the World Business Directory. Read the article.

Belgian court condemns 18 persons regarding Nigerean spam

mxlab — Mon, 18 May 2009 21:46:15 +0000

The correctional court of Brugges, Belgium, condems 18 persons with prison sentences from 2 to 6 years for sending out fraudulent spam between Februay 2007 and November 2008.

In the Nigerian spam emails they claimed to have a fund in Ghana where a substantional amount of money was blocked after a woman died in a car accident. The small fortune of 35 million Euro could be released with the help and a contribution of the addressee.

The police could arrest the gang after a tip and a thorough investigation of mobile phone conversations.