Compensation Settlement On Escrow Accounts. (IMF Scam)

April 25, 2017, 12:22 am

INTERNATIONAL MONETARY FUND
1900 PENNSYLVANIA Ave NW
WASHINGTON DC.
20431.

Attention Beneficiary

This is to formally inform you that your file on your fund transfer has reached Mr. Carla Grasso Managing Director of the IMF(The International Monetary Fund). We are also aware that your transaction has been dormant for a while now, and we will like to know why. It will be in your own interest to get back to the department director Mr David who is in charge of the transfer unit of IMF, get back to him as soon as possible, failure to do so we shall confiscate your funds to charity.

Email.......imf_davidhanks147@yahoo.com

Fill Out the information to him if you are ready to get your FUNDS

Your Full Name:...............
Direct Phone:....................
Country.................
Occupation:.....................
Gender:.........
Age:..............
Bank details.............
A Scan Copy Of Your Identity Card Or Drivers License.

And take note any other email you receive form anybody claiming to have your fund should be sent to this office and you are advised to stop any transaction or payment to the institutions who have been in contact with you lately for they are scam and the FBI and EFCC are after them,so be smart the IMF is now in-charge of all dept .

We await your reply.

Have a good day.

Department Director
Mr. David Hanks

Email analysis :

NOTE : Received : from vizyontanitim.com
NOTE : (toroon12-1279381067.sdsl.bell.ca [76.65.206.75])

NOTE : imf.davidhanks247@gmail.com
NOTE : info@vizyontanitim.com

↧

Hi (Donation Scam)

April 25, 2017, 12:40 am

≫ Next: AUTOMATIC USPS statement: your package has been postponed

≪ Previous: Compensation Settlement On Escrow Accounts. (IMF Scam)

Hello,

Donation proposal for you, Contact me for more details.

Regards,
Greg.

Email analysis :

NOTE : gregoryniklos@gmail.com
NOTE : jimenezm319@cod.edu
NOTE : Received : from MAIL13.cdnet-ad.ad.cod.edu ([::1])
NOTE : by MAIL13.cdnet-ad.ad.cod.edu ([::1])
NOTE : Received : from MAIL13.cdnet-ad.ad.cod.edu (10.11.0.3)
NOTE : by MAIL13.cdnet-ad.ad.cod.edu (10.11.0.3)
NOTE : Received : from MAIL13.cdnet-ad.ad.cod.edu (10.11.0.3)
NOTE : by EDGE1.cod.edu (10.11.0.106)
NOTE : Received : from mail.cod.edu (edge1.cod.edu [192.203.136.103])

192.203.136.103 server was used to relay this scam.

NOTE : X-Originating-Ip : [105.112.35.87]

NOTE : cod.edu server was used to relay this scam

NOTE : jimenezm319 account was used to relay this scam.
NOTE : @collegedupage server was used to relay a scam.

↧

AUTOMATIC USPS statement: your package has been postponed

April 27, 2017, 12:55 am

≫ Next: Crédit Mutuel de Bretagne

≪ Previous: Hi (Donation Scam)

This is an automatic message: you are obliged to read this letter to accept
the order.
Please, use the link seen down below to contact the USPS support team.

http://www.stbishoy.org/wp-content/b4d47c6405.html

Thanks and best regards.
Takeisha Wernecke - USPS Senior Station Manager.

Email analysis :

NOTE : wo56816421@occhristian.pvt.k12.ia.us
NOTE : USPS Priority
NOTE : Received : from occhristian.pvt.k12.ia.us (unknown [186.151.239.161])
NOTE : User-Agent : Opera Mail/10.62 (Win32)
NOTE : 186.151.239.161

Phishing analysis :

CLICK : http://www.stbishoy.org/wp-content/b4d47c6405.html
OPEN : http://www.stbishoy.org/wp-content/b4d47c6405.html
REDIRECT : http://servisedelivery.com/bot14/lgen.php
RESULT : Phishing is unresponsive...

Stbishoy.org analysis :

Registrant Email: stbishoy.org@proxy.dreamhost.com
Updated Date: 2016-11-01T18:00:21
Creation Date: 2009-08-02T04:33:23
Registry Expiry Date: 2017-08-02T04:33:23

Servisedelivery.com analysis :

Updated Date: 2017-04-24T17:04:10
Creation Date: 2017-04-24T00:00:00
Registrar Registration Expiration Date: 2018-04-24T00:00:00
Registrar Abuse Contact Email: abuse@bizcn.com
Registrant Name: Wuxi Yilian LLC
Registrant Organization: Wuxi Yilian LLC
Registrant Street: No.1001 Anling Road
Registrant City: Xiamen
Registrant State/Province: Fujian
Registrant Postal Code: 361008
Registrant Country: cn
Registrant Phone: +86.5922577888
Registrant Fax: +86.5922179606
Registrant Email: whoisprivacyprotect@whoisservices.cn

↧

Crédit Mutuel de Bretagne

April 27, 2017, 1:38 am

≫ Next: Assalamualaikum

≪ Previous: AUTOMATIC USPS statement: your package has been postponed

Bonjour,

Nous tenons de vous informer que vous avez un nouveau message.
Pour consulter votre boite de messagerie cliquez sur le lien ci-dessous :

Consulter la boite de messagerie

Cordialement,
Laurent Biojoux,
Directeur de la Relation Clients

Crédit Mutuel de Bretagne

Veuillez ne pas répondre à cet email car les messages reçus à cette adresse ne sont pas lus. Pour
nous contacter, connectez-vous à votre compte et cliquez sur Contact en bas de n'importe quelle page.

Email analysis :

NOTE : tracey.lahey@sympatico.ca
NOTE : cmb@contact.com
NOTE : Cmm-Sending-Ip : 184.150.200.79

Phishing was sent via this ip : 184.150.200.79

Phishing analysis :

CLICK : Consulter la boite de messagerie
OPEN : https://tinyurl.com/k96mlop

↧

Assalamualaikum

April 27, 2017, 3:10 am

≫ Next: _ C O N G R A T U L A T I O N S _

≪ Previous: Crédit Mutuel de Bretagne

Greeting !

How are you? My name is Kayla Morni Mohd, a Citizen of Syria lived in Aleppo- Syria., I'm one of the former senior inspector for Syria National Petroleum Company(Kawkab Oil Company). I have Business investment transaction worth $8.2 Million. I will like to relocate out from Syria, Because here in Syria is serious war here. I wait to hear from you as soon as you see this message

regards,

Kayla Morni Mohd

Email analysis :

NOTE : morie8@bigpond.com
NOTE : X-Originating-Ip : [46.23.66.106]

↧

_ C O N G R A T U L A T I O N S _

May 4, 2017, 2:29 am

≫ Next: I wait to read from you

≪ Previous: Assalamualaikum

WESTERN UNION ASIA

[HEAD OFFICE] - KUALA LUMPUR, MALAYSIA

" WESTERN UNION GRANT 2017 "

YOUR EMAIL WAS SELECTED AND HAVE BEEN AWARDED THE SUM OF $500,000.00 USD. YOU WILL BE ISSUED A WESTERN UNION NETSPEND MASTERCARD CREDITED WITH $500,000.00 USD

NOTE: The Delivery Of Your WESTERN UNION NETSPEND MASTERCARD To Your HOME is FREE !

Your Reference No: WU/WUA2017/BBKMY

For More Information , Please Contact -

Western Union Agent: MELISSA BINTI MUBARAK
Contact E-mail: westernunion.melissamubarak@gmail.com
Office Telephone: +60165781566

CONGRATULATION ONCE AGAIN FROM WESTERN UNION © [ ASIA ].

Email analysis :

NOTE : wu.asia2017@gmail.com
NOTE : westernunion.melissamubarak@gmail.com
NOTE : info@viniwee.com
NOTE : Received : from User (unknown [51.15.147.28])

NOTE : by host.viniwee.com

↧

I wait to read from you

May 4, 2017, 2:47 am

≫ Next: NOTICE OF ONGOING INVESTIGATION

≪ Previous: _ C O N G R A T U L A T I O N S _

Greetings,

I represent an investment interest that is interested in investing abroad, a large volume of resources, we are seeking your participation as an overseas representatives to treat the investment in your country. If interested, please contact me by writing back.( )

Thank you very much

Email analysis :

NOTE : vb00149@surrey.ac.uk
NOTE : v.bokinala@surrey.ac.uk
NOTE : 19investment@gmail.com
NOTE : client-ip=195.245.231.133;

Received : from [85.158.136.51] by server-6.bemta-5.messagelabs.com

NOTE : Received : from 178.33.210.30 (131.227.131.245)

NOTE : by EXHT021P.surrey.ac.uk (131.227.200.35)

NOTE : with Microsoft SMTP Server (TLS) id 8.3.485.1;
NOTE : EXHT021P.surrey.ac.uk
NOTE : www.surrey.ac.uk

@UniOfSurrey servers were used to relay this scam

NOTE : The @UniOfSurrey servers were used to relay a scam.
NOTE : The email of #vivek_bokinala was used to relay this #scam

↧

NOTICE OF ONGOING INVESTIGATION

May 10, 2017, 2:09 am

≫ Next: Richard Maxwell

≪ Previous: I wait to read from you

Federal Bureau Of Investigations
Headquarters Washington Dc.
Building 935 Pennsylvania Ave.
NW WASHINGTON, D.C. 20535-0001
E-Mail: fbi.gov0012@usa.com

NOTICE OF ONGOING INVESTIGATION

Attn Recipient:

This is agent Josh, we were sent by the Director of Federal Bureau of Investigation (JAMES B.COMEY), we are currently in Africa as an FBI/ United States delegate that have been delegated to investigate these fraudsters who are in the business of swindling Foreigners that has transactions in Africa. Be informed that during our investigations we found out that there is a total amount of $2.5 Million that has been assigned in your name as the beneficiary and these fraudsters are busy swindling you without any hope of receiving your fund, these are the works of the fraudsters who needed to extort money from you in the name of this transfer, We have to inform you that we have arrested some men in respect of this delayed overdue fund. We have a very limited time to stay in Africa here so I advise you urgently respond to this message. These criminals will be caught unaware and we don't want them to know this new development to avoid jeopardizing our investigation, you need to conceal anything that has to do with this exercise to enable us get all the necessary information we required. I will be expecting your swift response as soon as you receive this email and notify us of any message or phone call you receive from those fraudsters for us to investigate on it before you make any contact with them.

In case if found this message in spam folder, it could be due to your Internet Service Provider, ISP. So kindly move to your inbox before replying.

Regards,
JACKSON JOSH
International Banking Unit
862 955-2836

Email analysis :

NOTE : X-Originating-Ip : [197.234.219.26]

NOTE : Received : from mzcstore262.ocn.ad.jp
NOTE : (mz-fcb262p.ocn.ad.jp [180.8.111.198])
NOTE : jackson.fbi@yahoo.com
NOTE : "WWW."@star.ocn.ne.jp

↧

Richard Maxwell

May 10, 2017, 2:08 am

≫ Next: ..£1million Donated To You##..

≪ Previous: NOTICE OF ONGOING INVESTIGATION

We have deposited the check of your fund($25.400`000`00USD)through MONEY GRAM department after our final meeting regarding your fund, All you will do is to contact money gram director (479)3853899 He will give you direction on how you will be receiving the funds daily.Remember to send him your Full information to avoid wrong transfer such as,

Receiver's Name_______________
Address: ________________
Country: _____________
Phone Number: _____________

Though,Mr.Richard Maxwell sent $4000 in your name today so contact Mr.richardmaxwe or you call him as soon as you receive this email(richardmaxwell314@gmail.com) and tell him to give you the reference, sender name and question/answer to pick the $5000 Please let us know as soon as you received all your fund,

Best Regards.

MONEY GRAM AGENT

Email analysis :

NOTE : X-Originating-Ip : [185.56.137.11]

NOTE : Received : from mail.ochoa.com.do (mail.ochoa.com.do [172.17.1.231])
NOTE : servicedesk@ochoa.com.do
NOTE : richardmaxwell314@gmail.com

↧

..£1million Donated To You##..

May 10, 2017, 2:00 am

≫ Next: Tammy Joorst (Email Leak)

≪ Previous: Richard Maxwell

You have been selected to receive a whooping sum of £1million which the Davies family donated to you After scooping £61million - in one of Britain's biggest Lotto Euro Millions .My family and i decided to set up a foundation aimed at providing financial aids and assistance to reputable individuals around the world to help fight cancer, in their various community.

It's a great way to give back to the world after miraculously cheated death, Read more about me and my family on the News Link Below.

Kindly forward your Full name, age, Tel.No, Address
Sincerely,
Davies Family Charitable Trust

Email analysis :

NOTE : Davies Family Charitable Trust
NOTE : daviesctrust@cox.net
NOTE : Received : from [192.168.176.198] (71.41.196.26)
NOTE : X-Originating-Ip : [71.41.196.26]

NOTE : by Exchange.ku.dk (172.28.3.173)

↧

Tammy Joorst (Email Leak)

May 10, 2017, 2:07 am

≫ Next: Rich and Famous

≪ Previous: ..£1million Donated To You##..

Good day

how can you supply me?

Email analysis :

NOTE : 3563909@myuwc.ac.za
NOTE : 3556254@myuwc.ac.za
NOTE : regie44@outlook.com

Email leak :

saymorebc@hotmail.com, sayyashdesigns@yahoo.com, sazdesign67@yahoo.com.au, sbaladev_24@yahoo.com, sbasnyat@las-cruces.org, sbbwa.secretary@gmail.com, sbc@sbcinv.net, sbc4radio@yahoo.com, sbghosh@hotmail.com, SBIRRO1984@hotmail.com, sbrady@hotmail.com, sbryson@westernleisureservices.com.au, sbsbjulia@gmail.com, sbugan@ncpg.gov.za, sburdisso@hotmail.com, scampbell3523@gmail.com, scampher@gmail.com, scamwarners9@gmail.com, scanvps@hotmail.com, scardoso_1@yahoo.com.ar, scarfyw1@yahoo.com.au, scarletcourierupdate@yahoo.co.uk, scc.info@tsogosun.com, scchiou_43197@yahoo.com.tw, scentedcandlelady@gmail.com, schakrabarty@gmail.com, schalk.ltgroep@mailbox.co.za, scharvest@gmail.com, scheffer.luana@gmail.com, schewitzl@gmail.com, schickelizabeth@hotmail.com, schoa2014@gmail.com, schoeman.yolandy@gmail.com, schoemanattorneys@gmail.com, scholtzrg@gmail.com, School@yahoo.de, sclsis@hotmail.com, scmibs@hotmail.com, sconature@gmail.com, sconejumpclub@hotmail.com, scordony@hotmail.com, SCOssiya@hotmail.com, scott_lee2000@yahoo.com, scottadamslv@gmail.com, scottandersonelectrical@gmail.com, scottandersonelectrical@gmail.co, scottdishner@gmail.com, scottjohn06@hotmail.com

↧

Rich and Famous

May 12, 2017, 5:36 am

≫ Next: (no subject)

≪ Previous: Tammy Joorst (Email Leak)

JOIN THE GREAT ILLUMINATI BROTHER HOOD TODAY AND LIVE A BETTER AND HAPPY LIFE. WELCOME TO THE GREAT TEMPLE OF RICHES AND FAME. Are you a business, Man, politician, musical, student and you. want to be rich, powerful and be famous in life. You can achieve your dreams by being a member of the Great illuminati brother hood. With this all your dreams and heart desire can be fully accomplish, if you really want to be a member of the great illuminati brother hood, contact the Lord illuminati now, Note: newly recruited members are entitled with 100 thousand US Dollars , A Golden Ring, that will protect and guild you from enemies, and a free visa to United State Of America . Please will do not share blood. Do not miss this opportunity. Call Jack lord Now . ¡¡¡ +19066620480. Or email now on: illuminatitemple792@gmail.com

Email analysis :

NOTE : illuminatitemple792@gmail.com
NOTE : gcdash@nitrkl.ac.in
NOTE : X-Originating-Ip : [172.16.0.20]
NOTE : Received : from zmbox2.nitrkl.ac.in
NOTE : (zmbox2.nitrkl.ac.in [172.16.0.24])
NOTE : X-Mailer : Zimbra 8.6.0_GA_1194 (zclient/8.6.0_GA_1194)
NOTE : Received : from mailhost2.nitrkl.ac.in (saraswati.nitrkl.ac.in. [27.48.137.18]

↧

(no subject)

May 12, 2017, 5:50 am

≫ Next: Update Your Account Information Now !! (PayPal Phishing Attempt)

≪ Previous: Rich and Famous

السلام عليكم انا مدام نادية محمد اريد منك ان تساعدنى لاننى لدى مشروع اريد ان اعرضه اليك لذا ارجو منك التواصل معى على هذا الايميل

nadia55mohammed@gmail.com

Translation :

Salam alaikum. I am Madame Nadia Mohamed. I want you to help me because I have a project I want to introduce to you so I hope you can contact me on this email

Nadia55mohammed@gmail.com

Email analysis :

NOTE : nadia55mohammed@gmail.com
NOTE : ib@caucasus.net
NOTE : Received : from webmail.caucasus.net
NOTE : (unknown [213.157.215.234])

NOTE : by mail.caucasus.net (Postfix)

↧

Update Your Account Information Now !! (PayPal Phishing Attempt)

May 12, 2017, 6:39 am

≫ Next: Need mnoey?Eaarn 50.000 per moonth.

≪ Previous: (no subject)

PayPal

Warning : Account Issue !
Your account is limited untill you update your information because some one requested acces to your account, here is the infos :
Location : Russia
IP adress : 176.96.80.140
Navigator : Mozilla Firefox 48.0 on Windows
The restore the access to your account please click on the link below :

Update My Account

This is an email sent automatically. Please do not reply to this letter, because the e-mail address is only configured to send but not to receive e-mails.
Copyright © 2017 All rights reserved.

Phishing screenshot :

Email analysis :

NOTE : morag@g-p-t.co.uk
NOTE : Received : from RDT.spectra.local (unknown [80.229.37.167])

NOTE : by cust-smtp-auth2.fasthosts.net.uk (Postfix)
NOTE : client-ip=213.171.216.60;

Phishing analysis :

CLICK : Update my Account
OPEN : http://sadagatismayilova.com/update-your-account-information-now/myaccount/
SCREENSHOT :

NOTE : Phishing was removed.

↧

Need mnoey?Eaarn 50.000 per moonth.

May 12, 2017, 11:04 pm

≫ Next: Notification de la dette (Phishing Banque de France)

≪ Previous: Update Your Account Information Now !! (PayPal Phishing Attempt)

###MAKE MONEY ON1|NE###
===EAARN 50.000 PER MONNTH===
1.You need 0nly email to regisster
2.Fluly automattic sytsem!NOTHING TO DO...
3.@bs0lutely passvie inc0me
http://www.wildstonesolution.com/wp-content/plugins/wordpress-seo/vendor/xrstf/composer-php52/lib/5bc10d79da.html

The title of the scam can also be : Need mooney?Eran 50.000 per moonth. with a different content

###MAAKE MONNEY ONLLNE###
===EAARN 50.000 PER MONTH===
1.You neeed only emmail to reg|$ter
2.Fuliy automatic ssytem!NOTHING TO DO...
3.Absolute1y passive lnc0me
http://www.ieee-papers.com/wp-content/themes/twentyseventeen/2159b211e2.html

Email analysis :

NOTE : mhurdsj@excite.it
NOTE : gfgrimaud@tjb-barre.com
NOTE : 202.150.50.14

NOTE : 113.186.177.167

Phishing analysis :

CLICK : http://www.wildstonesolution.com/wp-content/plugins/wordpress-seo/vendor/xrstf/composer-php52/lib/5bc10d79da.html
Result : Redirect to Google, the phishing was removed...

CLICK : http://www.ieee-papers.com/wp-content/themes/twentyseventeen/2159b211e2.html
RESULT : Redirect to Google, the phishing was removed

NOTE : Two wordpress websites were compromised to do this phishing.

↧

Notification de la dette (Phishing Banque de France)

May 13, 2017, 12:13 am

≫ Next: Report-ID: *@* 21/04/2017 (Phishing attempt)

≪ Previous: Need mnoey?Eaarn 50.000 per moonth.

Vous avez les dettes.
Vous pouvez télécharger plus d'informations sur ce LIEN

Si vous avez des questions vous pouvez appeler les numéros indiqués sur notre site

Merci d'avance,

Sacha Pierre
Spécialiste responsable de la clientèle
BANQUE DE FRANCE
Tél.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : banque@banque-france.fr
NOTE : gvbev@fulda170.server4you.de
NOTE : client-ip=62.75.219.171;

NOTE : LINK : http://ascomnotizie.confcommerciocremona.it/edizioni/2013/Settembre/mp3/config/page5.html
NOTE : Download a virus "facture.zip" then redirect to the Banque de France.
NOTE : https://www.banque-france.fr/

The title of the phishing can also be "L\\\'avis de Banque de France sur facturation" with a different content :

Bonjour!

Vous avez reçu une nouvelle facture
La facture à payer peut être consultée sur ce LIEN

Si vous avez des questions vous pouvez nous appeler.

Veuillez d\\\'agréer les salutations distinguées,

Patrice Salmon
Spécialiste responsable de la clientèle
BANQUE DE FRANCE
Tél.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : infos@banque-france.fr
NOTE : www-data@vs186078.vserver.de
NOTE : Received : from www-data by vs186078.vserver.de

NOTE : LINK : http://deko-studio.ru/templates/jblank/html/com_contact/categories/content2.html
NOTE : Phishing is unresponsive.

The title of the phishing can also be "Notification du paiement" with a different content :

Cher client!

Nous vous informons sur la dette existante
Vous pouvez télécharger plus d'informations sur ce LIEN

Si vous avez des questions vous pouvez nous appeler.

Meilleurs vœux,

Aubin Pascal
Spécialiste responsable de la clientèle
BANQUE DE FRANCE

Email analysis :

NOTE : apache@vps11617909.123-vps.co.uk
NOTE : Received : by vps11617909.123-vps.co.uk

NOTE : LINK : http://rolkatravel.ru/includes/Archive/content2.html
NOTE : Redirect to another phishing then Banque de France

The title of the phishing can also be "Rappel de dette" with a different content :

Vous avez reçu la facture de la société Banque de France
Vous pouvez télécharger plus d'informations sur ce LIEN

Si vous avez des questions vous pouvez nous appeler

Meilleurs vœux!

Samy Bouchet
Spécialiste principal responsable de la clientèle
BANQUE DE FRANCE

Email analysis :

NOTE : commercial@banque-france.fr
NOTE : webmaster@missdress.ru
NOTE : Received : from www-data by webs3.ru
NOTE : LINK : http://купить-дом-в-испании.рф/wp-admin/css/colors/blue/content2.html
NOTE : Phishing was removed.

The title of the phishing can also be "Vous avez les dettes" with a different content :

Vous avez les dettes.
Vous pouvez télécharger plus d'informations sur ce LIEN

Si vous avez des questions vous pouvez appeler les numéros indiqués sur notre site

Merci d'avance!

Salomon Legros
Chef
BANQUE DE FRANCE
Tél.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : contact@banque-france.fr
NOTE : Received : by vps11617909.123-vps.co.uk

NOTE : LINK : http://smartfitness.com.ua/wp-content/themes/fitnesstheme/fontawesome/css/page6.html
NOTE : Redirect to the Banque de France.

Conclusion

Numerous phishing were removed, but I found one still active and I downloaded a virus called facture.zip

Open facture.zip

AegisLab : Troj.Script.Agent!c
Antiy-AVL : Trojan/Generic.ASVCS3S.3FA
Arcabit : JS:Trojan.Cryxos.725
Avast : Other:Malware-gen [Trj]
AVG : Script/Generic_c.NOE
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : JS:Trojan.Cryxos.725
Comodo : Heur.Dual.Extensions
Cyren : JS/Nemucod.EB1!Eldorado
DrWeb : Trojan.DownLoader24.57175
Emsisoft : JS:Trojan.Cryxos.725 (B)
ESET-NOD32 : JS/TrojanDownloader.Nemucod.CXN
F-Prot : JS/Nemucod.EB1!Eldorado
F-Secure : JS:Trojan.Cryxos.725
Fortinet : JS/Nemucod.CXN!tr
GData : JS:Trojan.Cryxos.725
Ikarus : Trojan-Downloader.JS.Nemucod
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan.Script.Agent.gen
Microsoft : TrojanDownloader:JS/Nemucod
eScan : JS:Trojan.Cryxos.725
Rising : Downloader.Nemucod!8.34 (cloud:EJcAeQsE3jG)
Sophos : Mal/DrodZp-A
Symantec : Trojan.Gen.NPE
Tencent : Js.Trojan-downloader.Nemucod.Gbr
TrendMicro-HouseCall : Suspicious_GEN.F47V0510
ZoneAlarm by Check Point : HEUR:Trojan.Script.Agent.gen

Source code of the virus :

https://pastebin.com/raw/VaBZWADT

↧

Report-ID: @ 21/04/2017 (Phishing attempt)

May 18, 2017, 4:15 am

≫ Next: Please recheck your delivery address USPS parcel 632063287

≪ Previous: Notification de la dette (Phishing Banque de France)

Dear Driver,

This is the automatic statement of the Parking Service.

Road cameras have recorded the limit exceeding of your vehicle. Therefore, you will have to pay the applicable fine.

--------------------------------------------------------------------------- ---
So as to successfully complete the payment, you will have to finalize the invoice on the official website.

Your Fine Invoice ID is VL05U

Please submit it here: pa rking-services.us

--------------------------------------------------------------------------- ---
Then, you will have all essential details to execute the payment.

You have one day to document the fine. Else, significant charges may apply.

Please do not reply to this message.

------
Kindest Regards,

Parking Service

Email analysis :

NOTE : oybi6@wwpinc.com
NOTE : User-Agent : Mozilla/5.0 (Windows; U; Windows NT 5.1;
NOTE : en-GB; rv:1.8.0.14) Gecko/20071210 Thunderbird/1.5.0.14
NOTE : client-ip=202.55.69.138;

Phishing analysis :

CLICK : pa rking-services.us
OPEN : http://www.wik.be/backend/modules/settings/c056bc1304.html
RESULT : Phishing attempt

↧

Please recheck your delivery address USPS parcel 632063287

May 18, 2017, 4:23 am

≫ Next: lovelykumah

≪ Previous: Report-ID: *@* 21/04/2017 (Phishing attempt)

Hello,

This is to confirm that your item has been shipped at Tue, 16 May 2017 10:49:00 -0700.

You can print the shipment label by clicking on the link.

information.doc

With sincere thanks.

Shanae Stovall - USPS Support Clerk.

Email analysis :

NOTE : fisou75@viajeseci.es
NOTE : Received : from viajeseci.es (unknown [222.222.219.154])

Phishing analysis :

CLICK : information.doc
OPEN : http://be-tiger.com/wp-content/sg.php
RESULT : Phishing was removed

↧

lovelykumah

May 18, 2017, 4:33 am

≫ Next: Congratulations! You've won ｣2,000,000! (Scam leak)

≪ Previous: Please recheck your delivery address USPS parcel 632063287

Hello Dear am well pleased to contact you here, i am female, please i will like you to mail me back so that i will send you my pictures and to discuss the confidential issue i have to discuss with you. please reply me back for more details,miss lovely my email(lovelykumah11@hotmail.com)

Email analysis :

NOTE : lovelykumah11@hotmail.com
NOTE : Received : from sonic.gate.mail.ne1.yahoo.com
NOTE : by sonic325.consmr.mail.gq1.yahoo.com
NOTE : client-ip=98.137.67.179;

↧

Congratulations! You've won ｣2,000,000! (Scam leak)

May 18, 2017, 5:06 am

≫ Next: PayPal Phishing

≪ Previous: lovelykumah

Your E-mail/Mobile Number has won £2,000,000 GBP in the Coca-Cola Promo,
To claim go to www.moboccolagify.com , click CLAIM enter Ref#: CC74117Q

Email analysis :

NOTE : ash0611jnag@gmail.com
NOTE : Received : from User (unknown [109.236.88.198])

NOTE : (Authenticated sender: admin@demo.pop-it.fr)
NOTE : by mail1.demo.pop-it.fr

Scam analysis :

CLICK : http://www.moboccolagify.com/
REDIRECTED : http://www.moboccolagify.com/cgi-sys/suspendedpage.cgi
RESULT : The scam was removed.

www.moboccolagify.com analysis :

Domain Name: moboccolagify.com
Registry Domain ID: 2099820320_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2017-05-11
Creation Date: 2017-02-22
Registrar Registration Expiration Date: 2018-02-22
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Reseller: QHOSTER.COM
Status: clientTransferProhibited
Registrant Name: Catherine Wosoh
Registrant Street: Bow Cottage, Robin Hood Ln, Wrightington
Registrant City: Appley Bridge
Registrant State/Province: Wigan
Registrant Postal Code: WN6 9QG
Registrant Country: GB
Registrant Phone: +44.02033897270
Registrant Email: xavierjapa147@gmail.com
Admin Name: Catherine Wosoh
Admin Street: Bow Cottage, Robin Hood Ln, Wrightington
Admin City: Appley Bridge
Admin State/Province: Wigan
Admin Postal Code: WN6 9QG
Admin Country: GB
Admin Phone: +44.02033897270
Admin Email: xavierjapa147@gmail.com
Registry Tech ID:
Tech Name: Catherine Wosoh
Tech Organization:
Tech Street: Bow Cottage, Robin Hood Ln, Wrightington
Tech City: Appley Bridge
Tech State/Province: Wigan
Tech Postal Code: WN6 9QG
Tech Country: GB
Tech Phone: +44.02033897270
Tech Email: xavierjapa147@gmail.com
Name Server: NS1.QHOSTER.NET
Name Server: NS2.QHOSTER.NET
Name Server: NS3.QHOSTER.NET
Name Server: NS4.QHOSTER.NET

xavierjapa147@gmail.com analysis :

xavierjapa147@gmail.com
Name Marianne Dillon
Address 4988 WORTH ST
City MILLINGTON
State MICHIGAN
Country US United States
Phone +1.9893251951
Fax +1.8017659400

List of domains registred by xavierjapa147@gmail.com :

newteamonli.com :

Registrant Name: MARIANNE DILLON
Registrant Organization:
Registrant Street: 4988 WORTH ST
Registrant City: MILLINGTON
Registrant State/Province: MICHIGAN
Registrant Postal Code: 48746
Registrant Country: US
Registrant Phone: +1.9893251951
Registrant Email: XAVIERJAPA147@GMAIL.COM

moboccolaltd.com :

Out

leekansoliccitor.com

Name: samuel buchman
Organization: buchman Inc
Mailing Address: 12927 288th St, Lindstrom 55045 US
Phone: +1.9706730990
Email:xavierjapa147@Gmail.com

Conclusion : Too much leakage to send a scam with no content...

↧

Latest Images