Attempt to phish nk.ca accounts

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 29 Apr 2022 15:32:02 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nkYD1-0008dh-W7

for dave@doctor.nl2k.ab.ca;

Fri, 29 Apr 2022 15:31:28 -0600

Resent-From: The Doctor

Resent-Date: Fri, 29 Apr 2022 15:31:27 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [87.246.7.50] (port=57158 helo=nk.ca)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nkTNz-000CR1-CM

for sales@nk.ca;

Fri, 29 Apr 2022 10:22:31 -0600

From: Email Support

To: sales@nk.ca

Subject: WARNING : Activate sales@nk.ca

Date: 29 Apr 2022 09:21:59 -0700

Message-ID: <20220429092159.EB3D141BDE628B81@nk.ca>

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_0012_AC5A2FCF.ECEA7AC1"

X-Spam_score: 13.5

X-Spam_score_int: 135

X-Spam_bar: +++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Dear, sales Email ID: sales@nk.ca Please click the button

below to confirm your email address and activate your account to avoid loss

of your account.



Content analysis details: (13.5 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.

[87.246.7.50 listed in bb.barracudacentral.org]

0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=helo;id=nk.ca;ip=87.246.7.50;r=doctor.nl2k.ab.ca]

0.9 SPF_FAIL SPF: sender does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=noreply%40nk.ca;ip=87.246.7.50;r=doctor.nl2k.ab.ca]

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME

0.7 MPART_ALT_DIFF BODY: HTML and text parts are different

2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level

above 50%

[cf: 100]

0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

[cf: 100]

1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

1.4 FSL_BULK_SIG Bulk signature with no Unsubscribe

3.0 URI_FIREBASEAPP Link to hosted firebase web application,

possible phishing

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

0.0 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF

failed

Subject: {SPAM?} WARNING : Activate sales@nk.ca





------=_NextPart_000_0012_AC5A2FCF.ECEA7AC1

Content-Type: text/plain;

charset="utf-8"

Content-Transfer-Encoding: quoted-printable



Dear, sales

------=_NextPart_000_0012_AC5A2FCF.ECEA7AC1

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable








Email ID: sales@nk.ca

Please click the button below to confirm your =

email address and activate your account to avoid loss of your account.

href=3D"https://mik0495.web.app/01mik04953984.html#iuser=3Dsales@nk.ca=

" target=3D"_blank" rel=3D"noopener noreferrer">

-> Confirm sales@nk.ca Now <-

Helpful reminder: At any time, log into your account with your sales=

@nk.ca.






------=_NextPart_000_0012_AC5A2FCF.ECEA7AC1--

Sexual Blackmail phishing

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 29 Apr 2022 08:46:01 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nkRsK-0007MA-4b

for dave@doctor.nl2k.ab.ca;

Fri, 29 Apr 2022 08:45:40 -0600

Resent-From: The Doctor

Resent-Date: Fri, 29 Apr 2022 08:45:40 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [223.104.204.29] (port=9957)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nkRgY-0006Gd-DI

for doctor@nk.ca;

Fri, 29 Apr 2022 08:33:36 -0600

Message-ID: <08218A9DC2A336D5FC57401F7EEB0821@0VE1U34JT1>

From:

To:

Subject: Payment from your account.

Date: 30 Apr 2022 05:09:02 +0700

MIME-Version: 1.0

Content-Type: text/plain;

charset="ibm852"

Content-Transfer-Encoding: 8bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.2180

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

X-Spam_score: 17.1

X-Spam_score_int: 171

X-Spam_bar: +++++++++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: Greetings! I have to share bad news with you. Approximately

few months ago I have gained access to your devices, which you use for internet

browsing. After that, I have started tracking your internet activities.



Content analysis details: (17.1 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

0.0 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date

3.5 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam

(FTSDMCXX/boundary variant) + no rDNS

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

2.5 BITCOIN_XPRIO Bitcoin + priority

0.6 PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2

0.3 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam

(FTSDMCXX/boundary variant) + direct-to-MX

0.5 PDS_BTC_ID FP reduced Bitcoin ID

2.0 MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX

2.1 BITCOIN_MALWARE BitCoin + malware bragging

3.1 DOS_OE_TO_MX Delivered direct to MX with OE headers

0.2 MALWARE_NORDNS Malware bragging + no rDNS

1.0 BITCOIN_ONAN BitCoin + [censored]

Subject: {SPAM?} Payment from your account.



Greetings!



I have to share bad news with you.

Approximately few months ago I have gained access to your devices, which you use for internet browsing.

After that, I have started tracking your internet activities.



Here is the sequence of events:

Some time ago I have purchased access to email accounts from hackers (nowadays, it is quite simple to purchase such thing online).

Obviously, I have easily managed to log in to your email account (doctor@nk.ca).



One week later, I have already installed Trojan virus to Operating Systems of all the devices that you use to access your email.

In fact, it was not really hard at all (since you were following the links from your inbox emails).

All ingenious is simple. (^^)



This software provides me with access to all the controllers of your devices (e.g., your microphone, video camera and keyboard).

I have downloaded all your information, data, photos, web browsing history to my servers.

I have access to all your messengers, social networks, emails, chat history and contacts list.

My virus continuously refreshes the signatures (it is driver-based), and hence remains invisible for antivirus software.



Likewise, I guess by now you understand why I have stayed undetected until this letter...



While gathering information about you, I have discovered that you are a big fan of adult websites.

You really love visiting porn websites and watching exciting videos, while enduring an enormous amount of pleasure.

Well, I have managed to record a number of your dirty scenes and montaged a few videos, which show the way you masturbate and reach orgasms.



If you have doubts, I can make a few clicks of my mouse and all your videos will be shared to your friends, colleagues and relatives.

I have also no issue at all to make them available for public access.

I guess, you really don't want that to happen, considering the specificity of the videos you like to watch, (you perfectly know what I mean) it will cause a true catastrophe for you.



Let's settle it this way:

You transfer $1550 USD to me (in bitcoin equivalent according to the exchange rate at the moment of funds transfer), and once the transfer is received, I will delete all this dirty stuff right away.

After that we will forget about each other. I also promise to deactivate and delete all the harmful software from your devices. Trust me, I keep my word.



This is a fair deal and the price is quite low, considering that I have been checking out your profile and traffic for some time by now.

In case, if you don't know how to purchase and transfer the bitcoins - you can use any modern search engine.



Here is my bitcoin wallet: 1HPaBSaYhPRJpfpL7rN36fSWmv8YR6pgzs



You have less than 48 hours from the moment you opened this email (precisely 2 days).



Things you need to avoid from doing:

*Do not reply me (I have created this email inside your inbox and generated the return address).

*Do not try to contact police and other security services. In addition, forget about telling this to you friends. If I discover that (as you can see, it is really not so hard, considering that I control all your systems) - your video will be shared to public right away.

*Don't try to find me - it is absolutely pointless. All the cryptocurrency transactions are anonymous.

*Don't try to reinstall the OS on your devices or throw them away. It is pointless as well, since all the videos have already been saved at remote servers.



Things you don't need to worry about:

*That I won't be able to receive your funds transfer.

- Don't worry, I will see it right away, once you complete the transfer, since I continuously track all your activities (my trojan virus has got a remote-control feature, something like TeamViewer).

*That I will share your videos anyway after you complete the funds transfer.

- Trust me, I have no point to continue creating troubles in your life. If I really wanted that, I would do it long time ago!



Everything will be done in a fair manner!



One more thing... Don't get caught in similar kind of situations anymore in future!

My advice - keep changing all your passwords on a frequent basis



Blackmail phishing

Return-path:

Envelope-to: dave@doctor.nl2k.ab.ca

Delivery-date: Fri, 29 Apr 2022 07:30:00 -0600

Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nkQgE-000EHs-5v

for dave@doctor.nl2k.ab.ca;

Fri, 29 Apr 2022 07:29:06 -0600

Resent-From: The Doctor

Resent-Date: Fri, 29 Apr 2022 07:29:06 -0600

Resent-Message-ID:

Resent-To: Dave Yadallee

Received: from [160.154.162.97] (port=48207)

by doctor.nl2k.ab.ca with esmtp (Exim 4.95 (FreeBSD))

(envelope-from )

id 1nkPvy-000OJs-BT

for doctor@nl2k.ab.ca;

Fri, 29 Apr 2022 06:41:23 -0600

Message-ID: <626BDCD2.9070105@nl2k.ab.ca>

Date: Fri, 29 Apr 2022 11:40:50 -0100

From:

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.23) Gecko/20110922 Thunderbird/3.1.15

MIME-Version: 1.0

To:

Subject: =?UTF-8?B?RG8gWW91IERvIEFueSBvZiBUaGVzZSBFbWJhcnJhc3NpbmcgVGhpbmdzPw==?=

Content-Type: multipart/alternative;

boundary="------------030504020800080807010903"

X-Spam_score: 11.8

X-Spam_score_int: 118

X-Spam_bar: +++++++++++

X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",

has identified this incoming email as possible spam. The original

message has been attached to this so you can view it or label

similar future email. If you have any questions, see

@@CONTACT_ADDRESS@@ for details.



Content preview: I am sorry to inform you but your device was hacked. That's

what happened. I have used a Zero Click vulnerability with a special code

to hack your device through a website. A complicated software that requires

precise skills that I posess. This exploit [...]



Content analysis details: (11.8 points, 5.0 required)



pts rule name description

---- ---------------------- --------------------------------------------------

2.5 STOX_BOUND_090909_B No description available.

1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.

[160.154.162.97 listed in bb.barracudacentral.org]

1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL,

https://senderscore.org/blocklistlookup/

[160.154.162.97 listed in bl.score.senderscore.com]

1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,

https://senderscore.org/blacklistlookup/

0.9 SPF_FAIL SPF: sender does not match SPF record (fail)

[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=doctor%40nl2k.ab.ca;ip=160.154.162.97;r=doctor.nl2k.ab.ca]

0.0 HTML_MESSAGE BODY: HTML included in message

-0.0 T_SCC_BODY_TEXT_LINE No description available.

1.3 RDNS_NONE Delivered to internal network by a host with no rDNS

0.5 PDS_BTC_ID FP reduced Bitcoin ID

2.5 BITCOIN_SPAM_02 BitCoin spam pattern 02

Subject: {SPAM?} =?UTF-8?B?RG8gWW91IERvIEFueSBvZiBUaGVzZSBFbWJhcnJhc3NpbmcgVGhpbmdzPw==?=



This is a multi-part message in MIME format.

--------------030504020800080807010903

Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Content-Transfer-Encoding: quoted-printable



I am sorry to inform you but your device was hacked.



That's what happened. I have used a Zero Click vulnerability with a =

special code to hack your device through a website.

A complicated software that requires precise skills that I posess.

This exploit works in a chain with a specially crafted unique code and =

such type of an attack goes undetected.

You only had to visit a website to be infected, and unfortunately for =

you it's that simple for me.



You were not targeted, but just became one of the many unlucky people =

who got hacked through that webpage.

All of this happened in August. So I’ve had enough time to collect =

the information.



I think you already know what is going to happen next.

For a couple of month my software was quietly collecting information =

about your habits, websites you visit, websearches, texts you send.

There is more to it, but I have listed just a few reasons for you to =

understand how serious this is.



To be clear, my software controlled your camera and microphone as well.

It was just about right timing to get you privacy violated. I have made =

a few pornhub worthy videos with you as a lead actor.



I’ve been waiting enough and have decided that it’s time to =

put an end to this.

Here is my offer. Let’s name this a “consulting fee” I =

need to get, so I can delete the media content I have been collecting.

Your privacy stays untouched, if I get the payment.

Otherwise, I will leak the most damaging content to your contacts and =

post it to a public website for perverts to view.



You and I understand how damaging this will be to you, it's not that =

much money to keep your privacy.



I don’t care about you personally, that's why you can be sure that =

all files I have and software on your device will be deleted immediately =

after I receive the transfer.

I only care about getting paid.



My modest consulting fee is 1700 US Dollars to be transferred in =

Bitcoin. Exchange rate at the time of the transfer.

You need to send that amount to this wallet: =

1JwLUkacG322ARR8cSYGLQxnXh3EXZvXDF



The fee is non negotiable, to be transferred within 2 business days.



Obviously do not try to ask for help from the law enforcement unless you =

want your privacy to be violated.

I will monitor your every move until I get paid. If you keep your end of =

the agreement, you wont hear from me ever again.



Take care and have a good day.



--------------030504020800080807010903

Content-Type: text/html; charset="ISO-8859-1"

Content-Transfer-Encoding: quoted-printable




















--------------030504020800080807010903--