Credit link phish from Amazon

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Thu, 18 Aug 2022 14:10:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
  (envelope-from )
  id 1oOlpU-000BEb-IX
  for dave@doctor.nl2k.ab.ca;
  Thu, 18 Aug 2022 14:09:24 -0600
Resent-From: The Doctor
Resent-Date: Thu, 18 Aug 2022 14:09:24 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from b224-14.smtp-out.eu-central-1.amazonses.com ([69.169.224.14]:45981)
  by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  (Exim 4.95 (FreeBSD))
  (envelope-from <01070182b16f64ac-c3b6d33d-8595-4be4-a04d-07e45e9ace04-000000@mailout-ses.dreimann.net>)
  id 1oOgrY-000JbX-HO
  for root@nk.ca;
  Thu, 18 Aug 2022 08:51:16 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
  s=hduf2vvbwixozlk4qcqaet765lv6bsqi; d=dreimann.net; t=1660834243;
  h=To:Date:From:Subject:Message-ID:MIME-Version:Content-Transfer-Encoding:Content-Type:List-ID;
  bh=We4AKjip1+N50Oy+IFJxmaV2ZerpePU+sojPEnOOYJM=;
  b=O6IVj4abWIxtgO34uJpVU30Q1HfmO0WHqS8pbZiWbxGxl9HBNgnz80uhQdx922v6
  OlHGgwwh0CVzedfa0+0BGzdyS5OmdGiJcx59fPUfBdkH1L/Hk8BCWzHU0Ir43k0p4Jg
  2VY6OSeAOq/llN8D2rfi8Uyhk3z7zEYxGgpMgjPrPs3e687+CVPnCZi9lJN6GBunsVt
  dgoUb+CXs1v+dL1Buv+9olorCUXR18VkDv506Y+JtRol4WdK6ptdOtuviRzJ+OjVZim
  HsxI4Hw+9e5oB+3RpZvdY7X25slnXgkSvaqZ+YvtDxGK4i5zrOznpjFNy0g8kanCf2r
  cts0TG4ChA==
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
  s=54ecsf3zk7z4mwxwwox7z7bg6e5gwjsz; d=amazonses.com; t=1660834243;
  h=To:Date:From:Subject:Message-ID:MIME-Version:Content-Transfer-Encoding:Content-Type:List-ID:Feedback-ID;
  bh=We4AKjip1+N50Oy+IFJxmaV2ZerpePU+sojPEnOOYJM=;
  b=AhMyYyQjhTG8qsi9s/Kd72f0F8HQeIRw9lBcgO8mZ3iXCHKQb2qkha8zMWoHSXBx
  L9Wg5sbzapga6QjP7pmcA7X/+aVDg2Yjt7rSd3S0T6+ULZS1ttNg4OMnpZ061laI+mV
  q3dUVFkHWUPzyNvZyTJ41wCV+GG3YuSMhGSlLqQc=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dreimann.net;
  s=mail2016021301; t=1660834241;
  h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
   to:to:cc:mime-version:mime-version:content-type:content-type:
   content-transfer-encoding:content-transfer-encoding:list-id;
  bh=We4AKjip1+N50Oy+IFJxmaV2ZerpePU+sojPEnOOYJM=;
  b=ABIsT/RnpswI9lghnqUG57coJyJwEO4WUvUqd0HFvu4Ba6ExaeZItWVo2OMXQg6ps4GP3X
  be2jrl41j3ELOQNXdtpgDfR2IIdls9D93y06EiaSefltE3b4qSs3/ZTTKn/v2t5AqQ/Kty
  U9xvFVwyOajYMIjWnyDqvm26ej8qug9dLtRyp46Gbfl3sO89lVgpbp2S8uJH3Ah5Ux3cZh
  MfA/8j3mnjLd2piWF0WAFyhPMYpHSwDzC4P4LiBrn3DS41oYLpcPOjYP3a8TOLD5uWPejc
  Udx7Htge/0e+GeZyD/8fBasK0zjJcAJEIhKXGLrP6FSmE5x4lSKnEFyG9Z2cfuoWsteeiD
  hNOGRKCqtbKdVoqVeeQqdmZAahFL1nWqCGkcTrMpTuc+m9LQ8E08vcsoD8UDw++kHQqAB5
  CbhBo5lENqEfbCVqR5mNf30zLPGAIuAJcIQXQUI8TqICkeB2NeeCxLaGcsg5UBkcAX9SDE
  F4fJMmdNyv44w3vUrF+rjU4TyEDI9dxaEnmFHUIZk7lDJe/qu0hgcjol2WwQPvk/xdnHWo
  pMnZfkH3nsDTrIFh2fxgazQw/NQyJJC/uvIUqD18t34Wnn7tGL6aJ37V8FKN/vxCpOnUq5
  JJcvXa9+swymO8SipcvpXJ6qGyV9umuIokB/+KuBnBq2sVv15v7lg=
To:
Date: Thu, 18 Aug 2022 14:50:43 +0000
From: "Credit Manager"
Subject: Copy of the contract.
Message-ID: <01070182b16f64ac-c3b6d33d-8595-4be4-a04d-07e45e9ace04-000000@eu-central-1.amazonses.com>
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
X-rpcampaign: 07730-(93662120
List-Issue: NO
List-ID: x_78759351:x_04909:personal:dreimann.net
Feedback-ID: 1.eu-central-1.ivh71NtaoJZZ1GljfwUMZ7/BYavLah20QgFqzcrMPjs=:AmazonSES
X-SES-Outgoing: 2022.08.18-69.169.224.14

QmVsb3cgdGhlIHNpZ25lZCBjcmVkaXQgZG9jdW1lbnRzLgpQbGVhc2UgY2hlY2sgeW91ciBkb2N1
bWVudCwgYWxsIGlzIHdlbGwKCmh0dHA6Ly9zaGFyZWRmaWxlLWlkMzM5NDI0OS40NzM4OTU4NzQ4
LWlkLmNsdWIvP2NhMTg9MTYzNmUyYjZlNjA0NDdmNmY2Mjc=
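The message above, run through a small triage script. This is an added example, not code from the page or from any of the parties named in the headers: it uses only the Python standard library to walk the Received chain in delivery order, list every DKIM signer (d= and s=), recover the envelope sender the receiving Exim recorded, decode the base64 body and pull out the lure URL. RAW_PHISH is the page's own message with the headers trimmed to the ones used here; the three DKIM b= values are truncated (nothing is verified cryptographically), and the From: address was already missing in the capture.

```python
"""Header and body triage for the 'Credit Manager' message above.
Added example; RAW_PHISH is the captured message, trimmed, with b= truncated."""
import email
import re

RAW_PHISH = b"""Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
  (envelope-from )
  id 1oOlpU-000BEb-IX
  for dave@doctor.nl2k.ab.ca;
  Thu, 18 Aug 2022 14:09:24 -0600
Received: from b224-14.smtp-out.eu-central-1.amazonses.com ([69.169.224.14]:45981)
  by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  (Exim 4.95 (FreeBSD))
  (envelope-from <01070182b16f64ac-c3b6d33d-8595-4be4-a04d-07e45e9ace04-000000@mailout-ses.dreimann.net>)
  id 1oOgrY-000JbX-HO
  for root@nk.ca;
  Thu, 18 Aug 2022 08:51:16 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
  s=hduf2vvbwixozlk4qcqaet765lv6bsqi; d=dreimann.net; t=1660834243;
  h=To:Date:From:Subject:Message-ID:MIME-Version:Content-Transfer-Encoding:Content-Type:List-ID;
  bh=We4AKjip1+N50Oy+IFJxmaV2ZerpePU+sojPEnOOYJM=; b=O6IVj4abWIxtgO34uJpVU30Q1Hfm(truncated)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
  s=54ecsf3zk7z4mwxwwox7z7bg6e5gwjsz; d=amazonses.com; t=1660834243;
  h=To:Date:From:Subject:Message-ID:MIME-Version:Content-Transfer-Encoding:Content-Type:List-ID:Feedback-ID;
  bh=We4AKjip1+N50Oy+IFJxmaV2ZerpePU+sojPEnOOYJM=; b=AhMyYyQjhTG8qsi9s/Kd72f0F8HQ(truncated)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dreimann.net;
  s=mail2016021301; t=1660834241;
  h=from:from:reply-to:subject:subject:date:date:message-id:message-id:to:to:cc:mime-version:mime-version:content-type:content-type:content-transfer-encoding:content-transfer-encoding:list-id;
  bh=We4AKjip1+N50Oy+IFJxmaV2ZerpePU+sojPEnOOYJM=; b=ABIsT/RnpswI9lghnqUG57coJyJw(truncated)
To:
Date: Thu, 18 Aug 2022 14:50:43 +0000
From: "Credit Manager"
Subject: Copy of the contract.
Message-ID: <01070182b16f64ac-c3b6d33d-8595-4be4-a04d-07e45e9ace04-000000@eu-central-1.amazonses.com>
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
List-ID: x_78759351:x_04909:personal:dreimann.net
Feedback-ID: 1.eu-central-1.ivh71NtaoJZZ1GljfwUMZ7/BYavLah20QgFqzcrMPjs=:AmazonSES
X-SES-Outgoing: 2022.08.18-69.169.224.14

QmVsb3cgdGhlIHNpZ25lZCBjcmVkaXQgZG9jdW1lbnRzLgpQbGVhc2UgY2hlY2sgeW91ciBkb2N1
bWVudCwgYWxsIGlzIHdlbGwKCmh0dHA6Ly9zaGFyZWRmaWxlLWlkMzM5NDI0OS40NzM4OTU4NzQ4
LWlkLmNsdWIvP2NhMTg9MTYzNmUyYjZlNjA0NDdmNmY2Mjc=
"""

# "from <host> ([<ip>]:port) by <host>": the ip group is optional so the local
# Exim hop ("from doctor by doctor.nl2k.ab.ca") parses too.
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(\[?([\d.]+)\]?[^)]*\))?\s+by\s+(\S+)")
URL_RE = re.compile(r"https?://[^\s<>\"'\]]+")


def _unfold(value):
    """Collapse RFC 5322 folding whitespace so the regexes see one line."""
    return re.sub(r"\s+", " ", value).strip()


def parse_hops(msg):
    """Received hops, earliest first, as (from_host, from_ip, by_host)."""
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(_unfold(received))
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    return hops


def parse_dkim(msg):
    """tag=value dict for each DKIM-Signature header, in header order."""
    sigs = []
    for sig in msg.get_all("DKIM-Signature", []):
        pairs = (kv.split("=", 1) for kv in _unfold(sig).split(";") if "=" in kv)
        sigs.append({k.strip(): v.strip() for k, v in pairs})
    return sigs


def envelope_from(msg):
    """Envelope sender as recorded by the first Received hop that kept it."""
    for received in msg.get_all("Received", []):
        m = re.search(r"envelope-from\s+<([^>]+)>", _unfold(received))
        if m:
            return m.group(1)
    return None


def triage(raw):
    msg = email.message_from_bytes(raw)
    # get_payload(decode=True) honours Content-Transfer-Encoding (base64 here).
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    return {
        "hops": parse_hops(msg),
        "dkim_signers": [(t.get("d"), t.get("s")) for t in parse_dkim(msg)],
        "envelope_from": envelope_from(msg),
        "header_from": msg.get("From"),
        "body": body,
        "urls": URL_RE.findall(body),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_PHISH).items():
        print(f"{key}: {value}")
```

What it shows on this message: the only external hop is b224-14.smtp-out.eu-central-1.amazonses.com (69.169.224.14); the envelope sender is at mailout-ses.dreimann.net; the signers are dreimann.net (twice, one SES-managed selector and one of its own) and amazonses.com once. So a passing DKIM result here vouches for an SES customer's domain, not for the "Credit Manager" the From line displays, and the body decodes to a two-line lure followed by a link on a .club host. Feedback-ID and X-SES-Outgoing are the headers that tie the message to the SES sending account when reporting it.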

Cryptocurrency spam from Amazon

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Sun, 07 Aug 2022 04:22:01 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
  (envelope-from )
  id 1oKdPh-000Ojs-Qp
  for dave@doctor.nl2k.ab.ca;
  Sun, 07 Aug 2022 04:21:41 -0600
Resent-From: The Doctor
Resent-Date: Sun, 7 Aug 2022 04:21:41 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from ec2-3-13-125-39.us-east-2.compute.amazonaws.com ([3.13.125.39]:56872)
  by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  (Exim 4.95 (FreeBSD))
  (envelope-from )
  id 1oKXPh-000GTC-6G
  for doctor@doctor.nl2k.ab.ca;
  Sat, 06 Aug 2022 21:57:22 -0600
Received: from lifewise by hosting.247webhostingservice.com with local (Exim 4.95)
  (envelope-from )
  id 1oKXPG-0001gO-3o
  for doctor@doctor.nl2k.ab.ca;
  Sat, 06 Aug 2022 23:56:50 -0400
To: doctor@doctor.nl2k.ab.ca
Subject: CRYPTOCURRENCY WILL MAKE YOU A MILLIONAIRE
X-PHP-Script: lifewiselearningcenter.com/index.php for 156.146.63.156
X-PHP-Originating-Script: 1028:PHPMailer.php
Date: Sun, 7 Aug 2022 03:56:50 +0000
From: EducationWP
Reply-To: admin@educationwp.thimpress.com
Message-ID:
X-Mailer: PHPMailer 6.6.0 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="b1_avqtgc8hYkFaIQtaGNs1KJFGAsLe1R7jBgLQgDuSVQ"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - hosting.247webhostingservice.com
X-AntiAbuse: Original Domain - doctor.nl2k.ab.ca
X-AntiAbuse: Originator/Caller UID/GID - [1028 993] / [47 12]
X-AntiAbuse: Sender Address Domain - hosting.247webhostingservice.com
X-Get-Message-Sender-Via: hosting.247webhostingservice.com: authenticated_id: lifewise/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: hosting.247webhostingservice.com: lifewise
X-Source:
X-Source-Args: php-fpm: pool lifewiselearningcenter_com
X-Source-Dir: lifewiselearningcenter.com:/public_html
X-Spam_score: 7.7
X-Spam_score_int: 77
X-Spam_bar: +++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
  has identified this incoming email as possible spam. The original
  message has been attached to this so you can view it or label
  similar future email. If you have any questions, see
  @@CONTACT_ADDRESS@@ for details.

  Content preview: Message Body: THE WORLD FINANCIAL CRISIS CAN MAKE YOU RICH!
  https://telegra.ph/Cryptocurrency-makes-people-millionaires-at-15-people-per-hour---Page-484685-08-02
  -- This e-mail was sent from a contact form on EducationWP (http://educationwp.thimpress.com/demo-el-3/)

  Content analysis details: (7.7 points, 5.0 required)

   pts rule name              description
  ---- ---------------------- --------------------------------------------------
   0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                              blocked. See
                              http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                              [URIs: thimpress.com]
   1.6 SUBJ_ALL_CAPS          Subject is all capitals
   0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
                              mail domains are different
  -0.0 SPF_PASS               SPF: sender matches SPF record
   0.0 HTML_MESSAGE           BODY: HTML included in message
   0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                              dynamic-looking rDNS
   2.5 PHP_SCRIPT             Sent by PHP script
   3.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP
                              addr 1)
Subject: {SPAM?} CRYPTOCURRENCY WILL MAKE YOU A MILLIONAIRE

This is a multi-part message in MIME format.

--b1_avqtgc8hYkFaIQtaGNs1KJFGAsLe1R7jBgLQgDuSVQ
Content-Type: text/plain; charset=us-ascii

Message Body:
THE WORLD FINANCIAL CRISIS CAN MAKE YOU RICH! https://telegra.ph/Cryptocurrency-makes-people-millionaires-at-15-people-per-hour---Page-484685-08-02

--
This e-mail was sent from a contact form on EducationWP (http://educationwp.thimpress.com/demo-el-3/)

--b1_avqtgc8hYkFaIQtaGNs1KJFGAsLe1R7jBgLQgDuSVQ
Content-Type: text/html; charset=us-ascii

Message Body:
THE WORLD FINANCIAL CRISIS CAN MAKE YOU RICH! https://telegra.ph/Cryptocurrency-makes-people-millionaires-at-15-people-per-hour---Page-484685-08-02

--
This e-mail was sent from a contact form on EducationWP (http://educationwp.thimpress.com/demo-el-3/)

--b1_avqtgc8hYkFaIQtaGNs1KJFGAsLe1R7jBgLQgDuSVQ--



Vulnerability spam from Amazon

Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Mon, 01 Aug 2022 14:39:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
  (envelope-from )
  id 1oIcBi-00071u-Uq
  for dave@doctor.nl2k.ab.ca;
  Mon, 01 Aug 2022 14:38:54 -0600
Resent-From: The Doctor
Resent-Date: Mon, 1 Aug 2022 14:38:54 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from e226-9.smtp-out.us-east-2.amazonses.com ([23.251.226.9]:48271)
  by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  (Exim 4.95 (FreeBSD))
  (envelope-from <010f01825a0cd5f5-a59725de-90cb-4078-be30-a60e0af58943-000000@us-east-2.amazonses.com>)
  id 1oIXT7-0001y2-2E
  for doctor@nk.ca;
  Mon, 01 Aug 2022 09:36:38 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
  s=ndjes4mrtuzus6qxu3frw3ubo3gpjndv; d=amazonses.com; t=1659368166;
  h=Subject:From:To:Reply-To:List-Unsubscribe:List-Unsubscribe-Post:List-Id:Feedback-ID:Message-ID:MIME-Version:Date:Content-Type;
  bh=Zj4vMzzTo8ILw2ATxWXbul4D+1i0/Hnif7WvHA+Q5CE=;
  b=Weu+N1XX79HuVqMmI+6OEyPc11LiQOH+pHo5BnxaZ25uRTi82RpfNO2lJ8qSO3L0
  6zzRUxL7fH2tvQAQJoBGcXX3HYE3eiLYA3h57U47LacxpE5s0xJF2TA9ULOlaJVZRhi
  FrnT7UX9WtQfg79mZm/+hwXo8GgC/VBWrQKCFaF8=
Subject: { Bug Report } Vulnerability - Failure to invalidate session on
  forget password link
From: Claire Ashton
To: "doctor@nk.ca"
Reply-To: Claire Ashton
List-Unsubscribe: ,
  Subscriber-Uid:om199trscnc1a - Unsubscribe request&body=Please unsubscribe
  me!>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Id: ze9586d69hb79
X-Report-Abuse: https://email.offensiveguards.io/latest/campaigns/sw152ng3xha7e/report-abuse/ze9586d69hb79/om199trscnc1a
X-EBS: https://email.offensiveguards.io/latest/lists/block-address
Feedback-ID: 1.us-east-2.BpxGxN9WUJ3M/MMsQjRMRMl6wUvhP63pKB5BthJ+hhA=:AmazonSES
Message-ID: <010f01825a0cd5f5-a59725de-90cb-4078-be30-a60e0af58943-000000@us-east-2.amazonses.com>
MIME-Version: 1.0
Date: Mon, 1 Aug 2022 15:36:06 +0000
Content-Type: multipart/alternative; boundary=UvMZjECZ
X-SES-Outgoing: 2022.08.01-23.251.226.9

--UvMZjECZ
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello doctor,

I hope you are well, as an independent security researcher I have
found some bugs/vulnerabilities in your website.

VULNERABILITY: Failure to invalidate session on forget password

I have observed that when we request a forgot password link it
updates the session instead of expiration. If an account is
logged in some account and the password reset link is used the
other account will get updated but not expired.

STEPS TO REPRODUCE:

1. Request a forgot password link.
2. Now login in another browser and then use the password reset link
in another browser.
3. You will notice that the password will be changed successfully
and the other browser will still be active with the account you opened
in it.

IMPACT:

If some account is logged in in some browser it will not
be logged out from that browser and will be logged in and can
be used for malicious activities.

RECOMMENDATIONS:

It should expire immediately when the password is changed.

Regards.

OffensiveGuards
5400 N Lakewood Ave
Chicago

If you want this vulnerability to be published on our blog for
educational purposes, then unsubscribe
[https://email.offensiveguards.io/latest/campaigns/sw152ng3xha7e/track-url/om199trscnc1a/b49a449cfdbcc030f109bef0a96a7f7cfab9503e]
or reply back to this email thank you.
--UvMZjECZ
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

{ Bug Report } Vulnerability - Failure to invalidate session on forget password link

Hello doctor,

I hope you are well, as an independent security researcher I have found some bugs/vulnerabilities in your website.

Vulnerability: Failure to invalidate session on forget password

I have observed that when we request a forgot password link it updates the session instead of expiration. If an account is logged in some account and the password reset link is used the other account will get updated but not expired.

Steps to reproduce:

1. Request a forgot password link.
2. Now login in another browser and then use the password reset link in another browser.
3. You will notice that the password will be changed successfully and the other browser will still be active with the account you opened in it.

Impact:

If some account is logged in in some browser it will not be logged out from that browser and will be logged in and can be used for malicious activities.

Recommendations:

It should expire immediately when the password is changed.

Regards.

OffensiveGuards
5400 N Lakewood Ave
Chicago

If you want this vulnerability to be published on our blog for educational purposes, then [link: https://email.offensiveguards.io/latest/campaigns/sw152ng3xha7e/track-url/om199trscnc1a/b49a449cfdbcc030f109bef0a96a7f7cfab9503e] unsubscribe or reply back to this email thank you.

[img: https://email.offensiveguards.io/latest/campaigns/sw152ng3xha7e/track-opening/om199trscnc1a alt=""]

--UvMZjECZ--
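The headers of the message above (campaign track-url and track-opening links, List-Unsubscribe, a list id) mark it as a bulk mailing rather than a finding made against this site, but the control it names, revoking existing sessions when a password is changed, is a real one. The following is an added example, not code from the page or from OffensiveGuards: an in-memory auth store in which `complete_reset(..., revoke_others=False)` behaves the way the message describes (the password changes, the other browser's session stays valid) and the default behaviour bumps a per-user session generation so every session issued before the reset stops validating. All names, the store layout and the sample user are this example's own.

```python
"""Password reset with and without revocation of the account's other sessions.
Added example; the store, names and sample user are constructed for it."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    session_generation: int = 0   # bumped on every password change


@dataclass
class Session:
    user: str
    generation: int               # the user's generation when this session was issued


class AuthStore:
    def __init__(self):
        self.users = {}
        self.sessions = {}
        self.reset_tokens = {}

    def create_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = User(salt, _hash(password, salt))

    def login(self, name, password):
        u = self.users[name]
        if not hmac.compare_digest(_hash(password, u.salt), u.pw_hash):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, u.session_generation)
        return token

    def is_valid(self, token):
        """A session is live only if it was issued under the user's current generation."""
        s = self.sessions.get(token)
        return s is not None and s.generation == self.users[s.user].session_generation

    def request_reset(self, name):
        """Step 1 of the message: the 'forgot password' link. Single use."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = name
        return token

    def complete_reset(self, reset_token, new_password, revoke_others=True):
        name = self.reset_tokens.pop(reset_token)   # KeyError if the link is replayed
        u = self.users[name]
        u.pw_hash = _hash(new_password, u.salt)
        if revoke_others:
            u.session_generation += 1               # every earlier session now fails is_valid()
        return self.login(name, new_password)       # fresh session for the resetting browser


def demo():
    """Replays the message's three steps against both behaviours."""
    store = AuthStore()
    store.create_user("doctor", "old password")
    other_browser = store.login("doctor", "old password")        # step 2: logged in elsewhere
    weak = store.complete_reset(store.request_reset("doctor"), "new password 1", revoke_others=False)
    other_alive_weak = store.is_valid(other_browser)            # step 3 of the message: still valid
    link = store.request_reset("doctor")
    hardened = store.complete_reset(link, "new password 2")
    other_alive_hardened = store.is_valid(other_browser)        # revoked
    try:
        store.complete_reset(link, "replayed")
        link_reusable = True
    except KeyError:
        link_reusable = False
    return {
        "other_session_survives_weak_reset": other_alive_weak,
        "other_session_survives_hardened_reset": other_alive_hardened,
        "weak_reset_session_still_valid": store.is_valid(weak),   # also revoked by the later reset
        "resetting_browser_valid": store.is_valid(hardened),
        "reset_link_reusable": link_reusable,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The generation counter is checked on every request, so revocation does not depend on being able to enumerate the user's sessions (useful when session state lives in a cache or is carried in a signed token that can embed the generation); the same bump also serves for an explicit "log out everywhere" action.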