NatWest phish from Godaddy Washington D.C.
Posted by Dave Yadallee on
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Tue, 01 Aug 2023 17:59:19 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.96 (FreeBSD))
(envelope-from
id 1qQzF2-000Hyt-0O
for dave@doctor.nl2k.ab.ca;
Tue, 01 Aug 2023 17:57:28 -0600
Resent-From: The Doctor
Resent-Date: Tue, 1 Aug 2023 17:57:28 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from [92.204.144.42] (port=41360 helo=ns1011157.ip-92-204-144.us)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.96 (FreeBSD))
(envelope-from
id 1qQy6s-0009Ow-0h
for doctor@nl2k.ab.ca;
Tue, 01 Aug 2023 16:45:09 -0600
Received: from [141.98.6.247] (port=49163 helo=WIN-HM6FI4VOIEP)
by ns1011157.ip-92-204-144.us with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.96)
(envelope-from
id 1qQy4e-00055J-24
for doctor@nl2k.ab.ca;
Wed, 02 Aug 2023 06:42:40 +0800
From: "NoReply@Services.Natwest.com"
Subject: IMPORTANT
To:
Content-Type: multipart/alternative; boundary="mOZOWBarAM=_kgwmKr6edkBaxLTv2pth9A"
MIME-Version: 1.0
Date: Tue, 1 Aug 2023 23:42:40 +0100
Message-Id: <202301082342391725E94FC4-8A4E931CA1@mail.com>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ns1011157.ip-92-204-144.us
X-AntiAbuse: Original Domain - nl2k.ab.ca
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - mail.com
X-Get-Message-Sender-Via: ns1011157.ip-92-204-144.us: authenticated_id: revamp@teaandcoffeedepot.com
X-Authenticated-Sender: ns1011157.ip-92-204-144.us: revamp@teaandcoffeedepot.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Spam_score: 14.8
X-Spam_score_int: 148
X-Spam_bar: ++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Dear Customer, We're now implementing our new login authentication
procedures in order to safeguard your account and financial assets against
unauthorised use at no cost. Part of these procedures will be the introdu
[...]
Content analysis details: (14.8 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [92.204.144.42 listed in bb.barracudacentral.org]
 2.6 RCVD_IN_SBL            RBL: Received via a relay in Spamhaus SBL
                            [141.98.6.247 listed in zen.spamhaus.org]
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 T_SPF_HELO_TEMPERROR   SPF: test of HELO record failed (temperror)
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            [no_reply(at)mail.com]
 1.5 TVD_PH_SEC             BODY: Message includes a phrase commonly used in phishing
                            mails
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_IMAGE_ONLY_32     BODY: HTML: images with 2800-3200 bytes of words
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.4 NAME_EMAIL_DIFF        Sender NAME is an unrelated email address
 1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts
                            suspended", "account credited", "account
                            verification"
-0.0 T_SCC_BODY_TEXT_LINE   No description available.
 0.7 PDS_FROM_2_EMAILS      From header has multiple different addresses
 1.2 FROM_MULTI_NORDNS      Multiple From addresses + no rDNS
 0.0 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
 3.0 HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
 0.0 SPOOFED_FREEMAIL       No description available.
Subject: {SPAM?} IMPORTANT
This is a multi-part message in MIME format
--mOZOWBarAM=_kgwmKr6edkBaxLTv2pth9A
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
=A0
Dear Customer,=A0
We're now implementing our new login authentication procedures in orde=
r to safeguard your account and financial assets against unauthorised =
use at no cost. Part of these procedures will be the introduction of o=
ur two step authentication system which will prevent access to your ac=
count by a third party.
As a security measures, we`ve temporarily restricted access to your ac=
count and certain features within our online banking system. Such as (=
Receive payments or Make payments) Due to this, we require you to comp=
lete our new account verification process. This will help us in safegu=
arding your account and financial assets from unrecognized access in f=
uture.
https://www.onpoint.mx/Sebastian/SoporTec5//database/security/css/
How does it work?
If we detect a sign in with your user name from an unrecognized device=
we may decide that we want to confirm that it's really you. You must =
complete all steps otherwise you will not be able to use the online se=
rvice until we have completed additional security checks.
Please note: Failure to comply with our account verification process m=
ay lead to temporary suspension of access to our online and telephone =
banking service.
We are here to assist you anytime. Your account security is our priori=
ty. Thank you for choosing NatWest.
Sincerely,
Chris Popple
NatWest Online and Mobile Banking Security Team
--mOZOWBarAM=_kgwmKr6edkBaxLTv2pth9A
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
[HTML alternative part: markup lost in extraction. It repeats the text/plain body above, links to https://www.onpoint.mx/Sebastian/SoporTec5//database/security/css/ and loads images from https://i.imgur.com/c2OCsqk.png and https://i.imgur.com/TZnl7bO.png]
--mOZOWBarAM=_kgwmKr6edkBaxLTv2pth9A--