Metamask 2FA Phish from 199.189.225.245 cloudhost-11129388.us-midwest-2.nxcli.net Lansing Michigan
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Sun, 10 Mar 2024 23:20:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97.1 (FreeBSD))
(envelope-from)
id 1rjY4I-000000007lk-0HQC
for dave@doctor.nl2k.ab.ca;
Sun, 10 Mar 2024 23:19:22 -0600
Resent-From: The Doctor
Resent-Date: Sun, 10 Mar 2024 23:19:22 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from cloudhost-11129388.us-midwest-2.nxcli.net ([199.189.225.245]:44472)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.97.1 (FreeBSD))
(envelope-from)
id 1rjXCS-000000006Gs-2zoS
for sales@nk.ca;
Sun, 10 Mar 2024 22:23:48 -0600
Received: (qmail 3942 invoked by uid 10050); 11 Mar 2024 04:13:11 +0000
To: sales@nk.ca
Subject: Urgent Action Required: Enable 2FA for Your Account
X-PHP-Originating-Script: 10050:hrw.php(7) : eval()'d code
Date: Mon, 11 Mar 2024 04:09:37 +0000
From: =?UTF-8?B?TdC1dGFN0LBzaw==?=
Reply-To: metamask@2fa.eth
Message-ID: <9c58377b8e11e525a60044db470bfe24@2fa.eth>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="1f3cbd9ee032c872b72b36862cf675680"
Content-Transfer-Encoding: 8bit
X-Spam_score: 16.3
X-Spam_score_int: 163
X-Spam_bar: ++++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Account Security Notification body { font-family: 'Segoe
UI', Tahoma, Geneva, Verdana, sans-serif; background-color: #f5f5f5; margin:
0; padding: 0; } .container { max-width: 600px; margin: 20px auto; padding:
20px; background-color: #ffffff; box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
border-radius: 10px; }
Content analysis details: (16.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
domains are different
1.5 TVD_PH_SEC BODY: Message includes a phrase commonly used in phishing
mails
0.0 HTML_MESSAGE BODY: HTML included in message
0.7 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts
suspended", "account credited", "account
verification"
3.0 PHP_ORIG_SCRIPT_EVAL From suspicious PHP source
1.5 PDS_PHP_EVAL PHP header shows eval'd code
-0.0 T_SCC_BODY_TEXT_LINE No description available.
1.8 TVD_PH_BODY_META_ALL No description available.
0.9 URI_PHISH Phishing using web form
1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
Subject: {SPAM?} Urgent Action Required: Enable 2FA for Your Account
This is a multi-part message in MIME format.
--1f3cbd9ee032c872b72b36862cf675680
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Account Security Notification
body {
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #f5f5f5;
margin: 0;
padding: 0;
}
.container {
max-width: 600px;
margin: 20px auto;
padding: 20px;
background-color: #ffffff;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
border-radius: 10px;
}
img {
max-width: 100%;
height: auto;
display: block;
margin: 0 auto;
}
h1 {
text-align: center;
color: #007BFF;
margin-top: 20px;
}
p {
color: #333333;
line-height: 1.5;
margin-bottom: 15px;
text-align: left;
}
.cta-button {
display: block;
width: 100%;
max-width: 200px;
margin: 20px auto;
padding: 12px 20px;
font-size: 16px;
font-weight: bold;
text-align: center;
text-decoration: none;
background-color: #007BFF;
color: #ffffff;
border-radius: 5px;
}
.footer-text {
color: #808080;
font-size: 12px;
text-align: center;
margin-top: 20px;
}
Important Account Security Notification
We take your account security seriously. Our system has detected unusual activity, prompting us to temporarily disable access to your account.
Secure your account by activating Two-Factor Authentication (2FA) now:
Activate 2FA Now
If you have questions or need assistance, our dedicated support team is ready to help you.
Thank you for your swift attention to this matter.
Best regards,MetaMask Support
© 2024 MetaMask. All rights reserved. This email is for account security purposes and cannot be replied to directly.
--1f3cbd9ee032c872b72b36862cf675680
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
Account Security Notification
Activate 2FA Now
--1f3cbd9ee032c872b72b36862cf675680--
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Sun, 10 Mar 2024 23:20:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.97.1 (FreeBSD))
(envelope-from
id 1rjY4I-000000007lk-0HQC
for dave@doctor.nl2k.ab.ca;
Sun, 10 Mar 2024 23:19:22 -0600
Resent-From: The Doctor
Resent-Date: Sun, 10 Mar 2024 23:19:22 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from cloudhost-11129388.us-midwest-2.nxcli.net ([199.189.225.245]:44472)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.97.1 (FreeBSD))
(envelope-from
id 1rjXCS-000000006Gs-2zoS
for sales@nk.ca;
Sun, 10 Mar 2024 22:23:48 -0600
Received: (qmail 3942 invoked by uid 10050); 11 Mar 2024 04:13:11 +0000
To: sales@nk.ca
Subject: Urgent Action Required: Enable 2FA for Your Account
X-PHP-Originating-Script: 10050:hrw.php(7) : eval()'d code
Date: Mon, 11 Mar 2024 04:09:37 +0000
From: =?UTF-8?B?TdC1dGFN0LBzaw==?=
Reply-To: metamask@2fa.eth
Message-ID: <9c58377b8e11e525a60044db470bfe24@2fa.eth>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="1f3cbd9ee032c872b72b36862cf675680"
Content-Transfer-Encoding: 8bit
X-Spam_score: 16.3
X-Spam_score_int: 163
X-Spam_bar: ++++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Account Security Notification body { font-family: 'Segoe
UI', Tahoma, Geneva, Verdana, sans-serif; background-color: #f5f5f5; margin:
0; padding: 0; } .container { max-width: 600px; margin: 20px auto; padding:
20px; background-color: #ffffff; box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
border-radius: 10px; }
Content analysis details: (16.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
domains are different
1.5 TVD_PH_SEC BODY: Message includes a phrase commonly used in phishing
mails
0.0 HTML_MESSAGE BODY: HTML included in message
0.7 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
1.5 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts
suspended", "account credited", "account
verification"
3.0 PHP_ORIG_SCRIPT_EVAL From suspicious PHP source
1.5 PDS_PHP_EVAL PHP header shows eval'd code
-0.0 T_SCC_BODY_TEXT_LINE No description available.
1.8 TVD_PH_BODY_META_ALL No description available.
0.9 URI_PHISH Phishing using web form
1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
Subject: {SPAM?} Urgent Action Required: Enable 2FA for Your Account
This is a multi-part message in MIME format.
--1f3cbd9ee032c872b72b36862cf675680
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Account Security Notification
body {
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #f5f5f5;
margin: 0;
padding: 0;
}
.container {
max-width: 600px;
margin: 20px auto;
padding: 20px;
background-color: #ffffff;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
border-radius: 10px;
}
img {
max-width: 100%;
height: auto;
display: block;
margin: 0 auto;
}
h1 {
text-align: center;
color: #007BFF;
margin-top: 20px;
}
p {
color: #333333;
line-height: 1.5;
margin-bottom: 15px;
text-align: left;
}
.cta-button {
display: block;
width: 100%;
max-width: 200px;
margin: 20px auto;
padding: 12px 20px;
font-size: 16px;
font-weight: bold;
text-align: center;
text-decoration: none;
background-color: #007BFF;
color: #ffffff;
border-radius: 5px;
}
.footer-text {
color: #808080;
font-size: 12px;
text-align: center;
margin-top: 20px;
}
Important Account Security Notification
We take your account security seriously. Our system has detected unusual activity, prompting us to temporarily disable access to your account.
Secure your account by activating Two-Factor Authentication (2FA) now:
Activate 2FA Now
If you have questions or need assistance, our dedicated support team is ready to help you.
Thank you for your swift attention to this matter.
Best regards,MetaMask Support
© 2024 MetaMask. All rights reserved. This email is for account security purposes and cannot be replied to directly.
--1f3cbd9ee032c872b72b36862cf675680
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
Important Account Security Notification
We take your account security seriously. Our system has detected unusual activity, prompting us to temporarily disable access to your account.
Secure your account by activating Two-Factor Authentication (2FA) now:
Activate 2FA Now
If you have questions or need assistance, our dedicated support team is ready to help you.
Thank you for your swift attention to this matter.
Best regards,
MetaMask Support
--1f3cbd9ee032c872b72b36862cf675680--
Trackbacks
Trackback specific URI for this entryThis link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.
No Trackbacks
Comments
Display comments as Linear | ThreadedNo comments