Phishing as a false mail host

From - Mon Dec 24 06:04:19 2018
X-Account-Key: account2
X-UIDL: 0006895e501fb806
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path:
Envelope-to: aboo@doctor.nl2k.ab.ca
Delivery-date: Mon, 24 Dec 2018 06:04:25 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.91 (FreeBSD))
    (envelope-from )
    id 1gbPuD-0007Lx-P3
    for aboo@doctor.nl2k.ab.ca; Mon, 24 Dec 2018 06:04:25 -0700
Resent-From: The Doctor
Resent-Date: Mon, 24 Dec 2018 06:04:25 -0700
Resent-Message-ID: <20181224130425.GB5777@doctor.nl2k.ab.ca>
Resent-To: See root
Received: from nya.nyamera.com ([162.144.69.227]:58997)
    by doctor.nl2k.ab.ca with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.91 (FreeBSD))
    (envelope-from )
    id 1gbNte-00055x-6x
    for root@nk.ca; Mon, 24 Dec 2018 03:56:01 -0700
Received: from [94.100.31.27] (port=53137 helo=len.co.id)
    by nya.nyamera.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.89_1)
    (envelope-from )
    id 1gbNt7-00088H-Rt
    for root@nk.ca; Mon, 24 Dec 2018 13:55:10 +0300
From: nk.ca
To: root@nk.ca
Subject: ATTENTION root@nk.ca
Date: 24 Dec 2018 02:55:09 -0800
Message-ID: <20181224025509.34A2F21E8524B780@len.co.id>
MIME-Version: 1.0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-OutGoing-Spam-Status: No, score=0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - nya.nyamera.com
X-AntiAbuse: Original Domain - nk.ca
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - len.co.id
X-Get-Message-Sender-Via: nya.nyamera.com: authenticated_id: info@chakasafaris.com
X-Authenticated-Sender: nya.nyamera.com: info@chakasafaris.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Spam_score: 5.3
X-Spam_score_int: 53
X-Spam_bar: +++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.

    Content preview: Hi root You have some undelivered incoming mails on root@nk.ca
    Follow below portal to prompt delivery to avoid being blocked from receiving
    mails.

    Content analysis details: (5.3 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.5 RCVD_IN_AHBL           RBL: AHBL: sender is listed in dnsbl.ahbl.org
                                [162.144.69.227 listed in dnsbl.ahbl.org]
     0.5 RCVD_IN_AHBL_PROXY     RBL: AHBL: Open Proxy server in
                                dnsbl.ahbl.org
     1.5 RCVD_IN_AHBL_SPAM      RBL: AHBL: Spam Source in dnsbl.ahbl.org
     0.0 RCVD_IN_AHBL_RTB       RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org
     0.5 RCVD_IN_AHBL_SMTP      RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org
     0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                                blocked. See
                                http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                for more information.
                                [URIs: nk.ca]
     0.2 MR_NOT_ATTRIBUTED_IP   Beta rule: an non-attributed IPv4 found in
                                headers
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
                                identical to background
     1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     0.0 SUBJ_ATTENTION         ATTENTION in Subject
Subject: {SPAM?} ATTENTION root@nk.ca

Hi root

You have some undelivered incoming mails on root@nk.ca

Follow below portal to prompt delivery to avoid being blocked from receiving mails.

Best Regard,
nk.ca Mail Servicee
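An added example (editor's code, not from this site) that walks the Received: chain of the message above and pulls out why the "nk.ca Mail Service" claim does not hold up: the message was handed to nya.nyamera.com over an authenticated session (Exim writes that as "esmtpsa") by the account info@chakasafaris.com, from a bare IP that announced itself as len.co.id, and nk.ca never appears anywhere in the relay path. SAMPLE holds the routing and identity headers copied from the message above; the page stripped the bracketed envelope addresses, so envelope-from is empty. The indicator names are the editor's own.

```python
"""Walk the Received: chain of the "nk.ca Mail Service" phish above.

Added example (editor's code, not from this site). SAMPLE holds the
routing and identity headers copied from the message above; the page
stripped the bracketed envelope addresses, so envelope-from is empty.
Indicator names are the editor's own.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the relevant headers of the message above, folded
# with tabs the way Exim writes them.
SAMPLE = """\
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.91 (FreeBSD))
\t(envelope-from )
\tid 1gbPuD-0007Lx-P3
\tfor aboo@doctor.nl2k.ab.ca; Mon, 24 Dec 2018 06:04:25 -0700
Received: from nya.nyamera.com ([162.144.69.227]:58997)
\tby doctor.nl2k.ab.ca with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
\t(Exim 4.91 (FreeBSD))
\t(envelope-from )
\tid 1gbNte-00055x-6x
\tfor root@nk.ca; Mon, 24 Dec 2018 03:56:01 -0700
Received: from [94.100.31.27] (port=53137 helo=len.co.id)
\tby nya.nyamera.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
\t(Exim 4.89_1)
\t(envelope-from )
\tid 1gbNt7-00088H-Rt
\tfor root@nk.ca; Mon, 24 Dec 2018 13:55:10 +0300
From: nk.ca
To: root@nk.ca
Subject: ATTENTION root@nk.ca
Message-ID: <20181224025509.34A2F21E8524B780@len.co.id>
X-Authenticated-Sender: nya.nyamera.com: info@chakasafaris.com

(body omitted)
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EMAIL = re.compile(r"[\w.+-]+@[\w.-]+")


def domain_of(addr):
    """Domain part of a mailbox; a bare domain such as 'nk.ca' comes back as is."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def in_domain(host, domain):
    return bool(host) and bool(domain) and (host == domain or host.endswith("." + domain))


def parse_received(value):
    """Split one Received: header into its from/by/with/for clauses."""
    v = " ".join(value.split())                      # unfold the header

    def grab(pattern):
        m = re.search(pattern, v)
        return m.group(1) if m else None

    ip = IPV4.search(v)
    return {
        "from": grab(r"^from (\S+)"),                # host as the relay saw it
        "ip": ip.group(1) if ip else None,
        "helo": grab(r"helo=([^\s)]+)"),             # name the client claimed
        "by": grab(r" by (\S+)"),
        "with": grab(r" with (\S+)"),                # Exim: esmtp, esmtps (TLS), esmtpa (auth), esmtpsa (both)
        "for": grab(r" for (\S+);"),
    }


def analyse(raw):
    msg = message_from_string(raw)
    # Each relay prepends its own Received: header, so the last one listed
    # is the origin; reverse into chronological order.
    hops = [parse_received(v) for v in msg.get_all("Received", [])][::-1]
    origin = hops[0] if hops else {}
    from_domain = domain_of(msg["From"])
    auth = EMAIL.search(msg.get("X-Authenticated-Sender", ""))
    auth_user = auth.group(0) if auth else None
    proto = origin.get("with") or ""
    helo = origin.get("helo") or ""
    indicators = []
    if from_domain and from_domain == domain_of(msg["To"]):
        indicators.append("from_claims_recipient_domain")
    if not any(in_domain(h[k], from_domain) for h in hops for k in ("from", "by")):
        indicators.append("claimed_domain_absent_from_relay_path")
    if proto.startswith("esmtp") and proto.endswith("a"):
        indicators.append("origin_is_authenticated_submission")
    if auth_user and domain_of(auth_user) != from_domain:
        indicators.append("authenticated_sender_domain_differs")
    if helo and not in_domain(helo, from_domain):
        indicators.append("origin_helo_differs")
    if (origin.get("from") or "").startswith("["):
        indicators.append("origin_is_ip_literal")
    return {"hops": hops, "origin": origin, "from_domain": from_domain,
            "authenticated_as": auth_user, "indicators": indicators}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for hop in result["hops"]:
        print("{from!s:>22} -> {by:<22} via {with}".format(**hop))
    print("authenticated as:", result["authenticated_as"])
    print("indicators:", ", ".join(result["indicators"]))
```

The combination is the signature of a hijacked hosting account: a client at an IP literal logs in to a shared server with someone else's credentials (X-Authenticated-Sender in an unrelated domain) and writes whatever it likes in From:. The abuse report therefore goes to the operator of nya.nyamera.com, whose own X-AntiAbuse headers name the authenticated account, not to the domain shown in From:, which is the victim's.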




More blackmail phish

From - Mon Dec 24 06:02:19 2018
X-Account-Key: account2
X-UIDL: 0006895b501fb806
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path:
Envelope-to: aboo@doctor.nl2k.ab.ca
Delivery-date: Mon, 24 Dec 2018 06:01:49 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.91 (FreeBSD))
    (envelope-from )
    id 1gbPrh-0005uF-NQ
    for aboo@doctor.nl2k.ab.ca; Mon, 24 Dec 2018 06:01:49 -0700
Resent-From: The Doctor
Resent-Date: Mon, 24 Dec 2018 06:01:49 -0700
Resent-Message-ID: <20181224130149.GA5777@doctor.nl2k.ab.ca>
Resent-To: See root
Received: from [37.106.122.235] (port=41255)
    by doctor.nl2k.ab.ca with esmtp (Exim 4.91 (FreeBSD))
    (envelope-from )
    id 1gbKHS-000InS-7F
    for root@nk.ca; Mon, 24 Dec 2018 00:04:17 -0700
Message-ID: <169842008122104909997516@uos.de>
From: "Security Team"
To: "lyndax69"
Subject: Frauders known your old password (lyndax69). Password must be changed.
Date: 24 Dec 2018 11:40:45 +0200
MIME-Version: 1.0
Content-type: text/plain;
    charset="ibm852"
Content-transfer-encoding: 8bit
X-Mailer: Kxovloio fusgwr
X-Spam_score: 5.7
X-Spam_score_int: 57
X-Spam_bar: +++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.

    Content preview: Hello! I have bad news for you. 19/09/2018 - on this day I
    hacked your OS and got full access to your account root@nk.ca On this day
    your account root@nk.ca has password: lyndax69 So, you can change the password,
    yes.. But my malware intercepts it every time.

    Content analysis details: (5.7 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                                blocked. See
                                http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                for more information.
                                [URIs: nk.ca]
     1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                                [37.106.122.235 listed in bb.barracudacentral.org]
     1.0 RCVD_IN_WSFF           RBL: Received via a relay in
                                will-spam-for-food.eu.org
                                [37.106.122.235 listed in will-spam-for-food.eu.org]
     1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                                https://senderscore.org/blacklistlookup/
                                [37.106.122.235 listed in bl.score.senderscore.com]
     0.2 MR_NOT_ATTRIBUTED_IP   Beta rule: an non-attributed IPv4 found in
                                headers
     0.3 LONGWORD               BODY: Uses overlong words
     1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
Subject: {SPAM?} Frauders known your old password (lyndax69). Password must be changed.

Hello!

I have bad news for you.
19/09/2018 - on this day I hacked your OS and got full access to your account root@nk.ca
On this day your account root@nk.ca has password: lyndax69

So, you can change the password, yes.. But my malware intercepts it every time.

How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.

I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!

And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!

I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $789 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!

Pay ONLY in Bitcoins!
My BTC wallet: 1J5SXcupgaq2tUas5S7wVtf7evJp6YC3LJ

You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy

For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.

After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".

I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (you yourself will see that this is impossible, the sender address is automatically generated)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.

P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
This is the word of honor hacker

I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.

Do not hold evil! I just do my job.
Good luck.





More blackmail phish

From - Sun Dec 23 18:32:59 2018
X-Account-Key: account2
X-UIDL: 00068944501fb806
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path:
Envelope-to: aboo@doctor.nl2k.ab.ca
Delivery-date: Sun, 23 Dec 2018 18:32:52 -0700
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.91 (FreeBSD))
    (envelope-from )
    id 1gbF6y-000A2p-Ce
    for aboo@doctor.nl2k.ab.ca; Sun, 23 Dec 2018 18:32:52 -0700
Resent-From: The Doctor
Resent-Date: Sun, 23 Dec 2018 18:32:52 -0700
Resent-Message-ID: <20181224013252.GA37389@doctor.nl2k.ab.ca>
Resent-To: See root
Received: from [111.3.111.213] (port=29837)
    by doctor.nl2k.ab.ca with esmtp (Exim 4.91 (FreeBSD))
    (envelope-from )
    id 1gbEwJ-0006wQ-GE
    for doctor@nk.ca; Sun, 23 Dec 2018 18:22:04 -0700
Message-ID: <5C20A51F.3010803@bellsoouth.net>
Date: Mon, 24 Dec 2018 16:21:35 +0700
From: "Security Team"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.12) Gecko/20100826 Thunderbird/3.0.7
MIME-Version: 1.0
To: "lyndax69"
Subject: Frauders known your old password (lyndax69). Password must be changed.
Content-Type: text/plain; charset=IBM852; format=flowed
Content-Transfer-Encoding: 8bit
X-Spam_score: 5.3
X-Spam_score_int: 53
X-Spam_bar: +++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.

    Content preview: Hello! I have bad news for you. 19/09/2018 - on this day I
    hacked your OS and got full access to your account doctor@nk.ca On this day
    your account doctor@nk.ca has password: lyndax69 So, you can change the password,
    yes.. But my malware intercepts it every time.

    Content analysis details: (5.3 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                                blocked. See
                                http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                for more information.
                                [URIs: nk.ca]
     1.5 RCVD_IN_CBL            RBL: Received via a relay in cbl.abuseat.org
                                [Blocked - see ]
     1.0 RCVD_IN_WSFF           RBL: Received via a relay in
                                will-spam-for-food.eu.org
                                [111.3.111.213 listed in will-spam-for-food.eu.org]
     0.2 MR_NOT_ATTRIBUTED_IP   Beta rule: an non-attributed IPv4 found in
                                headers
     0.0 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
     0.3 LONGWORD               BODY: Uses overlong words
     1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
     1.0 RCVD_IN_SORBS          No description available.
Subject: {SPAM?} Frauders known your old password (lyndax69). Password must be changed.

Hello!

I have bad news for you.
19/09/2018 - on this day I hacked your OS and got full access to your account doctor@nk.ca
On this day your account doctor@nk.ca has password: lyndax69

So, you can change the password, yes.. But my malware intercepts it every time.

How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.

I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!

And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!

I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $713 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!

Pay ONLY in Bitcoins!
My BTC wallet: 1J5SXcupgaq2tUas5S7wVtf7evJp6YC3LJ

You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy

For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.

After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".

I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (you yourself will see that this is impossible, the sender address is automatically generated)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.

P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
This is the word of honor hacker

I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.

Do not hold evil! I just do my job.
Good luck.





Blackmail Phish

Return-path:
Envelope-to: aboo@nk.ca
Delivery-date: Sun, 23 Dec 2018 14:14:07 -0700
Received: from 088156136229.dynamic-ra-04.vectranet.pl ([88.156.136.229]:26184)
    by doctor.nl2k.ab.ca with esmtp (Exim 4.91 (FreeBSD))
    (envelope-from )
    id 1gbB4H-000JFh-Kn
    for aboo@nk.ca; Sun, 23 Dec 2018 14:14:07 -0700
Message-ID: <5189404BB49882BF67AEA55A766C5189@539Y51AAX>
From: "Security Team"
To: "dogs"
Subject: Frauders known your old password (dogs). Password must be changed.
Date: 23 Dec 2018 22:06:40 +0000
MIME-Version: 1.0
Content-Type: text/plain;
    charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam_score: 15.2
X-Spam_score_int: 152
X-Spam_bar: +++++++++++++++
X-Spam_report: Spam detection software, running on the system "doctor.nl2k.ab.ca",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.

    Content preview: Hello! I have bad news for you. 19/09/2018 - on this day I
    hacked your OS and got full access to your account aboo@nk.ca On this day
    your account aboo@nk.ca has password: dogs So, you can change the password,
    yes.. But my malware intercepts it every time.

    Content analysis details: (15.2 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.5 RCVD_IN_AHBL           RBL: AHBL: sender is listed in dnsbl.ahbl.org
                                [88.156.136.229 listed in dnsbl.ahbl.org]
     0.0 RCVD_IN_AHBL_RTB       RBL: AHBL: Real-Time Blocked in dnsbl.ahbl.org
     0.5 RCVD_IN_AHBL_SMTP      RBL: AHBL: Open SMTP relay in dnsbl.ahbl.org
     1.5 RCVD_IN_AHBL_SPAM      RBL: AHBL: Spam Source in dnsbl.ahbl.org
     0.5 RCVD_IN_AHBL_PROXY     RBL: AHBL: Open Proxy server in
                                dnsbl.ahbl.org
     1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                                https://senderscore.org/blacklistlookup/
                                [88.156.136.229 listed in bl.score.senderscore.com]
     0.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP
                                address
                                [88.156.136.229 listed in dnsbl.sorbs.net]
     0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                                blocked. See
                                http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                for more information.
                                [URIs: nk.ca]
     0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
                                Generic rPTR
     0.3 LONGWORD               BODY: Uses overlong words
     1.0 ZMIde_OutlookExpress   Outlook Express should not be used anymore
     0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                                dynamic-looking rDNS
     2.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                                (FTSDMCXX/boundary variant) + direct-to-MX
     1.0 RCVD_IN_SORBS          No description available.
     1.0 RCVD_IN_DYNABLOCK      No description available.
     0.9 MIMEOLE_DIRECT_TO_MX   MIMEOLE + direct-to-MX
     3.1 DOS_OE_TO_MX           Delivered direct to MX with OE headers
Subject: {SPAM?} Frauders known your old password (dogs). Password must be changed.

Hello!

I have bad news for you.
19/09/2018 - on this day I hacked your OS and got full access to your account aboo@nk.ca
On this day your account aboo@nk.ca has password: dogs

So, you can change the password, yes.. But my malware intercepts it every time.

How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.

I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!

And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!

I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $748 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!

Pay ONLY in Bitcoins!
My BTC wallet: 1J5SXcupgaq2tUas5S7wVtf7evJp6YC3LJ

You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy

For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.

After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".

I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (you yourself will see that this is impossible, the sender address is automatically generated)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.

P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
This is the word of honor hacker

I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.

Do not hold evil! I just do my job.
Good luck.
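The three "Frauders known your old password" copies above (this one and the two posted before it) differ only in the recipient, the leaked password pasted into the subject, and the dollar figure; the Bitcoin wallet and the claimed 19/09/2018 "hack date" are fixed, and there is no proof of anything beyond a credential-dump line. The SpamAssassin scores (15.2, 5.7, 5.3) came almost entirely from header and relay rules, with the body contributing only LONGWORD, so a body-level indicator extractor is the more durable way to track the run. An added example, editor's code and not from this site: SAMPLES are excerpts of the three bodies above, base58check_ok is the standard Bitcoin address checksum (version byte, payload, four-byte double-SHA-256 tail) as written by the editor, and the campaign key is the editor's heuristic.

```python
"""Pull campaign indicators out of the "Frauders known your old
password" messages above.

Added example (editor's code, not from this site). SAMPLES are excerpts
of the three bodies shown above; base58check_ok is the standard Bitcoin
address checksum as implemented by the editor; the campaign key is the
editor's heuristic.
"""
import hashlib
import re

# Constructed samples: the lines carrying the variable and the fixed fields
# of each of the three copies above.
SAMPLES = [
    {"subject": "Frauders known your old password (lyndax69). Password must be changed.",
     "body": ("19/09/2018 - on this day I hacked your OS and got full access to your account root@nk.ca\n"
              "On this day your account root@nk.ca has password: lyndax69\n"
              "I think $789 is a very, very small amount for my silence.\n"
              "My BTC wallet: 1J5SXcupgaq2tUas5S7wVtf7evJp6YC3LJ\n")},
    {"subject": "Frauders known your old password (lyndax69). Password must be changed.",
     "body": ("19/09/2018 - on this day I hacked your OS and got full access to your account doctor@nk.ca\n"
              "On this day your account doctor@nk.ca has password: lyndax69\n"
              "I think $713 is a very, very small amount for my silence.\n"
              "My BTC wallet: 1J5SXcupgaq2tUas5S7wVtf7evJp6YC3LJ\n")},
    {"subject": "Frauders known your old password (dogs). Password must be changed.",
     "body": ("19/09/2018 - on this day I hacked your OS and got full access to your account aboo@nk.ca\n"
              "On this day your account aboo@nk.ca has password: dogs\n"
              "I think $748 is a very, very small amount for my silence.\n"
              "My BTC wallet: 1J5SXcupgaq2tUas5S7wVtf7evJp6YC3LJ\n")},
]

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_RE = re.compile(r"\b([13][1-9A-HJ-NP-Za-km-z]{25,34})\b")      # legacy P2PKH/P2SH form
PASSWORD_RE = re.compile(r"password \(([^)]+)\)|has password: (\S+)")
AMOUNT_RE = re.compile(r"\$(\d+)")
DATE_RE = re.compile(r"\b(\d{2}/\d{2}/\d{4})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def base58check_ok(addr):
    """True if addr decodes to version || payload || sha256d(version || payload)[:4]."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:                       # '0', 'O', 'I' and 'l' are not in the alphabet
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))   # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:                    # 1 version + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def extract(sample):
    """Indicators from one message: what varies per victim and what does not."""
    text = sample["subject"] + "\n" + sample["body"]
    wallet = BTC_RE.search(text)
    pw = PASSWORD_RE.search(text)
    amount = AMOUNT_RE.search(text)
    date = DATE_RE.search(text)
    victim = EMAIL_RE.search(sample["body"])
    return {
        "victim": victim.group(0) if victim else None,
        "claimed_password": (pw.group(1) or pw.group(2)) if pw else None,
        "amount_usd": int(amount.group(1)) if amount else None,
        "claimed_hack_date": date.group(1) if date else None,
        "wallet": wallet.group(1) if wallet else None,
        "wallet_checksum_ok": base58check_ok(wallet.group(1)) if wallet else False,
    }


def cluster(samples):
    """Group messages by the fields that stay fixed across one template run."""
    groups = {}
    for s in samples:
        ioc = extract(s)
        groups.setdefault((ioc["wallet"], ioc["claimed_hack_date"]), []).append(ioc)
    return groups


if __name__ == "__main__":
    for key, members in cluster(SAMPLES).items():
        print("wallet %s, claimed date %s: %d messages" % (key[0], key[1], len(members)))
        for m in members:
            print("  %-14s password=%-10s amount=$%d checksum_ok=%s"
                  % (m["victim"], m["claimed_password"], m["amount_usd"], m["wallet_checksum_ok"]))
```

The checksum test matters in practice: a wallet string that fails base58check was mangled in transit (or by a copy-paste into a blog post) and is useless as an indicator, while one that passes can be looked up on any block explorer to see whether anybody paid. The password is the other field worth acting on, in the opposite direction: it tells the recipient which old credential dump the sender bought, and that is the credential to retire wherever it is still in use.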