
HACKER/PHISHING-ATTACK: hanscgroot@aim.com

10 Oct

WARNING: Phishing Email/Attacker/Hacker – This hacker has reports under Yahoo, AOL and other popular email websites. The real Yahoo Service would NEVER send emails like this and doesn’t ask for personal information or to click on links. They also don’t do lotteries of any kind.

UPDATE: On 11/23/12, I posted an Employment Scam (personal assistant) and after looking up information on that scammer, it not only pin-pointed Lagos, Nigeria as the location, but this phishing attacker scam continued to pop up in the search engines, which makes me believe there is some kind of relation. To view the Employment Scam click here.

Hacker’s information posted below:

Name: N/A (posting as Yahoo 2012)

Email: hanscgroot(at)aim.com (now why would Yahoo be using an ‘aim’ address to promote a Yahoo service?)

IP: 41.138.187.80 – X-Originating-IP: 205.188.58.1 – Received from: 172.29.51.138

Subject line: ACCOUNT TERMINATION

Email: Dear Yahoo! User,
Your E-mail account has exceeded its limit and needs to be verified, if not verified within 24 hours, we shall suspend your account. [Phishing site was here] to verify your email account now. Thank you for being a loyal Yahoo! Mail user Regards Yahoo! Account Service

Header:

Return-Path: <hanscgroot@aim.com>
X-YahooFilteredBulk: 205.188.58.1
Received-SPF: pass (domain of aim.com designates 205.188.58.1 as permitted sender)
X-Originating-IP: [205.188.58.1]
Authentication-Results: mta1247.mail.ac4.yahoo.com from=aim.com; domainkeys=neutral (no sig); from=mx.aol.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO oms-db01.r1000.mx.aol.com) (205.188.58.1) by mta1247.mail.ac4.yahoo.com with SMTP; Tue, 09 Oct 2012 15:53:57 -0700
Received: from mtaomg-da02.r1000.mx.aol.com (mtaomg-da02.r1000.mx.aol.com [172.29.51.138]) by oms-db01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 3BAEE1C00007A; Tue, 9 Oct 2012 18:53:49 -0400 (EDT)
Received: from core-msa003b.r1000.mail.aol.com (core-msa003.r1000.mail.aol.com [172.29.233.73]) by mtaomg-da02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id E6686E00008F; Tue, 9 Oct 2012 18:53:47 -0400 (EDT)
X-MB-Message-Source: WebUI
Subject: ACCOUNT TERMINATION
X-MB-Message-Type: User
MIME-Version: 1.0
From: Yahoo! Safety 2012 hanscgroot@aim.com
Content-Type: multipart/alternative; boundary=”——–MB_8CF7488138B9753_1B90_8A1BF_webmail-d041.sysops.aol.com”
X-Mailer: AOL Webmail 37058-STANDARD
Received: from 41.138.187.80 by webmail-d041.sysops.aol.com (205.188.181.84) with HTTP (WebMailUI); Tue, 09 Oct 2012 18:53:47 -0400
Message-Id: <8CF7488138935F1-1B90-261D9@webmail-d041.sysops.aol.com>
X-Originating-IP: [41.138.187.80]
Date: Tue, 9 Oct 2012 18:53:47 -0400 (EDT)
x-aol-global-disposition: S
X-SPAM-FLAG: YES
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20110426; t=1349823229; bh=zbZaNpxqM0rj4PGZbgVtMxM13Koe9LGyPUdKpRX+JKk=; h=From:Subject:Message-Id:Date:MIME-Version:Content-Type; b=lhYaeRDTuNvLYqvt5zSM9G8ZXo+TEdfAIjVkiblP9V6oPE6oze0CZ0aFIrGcni7Vo browcGX3cFXePQJpFDFylz5nbBvUyOYVvplAi9uLw5IHRYtnS8+oW8hv9+2/RK+oDd vmtSPx3lsot8Vi8T+s8v8yoZLC1m3oi6oNifDFeQ=
X-AOL-SCOLL-SCORE: 1:2:105769096:93952408
X-AOL-SCOLL-URL_COUNT: 2
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d338a5074aafb4348
Content-Length: 2303
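
The three addresses listed under "IP:" above play different roles in this header, and the display name claims Yahoo while the sender domain is aim.com. The following is an added example, not part of the original post, that checks both with Python's standard library on an abridged copy of the header; the `BRAND_DOMAINS` map and the function names are assumptions, and the angle brackets around the From address are restored.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the header quoted above. The angle brackets around the From
# address are restored as an assumption; the page's copy lost them.
RAW = """\
Received: from 127.0.0.1 (EHLO oms-db01.r1000.mx.aol.com) (205.188.58.1) by mta1247.mail.ac4.yahoo.com with SMTP; Tue, 09 Oct 2012 15:53:57 -0700
Received: from mtaomg-da02.r1000.mx.aol.com (mtaomg-da02.r1000.mx.aol.com [172.29.51.138]) by oms-db01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 3BAEE1C00007A; Tue, 9 Oct 2012 18:53:49 -0400 (EDT)
Subject: ACCOUNT TERMINATION
From: Yahoo! Safety 2012 <hanscgroot@aim.com>
Received: from 41.138.187.80 by webmail-d041.sysops.aol.com (205.188.181.84) with HTTP (WebMailUI); Tue, 09 Oct 2012 18:53:47 -0400
X-Originating-IP: [41.138.187.80]

"""

# Hypothetical brand -> legitimate sender domains map; extend for your own use.
BRAND_DOMAINS = {"yahoo": ("yahoo.com",)}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def brand_mismatch(msg):
    """Return (brand, sender_domain) when the display name claims a brand the domain does not match."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, good in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(domain == d or domain.endswith("." + d) for d in good):
            return brand, domain
    return None

def hop_addresses(msg):
    """Per Received header, top (latest) to bottom (earliest): list of (ip, is_public)."""
    hops = []
    for value in msg.get_all("Received", []):
        ips = []
        for text in IPV4.findall(value):
            try:
                ips.append((text, ipaddress.ip_address(text).is_global))
            except ValueError:  # dotted digits that are not a valid address
                pass
        hops.append(ips)
    return hops

def submission_ip(msg):
    """First public address in the earliest Received header: the client that handed the mail in."""
    hops = hop_addresses(msg)
    return next((ip for ip, public in (hops[-1] if hops else []) if public), None)

if __name__ == "__main__":
    m = message_from_string(RAW)
    print(brand_mismatch(m), submission_ip(m), hop_addresses(m))
```

On this header, 41.138.187.80 is the client that submitted the message through AOL webmail, 205.188.58.1 is the AOL relay that delivered it to Yahoo, and 172.29.51.138 is a private address inside AOL's network. Received lines are only as reliable as the server that wrote them, so read the chain from the top and stop trusting it at the first hop you do not recognise.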

Below are additional headers from emails sent by the same attacker. (to view the actual emails, scroll to the comments.)

Received: from anchor-post-3.mail.demon.net (anchor-post-3.mail.demon.net [195.173.77.134])
by mtain-dd01.r1000.mx.aol.com (Internet Inbound) with ESMTP id 9F93638000088;
Tue, 24 Jan 2012 07:25:51 -0500 (EST)
Received: from [62.49.15.17] (helo=athena.shepherdeurope.local)
by anchor-post-3.mail.demon.net with esmtp (Exim 4.69)
id 1RpfRe-0007WY-p7; Tue, 24 Jan 2012 12:25:50 +0000
Received: from User ([38.117.192.20]) by athena.shepherdeurope.local with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 24 Jan 2012 12:25:47 +0000
Reply-To:
From: “John Taylor”
Subject: APPLICATION NEEDED
Date: Tue, 24 Jan 2012 07:25:52 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset=”Windows-1251″
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
X-OriginalArrivalTime: 24 Jan 2012 12:25:47.0260 (UTC) FILETIME=[4CEDC3C0:01CCDA93]
x-aol-global-disposition: S
X-AOL-SCOLL-SCORE: 0:2:130702056:93952408
X-AOL-SCOLL-URL_COUNT: 0
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d408d4f1ea34f3c59
X-AOL-IP: 195.173.77.134
X-AOL-SPF:

__________

HEADER:

Delivered-To: *removed*@gmail.com
Received: by 10.143.66.11 with SMTP id t11cs90543wfk;
Fri, 27 Jan 2012 08:25:26 -0800 (PST)
Received: by 10.224.96.10 with SMTP id f10mr14678072qan.8.1327681516849;
Fri, 27 Jan 2012 08:25:16 -0800 (PST)
Return-Path:
Received: from mtaomg-da02.r1000.mx.aol.com (mtaomg-da02.r1000.mx.aol.com [172.29.51.138])
by oms-ma01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 602123803F37D
for ; Fri, 27 Jan 2012 05:42:34 -0500 (EST)
Received: from core-dga002a.r1000.mail.aol.com (core-dga002.r1000.mail.aol.com [172.29.229.5])
by mtaomg-da02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 12685E000091
for ; Fri, 27 Jan 2012 05:42:34 -0500 (EST)
From: jtaylorcode@aol.com
Full-name: jtaylorcode
Message-ID:
Date: Fri, 27 Jan 2012 05:42:34 -0500 (EST)
Subject: MYSTERY SHOPPER FIRST ASSIGNMENT INSTRUCTIONS(PLEASE REPLY)
To: *removed*@aol.com
MIME-Version: 1.0
Content-Type: multipart/ALTERNATIVE;
boundary=”—-=_Part_135714_1389870855.1327681516121″
X-Mailer: AOL 9.0 VR sub 134
X-Originating-IP: [41.155.42.70]
x-aol-global-disposition: S
X-SPAM-FLAG: YES
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
s=20110426; t=1327660954;
bh=MtW/XPW6VeyvBHn/rgvupRS/YY6wX2epZWMmBT54z0c=;
h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type;
b=LsgJDos+MqYwv/1jwBKEHibdWfaNgelkoVx3LfgjXudyW9BKgMqj38iLxcaj4mjMy
2U2hHqWzFs4VHW4XcoymhJJlEOk2i0huPFk5GA/21bs5ywhdhiOtHi7td+mhVpnRtW
UTDv9v8ae+iNOQ03Z4BmWqMcjdw7HhO5QmHUy7Dw=
X-AOL-SCOLL-SCORE: 1:2:388657600:93952408
X-AOL-SCOLL-URL_COUNT: 1
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d338a4f227f9a1aa8

__________

”Mr Mark Fisher”

Microsoft Sweepstakes Promotion Winner!!!
Wednesday, October 27, 2010 4:27 PM
From:
“Microsoft Sweepstakes Promotion”
IP:41.138.187.80

We are pleased to inform you of the release of the long awaited results of Sweepstakes promotion organized by Microsoft Corporations, in conjunction with the FOUNDATION FOR THE PROMOTION OF SOFTWARE (F.P.S.) held this October 2010, in London that attracted the sum of (550,000.00 GBP) and a Toshiba Laptop From the Microsoft Sweepstakes Promotion last draw held this October.Contact For Claims.

1. Full name…………..2. Contact
Address……..3.
Age……..Sex…………4. Telephone Number…..5.
Occupation………….6.Country…………….

(CONTACT MANAGER)
Mr. Mark Foster.
Email : redeemprize1010@live.co.uk

 


4 responses to “HACKER/PHISHING-ATTACK: hanscgroot@aim.com”

  1. ScammersExposed

    10/10/2012 at 06:59

    The hacker mentioned in this post is also a scammer under various identities. One of those is ”Mr Mark Fisher”

    Microsoft Sweepstakes Promotion Winner!!!
    Wednesday, October 27, 2010 4:27 PM
    From:
    “Microsoft Sweepstakes Promotion”
    IP:41.138.187.80

    We are pleased to inform you of the release of the long awaited results of Sweepstakes promotion organized by Microsoft Corporations, in conjunction with the FOUNDATION FOR THE PROMOTION OF SOFTWARE (F.P.S.) held this October 2010, in London that attracted the sum of (550,000.00 GBP) and a Toshiba Laptop From the Microsoft Sweepstakes Promotion last draw held this October.Contact For Claims.

    1. Full name…………..2. Contact
    Address……..3.
    Age……..Sex…………4. Telephone Number…..5.
    Occupation………….6.Country…………….

    (CONTACT MANAGER)
    Mr. Mark Foster.
    Email : redeemprize1010@live.co.uk

     
  2. ScammersExposed

    10/10/2012 at 07:05

    Jtaylorcode@aol.com is also the scammer/hacker in this post.
    Under this fake identity, Jtaylorcode is doing a ”Mystery Shopper Scam”

    Hello
    I am happy to inform you that the funds needed for the first
    assignment has been sent to your house address through united state
    postal service(USPS) ,You will receive the total payment of $1,900 You
    are to cash the money orders at
    your bank, deduct $200 as your own wages and you will have $1,700 left
    so I want you to proceed to any western union location around you and
    pretend like a
    customer to send $1,670 to the secret shopper via western union money
    transfer. The remaining $30 will be for the western union transfer
    charges .
    Here is the name below:

    FIRST NAME-ASUNI
    LAST NAME – IGBAGBOMI
    ADDRESS – 50 MOKOTURI AVENUE
    CITY- MANILA
    COUNTRY: PHILIPPHINES

    You are expected to secretly perform the following shopping operation:

    1. How fast and Efficient is the western union Money Transfer Service?
    2. How long does it take you to have the funds wired?
    3. How Close is the western union Money Transfer Location to your area?
    4. Is the Senders Request Form too short or Long?
    5. Is the neighboring environment safe for handling Money
    Transfer Service.
    6. What is the name of the Local western union Money Transfer Agent
    where you have the funds wired?
    7. General Comment ….
    You are expected to have this done today and email us back your results
    with the following information after you have the funds wired:

    1. Name and Address of Sender
    2. Money Transfer Control number(MTCN)
    3. Amount Wired

    I will be waiting to read from you ASAP with the requested transfer
    details.

    Regards
    Jtaylorcode@aol.com

    Email header details;

    Delivered-To: *removed*@gmail.com
    Received: by 10.143.66.11 with SMTP id t11cs90543wfk;
    Fri, 27 Jan 2012 08:25:26 -0800 (PST)
    Received: by 10.224.96.10 with SMTP id f10mr14678072qan.8.1327681516849;
    Fri, 27 Jan 2012 08:25:16 -0800 (PST)
    Return-Path:
    Received: from mtaomg-da02.r1000.mx.aol.com (mtaomg-da02.r1000.mx.aol.com [172.29.51.138])
    by oms-ma01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 602123803F37D
    for ; Fri, 27 Jan 2012 05:42:34 -0500 (EST)
    Received: from core-dga002a.r1000.mail.aol.com (core-dga002.r1000.mail.aol.com [172.29.229.5])
    by mtaomg-da02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 12685E000091
    for ; Fri, 27 Jan 2012 05:42:34 -0500 (EST)
    From: jtaylorcode@aol.com
    Full-name: jtaylorcode
    Message-ID:
    Date: Fri, 27 Jan 2012 05:42:34 -0500 (EST)
    Subject: MYSTERY SHOPPER FIRST ASSIGNMENT INSTRUCTIONS(PLEASE REPLY)
    To: *removed*@aol.com
    MIME-Version: 1.0
    Content-Type: multipart/ALTERNATIVE;
    boundary=”—-=_Part_135714_1389870855.1327681516121″
    X-Mailer: AOL 9.0 VR sub 134
    X-Originating-IP: [41.155.42.70]
    x-aol-global-disposition: S
    X-SPAM-FLAG: YES
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
    s=20110426; t=1327660954;
    bh=MtW/XPW6VeyvBHn/rgvupRS/YY6wX2epZWMmBT54z0c=;
    h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type;
    b=LsgJDos+MqYwv/1jwBKEHibdWfaNgelkoVx3LfgjXudyW9BKgMqj38iLxcaj4mjMy
    2U2hHqWzFs4VHW4XcoymhJJlEOk2i0huPFk5GA/21bs5ywhdhiOtHi7td+mhVpnRtW
    UTDv9v8ae+iNOQ03Z4BmWqMcjdw7HhO5QmHUy7Dw=
    X-AOL-SCOLL-SCORE: 1:2:388657600:93952408
    X-AOL-SCOLL-URL_COUNT: 1
    X-AOL-REROUTE: YES
    x-aol-sid: 3039ac1d338a4f227f9a1aa8

     
    • ScammersExposed

      10/10/2012 at 07:10

      Join our Shopper Force!

      Mystery shopping and merchandising provide a flexible way for individuals to
      earn extra money. A nationwide leader in mystery shopping and merchandising
      among top brands, Consumer FeedBack IINC is constantly looking for people just
      like you to be our eyes and ears in well-known stores, restaurants and banks.

      Mystery shopping, also known as secret shopping, and merchandising are fun and
      YOU can make a huge difference for future customers.

      As a mystery shopper you work and shop together for pleasure and the pay is
      between $200 to $300 on each assignment and its on part time basis, you only
      work 2-3hours twice in a week. If you are interested kindly send me your
      Name,Address In Full,Home and Cell number for assessment and registration to
      (jtaylorcode@aol.com).

      John Taylor
      Job Processing Unit.
      Consumer FeedBack, INC
      jtaylorcode@aol.com

      Email header details;

      Return-Path:
      Received: from anchor-post-3.mail.demon.net (anchor-post-3.mail.demon.net [195.173.77.134])
      by mtain-dd01.r1000.mx.aol.com (Internet Inbound) with ESMTP id 9F93638000088;
      Tue, 24 Jan 2012 07:25:51 -0500 (EST)
      Received: from [62.49.15.17] (helo=athena.shepherdeurope.local)
      by anchor-post-3.mail.demon.net with esmtp (Exim 4.69)
      id 1RpfRe-0007WY-p7; Tue, 24 Jan 2012 12:25:50 +0000
      Received: from User ([38.117.192.20]) by athena.shepherdeurope.local with Microsoft SMTPSVC(6.0.3790.4675);
      Tue, 24 Jan 2012 12:25:47 +0000
      Reply-To:
      From: “John Taylor”
      Subject: APPLICATION NEEDED
      Date: Tue, 24 Jan 2012 07:25:52 -0500
      MIME-Version: 1.0
      Content-Type: text/plain;
      charset=”Windows-1251″
      Content-Transfer-Encoding: 7bit
      X-Priority: 3
      X-MSMail-Priority: Normal
      X-Mailer: Microsoft Outlook Express 6.00.2600.0000
      X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
      Message-ID:
      X-OriginalArrivalTime: 24 Jan 2012 12:25:47.0260 (UTC) FILETIME=[4CEDC3C0:01CCDA93]
      x-aol-global-disposition: S
      X-AOL-SCOLL-SCORE: 0:2:130702056:93952408
      X-AOL-SCOLL-URL_COUNT: 0
      X-AOL-REROUTE: YES
      x-aol-sid: 3039ac1d408d4f1ea34f3c59
      X-AOL-IP: 195.173.77.134
      X-AOL-SPF: domain : aol.com SPF : neutral

       
