
“brenda484@gmail.com”

27 Nov

PHISHING ATTACK / SCAM

Don’t click on any email links from unknown people. I received a phishing email from brenda484@gmail.com on Nov 27, 2012, and have now received another email, sent in a different language, from this same scammer under different email addresses and IPs. The return-path is still brenda484@gmail.com.

12/16/12 UPDATE: The scammer using the email Brenda484@gmail.com sent me yet another phishing scam, in a different language. The new information is under “บีซี อีเว้นท์” bc_events@game.co.uk AND bc_event@truemail.co.th

RETURN PATH – “บีซี อีเว้นท์” <brenda484@gmail.com>

EMAIL (translated from Thai): For details, contact 085-1109502 Khun Fon, 086-6030111 Khun Pingpong, 081-5640074 Khun Ked

or click to view details at http://www.bceventrentals.com
We apologize if this email disturbs you.

HEADER:

Return-Path: <bc_events@game.co.uk>
X-YahooFilteredBulk: 203.144.222.231
Received-SPF: fail (domain of game.co.uk does not designate 203.144.222.231 as permitted sender)
X-Originating-IP: [203.144.222.231]
Authentication-Results: mta1235.mail.mud.yahoo.com from=game.co.uk; domainkeys=neutral (no sig); from=game.co.uk; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO mail.asianet.co.th) (203.144.222.231) by mta1235.mail.mud.yahoo.com with SMTP; Sun, 16 Dec 2012 04:17:43 +0000
Received: from irgb6.truemail.co.th ([203.144.173.222]) (envelope-sender <bc_events@game.co.uk>) by mail3.asianet.co.th (qmail-ldap-1.03) with SMTP for <dhl_compay@yahoo.com>; 16 Dec 2012 11:17:41 +0700
Message-Id: <1f5e00$ktqc5s@irp3auth.truemail.co.th>
X-Auth-ID: bc_event@truemail.co.th
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: At8PAGZKzVBuqH3V/2dsb2JhbABFgkkJAoNnpWWRORpfF3OCLRsDAQYcDSYKCwEGCzMCBBcgExEeiAcNjhuMJI5RkXUCjFWDMA2BBgMEiFuOR4QkiwiCfw
X-IronPort-AV: E=Sophos;i="4.84,291,1355072400"; d="scan'208,217";a="702361794"
Received: from ppp-110-168-125-213.revip5.asianet.co.th (HELO Automail04-PC) ([110.168.125.213]) by irp3auth.truemail.co.th with ESMTP; 16 Dec 2012 11:17:40 +0700
MIME-Version: 1.0
Errors-To: notification+zj4ocjc=oycyha@facebookmail.com
X-Mailer: Microsoft Office Outlook 12.0
From: =?utf-8?B?4Lia4Li14LiL4Li1IOC4reC4teC5gOC4p+C5ieC4meC4l+C5jA==?= <bc_events@game.co.uk>
To: =?utf-8?B?4Lia4Li14LiL4Li1IOC4reC4teC5gOC4p+C5ieC4meC4l+C5jA==?= <brenda484@gmail.com>
Date: 16 Dec 2012 11:17:45 +0700
Subject: =?utf-8?B?4LmD4Lir4Lih4LmI4LiW4Li54LiB4LiB4Lin4LmI4LiyIOC5gOC4geC4oeC4quC5jOC4leC4ueC5ieC4q+C4ouC4reC4lOC5gOC4q+C4o+C4teC4ouC4jS4uLi4u?=

203.144.173.222 << 110.168.125.213

From =?utf-8?B?4Lia4Li14LiL4Li1IOC4reC4teC5gOC4p+C5ieC4meC4l+C5jA==?= Sat Dec 15 20:17:45 2012

___________________________________________-

FIRST EMAIL (BELOW) SENT ON NOV. 27, 2012

the email says:

SUBJECT: Hey sexy

EMAIL: hiya sweety im on live in 2 mins hurry

A link which says “Check it out” is also posted in the email, but when I put the arrow over the link, the URL 44744(dot)MOORI.com pops up in the left-hand corner.

HEADER:

Return-Path: <brenda484@gmail.com>
X-YahooFilteredBulk: 80.146.246.58
Received-SPF: neutral (80.146.246.58 is neither permitted nor denied by domain of gmail.com)
X-Originating-IP: [80.146.246.58]
Authentication-Results: mta1006.mail.bf1.yahoo.com from=; domainkeys=neutral (no sig); from=gmail.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO rstbarracuda.rst.de) (80.146.246.58) by mta1006.mail.bf1.yahoo.com with SMTP; Mon, 26 Nov 2012 20:45:43 -0800
X-ASG-Debug-ID: 1353990575-0cf27fad0001-SjFj3c
Received: from web7.rst.de (barracuda.rst.de [80.146.246.58]) by rstbarracuda.rst.de with ESMTP id 3fwwmGkzjEJ9rLCW for <porkyexposed@yahoo.com>; Tue, 27 Nov 2012 05:29:35 +0100 (CET)
X-Barracuda-Envelope-From: brenda484@gmail.com
X-Barracuda-Apparent-Source-IP: 80.146.246.58
Received: from localhost (localhost [127.0.0.1]) by web7.rst.de (8.14.3/8.14.3/SuSE Linux 0.8) with ESMTP id qAR4TcVd010064 for <porkyexposed@yahoo.com>; Tue, 27 Nov 2012 05:29:38 +0100
MIME-Version: 1.0
X-Mailer: AtMail PHP 5.06
Message-ID: <65131.1353990578@hochrhein.de>
To: deleted@yahoo.com
Reply-To: brenda484@gmail.com
Content-Type: text/html; charset="utf-8"
X-Origin: 108.46.239.206
Date: Tue, 27 Nov 2012 05:29:38 +0100
Subject: hey sexy
From: brenda484@gmail.com
X-ASG-Orig-Subj: hey sexy
Content-Transfer-Encoding: quoted-printable
X-Barracuda-Connect: barracuda.rst.de[80.146.246.58]
X-Barracuda-Start-Time: 1353990575
X-Barracuda-URL: http://192.168.217.58:8000/cgi-mod/mark.cgi

Example Messages Sent From 80.146.246.58
From: maria92@gmail.com
Subject: re: you are welcome
From: betty556@gmail.com
Subject: my new email addy add it
From: lisa829@yahoo.com
Subject: re: cam?
From: Kimora325@netzero.net
Subject: finally im here
From: sarah65@aim.com
Subject: re: dont lie!!!
From: alice446@aol.com
Subject: re: roflz is that real?
From: Angela485@gmail.com
Subject: i msg you before but i guess you didnt get it
From: sharon133@aim.com
Subject: re: your profile

192.168.217.58 – PROXY SERVER IP ADDRESS – LOCATION: JAPAN
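
An added example (not part of the original post) of triaging a header like the 16 Dec 2012 one above: it walks the Received lines oldest hop first, pulls out the relay IPs, reads the SPF verdict, and compares the From domain with the authenticated X-Auth-ID account. The function names are this example's own; `scope()` also separates loopback and RFC 1918 private addresses, which identify no network outside the host or LAN that wrote them, from public ones.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines copied from the 16 Dec 2012 message above (other fields omitted).
SAMPLE = """\
Received-SPF: fail (domain of game.co.uk does not designate 203.144.222.231 as permitted sender)
Received: from 127.0.0.1 (EHLO mail.asianet.co.th) (203.144.222.231) by mta1235.mail.mud.yahoo.com with SMTP; Sun, 16 Dec 2012 04:17:43 +0000
Received: from irgb6.truemail.co.th ([203.144.173.222]) (envelope-sender <bc_events@game.co.uk>) by mail3.asianet.co.th (qmail-ldap-1.03) with SMTP for <dhl_compay@yahoo.com>; 16 Dec 2012 11:17:41 +0700
X-Auth-ID: bc_event@truemail.co.th
Received: from ppp-110-168-125-213.revip5.asianet.co.th (HELO Automail04-PC) ([110.168.125.213]) by irp3auth.truemail.co.th with ESMTP; 16 Dec 2012 11:17:40 +0700
From: =?utf-8?B?4Lia4Li14LiL4Li1IOC4reC4teC5gOC4p+C5ieC4meC4l+C5jA==?= <bc_events@game.co.uk>
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scope(ip):
    """Only 'public' addresses can be attributed to a network via WHOIS."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"

def relay_path(msg):
    # Each relay prepends its Received line, so reverse to get oldest first.
    # Only lines written by the recipient's own provider are trustworthy;
    # earlier ones come from upstream hosts and can be forged.
    path = []
    for line in reversed(msg.get_all("Received", [])):
        sender_clause = line.partition(" by ")[0]
        path += [(ip, scope(ip)) for ip in IP_RE.findall(sender_clause)]
    return path

def domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_headers):
    msg = message_from_string(raw_headers)
    path = relay_path(msg)
    return {
        "spf": (msg.get("Received-SPF") or "none").split()[0],
        "from_domain": domain(msg.get("From")),
        "auth_id_domain": domain(msg.get("X-Auth-ID")),
        "path": path,
        "first_public_ip": next((ip for ip, s in path if s == "public"), None),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A From domain that differs from the authenticated account's domain, together with an SPF fail, is what marks the From address as spoofed here.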
