“cPanel Inc”

Phishing Attack (Hacker) Account Theft

Newest Cpanel Inc phishing e-mail I received under messagecenter@cpanel.net –

I didn’t attach the spoofed link because I don’t want others to accidently click it.

The login was actually to the phishing site (in part: gestalt.as/modules/mod_feed/cpanel) and these are the partial headers:
To: webmaster@<<redacted>>
Subject: Problem with DNS setup on host-name
X-PHP-Script: [multimedios.tv/redirect.php]Multimedios TV for 201.143.12.183
From: cPanel Inc <messagecenter@cpanel.net>

Dear Customer

Due to our security upgrade to avoid multiple logon and an unauthorized access to your online cpanel and FTP account we do require you to sign in your domain name and username and password for security check on your account and afterward we shall send a security code to your email as part of confirmation that your domain has now been properly verified and secured.

To process to confirm and verify your domain for this security check please click (spoofed link was here.)

Failure to confirm your domain within 2 business days may lead to suspension of your domain if we observe any unauthorized login and may lead to total removal of the domain name from our system.

Cpanel Management

Cpanel has been posted numerous times on here. One of the posts was an American Express phishing attack with the email address paymentalert@americanexpress.com ↔ nobody@fabian.tpa.kgix.net — for addition information, click https://scammer419.wordpress.com/2012/10/31/american-express/

Name/Email-Address: cPanel Inc <> messagecenter@cpanel.net <>

Subject: Your messages

Email: Dear Customer

Due to our security upgrade to avoid multiple logon and an unauthorized access to your online cpanel and FTP account we do require you to sign in your domain name and username and password for security check on your account and afterward we shall send a security code to your email as part of confirmation that your domain has now been properly verified and secured.

To process to confirm and verify your domain for this security check please click ______ ( Hacker/Scammer had spoofed link posted there. if you get any e-mails telling you to click a link and enter ANY kind of personal information, it is most likely a scam and by putting your mouse/arrow over the link, a URL will usually pop-up. Mine pops up in the left-hand corner and it showed a website titled “deckora(dot)com/images/cpanel.net” – if it was the REAL cpanel, it would say http://cpanel(dot)net/ )

Failure to confirm your domain within 2 business days may lead to suspension of your domain if we observe any unauthorized login and may lead to total removal of the domain name from our system.

Cpanel Management

HEADER TO FIRST EMAIL:

Return-Path:		<messagecenter@cpanel.net>
X-YahooFilteredBulk:		50.23.15.231
Received-SPF:		softfail (transitioning domain of cpanel.net does not designate 50.23.15.231 as permitted sender)
X-YMailISG:		cMDrjxwWLDuvrbIE_eElZQWeaKhuy_8WKGED.g.kwLYzqXlx CLUDk0OSnySX69rNNhIY2QgVRie8Umo655Umf2JBsPG.nRW9lJrFzlquFvXP z6f2J29hO8rvk_2ABL4MGTui6AT5wrNlnORUs4xFpB04hoZevp6e_S6dTzlr CLSczCGjthhyHII7r7W9EuUxPqSICDu6boeV7E21CqICssQCNchibDkNqI9P 8Xfc23G5HyljJRPtemGy44ZoQr5hWJjdUMy1LjPLfrsILzBiTfpCTRA5gtxi lcXNf94zWbopz5aAE8LuTpQj7UU0Mf7Ib0V.D0H4h6rlQclw_tPzd2n_SOcw hDugsEN7lmiRJsGlaNNP75zfYGSR1_iOdW8bgj5Jsh1N9GLseqdha1naH28E hCxDwW_lUV1OeQx05ayJ81iHBqWP.VaBUvvoNvUwrFlpguDjTp516kf05KQf onEWIdJ2aG0svIRAhvpenGi1Ksmu9Ol3Q95UFPq1SJiqQqhEh2TUWoXoyZQw O_rDAT9vI_EnJSV_vYwubw9Sd8HZY7gXqSmc9kPQV9E4Qs6tQ4FEHBQtM_8D FX5bDQlfUZQNxvNVKO5KFas.L2erCpohkgOXyf50rtsIH_iRvizCD7IbLIth djMPfCml8dxnV6pok1C4dfW_oGoA_z36LxXb5HaRT_kK4bpPLtrb96bdNUhU UrAyJC2iQsrxNR1pr6lhSqlfYcgypfS4KtJFcwQBSS9fJdLRdcSW.g82dl.c t..x6eydLSyxpchbJQc_3khN3C1HHESb.Wjb9R.8lDW.zt4Mh1hrJsmOmKkB ckQ1OKnaTzYXPWnHXTMo8NJ7Kz6gBxwzObdM170B1yamQTyxRuQZ3rR_KOUG SkpqMgy0w1FjVRWCzuqXcPb6g0rBzXq0G8s4XzQFeHYBaXVOo8wOELq2fT6S 7YMRuIiyGgphbsM30AdV8nrAP1z5BUZSY2KRusGf0k7rZ_q.P3CE2yZD4V3N .ugmcDPn0cx_JlH_3wWTgq6JN2FMjlpp6jUw7BuWsUDkEsPEUi9wBNDLzV0j ztKI_gYjIeBRclYhcqpRWQVUFtAFXPh5ItKKSQd1LR4gZFE6nDmP0_Ji1HeC jV3H0ej5IEMUBwdQzR3wHnHFo0zrFM6DOziASkrvbDI_8VAbtVBCoZXXMQTx HRnaScwxviiBPzAmaz6VfkpEWirJH0VllaYnWcAsY7M-
X-Originating-IP:		[50.23.15.231]
Authentication-Results:		mta1082.mail.ac4.yahoo.com from=cpanel.net; domainkeys=neutral (no sig); from=cpanel.net; dkim=neutral (no sig)
Received:		from 127.0.0.1 (EHLO str.stronghousefirm.com) (50.23.15.231) by mta1082.mail.ac4.yahoo.com with SMTP; Sun, 04 Nov 2012 16:37:24 -0800
Received:		from [189.33.39.50] (port=63875 helo=kassie@firstcaremedical.net) by str.stronghousefirm.com with esmtpa (Exim 4.80) (envelope-from <messagecenter@cpanel.net>) id 1TTPPv-0007ut-Uy; Tue, 30 Oct 2012 22:56:36 -0500
Reply-To:		<messagecenter@cpanel.net>
From:		“cPanel Inc”<messagecenter@cpanel.net>
Subject:		Your messages
Date:		Wed, 31 Oct 2012 01:56:40 -0200
MIME-Version:		1.0
Content-Type:		text/html; charset=”Windows-1251″
Content-Transfer-Encoding:		7bit
X-Priority:		3
X-MSMail-Priority:		Normal
X-Mailer:		Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:		Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse:		This header was added to track abuse, please include it with any abuse report
X-AntiAbuse:		Primary Hostname – str.stronghousefirm.com
X-AntiAbuse:		Original Domain – yahoo.com
X-AntiAbuse:		Originator/Caller UID/GID – [47 12] / [47 12]
X-AntiAbuse:		Sender Address Domain – cpanel.net
X-Source:
X-Source-Args:
X-Source-Dir:
Content-Length:		11867

HEADER TO UPDATED EMAIL:

 

Return-Path:		<messagecenter@cpanel.net>
X-YahooFilteredBulk:		50.23.15.231
Received-SPF:		softfail (transitioning domain of cpanel.net does not designate 50.23.15.231 as permitted sender)
X-YMailISG:		kUxyYr4WLDstjJptIfyRZwUj8cb_UDN3TksCAbW95.BtAEXu Yunj0JdtiAKPKHa3Pqmpi6zlXfS75g4glT29TFW5kC1DQ.lk6UUuC29z7JZn 1NqodXRZ2kxifA4nBxfqFF2j0Nt0NvQQa8LOzfYQRPGGpfMndMZAcFTbRAZq wo2aRrH6tft7bxWbkgKhS1SxgLI99FBPxocSYReDnHAnjlAtqI4v5Yj1UKkA VyoJx_0MCgrq8Dh0_PL59PkGYoRZz1CtOIk72dumoZPdg15euehU.PsSn5B6 BIjqgTF2uzlLgqzpNGhwDk_z_DK4wbKwjkqRGBka__L1Je.3ammvOILNXVtd IBnOnF6cPg8yGHmLmt.xcMOeC88txjldu7tjHnf_62FvSOVhP4XfGFTy6Hps m5CmaLxGrKqtcL_SDaCAZwAFdKaJE43PmdjPyBmH3I5zvMXpxCwX7GhFgxhf Jqoa4LNgtFbtcZiU6nYB.AWL6RuorETInHqzx8ut15wdEq4XrFBYOqIoEJgr FQr9BS_IsqIsfy6XbKECsZfRHLLvcCGNBaQaMkvCGfz64kJWlPYoqGorilM1 OG4vIBXdSx3xsss81z.klBT.SyGcqyzCfPAi6UMievDZa.Wcba.yE2Sv20dC LI.8MkQEgcU6ANgUZWZ8xzn.Bd6RM2KwlccXzhhfflMvPfEYhRqAvA0MAVuI 5g3Cu0pClEpkpdUtj8oOcAhxcWJ1.HlftI5TFuB8IppT7pSrmZJNvjqqSLYv IUjf1WhyxYNuTiLrDHBOI8KDf8YKiHfkhA_2Lplo2wM_4ciYj5issE9vbUoW 2lFMa0nzqwRIObcAE6IW8Apw5DfBI3Kjdizxt_zbrTyn5bZzGmLYam_ZFYgY 1am1qMp3PVL.CvT5X1WG.JMDTkuvFNqnpRIp8XCxUf3J.sFwdKRXKYX490e5 9qPzis9.kksoLrQChfi_1s6NRVG7m2e2kArXsRvIxxVi6ozo2wKJaTKXXh8s 5FPsfgFgcUo2asx3iqny8_c4xEUxzzokR8oqzwQcDu.Ucu3yK_gueFQhmQUP QeTFj0_HR4Gcv87P7ahf5JwBaRhyA8FiXLywU6OIa13LEvhIpgjDNp4v9.Xy reu8yhTGwNdyuGFp6QroALLPmuny57HWc.p5tFQVkxX5kdhNVxZCGfFEhO9z 5.YKTGBUSeHO76PXzEBsn5iXhI6NmuEevX_uvqQ.fL1vkQxDWvb_MstonCQ_ Rc5fnKy1ZxIHgYtcBg–
X-Originating-IP:		[50.23.15.231]
Authentication-Results:		mta1136.mail.mud.yahoo.com from=cpanel.net; domainkeys=neutral (no sig); from=cpanel.net; dkim=neutral (no sig)
Received:		from 127.0.0.1 (EHLO str.stronghousefirm.com) (50.23.15.231) by mta1136.mail.mud.yahoo.com with SMTP; Sun, 04 Nov 2012 14:23:09 -0800
Received:		from [189.33.39.50] (port=60887 helo=kassie@firstcaremedical.net) by str.stronghousefirm.com with esmtpa (Exim 4.80) (envelope-from <messagecenter@cpanel.net>) id 1TTvHJ-00016T-Lk; Thu, 01 Nov 2012 08:57:50 -0500
Reply-To:		<messagecenter@cpanel.net>
From:		“cPanel Inc”<messagecenter@cpanel.net>
Subject:		Your messages
Date:		Thu, 1 Nov 2012 11:57:57 -0200
MIME-Version:		1.0
Content-Type:		text/html; charset=”Windows-1251″
Content-Transfer-Encoding:		7bit
X-Priority:		3
X-MSMail-Priority:		Normal
X-Mailer:		Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:		Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse:		This header was added to track abuse, please include it with any abuse report
X-AntiAbuse:		Primary Hostname – str.stronghousefirm.com
X-AntiAbuse:		Original Domain – yahoo.com
X-AntiAbuse:		Originator/Caller UID/GID – [47 12] / [47 12]
X-AntiAbuse:		Sender Address Domain – cpanel.net
X-Source:
X-Source-Args:
X-Source-Dir:
Content-Length:		11867

 cPanel Inc support@cpanel.net 108.165.22.246

 

“American Express”

FRAUD/PHISHING ATTACK/HACKER/SCAM

ATTENTION: This scammer is also using an IP associated with another scammer who is also trying to hack private accounts under the guise  “Cpanel Inc” – For more information, click: https://scammer419.wordpress.com/2012/11/06/cpanel-inc/

Cpanel is using the e-mail address – <messagecenter@cpanel.net> but is also emailing me numerous times so if new email-addresses show up, I will update.

NAME: American Express

EMAIL-ADDRESS:  paymentalert@americanexpress.com ↔ nobody@fabian.tpa.kgix.net

SUBJECT: Your Account Payment Alert

EMAIL: Dear Value Customer

This is a payment alert, to notify you of a new payment which has just been deposited into your account. Please visit (LINK DELETED) to view recent payments.

You, as our bank customer may use this service to contact us with enquiries regarding your account or the products and services we offer from time to time, we will also use My Messages to contact you. This may be in relation to existing products and services which you have with us or to keep you informed of enhancements to our products and services. Be sure to check My Messages regularly for any new messages. My messages will only retain 10 messages so you may want to delete those you do not need.

Click to view (LINK DELETED) to read your new messages.

© 2012 American Express Company. All rights reserved.

HEADER:

Return-Path:		<nobody@fabian.tpa.kgix.net>
X-YahooFilteredBulk:		50.115.17.123
Received-SPF:		none (domain of fabian.tpa.kgix.net does not designate permitted sender hosts)
X-YMailISG:		0Z6V1TMWLDvuEezOIFttWmFpsphW6eUBfH.WAfoW0u2BTKgr l3ZV98oLGQdPnAecGApNnXKuYcyqD5OvUAhm5Us43xLZ.nJ2cVXGR.NBjkuI vbPwrxuYogPB7JCeeU8OX1HV3hKhmIhb5ejCo8uPQkrxWhHhQtRJ0HHmZlPn pSht49NiZ9oh5z4dbn7nPbhxnv_zg4Vkvbwal9XRZj13v83EFGWt_iwu8yF3 CS8vb0nfWKePUlP7DkN23uTand1rS8ABtdSYIlwGN7r6hYofHFDI7gtncEbl J3zVNm_3XTqZVvmeoOATEyHGYxjJF.q5rZYiuSd3HOD9D5zs9.N7EeomsAHm DE8XY.oYW_5ADPSuqJcYfFw01jvRA8DMlbCHD_cgwECsakGAZJSIixlYrXRg .y_i7hIASqgiceXMabV3_oY0ETL9qgv6XqIgGNAuEaUE9h3XaxNBo2D4hAog 3RVSD152lfOojUHgSN.b5nDjoIH6ZmThi1SwNVjb4VqJyFM9Dm_qBnp2BwuN 0i4pLN1LwOySiGVPtX1GNnXM99GxcH8CKkwGmu06nAaoG24p8SQ6A2JvsIsw G5LAir.X2JT8kCoGTQ7.77YSeyups8QhD6L7MaJwMUz1lcaofZ6yWBhrgLew Zasr3yJrsbbSffN8Fj4shD6nu33utIiE3ztTxl.qRWPiVzoa2qCdqCgD5eqo nXflMBiAenbDQjPQTU0X2iR3TujDgx6nRlbnyI8PiXUdNaEEV4WhyhF2Ryr7 KZkXBsrWq0u9BJZrCZdwGynYEs1JuYL1vRGTu39hvk1jkALfF4ibn8oMqldG H3dFkxQnLgEccOT0t.m9urABBIfeoSK9J2JE67hx7PLms1R0fxa_7ijmsA7x kiGZAC8BazEzmfo_MuoYIPeKvHbxrOcb7NMa6g41KT6m6aBi.IUDxozpZxhS 0PNI6Lcsdrie29XWyr3aFRhxJgY7aRZSQ9vd9.3NenfmQxJLfDh0fCr508KY KTTUVdYbELnhJ.SsYh0f4RhtDZqCgCkXcAnjgMdlvd59LXCkvpOmqnHSETLL apmTcAjLKdhmMiug_nICf_p4KrkxVPA.ivUXDaU27UYnjh4udpUHpRiW7HfB 7e_ZoEpWaXgKsu39DpEuYetEQUcjE5kCIeITQOB6hhFM.XhYQGAB3bocsy3g fQE8VkXk8NpDFaMsn2vwW8X9ffooLXF.rlNem45iYFPgQT0-
X-Originating-IP:		[50.115.17.123]
Authentication-Results:		mta1161.mail.bf1.yahoo.com from=americanexpress.com; domainkeys=neutral (no sig); from=americanexpress.com; dkim=neutral (no sig)
Received:		from 127.0.0.1 (EHLO kualo-miranda.g1-srv1a.filteredmx.net) (50.115.17.123) by mta1161.mail.bf1.yahoo.com with SMTP; Mon, 29 Oct 2012 22:35:34 -0700
Received:		from fabian.tpa.kgix.net ([208.38.189.160]) by tpa-srv1.filteredmx.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) (envelope-from <nobody@fabian.tpa.kgix.net>) id 1TT2cJ-0008BF-IG for; Mon, 29 Oct 2012 23:35:57 -0400
Received:		from nobody by fabian.tpa.kgix.net with local (Exim 4.77 (FreeBSD)) (envelope-from <nobody@fabian.tpa.kgix.net>) id 1TT2cH-000JVT-26 for; Tue, 30 Oct 2012 03:35:49 +0000
To:		(deleted for privacy reasons)
Subject:		Your Account Payment Alert
X-PHP-Script:		bridgepathconsulting.com/ddd.php for 189.33.39.50
From:		American Express <paymentalert@americanexpress.com>
Reply-To:		paymentalert@americanexpress.com
MIME-Version:		1.0
Content-Type:		text/html
Content-Transfer-Encoding:		8bit
Message-Id:		<E1TT2cH-000JVT-26@fabian.tpa.kgix.net>
Date:		Tue, 30 Oct 2012 03:35:49 +0000
X-Filter-ID:		XtLePq6GTMn8G68F0EmQvbKa8FrgU89SoseQtjXAYio7Ifx26YQRTEJKIzOOU4VmDTjBDjYCwV/K +dZtrV9ICUOM9RCYiZ5g7ZLBYnjTUBiMM+2oyJh9CTuoeF/kVCUmX48X4eTvaVyCJ1H6n0tKPyEb xxLK3QENjMlUnGz2Ts/i60Rl83DFJ/VYtQqvMnMWhGZ7H1pwVVwHRqvKsU9XcKzKnA7pFO6LvE9W eCWu5dm5O+TFOpFcNQUx11xJznUTYCpZ0C9WFQP8MzcaGZUHYR5adujIfc/dg5ftb5h42g8CpBC8 2akRcmGVoY/rcF6giouZc+qTBpD1PVBmeNwTiS6genBZwi7tMhX49trXdtmY0S34oJNNIM1ZRamE 7XKQPbYj3UCUuK3ReC4jKSpfCuDIRwSJEiUHoy5MhXJVirgAmAENpcMiYWYOjzrIUOoglbUy/1ye eNtUsu2IweMfaWHjcXtH4UHAOX6ta71BdV8HAOPYrVQbSex5wzfIfcffLoT9AUkl2Xzcn4+3GToy nv8+ZyaJ723lIiOycY3+aP71CZ8H4l5foYBh5eqoYaGja/jfd5PGNXlN0zaUkK5mWgzwFi9JahG5 hoiEyQ+RmYe1lr3fXVyUocZr0DeFb8bemvh8nWgRMbqJoxhwv4rarA==
X-Originating-IP:		208.38.189.160
X-SpamExperts-Domain:		fabian.tpa.kgix.net
X-SpamExperts-Username:		208.38.189.160
Authentication-Results:		filteredmx.net; auth=pass smtp.auth=208.38.189.160
X-SpamExperts-Outgoing-Class:		ham
X-SpamExperts-Outgoing-Evidence:		Combined (0.25)
X-Recommended-Action:		accept
Content-Length:		2156