Tag Archives: Microsoft

“Microsoft Windows Team”

PHISHING ATTACK / HACKER

Microsoft Windows Update
From: “Microsoft Windows Team” <noreply@microsoft.com>
Return-Path: apache@shipment.xsense.co.th

Dear Windows User,

It has come to our attention that your microsoft office records are out of date. Every single Windows installation needs to be accompanied by a valid email for proper verification purpose.

This requires you to verify the Email Account. Failure to verify your records might result in account suspension. Use the link below to verify and confirm your records.

Thank you,

Microsoft Windows Team.

———-

Return-Path: <apache@shipment.xsense.co.th>
X-YahooFilteredBulk: 58.64.30.166
X-Originating-IP: [58.64.30.166]
Authentication-Results: mta1080.mail.ne1.yahoo.com
Received: from 127.0.0.1 (EHLO shipment.xsense.co.th) (58.64.30.166) by mta1080.mail.ne1.yahoo.com with SMTP; Fri, 26 Apr 2013 06:04:49 +0000
Received: from shipment.xsense.co.th (localhost.localdomain [127.0.0.1]) by shipment.xsense.co.th (8.13.1/8.13.1) with ESMTP id r3Q64gMM016043
Received: (from apache@localhost) by shipment.xsense.co.th (8.13.1/8.13.1/Submit) id r3Q64goF016042;
From: Microsoft Windows Team <noreply@microsoft.com>
Subject: Microsoft Windows Update
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]


HACKER/PHISHING-ATTACK: hanscgroot@aim.com

WARNING: Phishing Email/Attacker/Hacker – This hacker has reports under Yahoo, AOL and other popular email websites. The real Yahoo Service would NEVER send emails like this and doesn’t ask for personal information or to click on links. They also don’t do lotteries of any kind.

UPDATE: On 11/23/12, I posted an Employment Scam (personal assistant) and after looking up information on that scammer, it not only pin-pointed Lagos, Nigeria as the location, but this phishing attacker scam continued to pop up in the search engines, which makes me believe there is some kind of relation. To view the Employment Scam click here.

Hacker’s information posted below:

Name: N/A (posting as Yahoo 2012)

Email: hanscgroot(at)aim.com (now why would Yahoo be using an ‘aim’ address to promote Yahoo service?)

IP: 41.138.187.80 – X-Originating-IP: 205.188.58.1 – Received from: 172.29.51.138

Subject line: ACCOUNT TERMINATION

Email: Dear Yahoo! User,
Your E-mail account has exceeded its limit and needs to be verified, if not verified within 24 hours, we shall suspend your account. [Phishing site was here] to verify your email account now. Thank you for being a loyal Yahoo! Mail user Regards Yahoo! Account Service

Header:

Return-Path: <hanscgroot@aim.com>
X-YahooFilteredBulk: 205.188.58.1
Received-SPF: pass (domain of aim.com designates 205.188.58.1 as permitted sender)
X-YMailISG: Frdoh0QWLDtQ3Xf789IXch_KzyBAtBxmsAOLFQEbyChNRsW0 rRxr_CbMvO2GgN2xixo4nLRKkdBHa2yzBXIimpEAfMPwil.V9_pwXDkReAGa DntpktH4pZ1g7BKF3HRHqZl7orDUf16aJrfkF0kFJw2kyoKEzh12uJIy8vN. AACBtFIWI6BQ2l.EJrrZDIa_c0AGbFNFUVmU1rAAbv51kis6ALrQgzL4SB4m QvSTsjY21zw6DDroyGXvQ.Q5te5zQbK4Ke1MMMooSC4FVsMaZYjFYjzMUFnT JQSKRPlPuZM0xA6KQek4xcmGfytI92Iafi86aWQc.hKNlFC8u8wytHnCj1cd v6rOg8ss4orZ9SU0MsAXtHc4VnUYdsoJeGqzqESWbRVS83h.VhFli0ogKNJl JIuLqqV08fif6W_eQEkBAUb277olnL5C6yX2roW31M11iu3R2z8qtQPe3Fko 1BBTg1ocIv5UVm3oJ0hq4WzgFEuciEntp.gHPJ0zJN8hSuAFe1hUnCQSNmi1 StUDnfIa6mNZSWWa2zLF_JWF8_P1CkY9ggsnuHxrXT3PoIP386Yio.rjP8rP pLryfxdduqTus9Gn9_MgiQ85_qOdgtcD2.0vmHnhTLjUOxj48hkwrB57.Yhn bpjzB7wX0yoEr8nhIYytEOcwnqpvNalnydCnseY3Y0MkF3vBZBUKTsIgsILW Nn6C3GqwVWHXs04oWgGRB9ZhSekDL7sKg9fhefIgAu.orN.wfmU.WlbIIWwH n6mz2s9cL6tq_9SqZXwhghLckpMFWvzL2ufPEOpBUZ56MTNRJfa4zXdNqOER hDI7o6Fv6OoCudzYfVi_YoZ_LU72kaVMW4Trdfe2MSD3LreGZX80TB4QO4iK AsfVxZpJso5sHtjdTSx9N82lpzDuelr24kbwx77iribCv0g84rq9.jIxRVXP x8RY5tWsn9TSV_GmTFMlUzjN35I26pLjAMEpdjUnieU2Xg4EfBhtakRTX0h9 HvaMRLzNkA0vEswGAZ4b5MIqtEidpIfBHYJkm8vKkmcd4.z4TSgFqoclzNRO fkPdTrrNpdVBwE_QQb.uHy8jeHTf95yWBKJs8cTjnsYK8vBV2_4eNTkxHJkV NrU6AjcCv1FYHd.N2gVU1D7rkNDUjZjfaRcuEZFKBkyT971788d2kcaTZaXB AqHebYSFfzzbW0kjAX.4PXJNTIxjj1GUEAXWpi5I1k0M9gUpf7Rbi9visCuA vJWunaHZW4ZHasyU0bwVjooB.f6TgAV_UM9tI3TVQOU10Fp5yrC5JLwd.Q.e aOXAdAdiBWb8w9fedi6FvhZut4mqDPF9rsgbO8DS_HwutwDVKnjyIm48JhQo eH9qqyx9l9TrnQecBvq0szcs47W3rhbY9ivXiH6MO6W6rUyNQamB2Brr1QZV 9QyJCGRIXzWegJ9nw94Uu.3DcQrZpuSt2ginJderG1QRFBPmJqdeAGnVnuzd FJ_khwHXQ7IsVixUIFCcJyLql.kq1qmUII_qlu3YUBeishoL64Y7kj8vMWHO PM8TMy7MLUiCBdgmQL8PqMa9XC1AEWt7UHnzQIJawXmfy6ySgiy.IRdXRfQ5 coPZ2Gr5lrEopiYzn5qFtw7TSKcFzw–
X-Originating-IP: [205.188.58.1]
Authentication-Results: mta1247.mail.ac4.yahoo.com from=aim.com; domainkeys=neutral (no sig); from=mx.aol.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO oms-db01.r1000.mx.aol.com) (205.188.58.1) by mta1247.mail.ac4.yahoo.com with SMTP; Tue, 09 Oct 2012 15:53:57 -0700
Received: from mtaomg-da02.r1000.mx.aol.com (mtaomg-da02.r1000.mx.aol.com [172.29.51.138]) by oms-db01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 3BAEE1C00007A; Tue, 9 Oct 2012 18:53:49 -0400 (EDT)
Received: from core-msa003b.r1000.mail.aol.com (core-msa003.r1000.mail.aol.com [172.29.233.73]) by mtaomg-da02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id E6686E00008F; Tue, 9 Oct 2012 18:53:47 -0400 (EDT)
X-MB-Message-Source: WebUI
Subject: ACCOUNT TERMINATION
X-MB-Message-Type: User
MIME-Version: 1.0
From: Yahoo! Safety 2012 hanscgroot@aim.com
Content-Type: multipart/alternative; boundary="——–MB_8CF7488138B9753_1B90_8A1BF_webmail-d041.sysops.aol.com"
X-Mailer: AOL Webmail 37058-STANDARD
Received: from 41.138.187.80 by webmail-d041.sysops.aol.com (205.188.181.84) with HTTP (WebMailUI); Tue, 09 Oct 2012 18:53:47 -0400
Message-Id: <8CF7488138935F1-1B90-261D9@webmail-d041.sysops.aol.com>
X-Originating-IP: [41.138.187.80]
Date: Tue, 9 Oct 2012 18:53:47 -0400 (EDT)
x-aol-global-disposition: S
X-SPAM-FLAG: YES
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20110426; t=1349823229; bh=zbZaNpxqM0rj4PGZbgVtMxM13Koe9LGyPUdKpRX+JKk=; h=From:Subject:Message-Id:Date:MIME-Version:Content-Type; b=lhYaeRDTuNvLYqvt5zSM9G8ZXo+TEdfAIjVkiblP9V6oPE6oze0CZ0aFIrGcni7Vo browcGX3cFXePQJpFDFylz5nbBvUyOYVvplAi9uLw5IHRYtnS8+oW8hv9+2/RK+oDd vmtSPx3lsot8Vi8T+s8v8yoZLC1m3oi6oNifDFeQ=
X-AOL-SCOLL-SCORE: 1:2:105769096:93952408
X-AOL-SCOLL-URL_COUNT: 2
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d338a5074aafb4348
Content-Length: 2303
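The two header dumps above show the two tells the posts rely on: a From address at microsoft.com whose Return-Path is apache@shipment.xsense.co.th, and a "Yahoo! Safety" display name on an aim.com mailbox that passes SPF simply because AOL really did send it. The following is an added example, not code from this blog, that parses such headers with Python's standard email library and flags both patterns; the BRANDS list and the two constructed header blocks (values taken from the messages on this page) are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed test input: key headers of the "Microsoft Windows Update" message above,
# copied from the page and folded into a minimal RFC 5322 header block.
SAMPLE_MICROSOFT = """Return-Path: <apache@shipment.xsense.co.th>
X-Originating-IP: [58.64.30.166]
From: Microsoft Windows Team <noreply@microsoft.com>

"""

# Constructed test input: key headers of the "ACCOUNT TERMINATION" message above.
SAMPLE_YAHOO = """Return-Path: <hanscgroot@aim.com>
Received-SPF: pass (domain of aim.com designates 205.188.58.1 as permitted sender)
From: Yahoo! Safety 2012 <hanscgroot@aim.com>
X-Originating-IP: [41.138.187.80]

"""

# Brand words a phisher impersonates in the display name (assumed list; extend as needed).
BRANDS = ("microsoft", "yahoo", "aol")


def domain_of(header_value):
    """Lowercased domain of the first address in a From/Return-Path value ("" if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw_headers):
    """Return the sender facts a triager wants plus a list of textual findings."""
    msg = message_from_string(raw_headers)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    findings = []
    # Envelope sender (Return-Path) should belong to the From domain or a subdomain of it.
    if rp_dom and from_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # A brand in the display name that is absent from the sender domain is a lure.
    for brand in BRANDS:
        if brand in display_name.lower() and brand not in from_dom:
            findings.append(f"display name claims '{brand}' but sender domain is {from_dom}")
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "originating_ip": (msg.get("X-Originating-IP") or "").strip("[] "),
        "spf": spf,  # "pass" only says the relay was allowed for rp_dom, not that the mail is genuine
        "findings": findings,
    }
```

The originating IP is returned untouched so it can be compared across reports, as the posts on this page do by hand.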

Below are additional headers from emails sent by the same attacker. (To view the actual emails, scroll to the comments.)

Received: from anchor-post-3.mail.demon.net (anchor-post-3.mail.demon.net [195.173.77.134])
by mtain-dd01.r1000.mx.aol.com (Internet Inbound) with ESMTP id 9F93638000088;
Tue, 24 Jan 2012 07:25:51 -0500 (EST)
Received: from [62.49.15.17] (helo=athena.shepherdeurope.local)
by anchor-post-3.mail.demon.net with esmtp (Exim 4.69)
id 1RpfRe-0007WY-p7; Tue, 24 Jan 2012 12:25:50 +0000
Received: from User ([38.117.192.20]) by athena.shepherdeurope.local with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 24 Jan 2012 12:25:47 +0000
Reply-To:
From: “John Taylor”
Subject: APPLICATION NEEDED
Date: Tue, 24 Jan 2012 07:25:52 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
X-OriginalArrivalTime: 24 Jan 2012 12:25:47.0260 (UTC) FILETIME=[4CEDC3C0:01CCDA93]
x-aol-global-disposition: S
X-AOL-SCOLL-SCORE: 0:2:130702056:93952408
X-AOL-SCOLL-URL_COUNT: 0
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d408d4f1ea34f3c59
X-AOL-IP: 195.173.77.134
X-AOL-SPF:

__________

HEADER:

Delivered-To: *removed*@gmail.com
Received: by 10.143.66.11 with SMTP id t11cs90543wfk;
Fri, 27 Jan 2012 08:25:26 -0800 (PST)
Received: by 10.224.96.10 with SMTP id f10mr14678072qan.8.1327681516849;
Fri, 27 Jan 2012 08:25:16 -0800 (PST)
Return-Path:
Received: from mtaomg-da02.r1000.mx.aol.com (mtaomg-da02.r1000.mx.aol.com [172.29.51.138])
by oms-ma01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 602123803F37D
for ; Fri, 27 Jan 2012 05:42:34 -0500 (EST)
Received: from core-dga002a.r1000.mail.aol.com (core-dga002.r1000.mail.aol.com [172.29.229.5])
by mtaomg-da02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 12685E000091
for ; Fri, 27 Jan 2012 05:42:34 -0500 (EST)
From: jtaylorcode@aol.com
Full-name: jtaylorcode
Message-ID:
Date: Fri, 27 Jan 2012 05:42:34 -0500 (EST)
Subject: MYSTERY SHOPPER FIRST ASSIGNMENT INSTRUCTIONS(PLEASE REPLY)
To: *removed*@aol.com
MIME-Version: 1.0
Content-Type: multipart/ALTERNATIVE; boundary="—-=_Part_135714_1389870855.1327681516121"
X-Mailer: AOL 9.0 VR sub 134
X-Originating-IP: [41.155.42.70]
x-aol-global-disposition: S
X-SPAM-FLAG: YES
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
s=20110426; t=1327660954;
bh=MtW/XPW6VeyvBHn/rgvupRS/YY6wX2epZWMmBT54z0c=;
h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type;
b=LsgJDos+MqYwv/1jwBKEHibdWfaNgelkoVx3LfgjXudyW9BKgMqj38iLxcaj4mjMy
2U2hHqWzFs4VHW4XcoymhJJlEOk2i0huPFk5GA/21bs5ywhdhiOtHi7td+mhVpnRtW
UTDv9v8ae+iNOQ03Z4BmWqMcjdw7HhO5QmHUy7Dw=
X-AOL-SCOLL-SCORE: 1:2:388657600:93952408
X-AOL-SCOLL-URL_COUNT: 1
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d338a4f227f9a1aa8

__________

“Mr Mark Fisher”

Microsoft Sweepstakes Promotion Winner!!!
Wednesday, October 27, 2010 4:27 PM
From: “Microsoft Sweepstakes Promotion”
IP: 41.138.187.80

We are pleased to inform you of the release of the long awaited results of Sweepstakes promotion organized by Microsoft Corporations, in conjunction with the FOUNDATION FOR THE PROMOTION OF SOFTWARE (F.P.S.) held this October 2010, in London that attracted the sum of (550,000.00 GBP) and a Toshiba Laptop From the Microsoft Sweepstakes Promotion last draw held this October.Contact For Claims.

1. Full name
2. Contact Address
3. Age / Sex
4. Telephone Number
5. Occupation
6. Country

(CONTACT MANAGER)
Mr. Mark Foster.
Email : redeemprize1010@live.co.uk
