

jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy

I know what it says it is...

But I know what it isn't...a real bill for us.
--------------------------------------------
There was an invoice issued to your company: xxxxx.com

Please double click the PDF attachment to open or print your invoice. To view full invoice details or for any Online Account Management options, download PDF attachment.

Account Number 157BPN
Invoice Number 254423255525
Invoice Date June 21, 2013
Invoice Amount $3.072.00
Account Balance $0.00

You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement. If you do not have Adobe Acrobat, please find a link to a free downloadable file at the end of this e-mail.

You can also print this e-mail and send your payment to:

LexisNexis
PO BOX 7247-7090
Philadelphia, PA 19170-7090

If you have questions about your invoice, please contact LexisNexis at 1-800-262-2391, option 3.

If you would like to contact your Account Manager, please contact LexisNexis at 1-800-262-2391, option 2.

Please add this domain @email.lexisnexismail.com to your safe senders list.

Adobe Acrobat free downloadable file available at :
»www.adobe.com/products/acrobat/r···ep2.html

LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. PowerInvoice is a trademark of LexisNexis, a division of Reed Elsevier Inc.

Privacy & Security Copyright 2013 LexisNexis, a division of Reed Elsevier Inc.
All rights reserved.

-----------------------------------------
No, I have not called the number to check it out nor have I opened the attachment, supposedly a .pdf file of our invoice. I have checked out all the info I can find with it from many sources, and darned if it doesn't come up as being a legal, Lexis Nexis address every which way I look.

I know for a fact that we owe nothing to this company. What I don't know is if it's Spam, phishing, or what? I've known how to read headers for ages, but this one has me totally stymied. The header info, with pertinent .com address removed, follows. Can anyone give me some insight at what this is?
---------------------------------------------------
Received: (qmail 13738 invoked by alias); 21 Jun 2013 17:49:01 -0000
Delivered-To: harvey@hmklein.com
Received: (qmail 14090 invoked from network); 21 Jun 2013 17:49:01 -0000
Received: by simscan 1.4.0 ppid: 26925, pid: 31978, t: 0.0301s
    scanners:none
Received: from mxperim8.sea5.speakeasy.net ([69.17.117.73])
    (envelope-sender )
    by mail21.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP
    for ; 21 Jun 2013 17:49:01 -0000
Received: from localhost (localhost [127.0.0.1])
    by mxperim8.sea5.speakeasy.net (Postfix) with ESMTP id 75B61840D1
    for ; Fri, 21 Jun 2013 10:49:00 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at mxperim8.sea5.speakeasy.net
Received: from mxperim8.sea5.speakeasy.net ([127.0.0.1])
    by localhost (mxperim8.sea5.speakeasy.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id RYHAU49vrULv for ;
    Fri, 21 Jun 2013 10:47:59 -0700 (PDT)
Received: from bell.ca (MTRLPQ02-1176246896.sdsl.bell.ca [70.28.26.112])
    by mxperim8.sea5.speakeasy.net (Postfix) with ESMTP
    for ; Fri, 21 Jun 2013 10:47:59 -0700 (PDT)
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.119])
    by uscwygtw01.dnb.com with ESMTP; Fri, 21 Jun 2013 12:47:57 -0500
Received: from dbpliupap119.us.dnb.com ([158.151.64.119])
    by uslitintrl05.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 12:47:57 -0500
Date: Fri, 21 Jun 2013 12:47:57 -0500
From: "LexisNexis"
To:
Message-ID:
Subject: Invoice Notification for June 2013
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_Part_3600_182211989.1474803957214"
X-Nonspam: None
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail21.sea5
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=2.0 tests=BAYES_50,HTML_80_90,
    HTML_MESSAGE,HTML_TAG_EXIST_TBODY,URI_REDIRECTOR autolearn=disabled
    version=3.0.4

--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay



Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:12


DasGoat

join:2013-02-12
Charleston, WV
reply to jaykaykay
You aren't Harvey Klein I take it?


beck
Premium,MVM
join:2002-01-29
On The Road
kudos:1

1 recommendation

reply to jaykaykay
Geez, I've gotten 50 of these today. So my vote is it's crap. I never open any kind of crap. If someone wants to send me a bill, I had better know I have it coming. lol


DasGoat

join:2013-02-12
Charleston, WV
reply to jaykaykay
Have you scanned the PDF on virustotal.com yet?


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy
reply to jaykaykay
No and no to both questions. As to doing anything with it, I have deleted it, but after looking up the info about it on all my sources to try to track it back, and finding nothing suspicious, I posted here. Most of these things come up as Spamming addresses. This one does not. Any one know what goes or have others received similar "junk" from so called Lexis Nexis?


DasGoat

join:2013-02-12
Charleston, WV
reply to jaykaykay
They are a real business, no clue what's going on at their end with email being sent from them.


Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:12
reply to jaykaykay
said by jaykaykay:

from so called Lexis Nexis?

So called? lol

That's like saying "so called General Electric." I assure you they are a very real, and successful, information management/public records business.
--
Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

1 recommendation

reply to DasGoat
said by DasGoat:

They are a real business, no clue what's going on at their end with email being sent from them.

That clearly did not come from lexisnexis.com:

Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.119])

Clues:
1.) IP address of sender does not resolve to a name (MTA shows "unknown")
2.) Private IP address block 10/8

It looks like the sender did try to disguise the origin/routing with some extra Received: headers. The "uslitintrl01.us.lexisnexis.com" is provided by the email (spam) client in the HELO message of the SMTP protocol and cannot be trusted.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


workablob

join:2004-06-09
Houston, TX
kudos:4
Reviews:
·Comcast
reply to jaykaykay
said by jaykaykay:

But I know what it isn't...a real bill for us.
--------------------------------------------
There was an invoice issued to your company: xxxxx.com

I am getting slammed with these.

I configured ORF on my mail server to replace zip files with a text file.

I block lexisnexus and @wellsfargo.com or whatever they come up with.

They keep trying.

LOL

Blob
--
I may have been born yesterday. But it wasn't at night.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
reply to leibold
said by leibold:

It looks like the sender did try to disguise the origin/routing with some extra Received: headers. The "uslitintrl01.us.lexisnexis.com" is provided by the email (spam) client in the HELO message of the SMTP protocol and cannot be trusted.

Yes, it's now to the point where the names usually dropped (PayPal, eBay etc...) just don't fool as well as they previously did, so dropping a new name such as lexisnexis.com doesn't raise the red flag quite as high.

jaykaykay See Profile, if the same email/attachment arrived as coming from PayPal you would have immediately recognized it for what it was - a run of the mill attempt at installing malcode via an infected pdf


nm1

@hispeed.ch
reply to jaykaykay
Hi

Funny thing. I work for LexisNexis and I received this spam too, but to my private mail address, and I know for sure that it is not from our company for several reasons, even if the sender must know the structure of the company quite well. I did not open the zip file attached. PowerInvoice is not a payment tool but an invoicing tool. Also, client numbers are not correct...

Deleted with good reason!


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

1 recommendation

said by nm1 :

I know for sure that it is not from our company for several reasons, even if the sender must know the structure of the company quite well.

Maybe, but more likely it just appears as if they know a lot because they are using actual messages (either found in some victims email box or received because they themselves are Lexis Nexis customers) and use them as a template for their phishing.
This makes their message look pretty authentic at first glance.

I would not be surprised if they have a pretty high success rate
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
reply to Krisnatharok
Lexis Nexis is real, of course. The so called was in reference to the spam. I just got another one.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
reply to leibold
said by leibold:

Maybe, but more likely it just appears as if they know a lot because they are using actual messages (either found in some victims email box or received because they themselves are Lexis Nexis customers) and use them as a template for their phishing.
This makes their message look pretty authentic at first glance.

Absolutely.
In 2012 one of the usual phished brands flagged an account for unusual activity that defied explanation.
A closer look at it showed the bad guy was doing weird things to purposefully generate not often seen warning/cautionary messages from the service provider.

They complied by sending completely unique messages to the account holder which as predicted started to show up in phishing emails.

The conclusion to this is a work in progress.

said by leibold:

I would not be surprised if they have a pretty high success rate

The next generation of Citadel will prove that out.
Sadly it will consist of many of the same machines as Citadel1


um

@verizon.net
reply to nm1
I think you're right and I think I've figured out who. Long story short - I got one of the emails and all I can say is this person sent it to the wrong IT analyst. Do you have contact info for a security officer in your company? This is an extremely elaborate hack job built to make sure it looks legit to the victims, and invisible to the real company. I'd like to come forward and present my findings.

You can send me contact info here:
M8R-63qda51@mailinator.com


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5
reply to jaykaykay
Since they are using the postal service for their scam.
»postalinspectors.uspis.gov/conta···int.aspx
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010


Tracie

@lexis-nexis.com
reply to Krisnatharok
On Friday, June 21, 2013, a large number of LexisNexis® customers and other organizations received fraudulent e-mails claiming to be from LexisNexis and containing what appear to be invoices. These e-mails and the invoices are not legitimate and originate from outside our systems. LexisNexis systems remain secure and unaffected. For more information on the incident go to »www.lexisnexis.com/media/press-r···10655006


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy

1 recommendation

Now, that is what I was looking for! Whoever was sending it did a really good job with the header info, and their coming forward with this message says it all. I wasn't fooled, but I was curious as to why nothing I tried in my arsenal came up totally with a red flag. Thank you for finally tracking this whole thing down. A big thumbs up for you!


linicx
Caveat Emptor
Premium
join:2002-12-03
United State
Reviews:
·TracFone Wireless
·CenturyLink
For what it's worth, LexisNexis® is a legal site for lawyers that has access to 97 billion public records. It can do in minutes what your lawyer would bill in hours. Best bet their client list and mail server are not one.

There is bunch of spammers at LinkedIn. It made me really angry when LinkedIn lied and assured me their members know me. The problem was and is the messages are coming from India and being delivered by LinkedIn which I pointed out before I blocked it.
--
Mac: No windows, No Gates, Apple inside


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
I knew that Lexis Nexis was a legit site and am fully aware what it does. I also knew that I wouldn't be getting a bill from them. I know Spam/Phishing when I see it, but this threw me as I couldn't find where it was coming from!


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105
reply to jaykaykay
There's only one class of Received: headers you can trust: ones from MTAs you know and trust, such as those from your Internet-facing MTA inwards. Anything else is pure speculation. At each additional hop, administrators could theoretically scan their logs for such a message being transferred by their MTA, and establish a true path. But that could require a lot of work not only on your part but on the part of each of those administrators. There is nothing in ESMTP which assures the integrity of the included header text. DKIM is one possibility, but it's not required, and since there is the potential for relaying through several more MTAs once it's signed by the sending MTA, Received: can't reasonably be included in the data which is signed.
--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.

Jeopardy! replies and randomcaps REALLY suck!
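As an added example that is not part of the thread and not any poster's code, the script below turns leibold's two clues and rchandra's trust-boundary rule into a mechanical check over the Received: chain jaykaykay posted. It walks the headers top-down (most recent hop first), treats a hop as trustworthy only while it is stamped "by" one of the recipient's own MTAs, stops at the first hop where that MTA accepted the message from an outside host (that host is the real origin), and treats every line below as the sender's claim. Each claimed hop then gets leibold's checks (private/loopback source IP, "unknown" reverse DNS), a HELO-vs-rDNS domain comparison, and a continuity check that the "by" host of one hop is the host the hop above says it received from. Assumptions, not from the page: the recipient's mail is hosted at Speakeasy, so TRUSTED_MTAS is the set of Speakeasy hosts visible in the headers; internal hops are recognised by a loopback/private IP or a HELO naming one of those MTAs; the header text is re-folded and the qmail local-delivery lines are omitted.

```python
import ipaddress
import re

# Received: chain copied from jaykaykay's post above, most recent hop first
# (qmail local-delivery lines omitted; "for ;" and "(envelope-sender )" are the
# poster's redactions; continuation lines re-indented as RFC 5322 folding).
RAW_HEADERS = """\
Received: (qmail 14090 invoked from network); 21 Jun 2013 17:49:01 -0000
Received: from mxperim8.sea5.speakeasy.net ([69.17.117.73]) (envelope-sender )
 by mail21.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 21 Jun 2013 17:49:01 -0000
Received: from localhost (localhost [127.0.0.1])
 by mxperim8.sea5.speakeasy.net (Postfix) with ESMTP id 75B61840D1 for ; Fri, 21 Jun 2013 10:49:00 -0700 (PDT)
Received: from mxperim8.sea5.speakeasy.net ([127.0.0.1]) by localhost (mxperim8.sea5.speakeasy.net [127.0.0.1])
 (amavisd-new, port 10024) with ESMTP id RYHAU49vrULv for ; Fri, 21 Jun 2013 10:47:59 -0700 (PDT)
Received: from bell.ca (MTRLPQ02-1176246896.sdsl.bell.ca [70.28.26.112])
 by mxperim8.sea5.speakeasy.net (Postfix) with ESMTP for ; Fri, 21 Jun 2013 10:47:59 -0700 (PDT)
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.119])
 by uscwygtw01.dnb.com with ESMTP; Fri, 21 Jun 2013 12:47:57 -0500
Received: from dbpliupap119.us.dnb.com ([158.151.64.119])
 by uslitintrl05.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 12:47:57 -0500
"""

# Assumption: the recipient's mailbox is at Speakeasy, so only hops stamped
# "by" these MTAs are trusted (rchandra's "Internet-facing MTA inwards").
TRUSTED_MTAS = {"mail21.sea5.speakeasy.net", "mxperim8.sea5.speakeasy.net", "localhost"}

def unfold(raw):
    """Join RFC 5322 folded continuation lines back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(value):
    """Extract helo/rdns/ip/by from one Received: value; None for local hops.
    Postfix writes 'from HELO (rDNS [ip])', qmail-style 'from rDNS (HELO x) ([ip])'."""
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    if not (m_from and m_by):
        return None
    from_part = value[m_from.end():m_by.start()]  # text between 'from X' and 'by'
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", from_part)
    if not m_ip:
        return None
    m_helo = re.search(r"\(HELO\s+([^)\s]+)\)", from_part)
    m_rdns = re.search(r"\(([^\s()]+)\s+\[", from_part)
    if m_helo:  # qmail form: the token after 'from' is the rDNS name
        helo, rdns = m_helo.group(1), m_from.group(1)
    else:       # Postfix form: the token after 'from' is the HELO name
        helo, rdns = m_from.group(1), (m_rdns.group(1) if m_rdns else None)
    return {"helo": helo, "rdns": rdns, "ip": m_ip.group(1), "by": m_by.group(1)}

def domain(name):
    return ".".join(name.lower().rstrip(".").split(".")[-2:])  # e.g. 'bell.ca'

def hop_flags(hop):
    """leibold's two clues (private IP, no rDNS) plus a HELO/rDNS consistency check."""
    flags = []
    ip = ipaddress.ip_address(hop["ip"])
    if ip.is_private or ip.is_loopback:
        flags.append("non-routable source IP %s" % hop["ip"])
    if hop["rdns"] == "unknown":
        flags.append("source IP has no reverse DNS")
    elif hop["rdns"] and domain(hop["helo"]) != domain(hop["rdns"]):
        flags.append("HELO %s does not match rDNS %s" % (hop["helo"], hop["rdns"]))
    return flags

def analyze(raw, trusted_mtas):
    """Top-down walk: find the trust boundary, the real origin, and what each hop below claims."""
    hops = [h for h in (parse_received(l[len("Received:"):])
                        for l in unfold(raw) if l.startswith("Received:")) if h]
    origin, n_trusted = None, 0
    for hop in hops:
        if hop["by"] not in trusted_mtas:
            break  # first hop not stamped by our own MTA: the rest is hearsay
        n_trusted += 1
        ip = ipaddress.ip_address(hop["ip"])
        if not (ip.is_loopback or ip.is_private) and hop["helo"] not in trusted_mtas:
            origin = hop  # our MTA took it from outside; every line below was written out there
            break
    untrusted = []
    for i in range(n_trusted, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        flags = hop_flags(cur)
        if i > 0 and cur["by"] not in (prev["helo"], prev["rdns"]):
            real = prev["rdns"] if prev["rdns"] not in (None, "unknown") else prev["helo"]
            flags.append("chain break: %s got the message from %s, not from %s"
                         % (prev["by"], real, cur["by"]))
        untrusted.append({**cur, "flags": flags})
    return {"origin": origin, "trusted_hops": n_trusted, "untrusted": untrusted}

if __name__ == "__main__":
    report = analyze(RAW_HEADERS, TRUSTED_MTAS)
    o = report["origin"] or {"ip": "?", "rdns": "?", "helo": "?"}
    print("trusted hops: %d; true origin: %s (%s, HELO %s)"
          % (report["trusted_hops"], o["ip"], o["rdns"], o["helo"]))
    for hop in report["untrusted"]:
        print("untrusted hop: from %s [%s] by %s" % (hop["helo"], hop["ip"], hop["by"]))
        for flag in hop["flags"]:
            print("  - " + flag)
```

Run against the posted headers it reports four trusted hops, the real origin as 70.28.26.112 (the sdsl.bell.ca host that actually connected to mxperim8), and both lines below the boundary as claims: the 10.69.142.119 hop is flagged for a private source address, no reverse DNS, and a chain break (mxperim8 took the message from the bell.ca host, not from uscwygtw01.dnb.com), and the bottom hop for saying it was handled "by uslitintrl05" when the hop above says the message came from uslitintrl01. Note that the internal-hop test keys partly on HELO, which the peer controls; in production compare the peer IP against your own MTA inventory instead.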