jaykaykay (MVM, joined 2000-04-13, USA):

I know what it says it is...

But I know what it isn't... a real bill for us.
--------------------------------------------
There was an invoice issued to your company: xxxxx.com

Please double click the PDF attachment to open or print your invoice. To view full invoice details or for any Online Account Management options, download PDF attachment.

Account Number 157BPN
Invoice Number 254423255525
Invoice Date June 21, 2013
Invoice Amount $3.072.00
Account Balance $0.00

You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement. If you do not have Adobe Acrobat, please find a link to a free downloadable file at the end of this e-mail.

You can also print this e-mail and send your payment to:

LexisNexis
PO BOX 7247-7090
Philadelphia, PA 19170-7090

If you have questions about your invoice, please contact LexisNexis at 1-800-262-2391, option 3.

If you would like to contact your Account Manager, please contact LexisNexis at 1-800-262-2391, option 2.

Please add this domain @email.lexisnexismail.com to your safe senders list.

Adobe Acrobat free downloadable file available at :
»www.adobe.com/products/a ··· ep2.html

LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. PowerInvoice is a trademark of LexisNexis, a division of Reed Elsevier Inc.

Privacy & Security Copyright 2013 LexisNexis, a division of Reed Elsevier Inc.
All rights reserved.

-----------------------------------------
No, I have not called the number to check it out nor have I opened the attachment, supposedly a .pdf file of our invoice. I have checked out all the info I can find with it from many sources, and darned if it doesn't come up as being a legal, Lexis Nexis address every which way I look.

I know for a fact that we owe nothing to this company. What I don't know is if it's Spam, phishing, or what? I've known how to read headers for ages, but this one has me totally stymied. The header info, with pertinent .com address removed, follows. Can anyone give me some insight at what this is?
---------------------------------------------------
Received: (qmail 13738 invoked by alias); 21 Jun 2013 17:49:01 -0000
Delivered-To: harvey@hmklein.com
Received: (qmail 14090 invoked from network); 21 Jun 2013 17:49:01 -0000
Received: by simscan 1.4.0 ppid: 26925, pid: 31978, t: 0.0301s
    scanners:none
Received: from mxperim8.sea5.speakeasy.net ([69.17.117.73])
    (envelope-sender )
    by mail21.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP
    for ; 21 Jun 2013 17:49:01 -0000
Received: from localhost (localhost [127.0.0.1])
    by mxperim8.sea5.speakeasy.net (Postfix) with ESMTP id 75B61840D1
    for ; Fri, 21 Jun 2013 10:49:00 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at mxperim8.sea5.speakeasy.net
Received: from mxperim8.sea5.speakeasy.net ([127.0.0.1])
    by localhost (mxperim8.sea5.speakeasy.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id RYHAU49vrULv for ;
    Fri, 21 Jun 2013 10:47:59 -0700 (PDT)
Received: from bell.ca (MTRLPQ02-1176246896.sdsl.bell.ca [70.28.26.112])
    by mxperim8.sea5.speakeasy.net (Postfix) with ESMTP
    for ; Fri, 21 Jun 2013 10:47:59 -0700 (PDT)
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.119])
    by uscwygtw01.dnb.com with ESMTP; Fri, 21 Jun 2013 12:47:57 -0500
Received: from dbpliupap119.us.dnb.com ([158.151.64.119])
    by uslitintrl05.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 12:47:57 -0500
Date: Fri, 21 Jun 2013 12:47:57 -0500
From: "LexisNexis"
To:
Message-ID:
Subject: Invoice Notification for June 2013
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_Part_3600_182211989.1474803957214"
X-Nonspam: None
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail21.sea5
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=2.0 tests=BAYES_50,HTML_80_90,
    HTML_MESSAGE,HTML_TAG_EXIST_TBODY,URI_REDIRECTOR autolearn=disabled
    version=3.0.4

Krisnatharok (Premium Member, joined 2009-02-11, Earth Orbit):

Call and ask?

»www.lexisnexis.com/en-us ··· -us.page

DasGoat (Member, joined 2013-02-12, Charleston, WV), replying to jaykaykay:

You aren't Harvey Klein I take it?

beck (MVM, joined 2002-01-29, On The Road), replying to jaykaykay:

Geez, I've gotten 50 of these today. So my vote is it's crap. I never open any kind of crap. If someone wants to send me a bill, I had better know I have it coming. lol

DasGoat (Member, joined 2013-02-12, Charleston, WV), replying to jaykaykay:

Have you scanned the PDF on virustotal.com yet?

jaykaykay (MVM, joined 2000-04-13, USA):

No and no to both questions. As to doing anything with it, I have deleted it, but after looking up the info about it on all my sources to try to track it back, and finding nothing suspicious, I posted here. Most of these things come up as Spamming addresses. This one does not. Anyone know what goes or have others received similar "junk" from so called Lexis Nexis?

DasGoat (Member, joined 2013-02-12, Charleston, WV), replying to jaykaykay:

They are a real business, no clue what's going on at their end with email being sent from them.

Krisnatharok (Premium Member, joined 2009-02-11, Earth Orbit), replying to jaykaykay:

said by jaykaykay:

from so called Lexis Nexis?

So called? lol

That's like saying "so called General Electric." I assure you they are a very real, and successful, information management/public records business.

leibold (MVM, joined 2002-07-09, Sunnyvale, CA), replying to DasGoat:

said by DasGoat:

They are a real business, no clue what's going on at their end with email being sent from them.

That clearly did not come from lexisnexis.com:

Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.119])

Clues:
1.) IP address of sender does not resolve to a name (MTA shows "unknown")
2.) Private IP address block 10/8

It looks like the sender did try to disguise the origin/routing with some extra Received: headers. The "uslitintrl01.us.lexisnexis.com" is provided by the email (spam) client in the HELO message of the SMTP protocol and cannot be trusted.

workablob (Member, joined 2004-06-09, Houston, TX), replying to jaykaykay:

said by jaykaykay:

But I know what it isn't...a real bill for us.
--------------------------------------------
There was an invoice issued to your company: xxxxx.com

I am getting slammed with these.

I configured ORF on my mail server to replace zip files with a text file.

I block lexisnexis and @wellsfargo.com or whatever they come up with.

They keep trying.

LOL

Blob

Snowy (Premium Member, joined 2003-04-05, Kailua, HI), replying to leibold:

said by leibold:

It looks like the sender did try to disguise the origin/routing with some extra Received: headers. The "uslitintrl01.us.lexisnexis.com" is provided by the email (spam) client in the HELO message of the SMTP protocol and cannot be trusted.

Yes, it's now to the point where the names usually dropped (PayPal, eBay etc...) just don't fool as well as they previously did, so dropping a new name such as lexisnexis.com doesn't raise the red flag quite as high.

jaykaykay, if the same email/attachment arrived as coming from PayPal you would have immediately recognized it for what it was: a run of the mill attempt at installing malcode via an infected PDF.

nm1 (Anon, @hispeed.ch), replying to jaykaykay:

Hi

Funny thing. I work for LexisNexis and I received this spam too, but to my private mail address, and I know for sure that it is not from our company for several reasons, even if the sender must know the structure of the company quite well. I did not open the zip file attached. PowerInvoice is not a payment tool but an invoicing tool. Also, client numbers are not correct...

Deleted with good reason!

leibold (MVM, joined 2002-07-09, Sunnyvale, CA):

said by nm1:

I know for sure that it is not from our company for several reasons, even if the sender must know the structure of the company quite well.

Maybe, but more likely it just appears as if they know a lot because they are using actual messages (either found in some victim's email box or received because they themselves are Lexis Nexis customers) and use them as a template for their phishing.
This makes their message look pretty authentic at first glance.

I would not be surprised if they have a pretty high success rate.

jaykaykay (MVM, joined 2000-04-13, USA), replying to Krisnatharok:

Lexis Nexis is real, of course. The so called was in reference to the spam. I just got another one.

Snowy (Premium Member, joined 2003-04-05, Kailua, HI), replying to leibold:

said by leibold:

Maybe, but more likely it just appears as if they know a lot because they are using actual messages (either found in some victim's email box or received because they themselves are Lexis Nexis customers) and use them as a template for their phishing.
This makes their message look pretty authentic at first glance.

Absolutely.
In 2012, one of the usual phished brands flagged an account for unusual activity that defied explanation.
A closer look at it showed the bad guy was doing weird things to purposefully generate not often seen warning/cautionary messages from the service provider.

They complied by sending completely unique messages to the account holder which as predicted started to show up in phishing emails.

The conclusion to this is a work in progress.
said by leibold:

I would not be surprised if they have a pretty high success rate

The next generation of Citadel will prove that out.
Sadly it will consist of many of the same machines as Citadel1.

um (Anon, @verizon.net), replying to nm1:

I think you're right and I think I've figured out who. Long story short: I got one of the emails and all I can say is this person sent it to the wrong IT analyst. Do you have contact info for a security officer in your company? This is an extremely elaborate hack job built to make sure it looks legit to the victims, and invisible to the real company. I'd like to come forward and present my findings.

You can send me contact info here:
M8R-63qda51@mailinator.com

TheJoker (MVM, joined 2001-04-26, Charlottesville, VA), replying to jaykaykay:

Since they are using the postal service for their scam:
»postalinspectors.uspis.g ··· int.aspx

Tracie (Anon, @lexis-nexis.com), replying to Krisnatharok:

On Friday, June 21, 2013, a large number of LexisNexis® customers and other organizations received fraudulent e-mails claiming to be from LexisNexis and containing what appear to be invoices. These e-mails and the invoices are not legitimate and originate from outside our systems. LexisNexis systems remain secure and unaffected. For more information on the incident go to »www.lexisnexis.com/media ··· 10655006

jaykaykay (MVM, joined 2000-04-13, USA):

Now, that is what I was looking for! Whoever was sending it did a really good job with the header info, and their coming forward with this message says it all. I wasn't fooled, but I was curious as to why nothing I tried in my arsenal came up totally with a red flag. Thank you for finally tracking this whole thing down. A big thumbs up for you!

linicx (Premium Member, joined 2002-12-03, United States):

For what it's worth, LexisNexis® is a legal site for lawyers that has access to 97 billion public records. It can do in minutes what your lawyer would bill in hours. Best bet their client list and mail server are not one.

There is bunch of spammers at LinkedIn. It made me really angry when LinkedIn lied and assured me their members know me. The problem was and is the messages are coming from India and being delivered by LinkedIn which I pointed out before I blocked it.

jaykaykay (MVM, joined 2000-04-13, USA):

I knew that Lexis Nexis was a legit site and am fully aware what it does. I also knew that I wouldn't be getting a bill from them. I know Spam/Phishing when I see it, but this threw me as I couldn't find where it was coming from!

rchandra (Premium Member, joined 2000-11-09, 14225-2105), replying to jaykaykay:

There's only one class of Received: headers you can trust: ones from MTAs you know and trust, such as those from your Internet-facing MTA inwards. Anything else is pure speculation. At each additional hop, administrators could theoretically scan their logs for such a message being transferred by their MTA, and establish a true path. But that could require a lot of work not only on your part but on the part of each of those administrators. There is nothing in ESMTP which assures the integrity of the included header text. DKIM is one possibility, but it's not required, and since there is the potential for relaying through several more MTAs once it's signed by the sending MTA, Received: can't reasonably be included in the data which is signed.
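The rule leibold and rchandra state above (only the Received: lines your own MTAs wrote are evidence; the HELO name and everything below the first external hop are sender-supplied text), carried out on the headers jaykaykay posted, as an added example that is not part of the thread. It walks the chain from the recipient's MTA inwards, stops at the first host that MTA accepted the message from, and flags the clues leibold listed in the lines below that point. Two assumptions are mine and not the thread's: that the recipient's provider hosts are *.speakeasy.net, and that 69.17.117.73 (mxperim8, as it appears in the headers) is one of them.

```python
"""Walk a Received: chain from the recipient's own MTAs inwards.

Only lines written by MTAs you control are evidence. The first external host
one of them accepted the message from is the true origin; every line below
that point, and every HELO name, is text the sender could have typed.
"""
import ipaddress
import re
from email import message_from_string

OUR_SUFFIX = ".speakeasy.net"     # assumption: the recipient's mail provider
OUR_MTA_IPS = {"69.17.117.73"}    # assumption: its perimeter MX, from the headers

# Received: lines as posted in the thread (poster's redactions kept as blanks),
# with the folding whitespace restored so a header parser accepts them.
POSTED_HEADERS = """\
Received: (qmail 13738 invoked by alias); 21 Jun 2013 17:49:01 -0000
Received: (qmail 14090 invoked from network); 21 Jun 2013 17:49:01 -0000
Received: by simscan 1.4.0 ppid: 26925, pid: 31978, t: 0.0301s
 scanners:none
Received: from mxperim8.sea5.speakeasy.net ([69.17.117.73])
 (envelope-sender )
 by mail21.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP
 for ; 21 Jun 2013 17:49:01 -0000
Received: from localhost (localhost [127.0.0.1])
 by mxperim8.sea5.speakeasy.net (Postfix) with ESMTP id 75B61840D1
 for ; Fri, 21 Jun 2013 10:49:00 -0700 (PDT)
Received: from mxperim8.sea5.speakeasy.net ([127.0.0.1])
 by localhost (mxperim8.sea5.speakeasy.net [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id RYHAU49vrULv for ;
 Fri, 21 Jun 2013 10:47:59 -0700 (PDT)
Received: from bell.ca (MTRLPQ02-1176246896.sdsl.bell.ca [70.28.26.112])
 by mxperim8.sea5.speakeasy.net (Postfix) with ESMTP
 for ; Fri, 21 Jun 2013 10:47:59 -0700 (PDT)
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.119])
 by uscwygtw01.dnb.com with ESMTP; Fri, 21 Jun 2013 12:47:57 -0500
Received: from dbpliupap119.us.dnb.com ([158.151.64.119])
 by uslitintrl05.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 12:47:57 -0500
Subject: Invoice Notification for June 2013

"""

HOP_RE = re.compile(
    r"\bfrom\s+(?P<first>\S+)"                  # rDNS name (IronPort) or HELO name (Postfix/qmail)
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"     # IronPort style: explicit HELO
    r".*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"   # the peer address the MTA actually saw
    r".*?\bby\s+(?P<by>\S+)",                   # the MTA that claims to have written the line
    re.S,
)

def parse_hop(value):
    """Return a dict for a network hop, or None for local bookkeeping lines
    (qmail 'invoked by alias', simscan, ...) that name no peer address."""
    m = HOP_RE.search(value)
    if not m:
        return None
    ip = m["ip"]
    if m["helo"]:                      # "from <rdns> (HELO <name>) ([ip])"
        helo, rdns = m["helo"], m["first"]
    else:                              # "from <helo> (<rdns> [ip])" or "from <helo> ([ip])"
        helo = m["first"]
        r = re.search(r"\(([\w.-]+)\s+\[" + re.escape(ip) + r"\]", value[: m.start("by")])
        rdns = r.group(1) if r else None
    return {"helo": helo, "rdns": rdns, "ip": ip, "by": m["by"], "trusted": None, "flags": []}

def domain(name):
    """Registrable-ish domain: last two labels (good enough for this comparison)."""
    return ".".join(name.lower().split(".")[-2:]) if name else None

def is_ours(hop):
    """True if the source of this hop is one of our own machines, so the line
    below it was also written by us and can be trusted."""
    return (ipaddress.ip_address(hop["ip"]).is_loopback
            or hop["ip"] in OUR_MTA_IPS
            or (hop["rdns"] or "").endswith(OUR_SUFFIX))

def analyze(raw):
    """Return (hops, origin), hops ordered latest (top) to earliest (bottom).
    `origin` is the hop in which one of our MTAs took the message from a host
    that is not ours: the only source the receiving side can vouch for."""
    hops = [h for h in map(parse_hop, message_from_string(raw).get_all("Received", [])) if h]
    origin = None
    for hop in hops:
        if origin is None:                       # still inside our own infrastructure
            hop["trusted"] = True
            if not is_ours(hop):
                origin = hop
                if domain(hop["helo"]) != domain(hop["rdns"]):
                    hop["flags"].append(f"HELO {hop['helo']} does not match reverse DNS {hop['rdns']}")
            continue
        hop["trusted"] = False                   # below the boundary: sender-supplied text
        if ipaddress.ip_address(hop["ip"]).is_private:
            hop["flags"].append(f"private address {hop['ip']} claimed for an Internet hop")
        if hop["rdns"] in (None, "unknown"):
            hop["flags"].append(f"no reverse name recorded for {hop['ip']}")
    below = [h for h in hops if h["trusted"] is False]
    if origin and below and domain(below[0]["by"]) != domain(origin["rdns"]):
        # The line right under the boundary should have been written by the host
        # that handed us the message; a different name means the chain was forged.
        below[0]["flags"].append(f"claims to be written by {below[0]['by']}, "
                                 f"but our MTA received the message from {origin['rdns']}")
    return hops, origin

if __name__ == "__main__":
    hops, origin = analyze(POSTED_HEADERS)
    for h in hops:
        tag = "TRUSTED  " if h["trusted"] else "UNTRUSTED"
        print(f"{tag} from {h['ip']:<15} helo={h['helo']} rdns={h['rdns']} by={h['by']}")
        for f in h["flags"]:
            print("           !", f)
    print("real origin:", origin["ip"], origin["rdns"])
```

The walk ends at the bell.ca SDSL address 70.28.26.112, which is the only origin mxperim8 can vouch for; the two lexisnexis.com/dnb.com lines under it are flagged for the private 10/8 address, the missing reverse name, and for claiming a writer (uscwygtw01.dnb.com) that is not the host that actually handed the message to the provider's MX. The HELO name is never used to decide trust, only compared against the reverse name the trusted MTA recorded.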