

Camelot One
Premium,MVM
join:2001-11-21
Greenwood, IN
kudos:1

[Phish] New phishing email imitating NewEgg

First time I have seen one imitating NewEgg. And they have done a pretty good job copying the real messages. My most recent legit payment charged email (7/11/13) doesn't have a LiveChat link, but otherwise looks the same.

Possibly worth noting, I received this message at ALL of my addresses registered with LogMeIn. All of which are non-existent addresses that dump into a catch-all account, are not used anywhere but LogMeIn, and the message has not been received on any addresses other than those registered with LogMeIn.

All of the links point to:
htt(p)://lettingagentsouthshields.co.uk/happenstance/index.html

said by Email Header :

Return-path:
Envelope-to: --address removed --
Delivery-date: Tue, 20 Aug 2013 11:32:02 -0500
Received: from mail.ccoc.us ([24.105.190.106]:29190)
    by gator3200.hostgator.com with esmtp (Exim 4.80)
    (envelope-from )
    id 1VBoqf-0007fR-Lc
    for --address removed --; Tue, 20 Aug 2013 11:32:02 -0500
Received: from [34.4.148.149] (account service@citibank.com HELO cgjufwd.jkqtl.ua)
    by mail.ccoc.us (CommuniGate Pro SMTP 5.2.3)
    with ESMTPA id 613706200 for --address removed --; Tue, 20 Aug 2013 11:32:00 -0500
From: "Newegg"
To: --address removed --
Cc: --address removed --
Subject: Newegg.com - Payment Charged
Date: Tue, 20 Aug 2013 11:32:00 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_gztjdw_71_15_97"
X-Mailer: rrzbxp_58
Content-Language: en
X-Spam-Status: No, score=2.2
X-Spam-Score: 22
X-Spam-Bar: ++
X-Spam-Flag: NO



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

There are a few interesting items in that.
Could you post it to the phishtracker?
»/phishtrack



Camelot One
Premium,MVM
join:2001-11-21
Greenwood, IN
kudos:1

Sorry, I didn't think about it until after cleaning the trash.



sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to Camelot One

Interesting. My logmein email hasn't gotten one.
--
Oh, Opera, what have you done?



EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8

1 edit
reply to Camelot One

34.4.148.149 looks like a fake entry. The IP block is registered to Halliburton.

24.105.190.106 looks like a system in ccoc.us (Catholic Charities of Onondaga County) has been compromised.

The code from the website leads to more interesting items, then to gordonpoint dot org and a nonexistent php script.

<html>
 
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
 
<script type="text/javascript" src="http://ftp.a1suretybonds.com/noisiest/elitist.js"></script>
<script type="text/javascript" src="http://gps-emirates.com/advancement/elysiums.js"></script>
<script type="text/javascript" src="http://68grill.com/srinagar/grasp.js"></script>
</html>
 
--
This post represents the official view of the voices in my head
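
The Received-chain reading done in the replies above, as an added example that is not part of any post in this thread: it parses the posted hops and separates the relay IP that the recipient's own server observed from the origin IP that only the upstream relay reported. The sample is reconstructed from the header posted above; the function names, the `own_mta` parameter and the placeholder addresses are assumptions.

```python
import re
from email import message_from_string

# Constructed sample: Received chain from this thread, folding restored, addresses replaced.
SAMPLE = """\
Received: from mail.ccoc.us ([24.105.190.106]:29190)
    by gator3200.hostgator.com with esmtp (Exim 4.80)
    id 1VBoqf-0007fR-Lc
    for rcpt@example.invalid; Tue, 20 Aug 2013 11:32:02 -0500
Received: from [34.4.148.149] (account service@citibank.com HELO cgjufwd.jkqtl.ua)
    by mail.ccoc.us (CommuniGate Pro SMTP 5.2.3)
    with ESMTPA id 613706200 for rcpt@example.invalid; Tue, 20 Aug 2013 11:32:00 -0500
"""

HOP = re.compile(r"from (?P<frm>\S+)(?: \((?P<note>[^)]*)\))? by (?P<by>\S+)")

def _find(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_hops(raw):
    """Return the Received hops, newest first, one dict per hop."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP.search(flat)
        if m:
            note = m["note"] or ""
            hops.append({
                "from": m["frm"], "by": m["by"],
                "ip": _find(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m["frm"] + " " + note),
                "account": _find(r"account (\S+)", note),
                "helo": _find(r"HELO (\S+)", note),
                "proto": (_find(r" with (\S+)", flat) or "").upper(),
            })
    return hops

def review(raw, own_mta):
    """Triage notes per hop; own_mta (assumed parameter) is the recipient's server."""
    notes = []
    for i, h in enumerate(parse_hops(raw)):
        seen = ("observed by own MTA" if i == 0 and h["by"] == own_mta
                else f"reported by {h['by']}, not independently verified")
        notes.append(f"{h['ip']}: {seen}")
        if h["proto"].endswith("A"):  # ESMTPA/ESMTPSA: sender authenticated (RFC 3848)
            notes.append(f"{h['by']}: relayed after login as {h['account'] or 'unknown'}")
        if h["helo"] and h["from"].startswith("["):
            notes.append(f"{h['ip']}: HELO {h['helo']}, no hostname recorded")
    return notes
```

Calling `review(SAMPLE, "gator3200.hostgator.com")` marks 24.105.190.106 as the only address the receiving server saw for itself and lists the login and HELO details that mail.ccoc.us recorded for the earlier hop.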