 Camelot One Premium,MVM join:2001-11-21 Greenwood, IN kudos:1 | [Phish] New phishing email imitating NewEgg
First time I have seen one imitating NewEgg. And they have done a pretty good job copying the real messages. My most recent legit payment charged email (7/11/13) doesn't have a LiveChat link, but otherwise looks the same.
Possibly worth noting, I received this message at ALL of my addresses registered with LogMeIn. All of which are non-existent addresses that dump into a catch-all account, are not used anywhere but LogMeIn, and the message has not been received on any addresses other than those registered with LogMeIn.
All of the links point to: htt(p)://lettingagentsouthshields.co.uk/happenstance/index.html
said by Email Header:
Return-path:
Envelope-to: --address removed --
Delivery-date: Tue, 20 Aug 2013 11:32:02 -0500
Received: from mail.ccoc.us ([24.105.190.106]:29190) by gator3200.hostgator.com with esmtp (Exim 4.80) (envelope-from ) id 1VBoqf-0007fR-Lc for --address removed --; Tue, 20 Aug 2013 11:32:02 -0500
Received: from [34.4.148.149] (account service@citibank.com HELO cgjufwd.jkqtl.ua) by mail.ccoc.us (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 613706200 for --address removed --; Tue, 20 Aug 2013 11:32:00 -0500
From: "Newegg"
To: --address removed --
Cc: --address removed --
Subject: Newegg.com - Payment Charged
Date: Tue, 20 Aug 2013 11:32:00 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_gztjdw_71_15_97"
X-Mailer: rrzbxp_58
Content-Language: en
X-Spam-Status: No, score=2.2
X-Spam-Score: 22
X-Spam-Bar: ++
X-Spam-Flag: NO |
|
 Snowy Premium join:2003-04-05 Kailua, HI kudos:6 | There's a few interesting items in that. Could you post it to the phishtracker? »/phishtrack |
|
 Camelot One Premium,MVM join:2001-11-21 Greenwood, IN kudos:1 | Sorry, I didn't think about it until after cleaning the trash. |
|
 sivran Opera ex-pat Premium join:2003-09-15 Irving, TX kudos:1 | reply to Camelot One
Interesting. My logmein email hasn't gotten one.
-- Oh, Opera, what have you done? |
|
 EGeezer Go Cats Premium join:2002-08-04 Midwest kudos:8 1 edit | reply to Camelot One
34.4.148.149 looks like a fake entry. The IP block is registered to Halliburton.
24.105.190.106 looks like a system in ccoc.us (Catholic Charities of Onondaga County) has been compromised.
The code from the website leads to more interesting items, then to gordonpoint dot org and a nonexistent php script.
<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
<script type="text/javascript" src="http://ftp.a1suretybonds.com/noisiest/elitist.js"></script>
<script type="text/javascript" src="http://gps-emirates.com/advancement/elysiums.js"></script>
<script type="text/javascript" src="http://68grill.com/srinagar/grasp.js"></script>
</html>
-- This post represents the official view of the voices in my head
|
|
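The Received chain discussed in this thread can be split mechanically into what the receiving server recorded itself and what upstream servers claimed. The following is an added example, not part of any post in the thread; it assumes gator3200.hostgator.com is the recipient's own mail server (it wrote the topmost Received line), and the function name `analyze` and its field names are hypothetical.

```python
import re

# The two Received lines from the header posted in this thread, newest first.
RECEIVED = [
    "from mail.ccoc.us ([24.105.190.106]:29190) by gator3200.hostgator.com "
    "with esmtp (Exim 4.80) (envelope-from ) id 1VBoqf-0007fR-Lc "
    "for --address removed --; Tue, 20 Aug 2013 11:32:02 -0500",
    "from [34.4.148.149] (account service@citibank.com HELO cgjufwd.jkqtl.ua) "
    "by mail.ccoc.us (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 613706200 "
    "for --address removed --; Tue, 20 Aug 2013 11:32:00 -0500",
]

HOP = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+).*?\swith\s+(?P<proto>\S+)", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# "(account <login> HELO <name>)" as it appears in the posted header.
AUTH = re.compile(r"\(account\s+(?P<acct>\S+)\s+HELO\s+(?P<helo>[^\s)]+)\)")


def analyze(received, own_mta, from_display):
    """Separate what our own MTA recorded from what upstream servers claimed."""
    result = {"verified_ip": None, "unverified_ips": [], "auth": [], "brand_mismatch": False}
    for line in received:
        hop = HOP.search(line)
        if not hop:
            continue  # unparseable hop: skip rather than guess
        ip = IPV4.search(hop["frm"])
        if hop["by"].lower() == own_mta.lower():
            # Written by the receiving server itself: the connecting IP is reliable.
            result["verified_ip"] = ip.group(1) if ip else None
        elif ip:
            # Written by another server; it is only as trustworthy as that server.
            result["unverified_ips"].append(ip.group(1))
        auth = AUTH.search(hop["frm"])
        if auth:
            # ESMTPA (RFC 3848) means the client logged in with SMTP AUTH.
            result["auth"].append((auth["acct"], auth["helo"], hop["proto"]))
            domain = auth["acct"].rsplit("@", 1)[-1].lower()
            if from_display.lower() not in domain:
                result["brand_mismatch"] = True  # login domain is not the claimed brand
    return result


if __name__ == "__main__":
    print(analyze(RECEIVED, "gator3200.hostgator.com", "Newegg"))
```
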