An example of a possible scam...

No explicit questions like "how do I hack xxx.com" please!
Post Reply
User avatar
Gogeta70
^_^
^_^
Posts: 3275
Joined: 25 Jun 2005, 16:00
18

An example of a possible scam...

Post by Gogeta70 »

Image

I received an email tonight that looked like that. I blurred out those credentials because i don't want people logging into 'my' account. As you can see in the picture, they made some gramatical errors(if you read), i circled some words that were messed up, and they gave an IP address. I did a WHOIS on the IP address to find that it was Verizon's IP...

Code: Select all

 70.16.202.134
Record Type: 	  	IP Address

OrgName:    Verizon Internet Services Inc. 
OrgID:      VRIS
Address:    1880 Campus Commons Dr
City:       Reston
StateProv:  VA
PostalCode: 20191
Country:    US

NetRange:   70.16.0.0 - 70.23.255.255 
CIDR:       70.16.0.0/13 
NetName:    VIS-70-16
NetHandle:  NET-70-16-0-0-1
Parent:     NET-70-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
Comment:    Please send all abuse reports to abuse@verizon.net.
Comment:    DO NOT send e-mail to DIA.ADMIN@verizon.com as it will not be answered.
RegDate:    2004-03-30
Updated:    2006-06-01

OrgAbuseHandle: VISAB-ARIN
OrgAbuseName:   VIS Abuse 
OrgAbusePhone:  +1-214-513-6711
OrgAbuseEmail:  abuse@verizon.net

OrgTechHandle: ZV20-ARIN
OrgTechName:   Verizon Internet Services 
OrgTechPhone:  +1-703-295-4583
OrgTechEmail:  IPMGMT@verizon.com
Another thing: I don't have a bank account. None of my parents bank accounts are registered under my email. I don't have a cell phone.

Second of all, i showed you some URL's in the picture. Those urls are subdomains, and they are hosted by 'ddns.nu' (bpa.nu)

I also noticed they try and get you to log in. No matter what.

Thirdly, I don't use 'Bankone,' i use First National Bank.

Taking all of this into account, i'm going to have to assume that this is an attempt of scamming me out of... something... i probably don't have...

Just be careful what you log into and who/what you give your information to.
¯\_(ツ)_/¯ It works on my machine...

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

scam alert!

Post by DNR »

A few more things

The email says it would direct you to a secure login so you could input your sensitive nfo. It does not take you to a https server.

Gotp the link they provide and read the web page script for login, then go to www.chase.com the real website and read their login script, it takes you to a secure server https, while the fake webpage justs posts your login and passwords to the same server bpa.nu

The fake webpage is the exact same web page source as the real site, the only difference is the login scheme.

Also the email says do not reply to that specific email, why? because it was spoofed and any reply will be lost. The true intention of this email is to get you to go to a http link and then give up personal nfo like debit card # and pin, maybe your mother's madien name.

Check out :
.nunames.nu

.nunames.nu/cgi-bin/drill.cfm?domainname=bpa.nu

Technical Information for bpa.nu
Status: Active
Incept date: 2000-05-20 16:09:00
Expiration date: 2007-05-20 16:09:00
renew
Technical Contact for bpa.nu
Alan Yates
alany@ay.com.au
AY Communications
PO Box 103
Harbord 2096 AU
Voice: +61 2 9905 2883
Fax: +61 2 9938 5952

Who ever has admin rights to the bpa.nu account will be able to view the stolen logins and passwords. You might contact via email abuse@chase.com.

DNR
Last edited by DNR on 21 Aug 2006, 08:30, edited 1 time in total.
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
Nerdz
The Architect
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
18
Location: #db_error in: select usr.location from sucko_member where usr.id=63;
Contact:

Post by Nerdz »

What are the header of that email? :)
Give a man a fish, you feed him for one day.
Learn a man to fish, you feed him for life.

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

no email

Post by DNR »

The email addy is likely spoofed or one-time use, to spam.

BTW you got no bank account? man, you a broke motherfucker :lol:

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
18
Location: In your eye floaters.
Contact:

Post by bad_brain »

I receive such annoying emails too a lot, fake "Paypal warnings", or fake emails from banks I've never heard of (but hey, they say I have an account, maybe I have a lot of money and don't even know it :lol: )....and OF COURSE they say I have to login with my name/pass, else evil things will happen (bank account closed, paypal account hacked, etc...).
it's people like that who give hackers a bad name, just look in the media, for them a hacker is somebody who tries to steal money from users. too bad they don't understand that such people are not hackers, they are nothing but shabby criminals...the online-equivalent of people who would steal your grannies purse on the trainstation, they're the scum of the internet and play in the same league as childporn publishers.
hmmm....would be interesting to "login" with fake data while running a network sniffer to see where the data is send to: mailbombing can still be fun... :lol:

User avatar
Gogeta70
^_^
^_^
Posts: 3275
Joined: 25 Jun 2005, 16:00
18

Post by Gogeta70 »

To: gogeta@hackermail.com
Cc:
Subject: Chase Bank Security Department Alert
Date: Sun, 20 Aug 2006 21:40:48 -0700
Return-Path: <webmastr@web1.mpamedia.com>
Delivered-To: gogeta@hackermail.com
Received: (qmail 17924 invoked by uid 0); 21 Aug 2006 04:41:00 -0000
X-Ob-Received: from unknown (192.168.9.179) by mta45-2.us4.outblaze.com; 21 Aug 2006 04:41:00 -0000
Received: from web1.mpamedia.com (66-28.254-125.ottenhoff.net [66.28.254.125]) by spf4-1.us4.outblaze.com (Postfix) with ESMTP id AA5D36EF1D for <gogeta@hackermail.com>; Mon, 21 Aug 2006 04:48:33 +0000 (GMT)
Received: from webmastr by web1.mpamedia.com with local (Exim 4.30) id 1GF1ai-0002UA-F1 for gogeta@hackermail.com; Sun, 20 Aug 2006 21:40:48 -0700
Content-Type: text/html
X-Mailer:
Message-Id: <E1GF1ai-0002UA-F1@web1.mpamedia.com>
¯\_(ツ)_/¯ It works on my machine...

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
18
Location: Michigan USA
Contact:

repost, ip scan

Post by DNR »

192.168.9.179 remember that 192.168.x.x are those wifi privately assigned (and dynamically issued) - pretty much untrace able until you get the previous hop : 66.28.254.125(66-28.254-125.ottenhoff.net)

Trying 66.28.254 at ARIN

OrgName: Cogent Communications
OrgID: COGC
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US

66.28.254.125(66-28.254-125.ottenhoff.net) now the previous hop before the offending IP is important. Check out ottenhoff.net, it is a so called computer security company. It probably leased the IP range from Cogent communications,

Registrant:
Ottenhoff, Robb
Ottenhoff Consulting
11554 Stoney Brook Ct.
Beaumont, CA 92223-8029
US

Domain Name: OTTENHOFF.NET its dns servers are cogent's.



66.28.254.125 is down or heavily firewalled at this time, the last hop that is live is 66.28.67.166 and I get no response from scans.

regardless, it is the bpa.nu site that is hosting the fake bank webpage, and it is likely that someone with admin rights to that server spoofed off of ottenhoff.net's wifi AP. The cracker could be local to beaumont CA, and just has a web host in AU.

Sam Spade Email Parser:
08/23/06 10:35:50 Input
The Received: headers are the important ones to read

My comments are just hints, and should be considered only
an opinion. I may have guessed wrong, or things may have
changed since I was written

To: gogeta@hackermail.com
Cc:
Subject: Chase Bank Security Department Alert
Date: Sun, 20 Aug 2006 21:40:48 -0700
Return-Path: <webmastr@web1.mpamedia.com>
Delivered-To: gogeta@hackermail.com
Received: (qmail 17924 invoked by uid 0); 21 Aug 2006
04:41:00 -0000
This received header was added by your mailserver
Just a qmail status line

X-Ob-Received: from unknown (192.168.9.179) by
mta45-2.us4.outblaze.com; 21 Aug 2006 04:41:00 -0000
Received: from web1.mpamedia.com
(66-28.254-125.ottenhoff.net [66.28.254.125]) by
spf4-1.us4.outblaze.com (Postfix) with ESMTP id AA5D36EF1D
for <gogeta@hackermail.com>; Mon, 21 Aug 2006 04:48:33
+0000 (GMT)
spf4-1.us4.outblaze.com received this from someone claiming
to be web1.mpamedia.com
but really from 66.28.254.125(66-28.254-125.ottenhoff.net)
All headers below may be forged


Received: from webmastr by web1.mpamedia.com with local
(Exim 4.30) id 1GF1ai-0002UA-F1 for gogeta@hackermail.com;
Sun, 20 Aug 2006 21:40:48 -0700
web1.mpamedia.com received this from someone claiming
to be webmastr
(web1.mpamedia.com doesn't record the senders IP
address in any way I recognise, so it's impossible to be
sure. All received headers after this one should be
treated with suspicion)

I posted this yesterday, deleted it today. I am not feeling well :?:

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

User avatar
gnifyus
Newbie
Newbie
Posts: 1
Joined: 24 Sep 2006, 16:00
17

Post by gnifyus »

I sometimes for a hoot, log in to these phishing emails and put in completely fake information. It obviously doesn't matter what login and password you use, it always takes it. Imagine the dissapointment.... :cry:

Post Reply