Jump to content
Sign in to follow this  
Seeker

New Spamcop Phishing

Recommended Posts

Just got the new Phishing expedition trying to hit spamcop.net users:

Subject: line is: FINAL ACCOUNT UPDATE!!!

Thank you for the information. It would have been better to simply report it and post the TrackingURL here,

Share this post


Link to post
Share on other sites
Thank you for the information. It would have been better to simply report it and post the TrackingURL here,

How do you report it?

What is a "tracking URL"?

so ....

www.spamcop.net

click on "Report spam"

copy email address

forward Pfishing email.

Is that right?

Nope. Doesn't work. bounces back. go figure.

Still don't know how to report Pfishing. Can anyone help?

Share this post


Link to post
Share on other sites
What is a "tracking URL"?
See Tracking URL

Is "report spam" the same as "report Pfishing"?

Nope. Doesn't work. bounces back. go figure.

Still don't know how to report Pfishing. Can anyone help?

There's no distinction between "spam" and "phishing mail" as far as reporting through SpamCop is concerned. Whatever you do to submit one can be used to submit the other. If you are trying to submit the message by e-mail forwarding, make sure you add the message as an attachment, see http://www.spamcop.net/fom-serve/cache/166.html.

-- rick

(on edit: corrected public link to FAQ)

Edited by rconner

Share this post


Link to post
Share on other sites

Yes, a report would be a good thing but an alert that a further phishing expedition is in progress is no bad thing in this forum. Perhaps this new thread should merge with the existing longer-term thread with almost the same subject line ;)

Andrew

Share this post


Link to post
Share on other sites
...Perhaps this new thread should merge with the existing longer-term thread with almost the same subject line ;)
Good idea, done.

Share this post


Link to post
Share on other sites
See Tracking URL

There's no distinction between "spam" and "phishing mail" as far as reporting through SpamCop is concerned. Whatever you do to submit one can be used to submit the other. If you are trying to submit the message by e-mail forwarding, make sure you add the message as an attachment, see http://mailsc.spamcop.net/fom-serve/cache/166.html.

It should be possible to just FORWARD the Pfishing email directly to the *personal reporting address* I receive from *Report spam*, using my webmail spamcop email.

I would prefer that to going into webmail, doing a "save as" on the offending email just so I can have an attachment to send along. Too burdensome, cumbersome and not intuitive.

Share this post


Link to post
Share on other sites
It should be possible to just FORWARD the Pfishing email directly to the *personal reporting address* I receive from *Report spam*, using my webmail spamcop email.
Yes, it is, the link I gave above tells you how. I gave you a bad link that might not work (if you don't have a SpamCop username/password), here is the correct one: http://www.spamcop.net/fom-serve/cache/166.html.

Unfortunately, you can't just hit "forward" on the message as it sits in your inbox, as this causes the original headers to be lost, making the submission useless. You have to find a way to attach the spam (intact, with original headers & body) as an attachment to a message that you send to your reporting address. There are a number of ways to do this, depending upon your mail program.

-- rick

p.s., thanks for reporting the phish attempt, always good to get a warning of these things.

Share this post


Link to post
Share on other sites

I thought about making an announcement - the way that was done last time. But since I don't have an email account, I kind of hate to announce something that is hearsay - to me. The example in the ng wasn't the same as here.

Miss Betsy

Share this post


Link to post
Share on other sites

I'm tickling this thread once again... A new phishing run seems to be underway today - I've received a number of requests for username and password.

As ever, please do not respond and consider reporting in the normal way.

Andrew

Share this post


Link to post
Share on other sites

I received this today.

Return-Path: <nobody[at]dept.woosuk.ac.kr>

Received: from unknown (192.168.1.88)

Received: from unknown (HELO dept.woosuk.ac.kr) (210.93.6.8)

Received: from dept.woosuk.ac.kr (localhost [127.0.0.1])

Message-Id: <200909300945.n8U9jsIw020195[at]dept.woosuk.ac.kr>

From: "SpamCop.net" <webservices[at]gala.net>

Attention E-mail Account Holder,

SpamCop.net User. All mailhub systems will undergo regularly scheduled maintenance, and access to your mailbox via our mail portal will be unavailable for some time during this maintenance period.

We shall be carrying out service maintenance/upgrade on our database and e-mail account center for better online services. We are also deleting all unused e-mail accounts to create more space for new accounts.

In order to ensure you do not experience service interruptions or possible deactivation of your e-mail account, Please you must reply to this mail immediately confirming your e-mail account details below for confirmation and identification.

_____________________________________

1. First Name & Last:

2. Full Login Email:

3. Username:

4 Password:

5. Current Password:

_____________________________________

Failure to do this may automatically render your e-mail account deactivated from our e-mail database/mail server. To enable us upgrade your e-mail account, please do reply to this mail.

SpamCop Information Technology services.

Share this post


Link to post
Share on other sites

Hi guys. I'm not sure where to post this and how to report this properly. There seems to be a phishing attempt directed at spamcop mail users. I received the following message this morning. And since it asked me to give my user and password in a reply mail, it caused all my alarms to go off. Of course I have the full mail and headers (and it doesn't originate from inside the cesmail domain). What should I do about it?

- - -

From: helpdesk[at]spamcop.net

Subject: Dear mail.spamcop.net Email Account User,

Date: 23:33:00 GMT+02:00 14 פברו×ר 2010

Reply-To: technsupport[at]mcom.com

Dear mail.spamcop.net Email Account User,

We wrote to you on 14th February 2010 advising that you change the password on

your account in order to prevent any unauthorized account access following

the network instruction we previously communicated.

all Mailhub systems will undergo regularly scheduled maintenance. Access

to your e-mail via the Webmail client will be unavailable for some time

during this maintenance period. We are currently upgrading our data base

and e-mail account center i.e. homepage view. We shall be deleting old

[https://mail.spamcop.net/l accounts which are no longer active to create

more space for new accounts users. we have also investigated a system wide

security audit to improve and enhance

our current security.

In order to continue using our services you are require to update and

re-confirmed your email account details as requested below. To complete

your account re-confirmation, you must reply to this email immediately and

enter your account

details as requested below.

Username :

Password :

Date of Birth:

Future Password :

Failure to do this will immediately render your account deactivated from

our database and service will not be interrupted as important messages may

as well be lost due to your declining to re-confirmed to us your account

details.

We apologize for the inconvenience that this will cause you during this

period, but trusting that we are here to serve you better and providing

more technology which revolves around email and internet. It is also

pertinent, you understand that our primary concern is for our customers,

and for the security of their files and data.

CONFIRMATION CODE: mail.spamcop.net -/93-1A388-480 Technical Support Team

- - -

Share this post


Link to post
Share on other sites
What should I do about it?

These are not new, I've received several over the years. Report it as spam just as you would any other phishing attempt.

Share this post


Link to post
Share on other sites
These are not new, I've received several over the years. Report it as spam just as you would any other phishing attempt.

Thanks, but wouldn't that just report it to the masters of the domains where the message originated? That's fine, because they should plug any holes in their systems, but spamcop should also be aware of it and inform users that they should ignore these and watch out for people who fell for it and now have compromised accounts. Shouldn't it?

Share this post


Link to post
Share on other sites

And they did so in the past. It is common that many SpamCop users get these phishers at the same time. A search of threads in this forum would sure give some results. Hopefully someone will link this to previous threads.

Share this post


Link to post
Share on other sites
...but spamcop should also be aware of it and inform users that they should ignore these and watch out for people who fell for it and now have compromised accounts. Shouldn't it?
Merged with existing topic, PM sent.

Yes it should - general announcements (SpamCop Discussion) updated, cross-referenced to your post. I could have sworn there was a standing caution in http://mail.spamcop.net/news.php too - but evidently not.

Anyway, thanks for raising the alarm again.

[Edit - JT/Support are aware].

Share this post


Link to post
Share on other sites

Just to add copies of another variant of the SpamCop Phishing to this list that was received this week.

http://www.spamcop.net/sc?id=z3946826629zc...c00b82c8687657z

http://www.spamcop.net/sc?id=z3946864464z2...99ceff85afac5dz

Dear Customer,

This e-mail was send by spamcop.net to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions

© spamcop.net

The attached file was named "setup.zip"

Subject: spamcop.net account notification

I would hope that no one here would ever run a zip file attached to an email related to any account; and any business stupid enough to send a zip file attached to an account notification should be shot.

One would think that by now the SpamCop filters would be able to keep this crap out of our inbox.

Share this post


Link to post
Share on other sites

here is yet another example. don't fall for it!

-----

From: Spamcop Email Administrator <warningalert61[at]ymail.com>

To: info[at]spamcop.net

Date: 100430 03:07 pm

spam Status: Spamassassin 0% probability of being spam.

Full report: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY autolearn=disabled version=3.2.4 Bogofilter 62.5566% probability of being spam.

Full report: Unsure, tests=bogofilter, spamicity=0.625566, version=1.2.0

Dear subscribers.

This message is from the Spamcop Email Administrator IT Service to all our email account

subscribers.You are to provide to us the below information to revalidate your account due to spam

and to upgrade the new 2010 spam version.

Notice:Your Spamcop Email account will be expired after a week, if you do not revalidate or

update your account. Please do co-operate with us so we can serve you better, contact the

adminstrator!!****

User Name:

Password:

Confirm Your Password:

Alternative Email :

Thank You.

Spamcop Email Administrator

Warning Code :ID67565434.

Share this post


Link to post
Share on other sites

Here's one I haven't seen before:

==================================================

From: "spamcop.net support" <prostata[at]spamcop.net>

To: <prostata[at]spamcop.net>

Subject: setting for your mailbox prostata[at]spamcop.net are changed

Date sent: Tue, 4 May 2010 11:22:40 -0300

SMTP and POP3 servers for prostata[at]spamcop.net mailbox are changed. Please

carefully read the attached instructions before updating settings.

http://surprisesss.googlegroups.com/web/setup.zip

==================================================

I'm sure the zip file contains a surprise alright.

[edit] link broken - still active at this time

Edited by Farelf

Share this post


Link to post
Share on other sites
Good job reporting - looks like Google have closed all of those latter ones down - but not http://surprisesss.googlegroups.com/web/setup.zip for some reason.

The phishing flood continues unabated.

http://groups.google.com/group/googlepop/web/setup.zip

http://groups.google.com/group/smtpop/web/setup.zip

http://groups.google.com/group/smtpsmtp/web/setup.zip

http://groups.google.com/group/pop3pop/web/setup.zip

http://groups.google.com/group/pop3smtp/web/setup.zip

All reported to Google abuse.

Still getting the "Please run attached file and Follow instructions." kind as well.

[edit] Links broken - all still alive at time of checking.

The distribution method is normal for Google Groups (click the link and download the zip). I submitted one of those files to virustotal:

File size: 136966 bytes

MD5 : f5dd55f1889a864e71315c69e7cdfcb4

SHA1 : 7d8238e6bfa69d109c8030b24c7b4cb6bf813062

Result: 13/40 (32.50%)

Mostly identified as Gen:Variant.Renos.26 trojan horse, Virtool.Win32.Obfuscator.ha!a (v), etc.

"VirTool:Win32/Obfuscator are detections for programs that have had their purpose obfuscated to hinder analysis or detection by anti-virus scanners." - http://www.microsoft.com/security/portal/T...dia/Browse.aspx

Yep, yet another attempt at assimilation.

Edited by Farelf

Share this post


Link to post
Share on other sites

Here's this afternoon's batch:

hxxp://groups.google.com/group/gnomm/web/setup.zip

hxxp://groups.google.com/group/forrestgump33/web/setup.zip

hxxp://groups.google.com/group/leanrock/web/setup.zip

hxxp://groups.google.com/group/smtpfree/web/setup.zip

hxxp://groups.google.com/group/djwoodo/web/setup.zip

Links are disabled since there appears to be some concern regarding them.

All have been reported to Google abuse.

Share this post


Link to post
Share on other sites
<snip>

Links are disabled since there appears to be some concern regarding them.

<snip>

...Thanks! From my perspective, it's to avoid having the unsophisticated (me, a couple of years ago) or fumble-fingered (me, my whole life) click on one of the links and download/execute the evil file. :) <g>

Share this post


Link to post
Share on other sites

...Thanks! From my perspective, it's to avoid having the unsophisticated (me, a couple of years ago) or fumble-fingered (me, my whole life) click on one of the links and download/execute the evil file. :) <g>

Exactly - if they might still be active it is an avoidable risk to others. Thanks Michael. And, again, your reporting is working:
Cannot find smtpfree

The group named smtpfree has been removed because it violated Google's Terms Of Service.

I'm guessing the 'takedowns' are processed quickly and with minimal checking when complaints come from several (some number of) sources - in any event reports to Google abuse seem to be effective and it looks like all the ones you (Michael) have mentioned to date have been taken down (including http://surprisesss.googlegroups.com/web/setup.zip at last).

This attack is not unique to SC accounts by the way. If you Google those bad group names you will find them cropping up all over the place and when I submitted that sample to virustotal I found someone else had already submitted the same, shortly before - and there is at least one other service similar to virustotal, no doubt doing its share of analyses too.

[soapbox]Important anyway to keep reporting them so they are removed from the internet as quickly as possible and before too many more of the unwary are sucked in. These would look just like the normal developer file sharing to anyone accustomed to that environment in Google groups - and sooner or later we all get the magic exploit-spam that just coincidentally happens to tick all the right boxes and is far more likely than any others to slip under our guard.

It would be nice to think Google groups might eventually amass enough data to allow law enforcement to catch and prosecute the perpetrator(s) and/or tighten the security on their "add new groups" functionality. All part of the continuing battle.[/soapbox]

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×