Seeker

New Spamcop Phishing


fyi, I just received a different phishing email. Preposterously worded of course, but being received the morning after I had renewed my account was a bit weird.

Dear Spamcop Webmail Subscriber

This message is to inform all our {Spamcop} webmail users that we will be
maintaining and upgrading our website in a couple of days from now. As a
Subscriber you are required to send us your Email account details to
enable us know if you are still making use of your mail box.

Be informed that we will be deleting all mail account that is not
functioning to enable us create more space for new users, You are to send
your mailaccount details which are as follows:

*User Name:
*Password:
*Date of birth:

You can also confirm your email address by logging into your account
at https://webamil.spamcop.net/ before sending us the required information.

WARNING: Any of our webmail user that refuses to send his/her verification
details within the next seven(7) days of receiveing this message and
failed to respond will be deleted immedately from our database.

Verification code: Spamcop:0090-009

Thank you for using Spamcop!
>From The Spamcop Support Team.
© Spamcop Support Team


Remove the spelling and grammar mistakes and it might, just might, make this one a little more believable. Like most phishes I receive, the originators drastically reduce their rate of success with poorly worded content, although the chances of catching out a SpamCop user with this must surely be nil!

Even SpamCop is not capitalised correctly. :huh:

Edited by g4mby


A number of webmail services are currently being phished it seems and, going by the previous attempts, even a few SC account holders will fall for it. Sad, but seemingly inevitable. An interesting thing would be the 'drop-box' that is being used in such cases, the "Reply-To:" address.


There were several clues that this message was bogus. A Reply-To address in South Africa, can't even spell "webmail" correctly in the URL! The text stinks of English-is-not-native-language.

Thanks for the 'heads up' - but only you (and presumably SC staff) can see that report. For public consumption it needs to be a tracking URL which you can recover from the report (at the top of the parse - "Here is your TRACKING URL - it may be saved for future reference: ...").

And, sadly, some were caught by previous attempts and assuredly some will be caught by this one too. But none will be caught who heed your timely warning :) Yes, of course spammers are (also) lazy. If it were otherwise the little sods would own the observable universe by now (well, would share it with Bill Gates, anyway).


I hope everyone who sees this in their inbox realizes it's b*llsh*t:

"
Dear spamcop.net Subscriber,

We are currently carrying-out a maintenance process to your spamcop.net
account to fight against spam MAILS,to complete this process and
if you are the rightful owner of this account you required to reply
with below information of your email

User Name here:(**********)
Password here(**********)

Failure to summit your spamcop.net details, will render your email address
in-active from our database.

NOTE: You will RECEIVE a password reset message in next two (2)
working days after undergoing this process for security reasons.

Thank you for using spamcop.net!

THE spamcop.net TEAM
"

Moderator Edit: Merged into existing Topic/Discussion on the same Subject.

Edited by Wazoo


Still active. I just got this one. gmail account this time.

Dear SPAMCOP.NET Email Owner,

This message is from SPAMCOP.NET messaging center to all PAMCOP.NET Email owners. We are currently upgrading our data
base and e-mail center. We are deleting all unused SPAMCOP.NET email to create more space for new one.To prevent your
account from closing you will have to update it below so that we will know that it's a present used
account.

However USC has been receiving complaints from our customers for unauthorised use of the SPAMCOP.NET Email. As a result
remaking an extra security check on all of our Customers mailbox in order to protect their information from theft and
fraud.

Warning!!! Email owner that refuses to update his or her Email,within two days of receiving this warning will lose his
or her Email permanently. You are require to send us the below information

Requested Information
Email Username : .......... .....
Email Password : ................
Date of Birth : ................
Country or Territory : ..........

Thanks for your co-operation.

Copyright [at]2009 SPAMCOP.NET All rights reserved


Yes, I got my first ever today to my SC mailbox... :-( Ironically it was the only spam item received overnight that made it through grey-listing, SpamAssassin checks, block list checks and into my mailbox :huh:

Andrew

Yes, I got my first ever today to my SC mailbox... :-( Ironically it was the only spam item received overnight that made it through grey-listing, SpamAssassin checks, block list checks and into my mailbox :huh:

http://www.spamcop.net/sc?id=z2796589541z7...;action=display

Mine was blocked and reported; I also reported the reply address.


I wonder if they are actually bright enough to coordinate the attack with the maintenance window scheduled for today?

No, no, no. The human mind is always looking for patterns to explain events, even random events.

That also points out something about the spammer's mind. They're not 'human enough' to always do the pattern matching for s-p-a-m-c-o-p correctly.


Same email, just in on 16-4. From: header says "Spamcop.net Team Support" <teamsupporttelenets4[at]gmail.com>

ReplyTo: header resolves to the same.

... going right to /dev/null


New phish hit my in box.

Replyto: field is webmailupgrader[at]consultant.com

Body: is

"Quoting Spamcop Webmail Notice <webmail.upgrade[at]spamcop.net>:

> Dear Spamcop Webmail Account Owner,
> We are currently performing maintenance for Our Spamcop
> Digital Webmail Customers.We intend upgrading our Digital
> Webmail Security Server for better online services. We are
> canceling unused Spamcop webmail email account to create
> more space for new accounts.To prevent your account from
> closing you will have to update it below to know it's status
> as a currently used account.
>
> CONFIRM YOUR EMAIL IDENTITY BELOW
> Email Username :=====================================
> Email Password :=====================================
> Date of Birth :======================================
>
> Warning!!! Any account owner that refuses to update his/her
> webmail account within three (3) days of this update
> notification will loose his/her account permanently.
>
> Thank You For Your Support
"


Today (1-May-2009), I received another PHISH e-mail message (in my SpamCop mailbox) to get my SpamCop username and password. The "From:" header in the message reads as "Spamcop Webmail Notice <webmail.upgrade[at]spamcop.net>" but the "Reply-To:" is "webmailupgrader[at]consultant.com".

I have already reported it through SpamCop Reporting form (the report was sent to postmaster[at]ibw.com):

Return-Path: <webmail.upgrade[at]spamcop.net>
Delivered-To: spamcop-net-MUNGED[at]spamcop.net
Received: (qmail 32767 invoked from network); 1 May 2009 16:12:29 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7
X-spam-Level:
X-spam-Status: hits=0.0 tests=none version=3.2.4
Received: from unknown (192.168.1.86)
  by filter7.cesmail.net with QMQP; 1 May 2009 16:12:29 -0000
Received: from tk.ibw.net (HELO tk.ibw.com.ni) (200.85.160.21)
  by mxin2.cesmail.net with SMTP; 1 May 2009 16:12:13 -0000
X-ASG-Debug-ID: 1241194346-7d1d039c0000-B5XM8f
X-Barracuda-URL: http://200.85.160.21:8000/cgi-bin/mark.cgi
Received: from nicaraguense.ibw.com.ni (localhost [127.0.0.1])
  by tk.ibw.com.ni (spam Firewall) with ESMTP
  id 9BFE31788120; Fri, 1 May 2009 10:12:26 -0600 (CST)
Received: from nicaraguense.ibw.com.ni (nicaraguense.ibw.com.ni [200.85.160.12]) by tk.ibw.com.ni with ESMTP id ToK5gz4rSIDdvLAu; Fri, 01 May 2009 10:12:26 -0600 (CST)
X-Barracuda-Envelope-From: webmail.upgrade[at]spamcop.net
Received: from mailhost.ibw.com.ni (tiscapa.ibw.com.ni [200.85.160.3])
  by nicaraguense.ibw.com.ni (8.12.11/8.12.9) with SMTP id n41GCQmm002175;
  Fri, 1 May 2009 10:12:26 -0600 (GMT)
Message-Id: <2009___________________2175[at]nicaraguense.ibw.com.ni>
X-Barracuda-BBL-IP: 200.85.160.3
X-Barracuda-RBL-IP: 200.85.160.3
X-Priority:
Sensitivity: Company-Confidential
From: Spamcop Webmail Notice <webmail.upgrade[at]spamcop.net>
Reply-To: webmailupgrader[at]consultant.com
Organization: Spamcop Webmail Notice
To: x
X-ASG-Orig-Subj: Spamcop Email Verification
Subject: Spamcop Email Verification
Date: Fri, 1 May 2009 11:12:26 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Barracuda-Connect: nicaraguense.ibw.com.ni[200.85.160.12]
X-Barracuda-Start-Time: 1241194346
X-Barracuda-Virus-Scanned: by Barracuda spam & Virus Firewall at ibw.com.ni
X-SpamCop-Checked: 200.85.160.21 200.85.160.12 200.85.160.3

Dear Spamcop Webmail Account Owner,

We are currently performing maintenance for Our Spamcop
Digital Webmail Customers.We intend upgrading our Digital
Webmail Security Server for better online services. We are
canceling unused Spamcop webmail email account to create
more space for new accounts.To prevent your account from
closing you will have to update it below to know it's status
as a currently used account.

CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username :=====================================
Email Password :=====================================
Date of Birth :======================================

Warning!!! Any account owner that refuses to update his/her
webmail account within three (3) days of this update
notification will loose his/her account permanently.

Thank You For Your Support
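
The headers above show the pattern several posters in this thread point to: a "From:" that claims spamcop.net while "Reply-To:" leads to a drop box elsewhere. The following is an added example, not part of any post: a small header check for that pattern, for a brand name in the display name over an unrelated address, and for a body that asks for credentials. The function and indicator names are hypothetical; the first two sample messages are trimmed from headers quoted in this thread and the third is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND, BRAND_DOMAIN = "spamcop", "spamcop.net"  # brand impersonated in this thread
# Fields the quoted phish bodies ask the reader to fill in and mail back.
ASKS = re.compile(r"pass\s?word|user\s?name|date of birth", re.I)

def split_addr(value):
    """Return (display_name, domain), lower-cased, for a From:/Reply-To: value."""
    # Forum copies munge '@' as '[at]'; undo that before parsing.
    name, addr = parseaddr((value or "").replace("[at]", "@"))
    return name.lower(), addr.rpartition("@")[2].lower()

def phish_indicators(raw):
    """Return the sorted indicator names that fire for one raw message."""
    msg = message_from_string(raw)
    from_name, from_dom = split_addr(msg.get("From"))
    _, reply_dom = split_addr(msg.get("Reply-To"))
    hits = set()
    # Replies go somewhere other than the claimed sender: the drop box.
    if reply_dom and reply_dom != from_dom:
        hits.add("reply-to-mismatch")
    # Display name claims the brand, but the address is on another domain.
    if BRAND in from_name and from_dom != BRAND_DOMAIN:
        hits.add("display-name-impersonation")
    # Body asks for at least two distinct credential fields.
    body = msg.get_payload()
    if isinstance(body, str) and len({m.lower() for m in ASKS.findall(body)}) >= 2:
        hits.add("credential-request")
    return sorted(hits)

# Trimmed from the 1 May 2009 message quoted above.
FORGED_FROM = """\
From: Spamcop Webmail Notice <webmail.upgrade[at]spamcop.net>
Reply-To: webmailupgrader[at]consultant.com
Subject: Spamcop Email Verification

Email Username :=====
Email Password :=====
Date of Birth :=====
"""
# Trimmed from the earlier free-mail variant, whose Reply-To matched its From.
FREEMAIL_FROM = """\
From: "Spamcop.net Team Support" <teamsupporttelenets4[at]gmail.com>
Reply-To: teamsupporttelenets4[at]gmail.com

Email Username : ....
Email Password : ....
"""
# Constructed benign message for contrast.
BENIGN = "From: Example List <list@example.org>\n\nYour weekly digest is attached.\n"

if __name__ == "__main__":
    for sample in (FORGED_FROM, FREEMAIL_FROM, BENIGN):
        print(phish_indicators(sample))
```

The Reply-To comparison alone misses the free-mail variant, which is why the display-name check is kept separate.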


Hi Cherrick,

You wrote:

New phish hit my in box.

Replyto: field is webmailupgrader[at]consultant.com

Body: is

"Quoting Spamcop Webmail Notice <webmail.upgrade[at]spamcop.net>:

[snip]

"

Right. I received that PHISHING message today (1-May-2009) in my SpamCop mailbox, as well. The content and e-mail addresses used were the same ones that you got (webmailupgrader[at]consultant.com in the "Reply-To:" header and "webmail.upgrade[at]spamcop.net" in the "From:" header).

Regarding this, you may check the post (Post #13) that I wrote a few minutes ago, in this same forum ("SpamCop Email System & Accounts") for the discussion "New Spamcop Phishing":

http://forum.spamcop.net/forums/index.php?...ost&p=71168

Cheers!


Well, the good news is that particular reply-to has been deactivated:

[Resolving consultant-com.mr.outblaze.com...]
[Contacting consultant-com.mr.outblaze.com [208.36.123.58]...]
[Connected]
220 spf11.us4.outblaze.com ESMTP Postfix
EHLO hexillion.com
250-spf11.us4.outblaze.com
250-PIPELINING
250-SIZE 31457280
250-ETRN
250 8BITMIME
NOOP *** See <http://www.hexillion.com/MailAdmin/> for an explanation of this session
250 Ok
NOOP *** HexValidEmail COM 1.4.12 <5c31a8fa73d35685c3baa1e0430da151bdc52a85>
250 Ok
RSET
250 Ok
MAIL FROM:<HexValidEmail[at]hexillion.com>
250 Ok
RCPT TO:<webmailupgrader[at]consultant.com>
550 <webmailupgrader[at]consultant.com>: Account Deactivated
[Address has been rejected]
RSET
250 Ok
QUIT
221 Bye
[Connection closed]


Reply-To: header resolves to:

"upgrade[at]spamcop.net" <webmail.upgrade2[at]consultant.com>

----- Forwarded message from howell1[at]dodo.com.au -----
Date: Wed, 6 May 2009 8:59:05 +1000
From: "upgrade[at]spamcop.net" <howell1[at]dodo.com.au>
Reply-To: "upgrade[at]spamcop.net" <webmail.upgrade2[at]consultant.com>
Subject: Attn: Spamcop.net Webmail User!

Dear spamcop.net Webmail User,

We are really sorry for the inconvenience we are making you pass through,we
are having problem with our database due to our recent upgrade and we can
not find your data. Please we need to rectify this problem before the next
24-hours if not, you may not be able to send or receive email with your
spamcop.net Webmail e-mail address.

Please provide your account details below so we can rectify this problem as
soon as possible:

Username/ e-mail:
PASSWORD:
COUNTRY:

NOTE: Your data and information will not be tampered or interfered with,
We'll just record your data back into our database and send you a new
confirmation alphanumerical password that will only be valid during this
period and can be changed after this process.

Please respond to this notice to enable us provide you better online
services.

________________________________________________
This message was sent using Dodo Webmail - www.dodo.com.au

----- End forwarded message -----

Your data and information will not be tampered or interfered with,
We'll just record your data back into our database and send you a new
confirmation alphanumerical password that will only be valid during this
period and can be changed after this process.

Reminds me of an old Bob & Ray PSA about how the Bob & Ray bank lost all of its records, and would depositors please stop by and tell them how much they had in their accounts (no cheating, please).

-- rick

Reply-To: header resolves to:

"upgrade[at]spamcop.net" <webmail.upgrade2[at]consultant.com>

And that one hasn't been deactivated at this time:

RCPT TO:<webmail.upgrade2[at]consultant.com>

250 Ok

(no flooding it now, play nice <_< )

(no flooding it now, play nice <_< )

no, but I will certainly register it with a few spamming sites.. :blush:


Another Phishing run has started. The spammer is trying to get your SpamCop username and password, plus other personal info.

Moderators:

Please feel free to move this post, delete it, or whatever.

- Don D'Minion - SpamCop Admin -


Thanks for the "alert," Don. Unfortunately, the people most likely to fall for the phish probably never visit these forums, but there's always hope. I suppose JT could broadcast a message to all users, advising them of these repeated phishing attempts and that they should never give their information up.

DT

Moderators:

Please feel free to move this post, delete it, or whatever.

Merged into the existing Topic/Discussion on the same subject matter.


Looks like a new phishing run has started....

Apart from the obvious text, the real giveaway was an entirely improbable sender's address.

Be vigilant :excl:

Dear SpamCop Webmail online Email Account Owner,

Important notice, harmful virus was detected in your account which can be
harmful to our subscriber unit.You are to enter your Username and Password here
{____________, __________} to enable us set in an anti virus in your user
account to clear up this virus. we do need your co-operation in this, Providing
us with this information we enable us insert in your account an anti virus
machine for clean up. 

Andrew


Just got the new Phishing expedition trying to hit spamcop.net users:

Date: Thu, 23 Jul 2009 02:15:44 +0800 [01:15:44 PM CDT]
From: SPAMCOP SUPPORT TEAM <helpdesk[at]spamcop.net>
To: undisclosed-recipients:;
Reply-To: verification_teamss12[at]yahoo.com.hk
Subject: FINAL ACCOUNT UPDATE!!!

Dear spamcop.net Subscriber,

We are currently carrying-out a mantainace
process to your spamcop.net account, to
complete this, you must reply to
this mail immediately, and enter your
User Name here (,,,,,,,,) And Password here
(.......) if you are the rightful owner of
this account.

This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address
in-active from our database.

NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7)
working days after undergoing this process
for security reasons.

Thank you for using spamcop.net!

THE SPAMCOP TEAM

Subject: line is: FINAL ACCOUNT UPDATE!!!

Reply-to: line is: verification_teamss12[at]yahoo.com.hk

If anyone wants the headers I'll do a forward.
