StevenUnderwood Posted July 22, 2009

Just got the new Phishing expedition trying to hit spamcop.net users:

Subject: line is: FINAL ACCOUNT UPDATE!!!

Thank you for the information. It would have been better to simply report it and post the TrackingURL here,

cherrick Posted July 23, 2009

> Thank you for the information. It would have been better to simply report it and post the TrackingURL here,

How do you report it? What is a "tracking URL"?

so .... www.spamcop.net click on "Report spam" copy email address forward phishing email. Is that right?

Nope. Doesn't work. bounces back. go figure. Still don't know how to report phishing. Can anyone help?

rconner Posted July 23, 2009

> What is a "tracking URL"?

See Tracking URL

> Is "report spam" the same as "report phishing"? Nope. Doesn't work. bounces back. go figure. Still don't know how to report phishing. Can anyone help?

There's no distinction between "spam" and "phishing mail" as far as reporting through SpamCop is concerned. Whatever you do to submit one can be used to submit the other.

If you are trying to submit the message by e-mail forwarding, make sure you add the message as an attachment, see http://www.spamcop.net/fom-serve/cache/166.html.

-- rick

(on edit: corrected public link to FAQ)

agsteele Posted July 23, 2009

Yes, a report would be a good thing but an alert that a further phishing expedition is in progress is no bad thing in this forum.

Perhaps this new thread should merge with the existing longer-term thread with almost the same subject line

Andrew

Farelf Posted July 23, 2009

> ...Perhaps this new thread should merge with the existing longer-term thread with almost the same subject line

Good idea, done.

cherrick Posted July 23, 2009

> See Tracking URL
>
> There's no distinction between "spam" and "phishing mail" as far as reporting through SpamCop is concerned. Whatever you do to submit one can be used to submit the other. If you are trying to submit the message by e-mail forwarding, make sure you add the message as an attachment, see http://mailsc.spamcop.net/fom-serve/cache/166.html.

It should be possible to just FORWARD the phishing email directly to the *personal reporting address* I receive from *Report spam*, using my webmail spamcop email.

I would prefer that to going into webmail, doing a "save as" on the offending email just so I can have an attachment to send along. Too burdensome, cumbersome and not intuitive.

rconner Posted July 23, 2009

> It should be possible to just FORWARD the phishing email directly to the *personal reporting address* I receive from *Report spam*, using my webmail spamcop email.

Yes, it is, the link I gave above tells you how. I gave you a bad link that might not work (if you don't have a SpamCop username/password), here is the correct one: http://www.spamcop.net/fom-serve/cache/166.html.

Unfortunately, you can't just hit "forward" on the message as it sits in your inbox, as this causes the original headers to be lost, making the submission useless. You have to find a way to attach the spam (intact, with original headers & body) as an attachment to a message that you send to your reporting address. There are a number of ways to do this, depending upon your mail program.

-- rick

p.s., thanks for reporting the phish attempt, always good to get a warning of these things.

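The difference between an inline forward and forwarding as an attachment, shown as an added example that is not part of the original thread: the attachment form carries the spam as a `message/rfc822` part, so its `Received:` headers survive. The sample message and the reporting address are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of a received phish; hosts and addresses are made up.
RAW_PHISH = (
    b"Return-Path: <nobody@mail.example.org>\r\n"
    b"Received: from unknown (HELO mail.example.org) (203.0.113.8)\r\n"
    b"Received: from mail.example.org (localhost [127.0.0.1])\r\n"
    b"From: \"Webmail Support\" <webservices@example.com>\r\n"
    b"To: user@example.net\r\n"
    b"Subject: FINAL ACCOUNT UPDATE!!!\r\n"
    b"\r\n"
    b"Reply with your username and password.\r\n"
)
REPORT_TO = "reporting-address@example.net"  # placeholder, not a real address


def report_as_attachment(raw: bytes, sender: str) -> EmailMessage:
    """Wrap the spam, headers and body, in a message/rfc822 attachment."""
    original = message_from_bytes(raw, policy=policy.SMTP)
    report = EmailMessage(policy=policy.SMTP)
    report["From"] = sender
    report["To"] = REPORT_TO
    report["Subject"] = "spam report"
    report.set_content("Spam attached with original headers.")
    report.add_attachment(original)  # a message object becomes message/rfc822
    return report


def inline_forward(raw: bytes, sender: str) -> EmailMessage:
    """What a plain 'Forward' typically sends: body plus a few display lines."""
    original = message_from_bytes(raw, policy=policy.SMTP)
    fwd = EmailMessage(policy=policy.SMTP)
    fwd["From"] = sender
    fwd["To"] = REPORT_TO
    fwd["Subject"] = f"Fwd: {original['Subject']}"
    fwd.set_content(
        "---- Forwarded message ----\n"
        f"From: {original['From']}\nSubject: {original['Subject']}\n\n"
        + original.get_content()
    )
    return fwd


def embedded_received(wire: bytes) -> list[str]:
    """Return the Received: headers of the attached original, if any."""
    parsed = message_from_bytes(wire, policy=policy.SMTP)
    for part in parsed.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)
            return [str(v) for v in inner.get_all("Received", [])]
    return []
```
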
Miss Betsy Posted July 24, 2009

I thought about making an announcement - the way that was done last time. But since I don't have an email account, I kind of hate to announce something that is hearsay - to me. The example in the ng wasn't the same as here.

Miss Betsy

agsteele Posted September 30, 2009

I'm tickling this thread once again...

A new phishing run seems to be underway today - I've received a number of requests for username and password.

As ever, please do not respond and consider reporting in the normal way.

Andrew

spamlikeno Posted September 30, 2009

I received this today.

Return-Path: <nobody[at]dept.woosuk.ac.kr>
Received: from unknown (192.168.1.88)
Received: from unknown (HELO dept.woosuk.ac.kr) (210.93.6.8)
Received: from dept.woosuk.ac.kr (localhost [127.0.0.1])
Message-Id: <200909300945.n8U9jsIw020195[at]dept.woosuk.ac.kr>
From: "SpamCop.net" <webservices[at]gala.net>

Attention E-mail Account Holder, SpamCop.net User.

All mailhub systems will undergo regularly scheduled maintenance, and access to your mailbox via our mail portal will be unavailable for some time during this maintenance period. We shall be carrying out service maintenance/upgrade on our database and e-mail account center for better online services. We are also deleting all unused e-mail accounts to create more space for new accounts. In order to ensure you do not experience service interruptions or possible deactivation of your e-mail account, Please you must reply to this mail immediately confirming your e-mail account details below for confirmation and identification.

_____________________________________
1. First Name & Last:
2. Full Login Email:
3. Username:
4 Password:
5. Current Password:
_____________________________________

Failure to do this may automatically render your e-mail account deactivated from our e-mail database/mail server. To enable us upgrade your e-mail account, please do reply to this mail.

SpamCop Information Technology services.

herouth Posted February 15, 2010

Hi guys. I'm not sure where to post this and how to report this properly. There seems to be a phishing attempt directed at spamcop mail users. I received the following message this morning. And since it asked me to give my user and password in a reply mail, it caused all my alarms to go off.

Of course I have the full mail and headers (and it doesn't originate from inside the cesmail domain). What should I do about it?

- - -

From: helpdesk[at]spamcop.net
Subject: Dear mail.spamcop.net Email Account User,
Date: 23:33:00 GMT+02:00 14 פברואר 2010
Reply-To: technsupport[at]mcom.com

Dear mail.spamcop.net Email Account User,

We wrote to you on 14th February 2010 advising that you change the password on your account in order to prevent any unauthorized account access following the network instruction we previously communicated.

all Mailhub systems will undergo regularly scheduled maintenance. Access to your e-mail via the Webmail client will be unavailable for some time during this maintenance period. We are currently upgrading our data base and e-mail account center i.e. homepage view. We shall be deleting old [https://mail.spamcop.net/l accounts which are no longer active to create more space for new accounts users. we have also investigated a system wide security audit to improve and enhance our current security.

In order to continue using our services you are require to update and re-confirmed your email account details as requested below. To complete your account re-confirmation, you must reply to this email immediately and enter your account details as requested below.

Username :
Password :
Date of Birth:
Future Password :

Failure to do this will immediately render your account deactivated from our database and service will not be interrupted as important messages may as well be lost due to your declining to re-confirmed to us your account details.

We apologize for the inconvenience that this will cause you during this period, but trusting that we are here to serve you better and providing more technology which revolves around email and internet. It is also pertinent, you understand that our primary concern is for our customers, and for the security of their files and data.

CONFIRMATION CODE: mail.spamcop.net -/93-1A388-480

Technical Support Team

- - -

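The traits visible in the two phish posted above (a display name claiming SpamCop on an unrelated address, a Reply-To pointing at another domain, and blank "Password:" form lines) can be checked mechanically. This is an added example, not part of the thread; the three sample messages are constructed, and the signal names are hypothetical labels chosen here.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# A line that is only a blank form field, e.g. "Username :" or "4 Password:".
FIELD = re.compile(r"(?:\d+\.?\s*)?(?:[a-z ]*\s)?(user ?name|password)\s*:", re.I)

# Constructed samples modelled on the messages quoted in this thread.
SPOOFED_NAME = (b'From: "SpamCop.net" <webservices@mailer.example>\r\n'
                b"Subject: maintenance\r\n\r\n"
                b"Confirm your details:\r\n3. Username:\r\n4 Password:\r\n")
REPLY_ELSEWHERE = (b"From: helpdesk@spamcop.net\r\n"
                   b"Reply-To: support@collector.example\r\n\r\n"
                   b"Username :\r\nPassword :\r\nFuture Password :\r\n")
BENIGN = (b'From: "SpamCop.net" <service@spamcop.net>\r\n\r\n'
          b"Your password: never send it by e-mail.\r\n")


def _addr(msg, name):
    """Return (display name, domain), lower-cased, for one address header."""
    display, addr = parseaddr(str(msg[name] or ""))
    return display.lower(), addr.rpartition("@")[2].lower()


def phish_signals(raw: bytes, brand: str = "spamcop.net") -> list[str]:
    msg = message_from_bytes(raw, policy=policy.default)
    display, from_dom = _addr(msg, "From")
    _, reply_dom = _addr(msg, "Reply-To")
    on_brand = from_dom == brand or from_dom.endswith("." + brand)
    signals = []
    # The display name claims the brand but the address is elsewhere.
    if brand.split(".")[0] in display and not on_brand:
        signals.append("display-name-spoof")
    # A reply, and any credentials in it, would go to a different domain.
    if reply_dom and reply_dom != from_dom:
        signals.append("reply-to-mismatch")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for line in text.splitlines():
        m = FIELD.fullmatch(line.strip())
        if m and "password" in m.group(1).lower():
            signals.append("asks-for-password")
            break
    return signals
```

A forged From: on the brand's own domain, as in the second message above, is not caught by the display-name check; there the Reply-To mismatch and the password form are what fire.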
g4mby Posted February 15, 2010

> What should I do about it?

These are not new, I've received several over the years. Report it as spam just as you would any other phishing attempt.

herouth Posted February 15, 2010

> These are not new, I've received several over the years. Report it as spam just as you would any other phishing attempt.

Thanks, but wouldn't that just report it to the masters of the domains where the message originated? That's fine, because they should plug any holes in their systems, but spamcop should also be aware of it and inform users that they should ignore these and watch out for people who fell for it and now have compromised accounts. Shouldn't it?

dra007 Posted February 15, 2010

And they did so in the past. It is common that many SpamCop users get these phishers at the same time. A search of threads in this forum would sure give some results. Hopefully someone will link this to previous threads.

Farelf Posted February 15, 2010

> ...but spamcop should also be aware of it and inform users that they should ignore these and watch out for people who fell for it and now have compromised accounts. Shouldn't it?

Merged with existing topic, PM sent. Yes it should - general announcements (SpamCop Discussion) updated, cross-referenced to your post. I could have sworn there was a standing caution in http://mail.spamcop.net/news.php too - but evidently not. Anyway, thanks for raising the alarm again.

[Edit - JT/Support are aware].

dbiel Posted April 24, 2010

Just to add copies of another variant of the SpamCop Phishing to this list that was received this week.

http://www.spamcop.net/sc?id=z3946826629zc...c00b82c8687657z
http://www.spamcop.net/sc?id=z3946864464z2...99ceff85afac5dz

Dear Customer,

This e-mail was send by spamcop.net to notify you that we have temporanly prevented access to your account. We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions

© spamcop.net

The attached file was named "setup.zip"

Subject: spamcop.net account notification

I would hope that no one here would ever run a zip file attached to an email related to any account; and any business stupid enough to send a zip file attached to an account notification should be shot.

One would think that by now the SpamCop filters would be able to keep this crap out of our inbox.

salamandir Posted April 30, 2010

here is yet another example. don't fall for it!

-----

From: Spamcop Email Administrator <warningalert61[at]ymail.com>
To: info[at]spamcop.net
Date: 100430 03:07 pm
spam Status: Spamassassin 0% probability of being spam. Full report: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY autolearn=disabled version=3.2.4
Bogofilter 62.5566% probability of being spam. Full report: Unsure, tests=bogofilter, spamicity=0.625566, version=1.2.0

Dear subscribers.

This message is from the Spamcop Email Administrator IT Service to all our email account subscribers.You are to provide to us the below information to revalidate your account due to spam and to upgrade the new 2010 spam version.

Notice:Your Spamcop Email account will be expired after a week, if you do not revalidate or update your account. Please do co-operate with us so we can serve you better, contact the adminstrator!!****

User Name:
Password:
Confirm Your Password:
Alternative Email :

Thank You.
Spamcop Email Administrator
Warning Code :ID67565434.

mgolden Posted May 4, 2010

Here's one I haven't seen before:

==================================================
From: "spamcop.net support" <prostata[at]spamcop.net>
To: <prostata[at]spamcop.net>
Subject: setting for your mailbox prostata[at]spamcop.net are changed
Date sent: Tue, 4 May 2010 11:22:40 -0300

SMTP and POP3 servers for prostata[at]spamcop.net mailbox are changed. Please carefully read the attached instructions before updating settings.

http://surprisesss.googlegroups.com/web/setup.zip
==================================================

I'm sure the zip file contains a surprise alright.

[edit] link broken - still active at this time

mgolden Posted May 4, 2010

> I'm sure the zip file contains a surprise alright.

Hacker is also using

http://groups.google.com/group/mailsv1/web/setup.zip
http://groups.google.com/group/mailsv2/web/setup.zip
http://groups.google.com/group/mailsv3/web/setup.zip
http://groups.google.com/group/mailsv4/web/setup.zip
http://groups.google.com/group/mailsv5/web/setup.zip

All reported to Google Abuse.

mgolden Posted May 5, 2010

Hacker has added still more groups:

http://groups.google.com/group/mails1/ through http://groups.google.com/group/mails10/

All reported to Google abuse.

Farelf Posted May 5, 2010

> Hacker has added still more groups: http://groups.google.com/group/mails1/ through http://groups.google.com/group/mails10/ All reported to Google abuse.

Good job reporting - looks like Google have closed all of those latter ones down - but not http://surprisesss.googlegroups.com/web/setup.zip for some reason.

mgolden Posted May 5, 2010

> Good job reporting - looks like Google have closed all of those latter ones down - but not http://surprisesss.googlegroups.com/web/setup.zip for some reason.

The phishing flood continues unabated.

http://groups.google.com/group/googlepop/web/setup.zip
http://groups.google.com/group/smtpop/web/setup.zip
http://groups.google.com/group/smtpsmtp/web/setup.zip
http://groups.google.com/group/pop3pop/web/setup.zip
http://groups.google.com/group/pop3smtp/web/setup.zip

All reported to Google abuse.

Still getting the "Please run attached file and Follow instructions." kind as well.

[edit] Links broken - all still alive at time of checking. The distribution method is normal for Google Groups (click the link and download the zip). I submitted one of those files to virustotal:

File size: 136966 bytes
MD5 : f5dd55f1889a864e71315c69e7cdfcb4
SHA1 : 7d8238e6bfa69d109c8030b24c7b4cb6bf813062
Result: 13/40 (32.50%)

Mostly identified as Gen:Variant.Renos.26 trojan horse, Virtool.Win32.Obfuscator.ha!a (v), etc.

"VirTool:Win32/Obfuscator are detections for programs that have had their purpose obfuscated to hinder analysis or detection by anti-virus scanners." - http://www.microsoft.com/security/portal/T...dia/Browse.aspx

Yep, yet another attempt at assimilation.

mgolden Posted May 5, 2010

Here's this afternoon's batch:

hxxp://groups.google.com/group/gnomm/web/setup.zip
hxxp://groups.google.com/group/forrestgump33/web/setup.zip
hxxp://groups.google.com/group/leanrock/web/setup.zip
hxxp://groups.google.com/group/smtpfree/web/setup.zip
hxxp://groups.google.com/group/djwoodo/web/setup.zip

Links are disabled since there appears to be some concern regarding them.

All have been reported to Google abuse.

turetzsr Posted May 5, 2010

> <snip> Links are disabled since there appears to be some concern regarding them. <snip>

...Thanks! From my perspective, it's to avoid having the unsophisticated (me, a couple of years ago) or fumble-fingered (me, my whole life) click on one of the links and download/execute the evil file. <g>

Farelf Posted May 6, 2010

> ...Thanks! From my perspective, it's to avoid having the unsophisticated (me, a couple of years ago) or fumble-fingered (me, my whole life) click on one of the links and download/execute the evil file. <g>

Exactly - if they might still be active it is an avoidable risk to others. Thanks Michael. And, again, your reporting is working:

Cannot find smtpfree
The group named smtpfree has been removed because it violated Google's Terms Of Service.

I'm guessing the 'takedowns' are processed quickly and with minimal checking when complaints come from several (some number of) sources - in any event reports to Google abuse seem to be effective and it looks like all the ones you (Michael) have mentioned to date have been taken down (including http://surprisesss.googlegroups.com/web/setup.zip at last).

This attack is not unique to SC accounts by the way. If you Google those bad group names you will find them cropping up all over the place and when I submitted that sample to virustotal I found someone else had already submitted the same, shortly before - and there is at least one other service similar to virustotal, no doubt doing its share of analyses too.

[soapbox]Important anyway to keep reporting them so they are removed from the internet as quickly as possible and before too many more of the unwary are sucked in. These would look just like the normal developer file sharing to anyone accustomed to that environment in Google groups - and sooner or later we all get the magic exploit-spam that just coincidentally happens to tick all the right boxes and is far more likely than any others to slip under our guard. It would be nice to think Google groups might eventually amass enough data to allow law enforcement to catch and prosecute the perpetrator(s) and/or tighten the security on their "add new groups" functionality. All part of the continuing battle.[/soapbox]

Archived
This topic is now archived and is closed to further replies.