I think it might just be coincidence. I've gotten about 10 of them and haven't been to ebay or amazon in months. Most of them have been for >60 dollar books. Nick Olsen Network Operations (855) FLSPEED x106 ---------------------------------------- From: "Brandt, Ralph" <ralph.brandt@pateam.com> Sent: Monday, June 11, 2012 1:28 PM To: nanog@nanog.org Subject: EBAY and AMAZON I have received bogus emails from both of the above on Friday. These look like I bought something that in both cases I did not buy. The EBAY was a golf club for $887 and the Amazon was a novel for $82, far more than I would have spent on either. I think I looked at the novel on Amazon and I remember the golf club came up on a search with something else on Ebay. How this information could get to someone spoofing is a little disconcerting. I have changed EBAY and Paypal Passwords as instructed. Ralph Brandt Communications Engineer HP Enterprise Services Telephone +1 717.506.0802 FAX +1 717.506.4358 Email Ralph.Brandt@pateam.com 5095 Ritter Rd Mechanicsburg PA 17055
I think it's a troll, trying to shock you into clicking on something. On Mon, Jun 11, 2012 at 2:05 PM, Nick Olsen <nick@flhsi.com> wrote:
I think it might just be coincidence. I've gotten about 10 of them and haven't been to ebay or amazon in months. Most of them have been for >60 dollar books.
Nick Olsen Network Operations (855) FLSPEED x106
---------------------------------------- From: "Brandt, Ralph" <ralph.brandt@pateam.com> Sent: Monday, June 11, 2012 1:28 PM To: nanog@nanog.org Subject: EBAY and AMAZON
I have received bogus emails from both of the above on Friday.
These look like I bought something that in both cases I did not buy. The EBAY was a golf club for $887 and the Amazon was a novel for $82, far more than I would have spent on either.
I think I looked at the novel on Amazon and I remember the golf club came up on a search with something else on Ebay.
How this information could get to someone spoofing is a little disconcerting.
I have changed EBAY and Paypal Passwords as instructed.
Ralph Brandt Communications Engineer HP Enterprise Services Telephone +1 717.506.0802 FAX +1 717.506.4358 Email Ralph.Brandt@pateam.com 5095 Ritter Rd Mechanicsburg PA 17055
Examination of the raw messages confirms phishing messages. Visible URLS do not match effective URLs. On Jun 11, 2012, at 2:07 PM, Scott Brim wrote:
I think it's a troll, trying to shock you into clicking on something.
James R. Cutler james.cutler@consultant.com -top posted by OS X Mail
Yup. They hope that the message contents are a coincidence and scare you into seeing (i.e. clicking on..) what's it's about. This happened to me a few years ago where I changed my ebay password, and about 30 minutes later got a phishing email that my password change failed. So I clicked the link and re-did it. As soon as I clicked on the submit button I noticed that the URl I was forwarded to was to some server in Russia. /facepalm. I went and sheepishly changed my ebay password AGAIN that very moment, with a bit of awe towards the clever con I had fallen into. Luckily I noticed. But how many others didn't? -B On Mon, Jun 11, 2012 at 11:07 AM, Scott Brim <scott.brim@gmail.com> wrote:
I think it's a troll, trying to shock you into clicking on something.
On Mon, Jun 11, 2012 at 2:05 PM, Nick Olsen <nick@flhsi.com> wrote:
I think it might just be coincidence. I've gotten about 10 of them and haven't been to ebay or amazon in months. Most of them have been for >60 dollar books.
Nick Olsen Network Operations (855) FLSPEED x106
---------------------------------------- From: "Brandt, Ralph" <ralph.brandt@pateam.com> Sent: Monday, June 11, 2012 1:28 PM To: nanog@nanog.org Subject: EBAY and AMAZON
I have received bogus emails from both of the above on Friday.
These look like I bought something that in both cases I did not buy. The EBAY was a golf club for $887 and the Amazon was a novel for $82, far more than I would have spent on either.
I think I looked at the novel on Amazon and I remember the golf club came up on a search with something else on Ebay.
How this information could get to someone spoofing is a little disconcerting.
I have changed EBAY and Paypal Passwords as instructed.
Ralph Brandt Communications Engineer HP Enterprise Services Telephone +1 717.506.0802 FAX +1 717.506.4358 Email Ralph.Brandt@pateam.com 5095 Ritter Rd Mechanicsburg PA 17055
Sometimes I wonder how many nanog'ers would fall for a phishing email sent to this DL. I suspect the number is more than 0. -Dan On Mon, 11 Jun 2012, Bryan Irvine wrote:
Yup. They hope that the message contents are a coincidence and scare you into seeing (i.e. clicking on..) what's it's about.
This happened to me a few years ago where I changed my ebay password, and about 30 minutes later got a phishing email that my password change failed. So I clicked the link and re-did it. As soon as I clicked on the submit button I noticed that the URl I was forwarded to was to some server in Russia. /facepalm.
I went and sheepishly changed my ebay password AGAIN that very moment, with a bit of awe towards the clever con I had fallen into. Luckily I noticed. But how many others didn't?
-B
On Mon, Jun 11, 2012 at 11:07 AM, Scott Brim <scott.brim@gmail.com> wrote:
I think it's a troll, trying to shock you into clicking on something.
On Mon, Jun 11, 2012 at 2:05 PM, Nick Olsen <nick@flhsi.com> wrote:
I think it might just be coincidence. I've gotten about 10 of them and haven't been to ebay or amazon in months. Most of them have been for >60 dollar books.
Nick Olsen Network Operations (855) FLSPEED x106
---------------------------------------- From: "Brandt, Ralph" <ralph.brandt@pateam.com> Sent: Monday, June 11, 2012 1:28 PM To: nanog@nanog.org Subject: EBAY and AMAZON
I have received bogus emails from both of the above on Friday.
These look like I bought something that in both cases I did not buy. The EBAY was a golf club for $887 and the Amazon was a novel for $82, far more than I would have spent on either.
I think I looked at the novel on Amazon and I remember the golf club came up on a search with something else on Ebay.
How this information could get to someone spoofing is a little disconcerting.
I have changed EBAY and Paypal Passwords as instructed.
Ralph Brandt Communications Engineer HP Enterprise Services Telephone +1 717.506.0802 FAX +1 717.506.4358 Email Ralph.Brandt@pateam.com 5095 Ritter Rd Mechanicsburg PA 17055
I have gotten them from "amazon" stating "order number X was cancelled and please click on the below file for more information". Because I order so much on amazon, I almost thought it was real and clicked on it but then went to the amazon site and looked at "my open orders". It always pays to goto the site, not believe email. -----Original Message----- From: Nick Olsen [mailto:nick@flhsi.com] Sent: Monday, June 11, 2012 2:06 PM To: Brandt, Ralph; nanog@nanog.org Subject: re: EBAY and AMAZON I think it might just be coincidence. I've gotten about 10 of them and haven't been to ebay or amazon in months. Most of them have been for >60 dollar books. Nick Olsen Network Operations (855) FLSPEED x106 ---------------------------------------- From: "Brandt, Ralph" <ralph.brandt@pateam.com> Sent: Monday, June 11, 2012 1:28 PM To: nanog@nanog.org Subject: EBAY and AMAZON I have received bogus emails from both of the above on Friday. These look like I bought something that in both cases I did not buy. The EBAY was a golf club for $887 and the Amazon was a novel for $82, far more than I would have spent on either. I think I looked at the novel on Amazon and I remember the golf club came up on a search with something else on Ebay. How this information could get to someone spoofing is a little disconcerting. I have changed EBAY and Paypal Passwords as instructed. Ralph Brandt Communications Engineer HP Enterprise Services Telephone +1 717.506.0802 FAX +1 717.506.4358 Email Ralph.Brandt@pateam.com 5095 Ritter Rd Mechanicsburg PA 17055
I have a spam pit email address which I monitor for trends to have a little bit of jump on the possible things users might touch at work. I started seeing the amazon, ebay and paypal ones a few weeks back. The other one I have started to see a lot of is the "Free or cheaper home phone service through magic jack" ones. Again as expected they link to some .ru domain and look just like the normal sign up page. Also my handy dandy virtual machine was instantly owned with malware just by loading the page. The VM runs Windows 7 as a non administrative user, UAC cranked up and IE9. Something like 10 installed apps showed up including "Adobe Flash Player Latest." The other cool one I have been seeing is along the lines of "How to better utilize your office phone system" or "New Business Phone systems" with supposed links to "popular new phone system trends". This one is rather crafty as it has an embedded image which is a nice weblink to an infected jpg. So you click show picture in outlook, or in your browser and you get another installed piece of nastyware. -----Original Message----- From: Kain, Rebecca (.) [mailto:bkain1@ford.com] Sent: Monday, June 11, 2012 12:40 PM To: nick@flhsi.com; Brandt, Ralph; nanog@nanog.org Subject: RE: EBAY and AMAZON I have gotten them from "amazon" stating "order number X was cancelled and please click on the below file for more information". Because I order so much on amazon, I almost thought it was real and clicked on it but then went to the amazon site and looked at "my open orders". It always pays to goto the site, not believe email. -----Original Message----- From: Nick Olsen [mailto:nick@flhsi.com] Sent: Monday, June 11, 2012 2:06 PM To: Brandt, Ralph; nanog@nanog.org Subject: re: EBAY and AMAZON I think it might just be coincidence. I've gotten about 10 of them and haven't been to ebay or amazon in months. Most of them have been for >60 dollar books. Nick Olsen Network Operations (855) FLSPEED x106 ---------------------------------------- From: "Brandt, Ralph" <ralph.brandt@pateam.com> Sent: Monday, June 11, 2012 1:28 PM To: nanog@nanog.org Subject: EBAY and AMAZON I have received bogus emails from both of the above on Friday. These look like I bought something that in both cases I did not buy. The EBAY was a golf club for $887 and the Amazon was a novel for $82, far more than I would have spent on either. I think I looked at the novel on Amazon and I remember the golf club came up on a search with something else on Ebay. How this information could get to someone spoofing is a little disconcerting. I have changed EBAY and Paypal Passwords as instructed. Ralph Brandt Communications Engineer HP Enterprise Services Telephone +1 717.506.0802 FAX +1 717.506.4358 Email Ralph.Brandt@pateam.com 5095 Ritter Rd Mechanicsburg PA 17055
These are exploit kit teasers. Black hole exploit kit specifically. I wouldn't click on any of the links in there. Anyone who would like to send me copies of these, I'll take. -- Joel Esler On Jun 11, 2012, at 4:51 PM, Blake Pfankuch <blake@pfankuch.me> wrote:
I have a spam pit email address which I monitor for trends to have a little bit of jump on the possible things users might touch at work. I started seeing the amazon, ebay and paypal ones a few weeks back. The other one I have started to see a lot of is the "Free or cheaper home phone service through magic jack" ones. Again as expected they link to some .ru domain and look just like the normal sign up page. Also my handy dandy virtual machine was instantly owned with malware just by loading the page. The VM runs Windows 7 as a non administrative user, UAC cranked up and IE9. Something like 10 installed apps showed up including "Adobe Flash Player Latest."
The other cool one I have been seeing is along the lines of "How to better utilize your office phone system" or "New Business Phone systems" with supposed links to "popular new phone system trends". This one is rather crafty as it has an embedded image which is a nice weblink to an infected jpg. So you click show picture in outlook, or in your browser and you get another installed piece of nastyware.
-----Original Message----- From: Kain, Rebecca (.) [mailto:bkain1@ford.com] Sent: Monday, June 11, 2012 12:40 PM To: nick@flhsi.com; Brandt, Ralph; nanog@nanog.org Subject: RE: EBAY and AMAZON
I have gotten them from "amazon" stating "order number X was cancelled and please click on the below file for more information". Because I order so much on amazon, I almost thought it was real and clicked on it but then went to the amazon site and looked at "my open orders". It always pays to goto the site, not believe email.
-----Original Message----- From: Nick Olsen [mailto:nick@flhsi.com] Sent: Monday, June 11, 2012 2:06 PM To: Brandt, Ralph; nanog@nanog.org Subject: re: EBAY and AMAZON
I think it might just be coincidence. I've gotten about 10 of them and haven't been to ebay or amazon in months. Most of them have been for >60 dollar books.
Nick Olsen Network Operations (855) FLSPEED x106
---------------------------------------- From: "Brandt, Ralph" <ralph.brandt@pateam.com> Sent: Monday, June 11, 2012 1:28 PM To: nanog@nanog.org Subject: EBAY and AMAZON
I have received bogus emails from both of the above on Friday.
These look like I bought something that in both cases I did not buy. The EBAY was a golf club for $887 and the Amazon was a novel for $82, far more than I would have spent on either.
I think I looked at the novel on Amazon and I remember the golf club came up on a search with something else on Ebay.
How this information could get to someone spoofing is a little disconcerting.
I have changed EBAY and Paypal Passwords as instructed.
Ralph Brandt Communications Engineer HP Enterprise Services Telephone +1 717.506.0802 FAX +1 717.506.4358 Email Ralph.Brandt@pateam.com 5095 Ritter Rd Mechanicsburg PA 17055
Security Settings in the Trust Center: "Read as Plain Text" "Even Signed Messages as Plain Text" "Never Download Images" "Require Confirmation when Forwarding or Replying will Download Anything at all" Disable the AutoInfect options: "Turn off the Preview" "Turn off the Reading Pain" You will never fall for a phishing scam or other malicious e-mail message ever again. I could never quite understand how anyone could get "phished" by e-mail since I have never ever seen a "phishing" or other malicious message that was not obviously so, even when I don't have me spectacles on! And for everyone who sends you a web-page-by-email, tear them a new a**hole. If they do not mend their ways, get rid of em. Banish them to bh0 where they belong. If routing them to bh0 doesn't work, then at least send their drivel to /dev/nul. --- () ascii ribbon campaign against html e-mail /\ www.asciiribbon.org
-----Original Message----- From: Blake Pfankuch [mailto:blake@pfankuch.me] Sent: Monday, 11 June, 2012 14:51 To: Kain, Rebecca (.); nick@flhsi.com; Brandt, Ralph; nanog@nanog.org Subject: RE: EBAY and AMAZON
I have a spam pit email address which I monitor for trends to have a little bit of jump on the possible things users might touch at work. I started seeing the amazon, ebay and paypal ones a few weeks back. The other one I have started to see a lot of is the "Free or cheaper home phone service through magic jack" ones. Again as expected they link to some .ru domain and look just like the normal sign up page. Also my handy dandy virtual machine was instantly owned with malware just by loading the page. The VM runs Windows 7 as a non administrative user, UAC cranked up and IE9. Something like 10 installed apps showed up including "Adobe Flash Player Latest."
The other cool one I have been seeing is along the lines of "How to better utilize your office phone system" or "New Business Phone systems" with supposed links to "popular new phone system trends". This one is rather crafty as it has an embedded image which is a nice weblink to an infected jpg. So you click show picture in outlook, or in your browser and you get another installed piece of nastyware.
-----Original Message----- From: Kain, Rebecca (.) [mailto:bkain1@ford.com] Sent: Monday, June 11, 2012 12:40 PM To: nick@flhsi.com; Brandt, Ralph; nanog@nanog.org Subject: RE: EBAY and AMAZON
I have gotten them from "amazon" stating "order number X was cancelled and please click on the below file for more information". Because I order so much on amazon, I almost thought it was real and clicked on it but then went to the amazon site and looked at "my open orders". It always pays to goto the site, not believe email.
-----Original Message----- From: Nick Olsen [mailto:nick@flhsi.com] Sent: Monday, June 11, 2012 2:06 PM To: Brandt, Ralph; nanog@nanog.org Subject: re: EBAY and AMAZON
I think it might just be coincidence. I've gotten about 10 of them and haven't been to ebay or amazon in months. Most of them have been for >60 dollar books.
Nick Olsen Network Operations (855) FLSPEED x106
---------------------------------------- From: "Brandt, Ralph" <ralph.brandt@pateam.com> Sent: Monday, June 11, 2012 1:28 PM To: nanog@nanog.org Subject: EBAY and AMAZON
I have received bogus emails from both of the above on Friday.
These look like I bought something that in both cases I did not buy. The EBAY was a golf club for $887 and the Amazon was a novel for $82, far more than I would have spent on either.
I think I looked at the novel on Amazon and I remember the golf club came up on a search with something else on Ebay.
How this information could get to someone spoofing is a little disconcerting.
I have changed EBAY and Paypal Passwords as instructed.
Ralph Brandt Communications Engineer HP Enterprise Services Telephone +1 717.506.0802 FAX +1 717.506.4358 Email Ralph.Brandt@pateam.com 5095 Ritter Rd Mechanicsburg PA 17055
Not too long ago I received 3 phone calls, with a strong Indian accent and broken english, claiming to be a computer support firm that has noticed virus activities on my Windows computer. First time I told them I don't have any Windows machines. They then hung up. The second time, I asked them what IP they saw this from. They didn't know. Then they hung up. The third time, I told them I had 15 machines, and asked which one. They hung up again. The calls came from different Los Angeles area codes, but had to be VoIP. On 06/11/12 13:51, Blake Pfankuch wrote:
I have a spam pit email address which I monitor for trends to have a little bit of jump on the possible things users might touch at work. I started seeing the amazon, ebay and paypal ones a few weeks back. The other one I have started to see a lot of is the "Free or cheaper home phone service through magic jack" ones. Again as expected they link to some .ru domain and look just like the normal sign up page. Also my handy dandy virtual machine was instantly owned with malware just by loading the page. The VM runs Windows 7 as a non administrative user, UAC cranked up and IE9. Something like 10 installed apps showed up including "Adobe Flash Player Latest."
The other cool one I have been seeing is along the lines of "How to better utilize your office phone system" or "New Business Phone systems" with supposed links to "popular new phone system trends". This one is rather crafty as it has an embedded image which is a nice weblink to an infected jpg. So you click show picture in outlook, or in your browser and you get another installed piece of nastyware.
-- Mr. Flibble King of the Potato People
On Mon, Jun 11, 2012 at 06:39:44PM +0000, Kain, Rebecca (.) wrote:
It always pays to goto the site, not believe email.
1. This is why (particularly when dealing with older and/or non-technical people who are incredibly easy to scam) I recommend (a) bookmarking their critical sites, such as banks, and (b) training them to never, ever, EVER use anything but those bookmarks to get to those sites. 2. Of course, many of those same critical sites have been ardently training their customers to be phish victims by their appallingly stupid insistence on HTML markup in email, which is why (1) is necessary. ---rsk
participants (11)
-
Blake Pfankuch
-
Bryan Irvine
-
Cutler James R
-
goemon@anime.net
-
Joel Esler
-
Kain, Rebecca (.)
-
Keith Medcalf
-
Nick Olsen
-
Rich Kulawiec
-
Robert Hajime Lanning
-
Scott Brim