2017-12-18 - A WEEKEND'S WORTH OF PHISHING EMAILS FROM MY INBOX

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• "2017-12-18-phishing-emails-10-examples.zip   33.1 kB (33,062 bytes)

NOTES:

• I saw several related phishing emails this past weekend, so I decived to santize 'em and share.
• Most had links to phishing websites, but a few had HTML attachments that posted data to some of the same servers.

Shown above:  Maybe I'll get the "Leave hime alone" guy to talk to these phishers.

 

WEB TRAFFIC BLOCK LIST

These are some URLs to phishing sitesI found from the emails.  Many have already been taken off-line.

• hxxp[:]//hotelrecantodosguardioes[.]com[.]br/templates/crypt/login.php
• hxxp[:]//hydrosan[.]net/media/-/crypt/login.php
• hxxp[:]//hydrosan[.]net/plugins/-/dhl202/dhl202/index.php
• hxxps[:]//jsbc[.]biz/-/po.htm
• hxxp[:]//jsbc[.]biz/language/upgrade/aut.php
• hxxp[:]//jsbc[.]biz/templates/Counter/index.php
• hxxp[:]//jsbc[.]biz/templates/online20PDF/NewPdf.html
• hxxps[:]//www.ozelmedical[.]com/wp-content/=/engauto189/mailbox/mailbox/index.php
• hxxp[:]//piecbud.net[.]pl/-/admin/crypt/index.html
• hxxp[:]//piecbud.net[.]pl/-/webmail/webadminpage.htm

 

EMAILS

EMAIL DATA:

• Date: Fri, 15 Dec 2017 16:55 UTC
• Date: Sat, 16 Dec 2017 22:33 UTC
• Date: Sun, 17 Dec 2017 07:07 UTC
• Date: Sun, 17 Dec 2017 07:21 UTC
• Date: Sun, 17 Dec 2017 09:03 UTC
• Date: Sun, 17 Dec 2017 12:19 UTC
• Date: Sun, 17 Dec 2017 16:33 UTC
• Date: Sun, 17 Dec 2017 17:36 UTC
• Date: Sun, 17 Dec 2017 22:49 UTC
• Date: Mon, 18 Dec 2017 00:08 UTC

• Received: from [185.138.223[.]181] ([185.138.223[.]181:42114] helo=auit.onice.io)
• Received: from [130.185.182[.]216] ([130.185.182[.]216:36322] helo=salepr.onice.io)
• Received: from [130.185.182[.]216] ([130.185.182[.]216:35647] helo=salepr.onice.io)
• Received: from [130.185.182[.]216] ([130.185.182[.]216:44038] helo=salepr.onice.io)
• Received: from [130.185.182[.]216] ([130.185.182[.]216:45700] helo=salepr.onice.io)
• Received: from [130.185.182[.]18] ([130.185.182[.]18:37770] helo=mrpat.onice.io)
• Received: from [185.138.223[.]181] ([185.138.223[.]181:43221] helo=auit.onice.io)
• Received: from [130.185.182[.]195] ([130.185.182[.]195:46566] helo=iquit.onice.io)
• Received: from [130.185.182[.]168] ([130.185.182[.]168:36325] helo=eewrwe.onice.io)
• Received: from [130.185.182[.]168] ([130.185.182[.]168:35839] helo=eewrwe.onice.io)

• From: "Sale Grace_Sese" <sese_report@auit.onice[.]io>
• From: "E-Mail Service" <support@salepr.onice[.]io>
• From: "Linkedin Message" <linkedinmesage@salepr.onice[.]io>
• From: "Mail Service" <suppor@salepr.onice[.]io>
• From: "OneDrive" <sendingdoc@salepr.onice[.]io>
• From: "DHL Express" <sendingdoc@mrpat.onice[.]io>
• From: "Rechele trade sec" <saletrade@auit.onice[.]io>
• From: "E-Mail Service" <irullin@iquit.onice[.]io>
• From: "E-Mail Service" <iua@eewrwe.onice[.]io>
• From: "Sale Grace" <sale@eewrwe.onice[.]io>

• Subject: Urgent Purchase Oder
• Subject: Your email account is at risk and will been Terminated
• Subject: Rpaul I'll like to do business with you via LinkedIn. Kindly accept invite.
• Subject: Email IMPORTANT NOTICE (Do Not Ignore)
• Subject: Someone sent you a Document via OneDrive.
• Subject: DHL Shipment Arrival Notice (final Notice!)
• Subject: Re: Re: Advance payment slip ##PO/ORDER
• Subject: Warning: Your Mail-Box Will Be Blocked Soon
• Subject: Warning: Your Mail-Box Will Be Blocked Soon
• Subject: NEW ORDER for December No. 30267

 

Shown above:  Screenshot of an email with a link to the phishing site.

 

Shown above:  Clicking a link from the above email.

 

Shown above:  Screenshot of an email with an HTML attachment for the phishing site.

 

Shown above:  Opening the HTML attachment from the above email.

 

Click here to return to the main page.