2017-12-18 - A WEEKEND'S WORTH OF PHISHING EMAILS FROM MY INBOX

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-12-18-phishing-malspam-examples.zip   31.9 kB (31,936 bytes)

NOTES:

• I saw several related phishing emails this past weekend, so I decived to santize 'em and share.
• Most had links to phishing websites, but a few had HTML attachments that posted data to some of the same servers.
• I should probably find someone to handle these phishing emails...

Shown above:  Maybe I'll get the "Leave hime alone" guy to talk to these phishers.

 

WEB TRAFFIC BLOCK LIST

These are some URLs to phishing sitesI found from the emails.  Many have already been taken off-line.

• hxxp://hotelrecantodosguardioes.com.br/templates/crypt/login.php
• hxxp://hydrosan.net/media/-/crypt/login.php
• hxxp://hydrosan.net/plugins/-/dhl202/dhl202/index.php
• hxxps://jsbc.biz/-/po.htm
• hxxp://jsbc.biz/language/upgrade/aut.php
• hxxp://jsbc.biz/templates/Counter/index.php
• hxxp://jsbc.biz/templates/online20PDF/NewPdf.html
• hxxps://www.ozelmedical.com/wp-content/=/engauto189/mailbox/mailbox/index.php
• hxxp://piecbud.net.pl/-/admin/crypt/index.html
• hxxp://piecbud.net.pl/-/webmail/webadminpage.htm

 

EMAILS

EMAIL DATA:

• Date: Fri, 15 Dec 2017 16:55 UTC
• Date: Sat, 16 Dec 2017 22:33 UTC
• Date: Sun, 17 Dec 2017 07:07 UTC
• Date: Sun, 17 Dec 2017 07:21 UTC
• Date: Sun, 17 Dec 2017 09:03 UTC
• Date: Sun, 17 Dec 2017 12:19 UTC
• Date: Sun, 17 Dec 2017 16:33 UTC
• Date: Sun, 17 Dec 2017 17:36 UTC
• Date: Sun, 17 Dec 2017 22:49 UTC
• Date: Mon, 18 Dec 2017 00:08 UTC

• Received: from [185.138.223.181] ([185.138.223.181:42114] helo=auit.onice.io)
• Received: from [130.185.182.216] ([130.185.182.216:36322] helo=salepr.onice.io)
• Received: from [130.185.182.216] ([130.185.182.216:35647] helo=salepr.onice.io)
• Received: from [130.185.182.216] ([130.185.182.216:44038] helo=salepr.onice.io)
• Received: from [130.185.182.216] ([130.185.182.216:45700] helo=salepr.onice.io)
• Received: from [130.185.182.18] ([130.185.182.18:37770] helo=mrpat.onice.io)
• Received: from [185.138.223.181] ([185.138.223.181:43221] helo=auit.onice.io)
• Received: from [130.185.182.195] ([130.185.182.195:46566] helo=iquit.onice.io)
• Received: from [130.185.182.168] ([130.185.182.168:36325] helo=eewrwe.onice.io)
• Received: from [130.185.182.168] ([130.185.182.168:35839] helo=eewrwe.onice.io)

• From: "Sale Grace_Sese" <sese_report@auit.onice.io>
• From: "E-Mail Service" <support@salepr.onice.io>
• From: "Linkedin Message" <linkedinmesage@salepr.onice.io>
• From: "Mail Service" <suppor@salepr.onice.io>
• From: "OneDrive" <sendingdoc@salepr.onice.io>
• From: "DHL Express" <sendingdoc@mrpat.onice.io>
• From: "Rechele trade sec" <saletrade@auit.onice.io>
• From: "E-Mail Service" <irullin@iquit.onice.io>
• From: "E-Mail Service" <iua@eewrwe.onice.io>
• From: "Sale Grace" <sale@eewrwe.onice.io>

• Subject: Urgent Purchase Oder
• Subject: Your email account is at risk and will been Terminated
• Subject: Rpaul I'll like to do business with you via LinkedIn. Kindly accept invite.
• Subject: Email IMPORTANT NOTICE (Do Not Ignore)
• Subject: Someone sent you a Document via OneDrive.
• Subject: DHL Shipment Arrival Notice (final Notice!)
• Subject: Re: Re: Advance payment slip ##PO/ORDER
• Subject: Warning: Your Mail-Box Will Be Blocked Soon
• Subject: Warning: Your Mail-Box Will Be Blocked Soon
• Subject: NEW ORDER for December No. 30267

 

Shown above:  Screenshot of an email with a link to the phishing site.

 

Shown above:  Clicking a link from the above email.

 

Shown above:  Screenshot of an email with an HTML attachment for the phishing site.

 

Shown above:  Opening the HTML attachment from the above email.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-12-18-phishing-malspam-examples.zip   31.9 kB (31,936 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.