Spam & Phishing

Aggressive phishing against customers (now belonging to 1&1) is one of the biggests hosters in Germany. Since a few weeks we see a lot of emails containing various texts that try to convince the user to login to his account and perform some actions. Strato published on their blog also a post about these fake emails:   Fortunately, the phishing email is very simple and it just hides the target URL with the official URL. Pretty much all phishing filters detect it and block it.   The subject of the email is very aggressive: Last notification before judicial recovery The email says that the customer has one more day to pay. But now comes the funny part. The email says that the payment should be done via credit card, in order to make it “easy” for the customer. 🙂 To may this even more credible, they write that the introduction of a new payment method costs 1€. After that, they even communicate the name of the company that will try to retrieve the money from the customer: Intrum (   The problem I can’t stop to wonder how are the phishers obtaining all domains from Strato. I have all my…

Read More

Nigerian Scam ? No, COVID-19 scam, from China

I sometimes can’t stop to ask myself if the scammers are actually human beings with feelings of loss and tragedy and if they have the same concerns as the normal citizens. I guess they are not, because otherwise you can’t explain this:   Hello friend, I intend to give out some portion of my wealth as a free-will Financial donation to you for the ongoing COVID-19 that was cause by China because am a good citizen of china. Respond to partake. Regards Wang Jianlin CEO: Wanda Group And they even write the name of the virus wrong in the subject : CONVID instead of COVID The email contains also some tracking pixel in the HTML content, pointing to

Bitcoin scam related to the Corona virus

As I mentioned before, there is a lot going on in the cyberspace related to the Corona virus. Unfortunately, many of the things circulating are scams or information that direct to malware. This is an email circulating currently in massive waves in various languages (here in German):   Hallo Sorin Mustaca Falls Sie es noch nicht gehört haben – Bitcoin wird voraussichtlich vor Ende des Jahres über 100.000 Euro erreichen! Das ist 5mal höher als der Höchststand von 2017. Die Prognosen beruhen auf der Ankündigung großer Unternehmen wie Facebook und Uber, dass sie dieses Jahr in die Krypto-Arena einsteigen werden. Wir bieten Ihnen einen Platz auf unserer privaten Anlageplattform – Sie können Ihr kostenloses Konto sofort registrieren und Ihre Reise noch heute beginnen. Ihre Investitionskosten: 250$ Erstellen Sie ein kostenloses Konto   Freundliche Grüße BTC-Era Unsubscribe   They are requesting me to invest 250$ in BTC with the promise that by the end of the year a BTC will be 100K EUR worth. Stay away from such platforms … 🙂

“Ha‌sta‌xla‌lyvi‌sta‌” says a “ha‌cke‌r” who tries to blackmail me using an obfuscated mail

We’ve seen millions of emails with blackmailing texts containing some username/email address and a password harvested from some hacked website. This one would be just another one, except that the text is obfuscated 🙂 It looks interesting but it is tiresome to try to read it. And why the effort, in the end ? Below is the email. This son of a b** who sent the email took good care to not obfuscate the BTC wallet. Unfortunately, somebody actually paid on 27.2.2020, but I am not sure if this is a victim or not. Here is the relevant part of the header of the email: Received: from ([]) by with SMTP id d3si5673968oia.236.2020. for <>; Mon, 02 Mar 2020 07:13:21 -0800 (PST) Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of client-ip=; Authentication-Results:; spf=neutral ( is neither permitted nor denied by best guess record for domain of X-K: live Received: from unknown ( by with NNFMP; Mon, 02 Mar 2020 10:11:17 -0500 Received: from unknown (HELO (Mon, 02 Mar 2020 09:53:27 -0500) by with NNFMP; Mon, 02 Mar 2020 09:53:27 -0500 Received: from…

Malicious emails sent in German on behalf of the Post

German users are receiving a lot of such spams these days: It is about a package which allegedly it has its transport costs not paid. (2 €). The user is invited to visit a page where he can be pay this. Verfolgen Sie Ihr Paket: DE3428632-19 STATUS: BEARBEITUNG – VERTEILERZENTRUM BERLIN – Transportkosten VON 2,00 € wurden nicht bezahlt LIEFERUNG ERFOLGT NACH BEZAHLUNG LIEFERKOSTEN BEZAHLEN Useless to say, this is not the usual way to deal with packages, so those which sent the spam have no idea how things work. The link goes to a page delivering a malicious payload.   This is how the email looks like:   Observe the blue marked items. The spammers are either lacking skills, or they think that the users are idiots, or are themselves idiots. The body of the email is one single line of Base64 encoded text. It appears to be sent from an AWS account.     Received: from ( []) by with ESMTP id d8si40042704pgv.61.2019. for ; Fri, 24 Jan 2020 12:43:25 -0500 (EST) Received: from ( ) by with ESMTP id t6si5997511qvm.25.2019. for ; Fri, 24 Jan 2020 12:43:25 -0500 (EST) Received: from (HELO…

Sextorsion with “real” data – Do not pay!

If you have received an email with the subject “Yuor password – ”, don’t freak out immediately. Yes, the “yuor” is written wrong, but this is how the fraudsters wrote it, not the author of this article. The fraudsters have used a dump with the email addresses and passwords from some hacked website, where you have registered with that email address and password. So, yes, they are real. The email is pretty convincing, and if you don’t think a bit, some people might be inclined to actually believe that it is true. But, it isn’t… it is just an automated email, created from the list of recent dumps made public. You can see for yourself here more details: I recommend to enter your email address there as well, and you will receive notifications if your email appears in some dumps. How to recognize these scams Let’s have a short look at this email, so that you know in the future how to recognize them: 1. No fraudster would write his/her real name and email address. A simple search on the “From” of this email shows a normal person, who might have his/her email hacked. 2. Look at the language:…

When Nikola Tesla in person writes you about your high electricity bills :)

Sometimes, looking after spams is also fun, not just research work. This is what I found today: Dear Energy User, If you pay for electricity, you`ve been hit hard by high energy prices. And, if you`re like most people, you`re thinking there`s got to be a better way. A better way to heat your home a better way to use electricity without spending a fortune a better way to get save on your electricity bill…. >> Watch this F-R-E-E Video Take Note: This video will last only 24 hours, it’s up to you. Yours Truly, Nikola Tesla Click here to unsubscribe   But then you click to see this: and you see this hosted on     What a joke, right ? 🙂 Bu the film about Nikola Tesla is good, even if it is 23 minutes long. :))) Btw, all those things are just bullshit… Wrong interpretation of real facts. All this trouble to buy a book :

Targeted Phishing against

We have ta lot of phishing attempts in German against   Subject: Wir haben ein Abrechnungsproblem festgestellt. Sehr geehrter Kunde, Wir haben ein Abrechnungsproblem festgestellt. Diese Art von Fehlern zeigt normalerweise an, dass die Kreditkarte abgelaufen ist oder Ihre Rechnungsadresse ist ungültig. Klicken Sie auf den folgenden Link, um Ihre Informationen zu aktualisieren: Herzliche Grüße ___________________________ Kundenbetreuung Strato S.p.A. ___________________________   Subject:Du hast eine Schuld von 5,00 € Strato Kundendienst BP 438 – 75366 Berlin CEDEX 08 Germaney Sehr geehrter Kunde, Du hast eine Schuld von 5,00 € Ein Betrag von 5,00 € ist für die Erneuerung Ihrer Dienstleistungen fällig. Informationen : Um die Unterbrechung Ihrer Strato-Dienste zu vermeiden, möchten wir Sie bitten, Ihre Situation so schnell wie möglich zu regeln und Ihre Zahlung per Kreditkarte 24/7 zu tätigen. Greifen Sie auf Ihr Zahlungsformular zu. Herzliche Grüße ___________________________ Kundenbetreuung Strato S.p.A. ___________________________     They are using shorteners at  

Digital blackmailing – Sextorsion

We are used to see ransomware encrypting files and requesting money (bitcoin) to decrypt them. I received now a new email on a corporate address, which is a black-e-mail … in digital form. I have to say, that the amount of thoughts expressed in the email is interesting. Somebody, with some basic knowledge and bad English knowledge has put some infos together. 🙂   Here is the plain text, so that it is easier to index: Hello. I do not want to judge anyone, but as a result of several occasions, we have point of contact from now. I do not think that caress oneself is very bad, but when all your relatives, colleagues and friend see it- its obviously awful. So, closer to the point. You visited the website with роrn, which I’ve adjusted with the deleterious soft. Then you chose video, virus started working and your device became working as dedicated desktop immediately. Naturally, all cams and screen started recording instantly and then my virus collected all contacts from your device. I text you on this e-mail address, because I got it it with my soft, and I guess you for sure check this work address. The most…

Targeted Malware on the rise

  Ever wondered what a “spear phishing” is ? Or a “targeted malware” ? See below: It is an email targeted to a member of an organization, which is made to look as legitimate as possible. The difference between normal phishing and malware emails and a targeted one is that the contents of the emails are referring to locations or persons of the organization being targeted. In this case, Avira: as you can see below, there are apparent links to internal locations. Of course, they are all fake (like in phishing). In reality, they point to malicious documents and locations which have nothing to do with the company.   The interesting part here is that the email is made to look as if I send the first email and this “Cameron” is replying to my email. This is social engineering to its best. Avira will block the content as W2000M/Dldr.Agent.CG and the URLs.  

%d bloggers like this: