phishing

Aggressive phishing against Strato.de customers

Strato.de (now belonging to 1&1) is one of the biggest hosters in Germany. For a few weeks now we have been seeing a lot of emails containing various texts that try to convince the user to log in to his strato.de account and perform some actions. Strato also published a post on their blog about these fake emails: https://strato.de/blog/achtung-aktuell-wieder-phishing-mails-im-namen-von-strato-im-umlauf/

Fortunately, the phishing email is very simple: it just hides the target URL behind the official strato.de URL. Pretty much all phishing filters detect it and block it.

The subject of the email is very aggressive: Last notification before judicial recovery

The email says that the customer has one more day to pay. But now comes the funny part. The email says that the payment should be done via credit card, in order to make it “easy” for the customer. 🙂 To make this even more credible, they write that the introduction of a new payment method costs 1€. After that, they even communicate the name of the company that will try to retrieve the money from the customer: Intrum (www.intrum.de)

The problem

I can’t stop wondering how the phishers are obtaining all domains from Strato. I have all my…


Targeted phishing for Amazon Credit Cards

This time, there is a phishing campaign for Amazon Credit Cards, which are served by LBB Bank. The user is redirected twice to some URLs, which are reported as “DECEPTIVE” by Chrome. Unfortunately, the final pages were deleted, so I can’t take screenshots.

Hello

You have (1) important message in your LandesBank Berlin AG account.

To see it, please click on the link below:

https://kreditkarten-banking.lbb.de/lbb/cas/dispatch.do?bt_PRELON=do&ref=1200_LBB&service=COS

Kind regards

Your advisor
LandesBank Berlin AG


Targeted phishing on customers of Strato.de

My domain mustaca.com is hosted at Strato.de. I received several such emails, showing that somebody really scrapes the net to find targets at various ISPs.

Dear customer,

We inform you that the domain mustaca.com is expiring.

How can one renew?

The renewal process is quick and easy: simply order online and pay for it.

https://rechnung.strato.de

To see the order overview and the amount you want to pay, you can renew from this page.

What happens if I do not renew?

In case of non-renewal, the services will be deactivated on the day after expiry and the domain will no longer be visible.

Kind regards

STRATO AG
Pascalstrae 10
10587 Berlin
————————————————————————
Chairman of the Supervisory Board: René Obermann
Management Board: Dr. Christian Being (Chair), Christoph Steffens, René Wienholtz
Amtsgericht Berlin-Charlottenburg HRB 79450

And this is what the page looks like:


Targeted Phishing against Strato.de

We have a lot of phishing attempts in German against Strato.de:

Subject: We have detected a billing problem.

Dear customer,

We have detected a billing problem. This kind of error normally indicates that the credit card has expired or that your billing address is invalid.

Click on the following link to update your information:

https://www.strato.de/apps/CustomerService#/skl

Kind regards
___________________________
Customer Service
Strato S.p.A.
www.strato.de
___________________________

Subject: You have a debt of 5,00 €

Strato Customer Service
BP 438 – 75366 Berlin CEDEX 08
Germaney

Dear customer,

You have a debt of 5,00 €

An amount of 5,00 € is due for the renewal of your services.

Information: To avoid the interruption of your Strato services, we would like to ask you to settle your situation as quickly as possible and to make your payment by credit card 24/7.

Access your payment form.

Kind regards
___________________________
Customer Service
Strato S.p.A.
www.strato.de
___________________________

They are using shorteners at http://t.co
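The Strato emails above show an official strato.de URL or a plain call to action while the real target sits behind a shortener. As an added example (not code from the original posts), this Python check audits an HTML mail body for both signs; the shortener set and the sample HTML, including the `t.co/EXAMPLE` placeholder, are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"t.co", "bit.ly", "tinyurl.com"}  # assumed sample list, extend as needed
# Visible link text that itself looks like a URL or bare host name.
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/#?]\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(url):
    """Lower-cased host name without a leading 'www.'."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().removeprefix("www.")

def audit(html):
    """Return (kind, text, href) findings for suspicious links."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        target = host(href)
        if target in SHORTENERS:
            findings.append(("shortener", text, href))
        if URLISH.match(text):
            shown = host(text)
            # Displayed host must equal the target or be its parent domain.
            if target != shown and not target.endswith("." + shown):
                findings.append(("mismatch", text, href))
    return findings

# Constructed sample body modelled on the emails quoted above.
SAMPLE_HTML = """
<a href="http://t.co/EXAMPLE">https://www.strato.de/apps/CustomerService#/skl</a>
<a href="https://www.strato.de/">www.strato.de</a>
<a href="http://t.co/EXAMPLE">Access your payment form.</a>
"""
```

A link whose displayed host is the parent domain of the real target, such as text `strato.de` pointing to `rechnung.strato.de`, is not flagged.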


Dropbox phishing: someone is interested in your corporate files

I wrote before about the Target Malware. Now I can also write about Phishing. Here is one for Dropbox:

What is wrong with this email?

- They contact me by extracting the user part of the email address (smustaca).
- The “Verify your email” goes directly to a phishing website.
- The text is rather unusual, as Dropbox will never send anything like this.
- Dropbox adds some personalized links at the end of the emails.
- Emails from Dropbox come from “Dropboxmail.com” and not from “dropbox.com”.

Why would anyone phish Dropbox?

In order to get your files!

Why would anyone want to get your files?

In order to have something possibly secret, interesting, to gain a competitive advantage, to blackmail you.

What can you do?

Don’t click on those emails. Look carefully at the links, and if you clicked, check that the website is legitimate. When you visit Dropbox.com, you must check the seal (the small lock) by clicking on it:


Is eBay actually supporting phishing?

From time to time I wonder if these guys (I am thinking of eBay, PayPal, Amazon, some banks) are actually trying to help phishers to do their “jobs”. The email you see in the screenshot is a 100% authentic email from eBay Germany. I am being asked, you guessed right, to “protect my eBay account”.

“Dear <user>, you have not updated your personal data for more than a year. In order to have your personal data up to date, help us to protect your eBay account better.” Sounds good, right? “Please check your personal eBay information and make sure that it is up to date. Please ignore this message if you have updated your data recently.”

Same as 99.99% of the phishing emails. I couldn’t believe my eyes either, so I checked the headers of the email:

Needless to say, this is against their own policies mentioned here in German http://pages.ebay.de/help/account/recognizing-spoof.html and in English here http://pages.ebay.com/help/account/recognizing-spoof.html

This is the link behind the button: http://rover.ebay.com/rover/0/e13217.m.l7678/7?euid=&loc=https%3A%2F%2Freg.ebay.de%2Freg%2FUpdateContactInfo%3Fflow%3DEMAIL

It is true that their email:

- is addressing me personally, using my eBay account
- is not urgent
- is not threatening
- doesn’t have attachments, but it has pictures

but, there are some elements that make…


Major PayPal failure: sending emails following all rules of a “good” phishing email

The email below (in German) is from PayPal. It is not a phishing email or a spam email pointing to some online pharmacy. I assure you of this. I have verified the DKIM and SPF information in the headers, and checked all headers for any trace of alteration and for any trace of a foreign IP address or domain. It is also very correct: it informs me that the credit card behind my PayPal account is about to expire. It asks me to update the credit card by clicking on the yellow button.

At this point, I am without words. I would have never expected to receive something like this from PayPal. Their suggestions to detect phishing and to report phishing are here: https://www.paypal.com/us/webapps/mpp/security/suspicious-activity

I quote:

Suspicious emails

Phishing and spoof emails aim to obtain your secure information, passwords, or account numbers. These emails use deceptive means to try and trick you, like forging the sender’s address. Often, they ask for the reader to reply, call a phone number, or click on a weblink to steal personal information. If you receive a suspicious email, FORWARD it to spoof@paypal.com. Our security experts can take a look to determine if it’s a fake. If…


“Apple iPhone 7 testers wanted”: Probably the most complex scam I’ve seen this year!

This scam is sent by the CHTAH.COM platform, which is known to send millions of spam emails. You can see its added “value” in the three colored rectangles inserted on top of the mail. “iPhone 7 Testers Wanted!” is trying to lure the readers to a website that looks very much like the times.com website.

Hey there,

It is official. Apple stores are crazily giving out iPhone 6 for ONLY 1£.

In order to claim your iPhone 6 for 1£, please follow the instructions below:
1) Click this link to tell us what improvement you want to see in the upcoming iPhone 7
2) Send us your shipment detail

Products are limited.

Participate iPhone 7 Survey Now!

Sincerely,
Apple Survey Centre

The website tries to copy CNN’s or BBC’s website, but it is not very convincing, as neither of them looks like this anymore.

I guess that not many notice that it is no longer about the iPhone 7 but the iPhone 6. Well, it should cost £1, after all 🙂 🙂

After you click on that link, you see what it is all about: You need…


PayPal Phishing for German customers with innovative social engineering technique

Nothing special in this phishing email in German from the “PayPal Team” asking you to click in order to unlock your PayPal account.

PayPal – Information required!

Hello

Your PayPal account is temporarily locked. You cannot make any further payments with PayPal. To lift the lock on your account and to remove all your active cases as well as further terms and conditions revocations, you must enter the missing information.

Please proceed as follows. Open the page Get started now and carry out the steps.

The first screens ask for the PayPal account and the name of the owner, so all is standard for this kind of phishing. In the screen below (3rd) the fraudsters ask for the standard credit card data and for the maximum amount of money that can be paid with the credit card. What is new is the additional request for the account number! They actually require the standard bank account behind the credit card. This way they would be able to book money twice: once from the credit card, once from the bank account directly.

Interesting evolution, isn’t it?


Phishing on a different level: IRS Scam

The IRS (Internal Revenue Service) is the official authority in the USA to collect taxes. “Why would someone phish them?”, you may ask.

That’s why (see red area below):

In the form they ask you for access to your bank account. They have all the proof needed to impersonate you: address, taxpayer ID and many others. This way they can pay with your bank account when they pretend to be you.

Solution: Never answer such requests by email. Delete the email immediately.

