IMPORTANT BANKING MAIL FROM HSBC BANK



Spacetaxi
08.10.2004, 22:54
Received: from [69.201.151.119] (helo=69-201-151-119.nyc.rr.com)
by mx23.web.de with smtp (WEB.DE 4.101 #87)
ID: [ID filtered]
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://techsupp.ref.num928007779462607 [at] hsbc.com/Sent
X-Identity-Key: id1
Date: Fri, 08 Oct 2004 xx:xx:xx -0200
From: HSBC bank <techsupp.ref.num928007779462607 [at] hsbc.com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: xxx
Subject: IMPORTANT BANKING MAIL FROM HSBC BANK [Fri, 08 Oct 2004 xx:xx:xx -0200]
Content-Type: multipart/related;
boundary="------------080203040808060204020005"
Message-ID: [ID filtered]
Sender: techsupp.ref.num928007779462607 [at] hsbc.com

kjz1
21.06.2010, 14:09
Address harvested from Usenet:

Received: from nit.zju.edu.cn (eyougw.nit.zju.edu.cn [61.153.148.235])
by spammotel.com (Postfix) with SMTP ID: [ID filtered]
for xxxxx; Mon, 21 Jun 2010 xx:xx:xx -0400 (EDT)

dpil.gr/form1/fwd/

IP: 87.117.255.131 ---> EUKHOST Ltd., UK

Surprisingly, 'www.bankofamerica.com' then shows up in the source code, in other words: the phisher is too stupid to operate his ratware properly....

The link above, however, then just redirects to:

http://pharmacypanormou.gr/forum/

IP: 87.117.255.131

So on the same server. Which then no longer surprises me either: the box is running Plesk, but presumably in a cracked form...


- kjz

kjz1
25.06.2010, 10:27
And HSBC again:

Received: from mail-node-04.i-55.com (mail-node-04.i-55.com
[206.251.171.104])
by xxxxx (Postfix) with SMTP ID: [ID filtered]
for xxxxx; Fri, 25 Jun 2010 xx:xx:xx +0200 (CEST)
Received: (qmail 8908 invoked from network); 24 Jun 2010 xx:xx:xx -0000
Received: from 74-84-98-22.client.mchsi.com (HELO User)
(nancy [at] fastband.com@74.84.98.22)
by mail.fastband.com with SMTP; 24 Jun 2010 xx:xx:xx -0000

Phishing mail with an HTML attachment, which then contains:



<FORM
action="http://omegamissions . org/File_Upload/mnews/20100623/index.php"
method="POST"
name="PC_7_1_5PF_cam10To30Form" autocomplete="off">

http://omegamissions.org/File_Upload/mnews/20100623/index.php

IP: 211.233.89.213 ---> KIDC-INFRA, KR



- kjz

kjz1
14.07.2010, 15:30
The damn box still seems to be online:

Received: from graveyard.sksyu.net (graveyard.sksyu.net [95.168.64.6])
by xxxxx (Postfix) with ESMTP ID: [ID filtered]
for xxxxx; Tue, 13 Jul 2010 xx:xx:xx +0200 (CEST)
Received: from mail.sksyu.net (relay1.sksyu.net [95.168.64.11])
by graveyard.sksyu.net (Postfix) with ESMTP ID: [ID filtered]
for xxxxx; Tue, 13 Jul 2010 xx:xx:xx +0200 (CEST)
Received: from User (74-84-98-22.client.mchsi.com [74.84.98.22])
(Authenticated sender: painkilla [at] sksyu.net)
by mail.sksyu.net (Postfix) with ESMTP ID: [ID filtered]
Tue, 13 Jul 2010 xx:xx:xx +0200 (CEST)

http://omegamissions.org/File_Upload/Today/20100518/logo.php

IP: 211.233.89.213 ---> KIDC, KR

painkilla [at] sksyu.net

omegamission [at] empal.com

Well, that's Korea for you; crime is apparently part of the system there....


- kjz

kjz1
04.08.2010, 19:46
Once again via HTML attachment:

Received: from du14.3essentials.com (EHLO mail.factorysupply.net)
[65.99.201.251]
by mx0.gmx.net (mx066) with SMTP; 04 Aug 2010 xx:xx:xx +0200
Received: from User ([62.172.163.253]) by factorysupply.net with
MailEnable ESMTP; Wed, 4 Aug 2010 xx:xx:xx -0500

IP: 62.172.163.253 ---> BTnet UK Core

http://202.126.38.149/complete.php ---> AyalaPort Makati, Inc., PH

Apparently Putzi can also be reached by mail:

hqmkkz [at] yahoo.com


- kjz
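
Added example, not part of the thread and not any poster's code: a mail-filter check for the pattern in the posts of 25.06.2010 and 04.08.2010, where an HTML attachment carries a form that posts to a third-party host or a bare IP instead of the bank named in the From header. The sample attachment is constructed; `collector.example` and `192.0.2.10` are placeholder hosts, and the names `FormCollector` and `suspicious_forms` are hypothetical.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the attachments described above (hosts are placeholders).
SAMPLE_ATTACHMENT = """
<FORM
action="http://collector . example/File_Upload/index.php"
method="POST" name="loginForm" autocomplete="off"><input name="pin"></FORM>
<form action="http://192.0.2.10/complete.php" method="post"></form>
<form action="https://www.hsbc.com/search" method="get"></form>
"""

class FormCollector(HTMLParser):  # collects (action, method) for every <form> start tag
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":  # HTMLParser lowercases tag and attribute names
            a = dict(attrs)
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_forms(html, claimed_domain):
    """Flag forms whose action leaves the domain the mail claims to come from."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for action, method in collector.forms:
        url = urlsplit("".join(action.split()))  # drop whitespace used to break up the host
        host = (url.hostname or "").lower()
        if not host:
            continue  # relative action, no external target
        reasons = []
        if host != claimed_domain and not host.endswith("." + claimed_domain):
            reasons.append("off-domain")
        if is_ip_literal(host):
            reasons.append("ip-literal")
        if url.scheme == "http":
            reasons.append("cleartext")
        if reasons:
            findings.append({"host": host, "method": method, "reasons": reasons})
    return findings
```

Calling `suspicious_forms(SAMPLE_ATTACHMENT, "hsbc.com")` reports the first two forms and leaves the on-domain HTTPS form alone.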