INTERNAL FAX - CryptoWall 2.0 E-mail Example

I finally tracked down an example of one of the many variants of the CryptoWall 2.0 RansomWare / MalWare / Virus e-mails. This is not the only version out there so be aware!

As a general rule of thumb, never open a zip file attachment from someone you don't know. Even then scan it for viruses before opening it.

Here's what to look out for;

The e-mail subject was INTERNAL FAX

The attachment name I received was FAX827-482-9123.zip . The infectious software is contained inside the zip file. It also contained an attachment named ATT00001.txt (which is not a virus).

RansomWare message body text;

You have received fax from EPSON09964727 at sidsolve.com

Scan date: Wed, 26 Nov 2014 10:18:44 -0500

Number of page(s): 61

Resolution: 400x400 DPI

Name: FAX827-482-9123.pdf

_________________________________
Attached file is scanned image in PDF format.

The message came from XTLAMJHEK (74.252.107.66) around the Orlando, Florida area. The sender's address was 8GEGBYXZ.4384595@bleuit.com . The return path is cidejilk@bleuit.com . The sender spoofed a fake address named fax@sidsolve.com. This would likely be customized to the victim's domain. The company that owns the domain is based on Guernsey in the Channel Islands.

Shipping Info for you@yourdomain.com

The SPAM filter picked up this one today and I've had a couple of recent client calls about this type of e-mail and another one that claims there is a "New Fax Waiting". The e-mail contains an embedded link that will attempt to compromise any system that visits it.

The message originated in Provo, Utah on an ISP called Unified Layer. The IP Address that sent it was 162.144.32.106. The claimed sender's address is saadi@ihc.com.sa . The company at ihc.com.sa is an insurance broker that has likely been compromised.

Don't believe this. It is an attempt to infect you!

Delete it and move on with your day!


SPAM MAIL CONTENTS:

Purchase Notice
Please see the shipping information Date ordered: October 13/ 2014
For your information that the item is being shipped to you.
We also included delivery file to specified address.
Order No: 104213335
Order total: 1779.07 USD
Processed date: Oct 13 2014.

Help !!!!!!!!!!!!!! Cathleen and Mark

I haven't received one of these in a long time due to our filter capturing the vast majority of all the SPAM that hits our servers. This one made it through because it came from as client's personal account on AOL that we have whitelisted. Someone, somewhere, got hold of their password as is sending out spam. If you get one of these, they aren't really where the e-mail claims.

Although it claims to be from Simferopol, Ukraine, the message originates at IP Address 64.12.231.63 in Ashburn, Virginia. It was sent on an MCI network. It routed through AOL in New York City.

Delete the e-mail, Don't read it, don't respond.

Do contact your friend and tell them that they've been compromised. A heavy scan and password changes are in order.

SPAM EMAIL TEXT:

Hello ,
Sorry to bother you this time but this seems to me more than a dreadful ill-luck for me and my family.I am in Simferopol (UKRAINE) right now for a short vacation and unfortunately i ran out of cash, i have tried to access my credit card from the cash machines here but it keeps saying network errors.
I also tried to withdraw funds from my own bank account here but the lady at the paid desk informed me that i can't withdraw from my account here in a foreign country,wondering if i could get a quick loan of ($2,900 USD)  from you to clear some little things here and also take a cab to the airport i promise to refund it as soon as i get back home later this week.
I anticipate your response .
Cathleen and Mark

The Stocktip Of The Year

Uh... no... I think not. Maybe another candidate for scam of the year?

This scam, pump and dump, attempt to infect your systems, comes courtesy of pete25a2@bistrita.astral.ro a Romanian ISP. The message came in from the IP address 83.103.156.27 in Harghita, Romania.

The message is definitely not from TheStreet, Inc. at 63 South Main Street, Newtown CT 06470.

Don't click the links, don't read it, don't believe it. Delete and move on with your day!

Spam e-mail text;

TheStreet Daily
Your newsletter from
TheStreet, Inc.. Trouble viewing?
You've been patient for a while now and finally
it's time.
Confederation MineraIs (CNRMF)
is on the verge of exploding.Thats because they
have hundreds ofmillions of precious metals on their
property and they are weeks away from beginning to dig
it out and selling it up the distribution chain.It is
trading at such a bargain right now that
CNRMF is a no-brainer.
Snap up as many shares of it as you can today before it
goes up too high.Everyone is certain that we
will see it hit past 40cents before month's end.
63 South Main Street, Newtown CT 06470
The
TheStreet, Inc. Press
| Customer Service
| Privacy Policy

You received this message because you are a
TheStreet, Inc. customer or have registered at
TheStreet.com.
This email was sent to you by The  TheStreet, Inc..

Click here
to update your email preferences.

Your PC Has Critical Errors - Fix Now!

UPDATE! UPDATE! - 10-15-2014
This is the first time this has happened since I started this little blog. I got word from the guys at HOST1PLUS in Santiago, Chile and they have shut down the spammer on their systems!  You should keep an eye out for this bad message because it is still out there and showing up from other sources, but won't be coming from this host anymore. It is awesome that someone out there is on top of their systems! Props to HOST1PLUS!

Original post -

Here's a little scam I was just notified about. This came in to a client's e-mail account and they called us right away about it. If they had followed the e-mail's advice they'd likely be infected with a nasty piece of MalWare and a handful of Trojans.

The entire e-mail is a massive image link! Don't click it, don't follow the links, don't try to visit their site. It is a SCAM!

The link in the e-mail leads to http://images.reviewfacilitate.co/RWn6saYa6xELa9ss9 a non-responsive website. The e-mail that claims sending it is info@reviewfacilitate.co . In reality the message references the domain handleinsure.net and originates from IP Address 181.214.149.76 located in Santiago, Chile. The ISP is either Host1plus Hosting Services or Digital Energy Technologies.

Image of the spam scam;

Spam Scam e-mail text;

Windows PC Repair

Diagnose @ Fix Your PC Problems in 3 simple steps:

1. Download Windows Repair Tool

2. Doubleclick on teh Setup file and Follow teh On-Screen Instructions to Install the Procuct.

3 Runa Scan and Fix the Detected Errors by Clicking teh "Fix All" Button.

Ratings: *****

Total Downloads: 103,500,697

Download File Size: 4.1 MB

Download Time: sec on dsl, 2min on dialup

Compatibility; Windows 8, Windows 7, Windows Vista, Windows XP, Windows ME, Windows 2000 32Bit & 64Bit OS Systems

Support: Yes

Upgrade option: Yes

Download Now 

Pay For Driving On Toll Road - EZ Pass Trojan

We just ran into this nasty little surprise at a client site yesterday. It's a virus posing as an overdue bill from E-Z Pass. The "Get Invoice" link will attempt to install a Trojan on the system. We happened to catch it right away so no harm was done.

It was delivered to our end-user's personal e-mail account on Comcast so our filtering system never had a chance to take care of the issue. We attempted to forward the message through our filtering system and it was denied immediately.

Watch out for this one, it is a very convincing e-mail. It is well built and appears graphically legitimate . However, the English language used in the message is poorly constructed and is the first clue that something is out of place. Also notable are the links pointing to a bogus trojan downloading site when hovering the mouse over them.

Be careful out there!

Screenshot of virus/trojan;

Trojan spam mail text:

Dear Customer,

You have not paid for driving on a toll road. This invoice is sent repeatedly, please service your debt in the shortest possible time.




Here's a link to an article on the BBB about the same scam; Scammers Pose as E-ZPass to Collect ‘Unpaid Tolls’

Thanks for shopping with our company now! Your purchase will be processed shortly.

I just had this one get caught in our SPAM filter. The subject line will be your personal e-mail address. It's a bad one, do not open it! The link in the message leads to a zipped file that will infect your system!

The sender is listed as info@madeca.ph . Madeca is a restaurant in Manila, Philippines whose e-mail address has either been hacked or spoofed. The message was routed through the pesocruncher.com domain and hit IP Addresses 107.144.198.44 (Pinellas Park, Florida) and 70.32.121.166 (Culver City, California) before making its way into our filter.

Do not respond to the e-mail, don't open it. Just delete it and go on with your day.

Virus e-mail text;

Thanks for shopping with our company now! Your purchase will be processed shortly.

ORDER DETAILS

Order Number: BRJ457002144
Purchase Date: 14.19 Thu, September 25, 2014
Customer Email: youremail@yourdomain.com

Amount: 6073 US Dollars

Download an order file

Please click the link given at the top to have more info about your order.

Statament August 2014 ID: 5463709.xls - Statement August 2014 ID: 5463709.xls

OOPS! An unwanted e-mail slipped through our SPAM filter today. This is entirely possible and illustrates that not every filter is perfect.

How'd they get through? Well, a recently hacked or created e-mail account may not have a history of sending SPAM/viruses and  a new threat that hasn't been found in the wild and it was sent to an address that is forwarded to my main e-mail. Tough circumstances, but if everything lines up right a SPAM message can get through. In theses situations remember the old rule; Never open an e-mail from someone you don't know.

This e-mail that originated from the IP address 14.3.195.1 in Tokyo, Japan on the ISP Asahi Net Inc. It claims to be from Deirdre Silva <Lourdes@avflakkee.nl> in the Netherlands and contains a zip file named August_ID_5463709.zip that is likely loaded with a virus.

Watch out for this one!

New Job - Up to $85,000 + Bonus

The spam filter picked up this job scam recently; pretty low, going after the unemployed. After searching for the sender I found that the address alvertaegelrepollins@outlook.com is routinely being used to send employment scams. on this one the message body was completely blanked out so I can't offer up copy of the scammer's text. The IP address of the sender was 39.48.149.41 and hails from Islamabad, Pakistan. The ISP it was sent through is Pakistan Telecommuication Company Limited

IT Service Desk

This is a recent phishing attempt we discovered at a client site. The link contained in the message will lead the user to a web site that will attempt to steal their personal information. Do not open these e-mails. Do not follow the links. Do not visit the site listed below!

This message sourced from John.Meier@calpine.com; a domain not related to the link contained in the original e-mail. This is a spoofed e-mail address or the perpetrators hacked the mail server at Calpine.

Phishing E-Mail Text;

Your Mailbox has exceeded it's louted Quota as set by your IT Service Admin. All emails sent from your account will no longer be deliver and you can no longer receive all emails. Your email account has been schedule for maintenance and to reset your email account, you are to use the link below.

www.view360.nl/accupgrade/1/

IT Service Admin


CONFIDENTIALITY NOTICE:The information in this e-mail may be confidential and/or privileged and protected by work product immunity or other legal rules. No confidentiality or privilege is waived or lost by mistransmission. If you are not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any review, dissemination, or copying of this e-mail and its attachments, if any, or the information contained herein is prohibited. If you have received this e-mail in error, please immediately notify the sender by return e-mail and delete this e-mail from your computer system. Thank you.

FW: IT ServiceDesk

This is a recent phishing attempt we discovered at a client site. The link contained in the message will lead the user to a web site that will attempt to steal their personal information. Do not open these e-mails. Do not follow the links. Do not visit the site listed below!

This message sourced from Karyn.Lucas2@GenesisHCC.com; a domain not related to the link contained in the original e-mail; http://www.publi-style.be/accs/ . This is a spoofed e-mail address or the perpetrators hacked the mail server at Genesis Health Care. 

Phishing E-Mail Text;

Your account has exceeded its storage limit. You will not be able to receive or send message, in order to restore your account please Click Here and submit required information.
Thanks.
IT ServiceDesk.
This e-mail and any attachments may contain information which is confidential, proprietary, privileged or otherwise protected by law. The information is solely intended for the named addressee (or a person responsible for delivering it to the addressee). If you are not the intended recipient of this message, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this e-mail in error, please notify the sender immediately by return e-mail and delete it from your computer.

Announcement: Would you be surprised to learn you have the ???American Parasite????

The American Parasite is making the rounds. Who knows you might even have it!

This is an advertising scam complete with fancy videos from Keybiotics and uses fear tactics to try to convince people that common yeast (Candida) is some new thing that will kill/maim/bloat, etc. the population of the United States. Guess what? There's a big advertising pitch waiting at the end of the day.

Don't fall for it. Delete and move on!

This one came in from IP address 208.94.245.140 in Charleston, South Carolina via Joe's Datacenter LLC.

Spam E-Mail text;

<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="content-type" />
<meta http-equiv="Content-Language" content="en-us"/>
</head>
<body>
<P><br /><A href="http://check.whoop-dangerous-parasite.me">You have to see this - are you infected with the "American Parasite???? </A><br /><br />
<A href="http://check.whoop-dangerous-parasite.me"><img src="http://image.whoop-dangerous-parasite.me" /></A></P>
<p><font size="3px" color="#F8F8F7">
</font></p>
<P><br><br><br><A href="http://stop.whoop-dangerous-parasite.me"><img src="http://bye.whoop-dangerous-parasite.me" /></A></P>
</body>
</html>

Re: Reduced numbness and tingling in hands, feet and legs

Nice touch; the RE: in the subject line. Like I ever had an e-mail exchange with these guys.

This is another email our spam filter caught in a recent flood of messages from ".me" domains. I don't know what it is about these, but look for more ad scams from."me.". I have yet to receive a legit e-mail from a .me. domain.

The jist is that the spammers have cornered the market on "rare ingredients" that reduce nerve pain. Nice, prey on people that have nervous system disorders; sweet guys.

Delete this spam scam and move on with your day.

The message sources from 178.33.194.67 Roubaix,France from the ISP Ovh Sas

Neuropathy Support News
======================================================

Studies indicate these rare ingredients reduce Neuropathy nerve pain.

Reduce the numbness and tingling in hands, feet and legs.

Neuropathy Support Formula can also:
*Improve balance & coordination
*Support & strengthen nerves & nerve linings
*Lessen the pain and burning sensations
*Reduce stress & anxiety

Go here to Relieve Your Pain TODAY: http://check.nerve-pain-down.me

optoff_admail: http://stop.nerve-pain-down.me

POBOX No. 5192
47 Rue Au Maire_75003Paris
France

Another Big Report this Monday at the open!

Here's a hazardous little phishing e-mail complete with a bunch of Flak. The random words at the end of the message are supposed to fool spam filters; it doesn't fool ours.

Claiming to come from TD Ameritrade the message originated from 469@ashcakefamilyphysicians.com, a bogus address at a legitimate domain. Ashcake Family Physicians is either being spoofed or their mail server may have been compromised. The IP address of the sender is 1.171.49.80 and hails from Taipei, Taiwan, China on the ISP Data Communication Business Group.

The attached link leads to a phishing site that will attempt to steal visitors personal information. Don't give them your TD Ameritrade user info. Delete this message and continue with your day!

Phishing spam text;

Open your account https://www.pete.B4D6E19.com/A35B3D60EEF8D9BEB80C42BAEF29A72DD4FE today in just minutes  |  View online https://www.pete.9F486.com/D22594D3D24FF85B215160A608891D4EB4CB50B59D343CAE1056EC9DD74

You’ve already taken the first step toward your financial goals by starting your application for a TD Ameritrade account. Take the next step and start trade today.

It’s quick and easy. And as a client, you’ll have access to the tools and resources you need to trade and invest with more confidence, including our top stocks picks:

Esopus Valley than anywhere else in the Catskills. Factor, but later returned to Magneto. Columbia River Highway in 1913. There they both became ill with severe cases of malaria. Financial distress in companies can lead to problems that can reduce the efficiency of management. Founding Conference, Chicago, IL, Feb. The show is split in two parts. Hubert Turcotte and Virginie Blagdon. Jimmy offers to buy Kelly a house and support Elliot financially. In the end, she is destroyed by Nanami. Frisia, but she died in 1044, following a Caesarean section. The study of language and gender has developed greatly since the 1970s. He later argued that this explanation might not apply only to the Exeter case, but to many other UFO reports. John Goodwin, who settled here in 1905. Daltrey found himself unable to sing and left midsong. I have nothing against card playing. Following the relocation of the Nanibas, the bluff came to be settled by early European settlers. By 1980, White was insolvent, despite importing Semon E. He was an education major at Nebraska. Another problem of news organizations in China, especially in the 1910s is the heavy dependence on foreign news agencies. They move out from the blood into tissues and organs upon infection or damage. She was executed after a failed uprising and today is considered a heroine in China. He successfully ran for the same position in 1928. This Young Jeezy mixtapes does not include any features and all of the tracks use samples. After the transfer of the Chapter all the Bishop's remains with their tombstones have been moved to Neisse. However, Viktor had a plan. In the example, 2 is the whole number part and 3 is the numerator of the fractional part. Assembly Member Barbara Lifton Receives Top Honors in 2011 Environmental Report Card. The Diaz Brothers are only mentioned in the film but never seen. List of television and radio shows hosted by individuals holding a libertarian viewpoint. Cookbook, with Greta Hilb. There is a children's educational garden and an herb garden. II consists of buildings of special architectural or historical interest. Cathedral's consecration, in its present form, is dated to 1916. The fourth and final stage was when the movement started to lose its drive. This flexibility and connection between internal and external makes virtue epistemology more accessible. Tate N, Rebrikova NL. John Harris becomes Bishop of Llandaff. HDZ was accused of complicity. He later became chief engineer of the Baltimore and Ohio Railroad. Coxe is now coaching one of the most notorious high school hockey teams, The Petoskey Northmen. However, as of the July 2008 sweeps period, WWLP continues its longtime dominance with WGGB stabilizing to a strong second. A dumbstruck Kabita prepares to sacrifice everything. Roman beat Prieur 7,590 votes to 6,782. During drought seasons many elephants damage agricultural land for food. The Pardes Rimmonim is composed of thirteen gates or sections, subdivided into chapters. CD ROM interface could be purchased without a CD ROM drive. Newton has released four recordings of his solo improvisations for flute. The Pantathian race have a nature that most beings find entirely alien, and are known to be born knowing hatred. The Patriots went on to win the historic, controversial contest in overtime. You can often visit him here. The merger was completed on December 14, 2011. A comedy tent, kid's tent, main arena, fair, craft market and green space attracts families as well as the m

Invest today. Cash Out next month

Another pump and dump scam showed up in the spam filter the other day. This one isn't particularly well crafted but I though it was humorous.

I feel so much better that Horace is looking out for me...

The spam scam sources from 186.195.148.47 in Jundia, Brazil. Fox Telecomunicacao E Internet Ltda.

is the ISP of the sender.

Spam email text:

Dear friend,

I was very furious when I listened to your voicemail last night.

You know, I didtell you about last month but you’re the one who was not interested inbuying at the time. It was trading for just 10 or 15 cents if I remembercorrectly. You cannot now blame me by saying I didn’t tell you.

Anyway bullshit aside if you are still angry about missing the first wave I’mtelling you its not too late but you need to listen to me now and buy as manys.h.a.r.es of as you can on Monday morning before they get too expensive and ifyou don’t it’s your own fault I don’t want you calling me again and leaving meanother nasty voicemail.

I spoke with my analyst buddy who is working on this specific stock-analysis andhe told me we should expect to see shares hit past a dollar within the next 30days. Do what you must.

Take care
Your bud
Horace

IT ServiceDesk

This is a recent phishing attempt we discovered at a client site. The link contained in the message will lead the user to a web site that will attempt to steal their personal information. Do not open these e-mails. Do not follow the links. Do not visit the site listed below!

This message sourced from alchavez@stewartaz.com; a domain not related to the link contained in the original e-mail; storageacct.webs.com/ . This is a spoofed e-mail address or the perpetrators hacked the mail server at Stewart Title in Arizona. 

Phishing E-Mail Text;

Your account has exceeded its storage limit. You will not be able to receive or send message, in order to restore your account please Click Here and submit required information. 

Thanks.

IT ServiceDesk.

Millions infected with the "American Parasite" - are you?

Here's a new spam advertising scheme that is making the rounds. This one is claiming that Candida (yeast) is a parasite that is attacking Americans due to poor diets. It is a bogus scam like Green Coffee. Don't click it, don't visit; just delete it and move on with your day.

Bogus advertising spam text:

<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="content-type" />
<meta http-equiv="Content-Language" content="en-us"/>
</head>
<body>
<P><br /><A href="http://view.keen-unsafe-organism.me">How much of the "American Parasite" are you eating every day?
</A><br /><br />
<A href="http://view.keen-unsafe-organism.me"><img src="http://image.keen-unsafe-organism.me" /></A></P>
<p><font size="3px" color="#F8F8F7">
</font></p>
<P><br><br><br><A href="http://end.keen-unsafe-organism.me"><img src="http://bye.keen-unsafe-organism.me" /></A></P>
</body>
</html>

You have received a secure message

Looks like Bank of America has something important to tell me... OR maybe it's just another attempt to hack a computer?

This is one of the most official looking attempts I've seen in a long time, to infect a computer. The e-mail appears comes from a legitimate BAML.COM e-mail address. The link in the message body is a real BofA website. However, the link in the PDF file that Effie Velasquez attached leads to a site that will download an infected .SCR file onto your system. Don't be fooled!

The spoofed e-mail originates from stressful8@roycollc.com and came from IP Address 81.255.204.34 in France Choisy-le-roi. The ISP is Orange S.a.

VIRUS E_MAIL TEXT:

You have received a secure message from Bank of America Merrill Lynch

Read your secure message by opening the attachment, SecureMessage.pdf. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.

First time users - will need to register after opening the attachment.
Help - https://securemail.bankofamerica.com/websafe/ml/help?topic=RegEnvelope

Updated - Microsoft Warning Pop Up on XP Systems - End of Support

---UPDATED---

This is what the pop up looks like. This is the only version I have seen thus far. It shows up this way in Google's Chrome browser. I haven't seen up yet anywhere else on the few XP platforms we have left on client sites.

---UPDATED---

Starting tomorrow, March 8th 2014, Microsoft will begin pushing out warnings to Windows XP users that the OS will no longer be supported after April 8th this year. The pop-up will appear on all systems as part of normal patching. The message should read “Windows XP End of Support is on April 8th, 2014. Click Here to learn more”.  Here is an article on the subject; http://techwindowz.com/windows-xp-end-of-support-message-to-start-popping-up-on-saturday/

Although this looks like a scary pop up it isn’t an immediate or major issue for many Win XP users. What this means to XP users is that MS will no longer supply security and Operating System patches for this OS. It won’t just stop working overnight. Over the next few months to a year it will render your systems more vulnerable to attack by hackers, viruses, and malware. Although it may not be necessary to update now, it will be in the near future so start planning ahead.

However, if you are in the medical industry or accepting credit cards on an XP computer you will need to update your systems right away. Credit card companies, Point of Sale systems, and industry standards for financial and health systems will be required to leave Windows XP behind. There is still time to get the more familiar Windows 7 OS to replace them.

This is a pop up message from Microsoft, it is not a scam. That said, the potential for abuse is massive. It will not be long before malware/virus writers and hackers begin making phony versions of this pop-up. My suggestion is that, when and if this comes up, click the “Don’t show this message again” check box and make a physical note on each machine you've updated. It is unlikely that Microsoft will send this out multiple times so if you've noted the machines its addressed you can hopefully avoid clicking on a fake pop-up in the future.

Please read this article on the subject; Windows XP end-of-support message to start popping up on Saturday

NetFlix Scam - Phishing for your data

Big NetFlix phishing scam - watch out!

Just posting this out there as a warning...

LINK:  http://bgr.com/2014/03/03/how-to-avoid-nextflix-scam-warning-alert/

FEDERAL MINISTRY OF FINANCE

Here we go again with the free money from Benin. I mean, what are we waiting for? It's there for the taking! My favorite thing about this one is that they used a Yahoo Calendar Event Invitation to send the request to over 35 recipients. The original e-mail even had the *.ics file so we could put it on our schedule.

Wouldn't want to miss this important date...

Of course this is a scam. People at a "Federal Ministry of Finance" don't use Yahoo accounts. In fact, anyone with a business or legitimate organization shouldn't use Yahoo mail, it is the most polluted "free" mail service out there.

Delete the e-mail, don't communicate with them. Move on with your day!

LINK: Warning from the Benin Embassy

Spam email text;

From: Usa Johnson <usajohnson301@yahoo.com>
Date: Thu, Dec 5, 2013 at 1:58 PM
Subject: Invitation: FEDERAL MINISTRY OF FINANCE
To:

DEC
05 "FEDERAL MINISTRY OF FINANCE"
When Thursday, 05 December 2013
08:30 PM to 09:30 PM
(GMT) Greenwich Mean Time - Dublin / Edinburgh / Lisbon / London

Where

Message FEDERAL MINISTRY OF FINANCE NATIONAL HOUSE OF ASSEMBLY COMPLEX SENATE HOUSE - UPPER CHAMBERS WUSE DISTRICT, COTONOU BENIN Our Ref: FGN /SNT/STB I have to inform you again that we are not playing over this matter that we have sent to you several times, I know my reason for the continuous sending of this notification to you, the fact is that you can't seem to trust any one again over this payment For what you have been in cantered in many months ago, but I want you to be assured that you will received your funds THROUGH THE HELP OF THIS OFFICE.I cannot scam you for $40. The bank processing of your payment which is BANK OF AFRICA (B.O.A), requested the processing fee of $40 .The requested $40 is clearly written to you before, I did not invent the bill to defraud you of $40 it is an official bank payment processing fee, and the good part of this is that you will never ever be disturbed again over any kind of payment. This is final and the forms from there becomes effective once we submit your payment application processing fee and pay the form fee of $39 I don't want you to loose this fund this time because you may never get another such good opportunity, the federal government is keen and very determined to pay your overdue debts, this is not a fluke, I would not want you to loose this fund out of ignorance, I will send you all the documents as soon as bank payment processing fee is paid, you have to trust me, you will get your fund, find a way to get $40 you will not loose it, instead it will bring your financial breakthrough, find the money and send it to our bursary. The reason why am sending you this email is because i want you to receive your USD$800,000.00 immediately, we are trying to round up for this payment program. Here Is the Payment Information through Western Union money transfer or Money Gram money transfer, finally my advice to you is not to abandon this transaction because of the requirement of ($40) Receivers Name:EMMANUEL UDALOR Address: COTONOU BENIN REPUBLIC Test Question: WHEN Answer: NOW MTCN________________ Send all the details of the MTCN direct to this email.Furthermore I am waiting for the payment details in your next urgent reply Yours in service Mrs. Mary Maduome

Invitees
35 more...

Respond
This event invitation was sent from   Yahoo Calendar

FINAL NOTIFICATION LETTER

Yet another scam out of Benin Africa. This one was enough to get a chuckle out of me. It is one of the most poorly crafted scam mails I've seen recently. Go ahead and read it. It may get a laugh.

However, I'll put this as plainly as I can. People fall for this ridiculous stuff every day, don't be one of them. I know it sounds crazy, but be wary. These over the top e-mails may sound insane to many of us, but the victims of these e-mails are often tech illiterate, elderly, and/or lonely and desperate.

LINK: Warning from the Benin Embassy

That said, there are many more scams that are very subtle and harder to detect. Just watch out!

Spam scam text:

From: DR.CHIMA <officerinchargemohammedyusufu@gmail.com>
Date: Tue, Jan 14, 2014 at 5:52 AM
Subject: FINAL NOTIFICATION LETTER
To:


INTERNATIONAL MONITORING FUND I.M.F

ATTN:

I WISH TO INFORM YOU THAT YOUR NAME HAS BEEN LISTED AMONG OTHERS THAT THERE
FUND HAS BEEN APPROVED FOR IMMEDIATE TRANSFER TO YOUR ACCOUNT.THE APPROVAL WAS
MADE POSSIBLE AFTER MEETING HELD TODAY WITH THE UNITED STATE CONGRESS ON
FINANCIAL MATTERS REGARDING BENEFICIARIES WHO'S FUNDS IN SOME BANKS AND
CONSIGNMENT THAT HAS BEEN HELD UP IN DIFFERENT AIR PORTS ALSO BANK DRAFTS AND
CHEQUES THAT IS BEEN STOPPED BY SOME DIPLOMAT.

IN THIS REGARD, INSTRUCTION WAS GIVING TO THE CREDIT CONTROLLER OF BRITISH
INTERNATIONAL FINANCIAL DEPT. TO MAKE SURE THAT YOU RECEIVE YOUR FUND WITHIN
48HRS FROM TODAY. THEREFORE, I WILL ADVISE YOU TO SEND IMMEDIATELY THE
FOLLOWING INFORMATION'S IMMEDIATELY SO THAT I WILL SUBMIT IT TO THE BANK TO
CONTACT YOU AND TELL YOU WHEN YOUR FUND WILL BE IN YOUR ACCOUNT.

1). YOUR FULL NAME AND ADDRESS:

2). YOUR PRIVATE TELEPHONE AND FAX NUMBERS :

3). YOUR AGE ND OCCUPATION

NOTE THAT AS SOON AS WE RECEIVE THESE INFORMATION, THEN YOUR FUND WILL BE
APPROVED AND TRANSFER TO YOUR ACCOUNT AND A TELEX CONFIRMATION SLIP WILL BE
SEND TO YOUR BANK AND COPY WILL BE SEND TO YOU FOR YOU TO START MAKING
WITHDRAWAL. YOU ARE REQUIRED TO UPDATE THIS OFFICE AND FIRM YOUR FULL BANKING
INFORMATION AND CONTACT DETAILS FOR THE ONWARD TRANSFER.IT IS IMPERATIVE FOR
YOU TO MAKE THIS PAYMENT OF $109 USD FOR THE ACTIVATION AND THE WITHDRAW CODE

THIS IS THE INFORMATION TO SEND US THIS MONEY TRU OUR SERVICE WESTERN UNION
MONEY TRANSFER

SENDER'S NAME
RECEIVER'S NAME: INNOCENT ONUORAH
ADDRESS: IMF Central District,OWANDO
COUNTRY: BENIN REPUBLIC
AMOUNT: $109 USD
MTCN MONEY CONTROL #:
EXT QUESTIONS : what is your color
TEXT ANSWER :White

Below Is the Transfer Details

Date: 7/1/2014 11:58: 24 Am
Reference No: D3a63-5e02f-885e
Account Code: QW-21905-AZ
Withdrawing Code: **************
From: Corresponded dollars account no: 46587921354
Format: Standard Top World Bank
Issuing Bank: Bank OFFICE
Current Status: Pending Transfer
Activation and the with drawer code (Charge): $109 USD
Additional Fee: Zero
Total Amount: USD 35. 5 Million
Currency: USD
Interest: Zero (0.0%)

As soon as our A/c Officer confirm your payment of $109 USD, the activation
and the drawers code would be forwarded to the transfer department for onward
telegraphic transfer. A login and the password to our Online-Bank account
would be created at the receipt of the activation code

YOURS FAITHFULLY
HUHU KUKU
FINANCIAL CONTROLLER
INTERNATIONAL MONITORING FUND (IMF)

Are you a smart investor? Let me show you how to triple

More Random text SPAM e-mails... Flak... Spam. Curious about what it means? Visit my other post here; FLAK MAIL OR RANDOM TEXT MAIL EXPLAINED.

This spam message originated on the Mega Cable S.a. De C.v. network somewhere near Los Mochis, Sinaloa, Mexico.

Flak mail text;

I have sworn to fight to the death to protect my family, but somehow the memory of my family makes it hard to keep that promise. These attributes can be enhanced using special items found in the game, or by visiting the in game swordsmith. June 4, 1936, p. LiveCloud, focusing on bands and music. The transmitters are designed and placed so as to avoid inadvertent triggering of the automated shutoffs. He was a prolific author, although his literary researches were sometimes lacking in method. Daniel was signed to the Atlanta Braves in 2005 before being released. Luba Cherbakov et al. As the name suggests, it is a collection of cover versions, focusing on songs that have influenced and inspired the band. Meanwhile in Paris, Louis Philippe assumed the post of Lieutenant General of the Kingdom. King Denamunda IV by different mothers. Pierce Granger and Clarissa Trumbull. Mahayana texts, which often generalize monastic norms to laity, require this of lay people as well. Dabs, the balloon contestant, has his body replaced after being inadvertently popped. Museum of Modern Art, formerly collection Lillie P. The last occupants left in 1684. Many in use but becoming difficult on support and parts. On February 16, 2010, Attorney General Kenneth T. A touch of convenient thunder rumbles in the sky. But it's the kids who provide the highlights in this one, with their antics at Duff Gardens. Their reign consisted of five emperors from 1491 till 1570. Plan of Studies, of the Jesuits. The Talk time and other validity will be terminated during porting. Early experiments used the existing theories of the movement of charged particles through an electrical conductor. Final Olympic Qualification Tournament at just 17 years of age, making him the youngest player to play for Australia. It was created for snowboarders who suffered snow withdrawal during the summer. They will also sometimes lick people for similar reasons. How the cartographer displays the data in different hues can greatly affect the understanding or feel of the map. Drew, who ends up with her best friend, Katie. Chip Douglas and released on his own label in 1976. During the second world war, the Young Building was converted into a military hospital. In the episode, senior citizens are running over people in the city of South Park, causing them to lose their driver's licenses. Midhe vol 6 pt1 1975 p. Government Gazette 2007, No. On July 13, the Pike County venue will host glam rockers KISS in its first show since 2007. Passenger trains were reinstated in 1936. Muvattupuzha river is the prime victim of river pollution nowadays. Cicero and continuing in German philosophy until present, and some English philosophers prefer this in English too. Deerfield High School was in the top 500 public U. Occupy key tactical zones around the map to score points.

Invest in PRFC and watch your portfolio at least quadruple

Here is another piece of Flak Email. Our SPAM filter is blocking a lot of these nonsense emails lately. This points to an increase in attempts by spammers to circumvent SPAM filtering solutions. The random words in the e-mail are meant to confuse spam filters. More info about these random word e-mails here; Flak Mail

This one came from I.P. address 151.61.210.166 on Wind Telecomunicazioni S.p.a located somewhere near Milano, Italy. The IP Locator cam up with Castel San Pietro and Bologna as possible locations as well.

If you receive one of these don't reply, you will just verify that you are a live address. Delete it and block the sender.

Spam mail text;

Interactive Global Composite Weather Satellite Images. Johann Wilhelm Gruban, who had come to England in 1893 to work for an engineering company, Haigh and Company. Tamizh and Thulasi still do not know whether to believe Charu or not as they have guilty feelings towards Charu. During the fight, an accidental clash of heads caused a cut and Ayala was deducted a point. The set design at Big Thunder Ranch included a 50 Mickey icon on Santa's chair when Santa took over the Ranch. After a long day of hard labor, his cabin would have to be heated with chopped wood and water melted for drinking and cooking.

Punk later added the stipulation that if Mysterio were to lose at WrestleMania, he would be forced to join the SES. Due to this involvement with a terrorist organization, Chiquita's board members have even been requested in extradition. This commemorates 10 years of performing on Beale Street. Locomotives were commonly sandwiched between a pair of autocoaches, allowing a maximum of four to be used. Moisten the soil pots regularly. She said she was retiring because of her young daughter, Emma, her family and that she did not have the motivation to continue.Added Murray's point that he was presumably a member of the learned society. It was acquired by May in the wake of Federated's 1988 acquisition by Campeau Corp. Maria Branwell, the headmaster's niece. Rebecca, Hunter, Clemens, and Beckwith descend through the interior of the planetary crust toward the metropolis.
It was here that Billy Sing began in earnest his lethal occupation. Also in 1935 he was nominated as deputy head of the technical department and starting in March 1939 as head. There are sizable number of scheduled tribes, who constitute an integral part of Hindu community. However it was not until after August 1945 that you saw the level of research increase in engineering psychology. The primary school in Culloden is named Duncan Forbes Primary, after the family. The industrial buildings that house the center were constructed in 1919 by the municipal architects Casariego and Bustelo. Consequently they react to loads along their own length, in tension and compression, but not in bending. They made up only 3.
Nakayama became very famous in Japan, and would eventually boost the sport of bowling. The appeals were narrowly rejected when the SNP National Council debated the report of the Appeals Committee. The more the opponent coated in it moves, the more difficult it becomes to move freely. In 1778, this mountain was connected with the poem from the Shijing and Chaoyang was given its current name. Crops were grown on a small scale in the 19th and early 20th century. Streetscape on Massachusetts Street between Woodward and John R. They disbanded in early 1969 to pursue other professional interests. Belgian Shepherd Malinois on top of tank.
An Historical Gazetteer of Butler County, Pennsylvania, pp. He remains silent about his pain, knowing that Senator Roark would execute anyone who ever found out the truth. Current weather conditions for both the summit and base of the mountain at the town of Cass are available below. The district has four elementary sites, a middle school, and high school. Martin architectural firm, which had also designed the original church structure in 1920. Gore rules north of the border. To introduce a system of measures for management. The D4 U series was fitted with the more powerful D315 engine. Named after George Moses Horton who was a slave in Chatham County who taught himself how to read and write. Earthshine picture gallery on SkyTrip. Switzerland, and 28 or 5. DB was to acquire all the shares in EWS as soon as contracts were signed.
In 2005, Bright FM launched a second transmitter on 106. The mirror is placed at a 45 degree angle above the wheel so that you can see the front and top of the wheel at the same time. It rented space in several houses and other locations for the year it took to build the new library. San Michele starting from 1914.

Very important information. Please read

More of what I call Flak Mail, also know as Random Word Spam, and Nonsense Email Spam.

This was intercepted by our SPAM filter from it's origin address 200.115.189.50 (Velco Globalnetwork) in SAN PEDRO SULA, CORTES, HONDURAS.

If you receive one of these delete it right away. Don't respond.

Why are we getting these? Follow THIS LINK to another post about these and find out! It's a bit like poking around to find a soft spot.

I like the absolute random word mash represented in this particular one.

Flak Mail Content;

Below is a list of few Jola instruments. May, 1958, preparing for her next deployment to the Mediterranean. In the 1960s and 1970s they performed regularly together on Dutch TV. Follows the investigation of two U. In doubles, he and Pajkowski lost in the first round. November 1, 1938, photographer Alfred Eisenstaedt.
Bureau, of the Army General Staff. Lad's name, earning the collie the Honorary Crosses of both groups. Meanwhile Oscar and Hank invest imaginary money in the stock market and try not to lose their imaginary shirts. West ham essex 1961.
Very frequently these were characterized by impatience, sarcasm, and frequent quipping to give them personality. Not that they are more prominent than other award programs, but they are no less than others mentioned here either. I have hitherto lived in. April as she had to return to Japan for permanent repairs after hitting a rock in February. Over time, all of the anchors with the exception JCPenney and Montgomery Ward would be changed several times. In 1888 Georges Head was chosen as the best place to observe and fire underwater mines, the latest in harbour defences. Leah Quimby left in May 2006. The present pattern is that two meetings of the Board take place each term.
Pulver countered the technique and followed with his trademark left hook which landed flush on Hallman's chin. Sands Station 1939604 ceb64412. In 1876 it was transformed into a city park. Sixth Council of Arles, 813, can.
Political Handbook of the world, 1991. Cadets assist with community service events, parades, crowd control, security, and other special details. Only one of Ruth's seven siblings, his sister Mamie, survived past infancy. RASD Plan Phase Activities.
In August of that year 5000 students aged between 15 and 35 left madrassas in Pakistan to join the Taliban. German and largely abandoned patriotic topics, leaving only articles concerning general news and religious matters. Chief Architect of the project. Innerferrera has an average of 118.
Established users can send a Wikipedia message. He then proceeds to go into detail of how she stole his brothers car and saved her drunk cousin. The new sandwiches include the Spartan, Quatro, Giza, Titan, Erupter, and Pompeii. Bush stated that he had no inside knowledge and that his financial advisor had recommended the trades. Her words are direct. The deal was delayed until the next day, when Greer completed his move to the Albion. I am shamed, lying naked on the floor. IIHF Championship Silver Medal.
Don Finlayson in the show. Testing of this type of memory has been used when researching the effect of emotion and context on memory.
He was apprehended on April 8, 1955 after killing six people. Momiji and Rachel TGS 09 cosplayers.

Nonsense Random Word Email Spam - What I call Flak Mail

E-mail flak, at least that's what they used to call it, is a bunch of random words and quotes. What's most strange is that it appears to have no purpose to the recipient. However, this isn't the case.

The senders behind these e-mails, most often a botnet,  can have many agendas, from checking if they've found an active e-mail address (looking for auto-responders and people just curious enough to respond), poisoning  your spam filter, or trying to obfuscate a hack into the recipient's bank accounts. If these e-mails happen to be showing up in your inbox in large numbers, delete them and check your bank accounts and credit cards. It's possible there may be an identity theft in the works.

Some good search phrases to find more info are; random word spam , nonsense email , Bayesian poisoning , nonsense spam , random spam

Or just follow these links -

More info here.

And here.

Flak spam email content;

Subject line;
General Challe also gave himself up to the authorities on 26 April, and was immediately transferred to the metropole.

Message Body;
Under Hickinbotham's captaincy, Geelong did not lose a single game in the 1886 VFA season on their way to the premiership.

A connection to the middle school allows the sharing of some courses between schools.

However, some sources consider Madrid as his native city. France blamed the failure on personnel shortages.

Explosive weaponry caused a higher ratio of injuries to deaths than small arms. [pete.d@spardi.com]

DISH Network Scam

This is direct from DISH Network:


In the past, DISH customers have reported being contacted by people who claim to be DISH representatives collecting money for special promotions or upgrades. For example, some of these callers have offered DISH customers 50% off the normal price of service if they receive an upfront payment via Western Union or Green Dot. They may also ask for DISH account information or personal information, such as security codes, passwords or credit card numbers. These callers are not affiliated with DISH and are not authorized to provide offers.

This message is to remind you that DISH will never call you asking for this or any other information that you have already provided to us. You may be asked to provide this information when you contact DISH directly to verify that you are authorized to access the account and/or make changes.

If you receive a call requesting a payment in exchange for a promotion or upgrade, do not provide any information and disconnect the call. If you have any questions, please contact us at 800-333-DISH (800-333-3474), or chat with us online at mydish.com/chat.

IRS: Early 2013 Tax Return Report!

Tax season is upon us and the scams, viruses, ransomware, and malware guys know it. Be very wary what you open and remember that the IRS won't be sending you attachments. Good luck!

Here's the first blocked "tax" virus of the season. 

Tired of seeing this stuff in your business' E-mail Inbox? Contact Us!

Virus message body;

 Subject: IRS: Early 2013 Tax Return Report!

     From: taxrefund@irs.gov

       To: someone@somedomain.com

     Date: Thu, 09 Jan 2014 05:40:40 -0700

   Reason: virus detected (W32/Heuristic-300!Eldorado)

   Action: deny

Reason: virus detected (W32/Trojan3.HBO)

SCAM Alert - Microsoft E Support Live - SCAM

This just hit a client of ours today. The client called us to see if it was legit and we told them "NO!".

A company calling itself Microsoft E Support or Microsoft U Support Live is calling people and telling them a variety of lies to scam them. Jennifer in this case. Many of the calls will be claiming that Microsoft has detected a virus on your system (they don't do this or really care), or that an ISP detected a virus (possible but doubtful). The goal of the social engineering scam is system access and credit card charges/theft.

Regardless, they will then try to get the victim to enter commands on their system. "Please hold down the Windows Button and press the 'R' key. Now type in 'winver' in the dialog box." (or something similar, maybe inf, or another system file name). At which point  the OS version, or some files will appear, and they will exclaim that the system is infected, and how lucky the victim is that they called.

Next they will try to get the mark to install remote control software like TeamViewer or VNC (both nice software if used by someone you trust). This will give them direct access to the computer. TeamViewer and VNC can be set up for 24/7 remote access without local user authorization. Now they are in and can access the machine whenever it is on AND, maybe even when it is off via the Wake-On-LAN feature on some systems. For a mere credit card number they will happily clean up that computer and probably install a bunch of nasty malware that will grab any other cards the mark has.

Great scam.

Anyway, it is a scam, hang up the phone, tell them to get lost, move on with your day.

Or maybe mess with their heads if you are bored.

Scammer info;

Microsoft Windows Usupport Live or E-Support Live
Operator name; Jennifer
toll free number 888 514 1650 - DON'T CALL THIS NUMBER!

May be associated with this site - www.1stopearcade.com 

Domain Registration SCAM

UPDATED! See Below.

This isn't a message I received personally but it's from a client of ours. I'm posting it as a public warning!

This scam is one all domain owners should be aware of; Asian Domain Registration Service. - www.diicl.org - One look at their site tells you all you need to know about them. We've created a custom blacklist just for these guys!

Don't fall for this! This e-mail is real. They will try to get a domain name owner to register multiple domains through their service by attempting to scare you into thinking that someone else is trying to register your business/domain name. It is a scam! Any domain you like can be registered through the service you already use (GoDaddy, Directnic, etc.). There is no need to communicate with them. Don't even e-mail them back.

UPDATE! A while back I received an article from Christopher Hofman Laursen that has more info on this scam. Here's the link; http://www.europeandomaincentre.com/pages/news-room/domain-management-news/hey!-got-an-email-from-china-domain-name-registration-center-asian-domain-registration-service-in-china-the-department-of-registration-service-in-china-etc.

Bad E-mail Text follows;

On Mon, Sep 9, 2013 at 2:48 AM, Lex Ren <lex@diicl.org.cn> wrote:

(Letter to Head of Brand Business or CEO, thanks)

Dear Sir or Madam,
This is a formal email. We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on September 9,2013 that a company claimed MLSN Investment Ltd were applying to register "YOURDOMAINNAME" as their Brand Name and some domain names through our firm.
Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for that company.Looking forward to your prompt reply.
Best Regards,

Lex Ren
Tel:+86-551-6343 4624
Fax:+86-551-6343 4924
Address:Ningguo South Road 14, Hefei, Anhui, CN