lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAY115-F1445950D27D49C91C2F875C03A0@phx.gbl>
Date: Fri Dec 16 14:08:19 2005
From: dan_20407 at msn.com (DAN MORRILL)
Subject: Amazon Phishing Scam - Tech Details

Ran across a very nice phishing scam from amazon this morning. Technical 
details follow as suggested black list for this domain. It was really nice, 
very authentic looking, and would suck in a lot of folks because it really 
looked very good. It has been reported to Amazon, but thought I would 
include the technical details to this group.

Cheers/r/Dan


This is a header from an authentic e-mail from Amazon.

Received: from mail-store-1001.amazon.com ([207.171.164.43]) by 
bay0-mc8-f3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 
Dec 2005 21:03:11 -0800
Received: from ae-app-2102.iad2.amazon.com by mail-store-1001.amazon.com 
with ESMTP (peer crosscheck: ae-app-2102.iad2.amazon.com)
Received: by ae-app-2102.iad2.amazon.comid AAA06388,375; 15 Dec 2005 
21:03:08 -0800
X-Message-Info: JGTYoYF78jEEhmTX9UX+3w4ZLRY9TlPY7fSuoOPz5zo=
X-Amazon-Corporate-Relay: mail-store-1001.vdc.amazon.com
X-AMAZON-TRACK: default
Bounce-to: VarzeaEmailSender+4-61129391@...nces.amazon.com
Return-Path: VarzeaEmailSender+4-61129391@...nces.amazon.com
X-OriginalArrivalTime: 16 Dec 2005 05:03:11.0815 (UTC) 
FILETIME=[0377ED70:01C601FE]

This is the email header from the suspected phishing e-mail

Received: from thebe.jtan.com ([207.106.84.138]) by 
bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 
Dec 2005 12:34:48 -0800
Received: from thebe.jtan.com (localhost [127.0.0.1])by thebe.jtan.com 
(8.13.3/8.12.9) with ESMTP id jBFKYki2014108for <dan_XXXX7@....com>; Thu, 15 
Dec 2005 15:34:46 -0500
Received: (from apache@...alhost)by thebe.jtan.com (8.13.3/8.13.3/Submit) id 
jBFKYkhi014107;Thu, 15 Dec 2005 15:34:46 -0500
X-Message-Info: JGTYoYF78jE8tZXo0G/OwVSmdTTPCilDDfKPKME8AI4=
Return-Path: apache@...be.jtan.com
X-OriginalArrivalTime: 15 Dec 2005 20:34:48.0333 (UTC) 
FILETIME=[FDF9F3D0:01C601B6]

So the phishing e-mail came from here: http://www.uslec.com/

OrgName:    USLEC Corp.
OrgID:      USLC
Address:    6801 Morrison Blvd
City:       Charlotte
StateProv:  NC
PostalCode: 28211
Country:    US

With an eventual owner here (Suspected hacked site http://thebe.jtan.com/) 
with the owner http://www.jtan.com which is a service provider under uslec.

J. Thomas Associates
1302 Diamond St
Sellersville, PA 18960
US
Domain Name: JTAN.COM

Administrative Contact, Technical Contact:
Nadovich, Chris T		chris@...N.COM
1302 DIAMOND ST
SELLERSVILLE, PA 18960-2906
US 215-257-8708 fax: 123 123 1234





Sometimes MSN E-mail will indicate that the mesasge failed to be delivered. 
Please resend when you get those, it does not mean that the mail box is bad, 
merely that MSN mail is over worked at the time.

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar – get it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ