Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


New round of fake E mails?

  • Please log in to reply
3 replies to this topic

#1 Nawtheasta


  • Members
  • 403 posts
  • Location:New England, USA
  • Local time:12:52 PM

Posted 03 May 2012 - 07:50 PM

I thought I would post this as I saw some one in the "Am I infected" post a problem with a fake E mail.
For the last couple of weeks I have been getting E-Mails in my Yahoo spam folder
from Facebook, My Space, and You Tube. These are all in various ways advising the my account needs attention. They look very real and official. I use that computer for business. I have no accounts with any of these social media sites. Pretty sure they are malware traps.
Don't know if there is someone new out there generating these but thought I would pass this on as a warning.

BC AdBot (Login to Remove)


#2 Union_Thug


    Bleeps with the fishes...

  • Members
  • 2,355 posts
  • Gender:Male
  • Location:is everything
  • Local time:12:52 PM

Posted 03 May 2012 - 07:58 PM

Related (?) info: http://blog.trendmicro.com/persistent-black-hole-spam-runs-underway/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trend+Micro+Malware+Blog%29

Over the past month we've been investigating several high-volume spam runs that sent users to websites compromised with the Black Hole exploit kit. Some of the spam runs that were part of this investigation used the name of Facebook, and US Airways. Other spam runs involved LinkedIn, as well as USPS. The most recent campaign we've seen that was part of this wave of attacks used the name of CareerBuilder


As we mentioned earlier, this particular campaign was not the only spam run we investigated. We found clear evidence that all these attacks were linked. In many cases, the same sets of compromised URLs were used by multiple spam runs. This suggests that at least some of the parties responsible for these attacks were identical, if it was not the same group altogether.

More @ link

Edited by Union_Thug, 03 May 2012 - 07:59 PM.

#3 Nawtheasta

  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA
  • Local time:12:52 PM

Posted 08 May 2012 - 05:18 PM

Just a quick update.
Had two "Amazon order cancellation" fakes try to get in over the weekend.
Yahoo spam filter caught one. The other made it through to the inbox.
These fakes look so real I have to believe that it is going to be affecting legitimate internet business communications soon.
Also saw a Linkedln fake that Union Thug mentioned

#4 Guest_Xircal_*


  • Guests

Posted 09 May 2012 - 07:41 AM

Here's another one to add to your collection. It purports to come from Western Union and I've been receiving them on a daily basis for the past week, each time with a different link. I started making a note of the links today to see where they lead (purely for my own amusement) and that's why you see two of them in the main body of the email.

Return-Path: support@westernunion.nl
Received: from mx04.back.prod.mail.xxxxxxxx (LHLO mx04.xxxxxxxxxxxx)
 ( by mailstore11.back.prod.mail.xxxxxxxxxx with LMTP; Tue, 8
 May 2012 19:55:58 +0200 (CEST)
Received: from localhost (filterin04.back.prod.mail.xxxxxxxx [])
        by mx04.xxxxxxxxxx (Postfix) with ESMTP id 80FF38200B
        for xxxxxxxxxxxxxxxxxxx Tue,  8 May 2012 19:55:58 +0200 (CEST)
Received: from mx01.xxxxxxx ([])
        by localhost (filterin04.back.prod.mail.xxxxxxxxxx []) (amavisd-new, port 10024)
        with ESMTP id HjgeMeK-5LNa for xxxxxxxxxxxx
        Tue,  8 May 2012 19:55:58 +0200 (CEST)
Received: from mx01.xxxxxxx (localhost [])
        by mx01.xxxxxxxx (Postfix) with ESMTP id 5354F86217
        for xxxxxxxxxxxxxxx Tue,  8 May 2012 19:55:58 +0200 (CEST)
Received: from procamserver.com (procamserver.com []) <---------------------------
        by mx01.xxxxxxxxxxxxxxxx (Postfix) with ESMTP
        for xxxxxxxxxxxx Tue,  8 May 2012 19:55:58 +0200 (CEST)
Received: from USER (ip-94-242-219-26.as5577.net [] <---------------------------
        (authenticated bits=0)
        by procamserver.com ( with ESMTP id q48HtFZ0088139;
        Wed, 9 May 2012 03:55:16 +1000 (EST)
Date: Wed, 9 May 2012 03:55:16 +1000 (EST)
Message-Id: <201205081755.q48HtFZ0088139@procamserver.com>
Content-Type: text/html
SUBJECT: Limited Account Access
FROM: Western Union<support@westernunion.nl>
To: undisclosed-recipients:;
X-Scanned: by Cloudmark authority (on mx01.xxxxxxxxxx)
X-CMAE-Analyze: .v=2.0 cv=Ee9/toaC c=1 sm=0 p=R7FwDDW0AtINHl2Gip0A:9 a=8EU9Q7FnrCoA:10 a=tmcq72v-AAA:5 a=bRIPQUuPj2w3UAjUXPIA:7 a=_W_S_7VecoQA:10 a=YBqNEKVEs08JbnI0:21 a=VIYFME_NS8jtHh6l:32
X-CMAE-Score: .100

Dear Western Union valued customer,

 You received this email as a notice for the database update for this month. This update is designed by our IT engineers to provide higher security to our customers online accounts, prevent unauthorized account access and other types of online fraud.

 You are required to update your online profile by clicking on the following link:

Click here to access your online profile  [links to: account53334514.bpostaleonline.com/wueurope/?signInAction=do]
Click here to access your online profile  [links to: account4808wu6102.ijuwele-online.com/account/?profile.update=yes]

Please note that this a one-time task that will take only 3-5 minutes of your precious time. However, failure in updating your profile will result in limiting your account access. We appologize for any inconvenience.

 Thank you,
 William J. Lucas,
 IT Assistant,
 Western Union Europe.

The user with IP (which I've identified with an arrow) appears to belong to a certain Andy Bierlair. I looked him up on Google and came across this blog which seems to portray him as a discourteous individual to say the least: http://www.jareds-blog.com/?p=768

He has a Twitter account by the looks of it - same guy because his email addy belongs to as5577.net which is the same as the IP mentioned in the headers - and I'm wondering now if his account is included in the list which was hacked a couple of days ago. For that story, see: Thousands of Twitter passwords allegedly exposed

As regards the message, it never changes. But it's obviously been written by someone who doesn't have any notion about how business letters are written and the style of writing is a dead giveaway.

The "xxxxxxxx" in the headers are mine and have been used to obscure personal info like my email addy.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users