
Phishing Scam NEST Pensions


10 replies to this topic

#1 evilbunny (Members, 8 posts)

Posted 10 July 2017 - 06:12 AM

I have received the following alarming email:

Return-Path: <message@nestpensions52.top>
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
	 by sloti27t02 (Cyrus fastmail-fmjessie44416-15275-git-fastmail-15275) with LMTPA;
	 Wed, 05 Jul 2017 20:05:18 -0400
X-Cyrus-Session-Id: sloti27t02-1847331-1499299518-2-7902621334515718164
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no
X-Spam-score: 5.9
X-Spam-hits: BAYES_00 -1.9, DCC_CHECK 1.1, RCVD_IN_BRBL_LASTEXT 1.449,
  RCVD_IN_INVALUEMENT24 2, RCVD_IN_SBL_CSS 3.335, SPF_HELO_PASS -0.001,
  SPF_PASS -0.001, T_RP_MATCHES_RCVD -0.01, LANGUAGES en,
  BAYES_USED global, SA_VERSION 3.4.0
X-Spam-source: IP='185.154.23.184', Host='nestpensions52.top', Country='CN',
  FromHeader='top', MailFrom='top'
X-Spam-charsets: plain='windows-1251'
X-Attached: SecureMessageNEST.doc
X-Resolved-to: [redacted]
X-Delivered-to: [redacted]
X-Mail-from: message@nestpensions52.top
Received: from mx4 ([10.202.2.203])
  by compute5.internal (LMTPProxy); Wed, 05 Jul 2017 20:05:18 -0400
Received: from mx4.messagingengine.com (localhost [127.0.0.1])
	by mailmx.nyi.internal (Postfix) with ESMTP id 3A237C865A
	for <[redacted]>; Wed,  5 Jul 2017 20:05:18 -0400 (EDT)
Received: from mx4.messagingengine.com (localhost [127.0.0.1])
    by mx4.messagingengine.com (Authentication Milter) with ESMTP
    id 0F871A439AE;
    Wed, 5 Jul 2017 20:05:18 -0400
Authentication-Results: mx4.messagingengine.com;
    dkim-adsp=pass (ADSP policy from nestpensions52.top);
    dkim=pass (1024-bit rsa key) header.d=nestpensions52.top header.i=message@nestpensions52.top header.b=gmZf+wD3;
    dmarc=pass header.from=nestpensions52.top;
    spf=pass smtp.mailfrom=message@nestpensions52.top smtp.helo=nestpensions52.top
Received-SPF: pass
    (nestpensions52.top: 185.154.23.184 is authorized to use 'message@nestpensions52.top' in 'mfrom' identity (mechanism 'ip4:185.154.23.184' matched))
    receiver=mx4.messagingengine.com;
    identity=mailfrom;
    envelope-from="message@nestpensions52.top";
    helo=nestpensions52.top;
    client-ip=185.154.23.184
Received: from nestpensions52.top (nestpensions52.top [185.154.23.184])
	by mx4.messagingengine.com (Postfix) with ESMTP
	for <[redacted]>; Wed,  5 Jul 2017 20:05:16 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=nestpensions52.top;
 h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type; i=message@nestpensions52.top;
 bh=IwyE9/XNOjUwIUfUXoZbDXNKyMg=;
 b=gmZf+wD3Mvi9pF9UAMV2FYjieiZqYw5D1DN9LhQf24LHUxhlMjBzf6WGX1jxJMvNdbKwI01dvDZw
   pQZ6k3qHokOGSayVCrrHgzV+TWfkKfOBmapiVDkGXrI3a/pCFxak6/J8pfS8L/exQfIAzeXWiyzi
   sHH6151X/FaKiBXpXC8=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=nestpensions52.top;
 b=d9eb5262Skvh+m8vBl12AWlZXBmMjs+E1Kv85Fe2mHvLIW54fOhP6kHWZs6QBZfPWpoE8wMqHmDp
   gyjPb6Bvkac57H2fc31XfFJA7pRl+5/gp4lt2K2aNyjYNLZt/ACLBWXJwreiZg05NZf1GdVxFmuD
   q+V2qe2GC2qzhGPpw0E=;
Message-ID: <3AC0B8D55286A80BD7D29B25F1B91D8F@nestpensions52.top>
From: "do_not_reply@nestpensions.org.uk" <message@nestpensions52.top>
To: <[redacted]>
Subject: You've got a new message in your NEST mailbox
Date: Thu, 6 Jul 2017 02:05:05 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="549852d9c89408885e72dcb50b0a"

This is a multi-part message in MIME format.

--549852d9c89408885e72dcb50b0a
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

There's a new message in your NEST mailbox.

We're confirming that payment of 1479.67 will be taken by Direct Debit in=
 accordance with your agreed terms.=20
Please see the details in attached file.
[rest of message omitted]

NEST Pensions are (as the fake "From" address, which is the real address of the real organization, indicates) a pension-scheme provider in the UK, but the X-Spam-Source header seems to indicate that the true sender (message@nestpensions52.top, the real "From" address) is in China.

 

Unfortunately, I don't have a NEST account (which is one "this is phishing" indicator, another is that a message from an unknown source is asking me to open an attachment), hence I have no way to inform NEST of this spammer as their site doesn't list a contact email address for urgent enquiries such as this, which is why I'm posting it to here instead of sending it to them. (I hope posting this isn't against the rules.)




#2 evilbunny (Topic Starter, Members, 8 posts)

Posted 10 July 2017 - 06:45 AM

Incidentally, I have filters set on my GMail account such that messages from any .top or .xyz address are automatically deleted, as I have received plenty of (mostly phishing) spam, and nothing else, from such addresses; but this arrived at my Fastmail address. Perhaps I should set the same filters on that one?


Edited by evilbunny, 10 July 2017 - 06:45 AM.
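A header check that mechanizes the indicators discussed in posts #1 and #2 (display name impersonating another domain, SPF/DKIM/DMARC passing only for the sender's own lookalike domain, an unsolicited Office attachment, and the .top/.xyz filter), written here as an added example; it is not the poster's code and not NEST tooling. The sample headers are a constructed, trimmed copy of the quoted message with the recipient replaced by a placeholder.

```python
import email
from email.utils import parseaddr

# Constructed sample, trimmed from the headers quoted in post #1.
# The recipient address is a placeholder.
SAMPLE_HEADERS = """\
From: "do_not_reply@nestpensions.org.uk" <message@nestpensions52.top>
To: <recipient@example.invalid>
Subject: You've got a new message in your NEST mailbox
Authentication-Results: mx4.messagingengine.com;
    dkim=pass (1024-bit rsa key) header.d=nestpensions52.top;
    dmarc=pass header.from=nestpensions52.top;
    spf=pass smtp.mailfrom=message@nestpensions52.top
X-Attached: SecureMessageNEST.doc

(body omitted)
"""

BLOCKED_TLDS = {"top", "xyz"}                      # the poster's own filter list
MACRO_CAPABLE = {".doc", ".docm", ".xls", ".xlsm", ".rtf"}

def domain_of(address: str) -> str:
    """Domain part of an address-like string, lower-cased ('' if none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def header_indicators(raw: str) -> list:
    """Return human-readable phishing indicators found in the headers."""
    msg = email.message_from_string(raw)
    display, real = parseaddr(msg.get("From", ""))
    real_dom, shown_dom = domain_of(real), domain_of(display)
    found = []
    # 1. The display name is itself an address at a domain that differs
    #    from the real sender domain: the brand-impersonation pattern.
    if shown_dom and shown_dom != real_dom:
        found.append(f"display name impersonates {shown_dom}, real sender domain is {real_dom}")
    # 2. SPF/DKIM/DMARC vouch only for the domain the sender controls;
    #    a 'pass' for real_dom says nothing about shown_dom.
    auth = " ".join(msg.get("Authentication-Results", "").split())
    if shown_dom and shown_dom != real_dom and f"header.from={real_dom}" in auth and "dmarc=pass" in auth:
        found.append(f"DMARC pass is for {real_dom}, not for {shown_dom}")
    # 3. Sender TLD on the blocklist.
    tld = real_dom.rsplit(".", 1)[-1]
    if tld in BLOCKED_TLDS:
        found.append(f"sender TLD .{tld} is blocklisted")
    # 4. Unsolicited macro-capable Office attachment.
    attached = msg.get("X-Attached", "").strip().lower()
    if any(attached.endswith(ext) for ext in MACRO_CAPABLE):
        found.append(f"macro-capable attachment {attached}")
    return found

if __name__ == "__main__":
    for line in header_indicators(SAMPLE_HEADERS):
        print("-", line)
```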


#3 opera (Members, 1,031 posts)

Posted 10 July 2017 - 01:31 PM

evilbunny, please see your PMs.



#4 jwoods301 (Members, 1,489 posts)

Posted 10 July 2017 - 02:52 PM

Incidentally, I have filters set on my GMail account such that messages from any .top or .xyz address are automatically deleted, as I have received plenty of (mostly phishing) spam, and nothing else, from such addresses; but this arrived at my Fastmail address. Perhaps I should set the same filters on that one?

Keeping the advice on forum, you certainly can set filters on any email service you use.

 

My experience with Gmail is that they have excellent built-in spam filters, as does Outlook.com



#5 boopme (Global Moderator, 73,565 posts, NJ USA)

Posted 10 July 2017 - 03:35 PM

This is a public forum. All advice is to be posted on site. This is for the protection of the OP and to be sure the advice provided is both accurate and safe. Continuing in PM will cost you posting privileges.

Thank you.

#6 evilbunny (Topic Starter, Members, 8 posts)

Posted 10 July 2017 - 04:24 PM

 

Incidentally, I have filters set on my GMail account such that messages from any .top or .xyz address are automatically deleted, as I have received plenty of (mostly phishing) spam, and nothing else, from such addresses; but this arrived at my Fastmail address. Perhaps I should set the same filters on that one?

Keeping the advice on forum, you certainly can set filters on any email service you use.

 

My experience with Gmail is that they have excellent built-in spam filters, as does Outlook.com

 

Fastmail doesn't have quite as good spam filtering (at least not on the former "free" account levels, which were withdrawn for new signups nearly 10 years ago and are being withdrawn altogether at the end of this month; I haven't been using the paid service long enough to tell how good the spam filtering on that is) as GMail, but it does have the excellent Sieve filter scripting language (which I think is part of IMAP, or at least the Cyrus implementation).



#7 evilbunny (Topic Starter, Members, 8 posts)

Posted 10 July 2017 - 04:30 PM

evilbunny, please see your PMs.

 

 

This is a public forum. All advice is to be posted on site. This is for the protection of the OP and to be sure the advice provided is both accurate and safe. Continuing in PM will cost you posting privileges.

Thank you.

 

I agree with the two posters who have said so, that the advice I was given by PM is really more suitable as a public reply to this thread.

 

The PM simply told me that the address for reporting this type of thing is phishing@nestpensions.org.uk; which surprised me, I was of the impression that the relevant RFC (forgotten which number) requires not only that a website have an abuse address, but that if it is other than abuse@whatever, it must be posted on the site somewhere where visitors can find it (probably the "Contact us" page).



#8 opera (Members, 1,031 posts)

Posted 10 July 2017 - 11:15 PM

I contacted NEST because I have had dealings with them, and they asked if I would ask the person to send the info to that address and advised not posting the email address on such an open public forum as this (as opposed to a dedicated financial one I guess).

 

All I did was to try and help evilbunny and others. Wasn't trying to be cute or clever, just following what they asked me to do.

 

They have received other reports I gather.



#9 evilbunny (Topic Starter, Members, 8 posts)

Posted 10 July 2017 - 11:21 PM

If NEST don't want their abuse address to be public knowledge, that doesn't say much for their professionalism or integrity, to say nothing of the fact that (as I already mentioned) it also means that they're violating the RFC covering abuse addresses. (Contrary to what the name implies, RFCs are not requests but prescriptions of how things must work in order for the internet to run smoothly. Those which are requests are called "draft RFCs".)



#10 jwoods301 (Members, 1,489 posts)

Posted 10 July 2017 - 11:45 PM

Received-SPF: pass
    (nestpensions52.top: 185.154.23.184 is authorized to use 'message@nestpensions52.top' in 'mfrom' identity (mechanism 'ip4:185.154.23.184' matched))
    receiver=mx4.messagingengine.com;
    identity=mailfrom;
    envelope-from="message@nestpensions52.top";
    helo=nestpensions52.top;
    client-ip=185.154.23.184
Received: from nestpensions52.top (nestpensions52.top [185.154.23.184])
    by mx4.messagingengine.com (Postfix) with ESMTP
    for <[redacted]>; Wed,  5 Jul 2017 20:05:16 -0400 (EDT)

The IP originates from the Russian Federation...

 

https://www.speedguide.net/ip/185.154.23.184


Edited by jwoods301, 10 July 2017 - 11:46 PM.


#11 opera (Members, 1,031 posts)

Posted 10 July 2017 - 11:57 PM

If NEST don't want their abuse address to be public knowledge, that doesn't say much for their professionalism or integrity, to say nothing of the fact that (as I already mentioned) it also means that they're violating the RFC covering abuse addresses. (Contrary to what the name implies, RFCs are not requests but prescriptions of how things must work in order for the internet to run smoothly. Those which are requests are called "draft RFCs".)

 

Hopefully you will have pointed that out to them in an email!!
