Re: [Full-disclosure] Amazon Phishing Scam - Tech Details
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Amazon Phishing Scam - Tech Details
- From: S G Masood <sgmasood@xxxxxxxxx>
- Date: Fri, 16 Dec 2005 06:29:59 -0800 (PST)
--- DAN MORRILL <dan_20407@xxxxxxx> wrote:
> Ran across a very nice phishing scam from Amazon this morning. Technical
> details follow as a suggested black list for this domain. It was really
> nice, very authentic looking, and would suck in a lot of folks because it
> really looked very good. It has been reported to Amazon, but thought I
> would include the technical details to this group.
>
Hi Dan,
What's the point in posting this to the list? How is
it different from the zillion other phishing emails?
It doesn't seem to use any new techniques from what I
could gather from your post. If it does, you haven't
mentioned it.
--
SG Masood
> Cheers/r/Dan
>
>
> This is a header from an authentic e-mail from Amazon.
>
> Received: from mail-store-1001.amazon.com ([207.171.164.43]) by bay0-mc8-f3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 21:03:11 -0800
> Received: from ae-app-2102.iad2.amazon.com by mail-store-1001.amazon.com with ESMTP (peer crosscheck: ae-app-2102.iad2.amazon.com)
> Received: by ae-app-2102.iad2.amazon.com id AAA06388,375; 15 Dec 2005 21:03:08 -0800
> X-Message-Info: JGTYoYF78jEEhmTX9UX+3w4ZLRY9TlPY7fSuoOPz5zo=
> X-Amazon-Corporate-Relay: mail-store-1001.vdc.amazon.com
> X-AMAZON-TRACK: default
> Bounce-to: VarzeaEmailSender+4-61129391@xxxxxxxxxxxxxxxxxx
> Return-Path: VarzeaEmailSender+4-61129391@xxxxxxxxxxxxxxxxxx
> X-OriginalArrivalTime: 16 Dec 2005 05:03:11.0815 (UTC) FILETIME=[0377ED70:01C601FE]
>
> This is the email header from the suspected phishing e-mail:
>
> Received: from thebe.jtan.com ([207.106.84.138]) by bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 12:34:48 -0800
> Received: from thebe.jtan.com (localhost [127.0.0.1]) by thebe.jtan.com (8.13.3/8.12.9) with ESMTP id jBFKYki2014108 for <dan_XXXX7@xxxxxxx>; Thu, 15 Dec 2005 15:34:46 -0500
> Received: (from apache@localhost) by thebe.jtan.com (8.13.3/8.13.3/Submit) id jBFKYkhi014107; Thu, 15 Dec 2005 15:34:46 -0500
> X-Message-Info: JGTYoYF78jE8tZXo0G/OwVSmdTTPCilDDfKPKME8AI4=
> Return-Path: apache@xxxxxxxxxxxxxx
> X-OriginalArrivalTime: 15 Dec 2005 20:34:48.0333 (UTC) FILETIME=[FDF9F3D0:01C601B6]
>
> So the phishing e-mail came from here: http://www.uslec.com/
>
> OrgName: USLEC Corp.
> OrgID: USLC
> Address: 6801 Morrison Blvd
> City: Charlotte
> StateProv: NC
> PostalCode: 28211
> Country: US
>
> With an eventual owner here (suspected hacked site http://thebe.jtan.com/),
> with the owner http://www.jtan.com, which is a service provider under USLEC.
>
> J. Thomas Associates
> 1302 Diamond St
> Sellersville, PA 18960
> US
> Domain Name: JTAN.COM
>
> Administrative Contact, Technical Contact:
> Nadovich, Chris T chris@xxxxxxxx
> 1302 DIAMOND ST
> SELLERSVILLE, PA 18960-2906
> US 215-257-8708 fax: 123 123 1234
>
> Sometimes MSN E-mail will indicate that the message failed to be delivered.
> Please resend when you get those; it does not mean that the mail box is bad,
> merely that MSN mail is overworked at the time.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
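Whether or not the sample is novel, the two quoted header blocks do show the checks a mail analyst actually runs: read the outermost Received line (the one your own provider's MX wrote, here hotmail.com) to find the relay that really connected, test whether that relay sits under the domain the mail claims to come from, and look for a Received line showing the message was injected locally by a web-server account, which is what "(from apache@localhost)" on thebe.jtan.com indicates. The script below is an added example, not code from either poster; it embeds the two header blocks from the thread (kept one header per line, with the redacted mailbox domains replaced by the placeholder example.invalid) and applies those three checks. The list of web-server account names is an assumption of the example.

```python
import re
from email import message_from_string

# Header blocks quoted in the thread, one header per line. The mailbox
# domains that the original post redacted as "xxxxx" are replaced by the
# placeholder "example.invalid"; everything else is as posted.
AMAZON_HEADERS = """\
Received: from mail-store-1001.amazon.com ([207.171.164.43]) by bay0-mc8-f3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 21:03:11 -0800
Received: from ae-app-2102.iad2.amazon.com by mail-store-1001.amazon.com with ESMTP (peer crosscheck: ae-app-2102.iad2.amazon.com)
Received: by ae-app-2102.iad2.amazon.com id AAA06388,375; 15 Dec 2005 21:03:08 -0800
X-Amazon-Corporate-Relay: mail-store-1001.vdc.amazon.com
Return-Path: VarzeaEmailSender+4-61129391@example.invalid
"""

PHISH_HEADERS = """\
Received: from thebe.jtan.com ([207.106.84.138]) by bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 12:34:48 -0800
Received: from thebe.jtan.com (localhost [127.0.0.1]) by thebe.jtan.com (8.13.3/8.12.9) with ESMTP id jBFKYki2014108 for <victim@example.invalid>; Thu, 15 Dec 2005 15:34:46 -0500
Received: (from apache@localhost) by thebe.jtan.com (8.13.3/8.13.3/Submit) id jBFKYkhi014107; Thu, 15 Dec 2005 15:34:46 -0500
Return-Path: apache@example.invalid
"""

FROM_RE = re.compile(r"^from\s+([\w.-]+)", re.I)            # "from <host>"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")         # "[a.b.c.d]"
LOCAL_SUBMIT_RE = re.compile(r"\(from\s+([\w.-]+)@localhost\)", re.I)

# Assumed set of accounts a web server runs under; mail submitted by one of
# these usually comes from a script on the web host, not a real MUA.
WEB_SERVER_ACCOUNTS = {"apache", "www-data", "httpd", "nobody", "www"}


def entry_relay(received):
    """Host and IP of the relay that connected to our own MX.

    Only the outermost Received header (first in the list) was written by
    the receiving provider; every line below it was under the sender's
    control and may be forged, so the entry relay is the one fact to trust.
    """
    if not received:
        return None, None
    top = " ".join(received[0].split())          # unfold, normalise spaces
    host = FROM_RE.match(top)
    ip = IP_RE.search(top)
    return (host.group(1).lower() if host else None,
            ip.group(1) if ip else None)


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host is not None and (host == domain or host.endswith("." + domain))


def analyze_headers(raw_headers, claimed_domain):
    """Apply the three checks and return the findings as a dict."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    host, ip = entry_relay(received)

    submitter = None
    for hop in received:                         # any hop injected locally?
        m = LOCAL_SUBMIT_RE.search(hop)
        if m:
            submitter = m.group(1).lower()
            break

    reasons = []
    if not in_domain(host, claimed_domain):
        reasons.append(f"entry relay {host} [{ip}] is not under {claimed_domain}")
    if submitter in WEB_SERVER_ACCOUNTS:
        reasons.append(f"injected locally by web-server account '{submitter}'")

    return {
        "entry_host": host,
        "entry_ip": ip,
        "entry_in_claimed_domain": in_domain(host, claimed_domain),
        "local_submitter": submitter,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, hdrs in (("amazon", AMAZON_HEADERS), ("phish", PHISH_HEADERS)):
        result = analyze_headers(hdrs, "amazon.com")
        verdict = "SUSPICIOUS" if result["suspicious"] else "consistent"
        print(f"{label}: {verdict} {result['reasons']}")
```

The Amazon sample passes (entry relay mail-store-1001.amazon.com at 207.171.164.43 is under amazon.com, no local submission); the phish fails on both counts (entry relay thebe.jtan.com at 207.106.84.138, message submitted by apache on that host). Note the limits: the outermost Received line is the only one that the recipient's own infrastructure wrote, so the domain check is only as good as that stamp, and a legitimate mail sent through a third-party ESP will also fail a naive domain match; in practice this check feeds SPF/DKIM-style verification rather than replacing it.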