[Full-disclosure] Amazon Phishing Scam - Tech Details
- From: "DAN MORRILL" <dan_20407@xxxxxxx>
- Date: Fri, 16 Dec 2005 14:08:09 +0000
Ran across a very nice phishing scam from amazon this morning. Technical details follow as suggested black list for this domain. It was really nice, very authentic looking, and would suck in a lot of folks because it really looked very good. It has been reported to Amazon, but thought I would include the technical details to this group.
Cheers/r/Dan
This is a header from an authentic e-mail from Amazon.
Received: from mail-store-1001.amazon.com ([207.171.164.43]) by bay0-mc8-f3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 21:03:11 -0800
Received: from ae-app-2102.iad2.amazon.com by mail-store-1001.amazon.com with ESMTP (peer crosscheck: ae-app-2102.iad2.amazon.com)
Received: by ae-app-2102.iad2.amazon.comid AAA06388,375; 15 Dec 2005 21:03:08 -0800
X-Message-Info: JGTYoYF78jEEhmTX9UX+3w4ZLRY9TlPY7fSuoOPz5zo=
X-Amazon-Corporate-Relay: mail-store-1001.vdc.amazon.com
X-AMAZON-TRACK: default
Bounce-to: VarzeaEmailSender+4-61129391@xxxxxxxxxxxxxxxxxx
Return-Path: VarzeaEmailSender+4-61129391@xxxxxxxxxxxxxxxxxx
X-OriginalArrivalTime: 16 Dec 2005 05:03:11.0815 (UTC) FILETIME=[0377ED70:01C601FE]
This is the email header from the suspected phishing e-mail
Received: from thebe.jtan.com ([207.106.84.138]) by bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 12:34:48 -0800
Received: from thebe.jtan.com (localhost [127.0.0.1])by thebe.jtan.com (8.13.3/8.12.9) with ESMTP id jBFKYki2014108for <dan_XXXX7@xxxxxxx>; Thu, 15 Dec 2005 15:34:46 -0500
Received: (from apache@localhost)by thebe.jtan.com (8.13.3/8.13.3/Submit) id jBFKYkhi014107;Thu, 15 Dec 2005 15:34:46 -0500
X-Message-Info: JGTYoYF78jE8tZXo0G/OwVSmdTTPCilDDfKPKME8AI4=
Return-Path: apache@xxxxxxxxxxxxxx
X-OriginalArrivalTime: 15 Dec 2005 20:34:48.0333 (UTC) FILETIME=[FDF9F3D0:01C601B6]
So the phishing e-mail came from here: http://www.uslec.com/
OrgName: USLEC Corp. OrgID: USLC Address: 6801 Morrison Blvd City: Charlotte StateProv: NC PostalCode: 28211 Country: US
With an eventual owner here (Suspected hacked site http://thebe.jtan.com/) with the owner http://www.jtan.com which is a service provider under uslec.
J. Thomas Associates 1302 Diamond St Sellersville, PA 18960 US Domain Name: JTAN.COM
Administrative Contact, Technical Contact: Nadovich, Chris T chris@xxxxxxxx 1302 DIAMOND ST SELLERSVILLE, PA 18960-2906 US 215-257-8708 fax: 123 123 1234
Sometimes MSN E-mail will indicate that the mesasge failed to be delivered. Please resend when you get those, it does not mean that the mail box is bad, merely that MSN mail is over worked at the time.
_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar ? get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
- Follow-Ups:
- [Full-disclosure] Re: Amazon Phishing Scam - Tech Details
- From: Dave Korn
- Re: [Full-disclosure] Amazon Phishing Scam - Tech Details
- From: S G Masood
- [Full-disclosure] Re: Amazon Phishing Scam - Tech Details
- Prev by Date: Re: [Full-disclosure] InfoSecBOFH and other trouble makers
- Next by Date: Re: [Full-disclosure] Amazon Phishing Scam - Tech Details
- Previous by thread: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch
- Next by thread: Re: [Full-disclosure] Amazon Phishing Scam - Tech Details
- Index(es):
Relevant Pages
|
