
Sat Apr 17, 2021, 05:24 PM

I think I've seen a new scam

Not sure what it is, but both me and the spouse received vague "delivery notifications" needing additional information and asking us to click on a URL. I checked out one of the URLs and, near as I can tell, it didn't even exist. What I can't figure out is what they hoped to accomplish. Was this some attempt to collect data from the cell phone?

15 replies, 966 views


Response to zipplewrath (Original post)

Sat Apr 17, 2021, 05:30 PM

1. Spearphishing. Any unsolicited URL links, especially if the sender info does not match the document.


If you open up the email payload and view the IP address of the source, open a DOS window and type in the nslookup xxx.xxx.xxx.xxx command, substituting the x's with the IP address. You'll find that around 70% of them are sourced from free or $1/mo Amazon AWS accounts.

Amazon is the #1 proliferator of spam emails.

The AWS apps that run, are started on virtual servers and will link to non-AWS URLs in the emails. If you do a whois on the domain names, most won't have their mandatory ICANN registry information filled out. You can report them to ICANN and if they don't add it in a month, that hostname will get taken down. AWS will also take them down, if reported. That requires you to sign up for an AWS account to report fraud. But if campaigns are taken down, they will pop up a few days later as another campaign.

Most of those addresses will be at one of those strip mall P.O. Box places. Get a bunch of them and report them to the PO Box company and they will pull their P.O. Box.

Hosting provider 1and1 is also the primary host for these domains too. While domain hosts say they can't control what their domain holders do, send a few of those emails to them and they will yank that client. Funny thing is... no one wants to be associated with scammers.


Save off all your scam emails, log the source IP, the hostname of it, the target URL and see if there is a commonality. Once you compile a bunch, go to AWS, go to the domain host, report them to ICANN and contact their post office provider. I've taken quite a few offline for long periods by hitting them on all fronts.



Response to TheBlackAdder (Reply #1)

Sat Apr 17, 2021, 05:39 PM

5. Do you have any advice on how to avoid being phished?

I am usually totally averse to clicking on any link UNLESS I know or am aware of the email author AND the link or the request being made by author makes sense. Otherwise, I send the questionable email to our IT department for a final ruling.

I had also heard that even PREVIEWING an email, depending on your email client, can be dangerous without even clicking on links. Is that true? If that's the case, that's completely debilitating, since I get 100s of emails a day at the office, and easily in the high double digits personally each day. There is no way I could process things unless I used the preview function to make a threshold determination of whether the email was relevant or not.

Any advice on this would be great!



Response to MerryHolidays (Reply #5)

Sat Apr 17, 2021, 05:50 PM

6. Nope. Once your name is out there, even if you block/don't reply to them, they are traded online.


Just like telemarketers.

I now answer telemarketing calls and waste their time. Certain ones from India have similar messages or hold scripts and I'll press 0 or 1 to get a live operator and then play Hindi music. Even if I waste 15 seconds of their time, that cuts into their human call resources and by doing that, after a few months the rate of spam calls dropped by about 80%.

Instead of being pissed, I make it into a sport to see if I can piss them off.

I'll sometimes bait the Hilton or cruise line spam calls and keep them talking for 10 minutes asking about their program, just to say that I loved wasting their time, and will continue to do so each time they call -- poof, no more calls from them.



Response to TheBlackAdder (Reply #6)

Sat Apr 17, 2021, 05:52 PM

8. TBA, your earlier advice is great! I will start doing this

However, I still have a question: can merely previewing an email without clicking any links result in a phish?



Response to MerryHolidays (Reply #8)

Sat Apr 17, 2021, 06:16 PM

12. No, your email viewer has an option that allows you to view the email source.

Last edited Sat Apr 17, 2021, 09:05 PM - Edit history (1)


That is strictly a text viewer. It will have a pile of stuff in it, but once you figure out the pattern, you'll be able to grab them in a few seconds.


Embedded in there will be something like this:
Authentication-Results: spf=softfail (sender IP is 212.64.220.150)
smtp.mailfrom=inbox.foxnews.com; hotmail.com; dkim=none (message not signed)
header.d=none;hotmail.com; dmarc=none action=none
header.from=ballaratfitness.com;compauth=fail reason=001
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
inbox.foxnews.com discourages use of 212.64.220.150 as permitted sender)


DOS Window:
PS C:\WINDOWS\system32> nslookup 212.64.220.150
Server: 83a680f2afb6
Address: 10.0.0.243

Name: roles.reposefully.com
Address: 212.64.220.150

PS C:\WINDOWS\system32> nslookup reposefully.com
Server: 83a680f2afb6
Address: 10.0.0.243

Non-authoritative answer:
Name: reposefully.com
Address: 212.64.220.146

WHOIS Lookup: https://www.whois.com/whois
https://www.whois.com/whois/reposefully.com

Now this one has the typical GMAIL email account and is using NameCheap as a Registrar. There is a reporting ability at all Registrars. But it is best to wait and compile a bunch of them that are from the same person and then they will nuke the guy's account.

The address looks to be a web developer's address: 5660 Strand Court,,# A8,Naples,FL,34110


If they are missing Registration contact information: https://www.icann.org/compliance/complaint
Rat out each domain name that isn't properly filled out.

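The header-reading procedure described in replies #1 and #12 (view the message source, find the sending IP in Authentication-Results / Received-SPF, reverse-resolve it with nslookup, then compare the envelope and visible sender domains) can be scripted. The block below is an added example, not code from the thread or from any poster. The sample message is constructed from the header fragment quoted in reply #12, with the folding whitespace restored; the From and Subject lines are invented. `reverse_lookup` needs network access to do the PTR query, so its resolver is injectable and the registrar/ICANN reporting steps stay manual.

```python
"""Pull the sending IP and the SPF/DKIM/DMARC verdicts out of a raw email.

Added example for this thread; not code from any poster. The sample message
is constructed from the header fragment quoted above, re-folded with leading
whitespace the way a mail client stores it; From/Subject are invented.
"""
import ipaddress
import re
import socket
from email import policy
from email.parser import BytesParser

# Constructed sample message (headers as quoted in the thread, plus invented
# From/Subject/body so the parser has a complete message to work on).
RAW_MESSAGE = b"""\
Authentication-Results: spf=softfail (sender IP is 212.64.220.150)
 smtp.mailfrom=inbox.foxnews.com; hotmail.com; dkim=none (message not signed)
 header.d=none;hotmail.com; dmarc=none action=none
 header.from=ballaratfitness.com;compauth=fail reason=001
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
 inbox.foxnews.com discourages use of 212.64.220.150 as permitted sender)
From: "Delivery Desk" <news@ballaratfitness.com>
Subject: Your package could not be delivered
Content-Type: text/plain

Please confirm your address at the link below.
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Outlook.com writes "sender IP is x.x.x.x"; many other receivers write
# "client-ip=x.x.x.x" in Received-SPF, so accept both spellings.
SENDER_IP_RE = re.compile(r"(?:sender IP is|client-ip=)\s*(%s)" % IPV4)
VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)")
IDENTITY_RE = re.compile(r"\b(smtp\.mailfrom|header\.from|header\.d)=([^\s;]+)")


def header_text(msg, name):
    """Join every instance of a header and collapse folding whitespace."""
    values = msg.get_all(name) or []
    return " ".join(" ".join(str(v).split()) for v in values)


def parse_message(raw):
    """Return sender IP, authentication verdicts and the identities they cover."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    auth = header_text(msg, "Authentication-Results")
    spf_hdr = header_text(msg, "Received-SPF")
    info = {"verdicts": dict(VERDICT_RE.findall(auth)),
            "identities": dict(IDENTITY_RE.findall(auth)),
            "sender_ip": None}
    m = SENDER_IP_RE.search(auth + " " + spf_hdr)
    if m:
        try:
            info["sender_ip"] = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass  # malformed address in the header; leave sender_ip as None
    return info


def domain_of(identity):
    """'user@example.com' or 'example.com' -> 'example.com'; 'none' -> None."""
    if not identity or identity == "none":
        return None
    return identity.rsplit("@", 1)[-1].lower()


def assess(info):
    """Human-readable reasons to distrust the message (empty list = no flags)."""
    v, ids = info["verdicts"], info["identities"]
    reasons = []
    for mech in ("spf", "dkim", "dmarc"):
        if v.get(mech) != "pass":
            reasons.append("%s did not pass (%s)" % (mech.upper(), v.get(mech, "missing")))
    if v.get("compauth") == "fail":
        reasons.append("receiver's composite authentication failed")
    envelope = domain_of(ids.get("smtp.mailfrom"))
    visible = domain_of(ids.get("header.from"))
    # The envelope (bounce) domain and the visible From domain should align.
    if envelope and visible and envelope != visible and not envelope.endswith("." + visible):
        reasons.append("envelope sender %s does not match visible From %s" % (envelope, visible))
    return reasons


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """PTR lookup, the same thing `nslookup <ip>` shows. Needs DNS access;
    the resolver is injectable so the function can be exercised offline."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror/gaierror are OSError subclasses
        return None


if __name__ == "__main__":
    info = parse_message(RAW_MESSAGE)
    print("sender IP :", info["sender_ip"])
    print("verdicts  :", info["verdicts"])
    if info["sender_ip"]:
        print("PTR       :", reverse_lookup(info["sender_ip"]))  # None when offline
    for reason in assess(info):
        print(" -", reason)
```

Run against the sample, it reports the sender IP 212.64.220.150, four failed or absent verdicts, and the mismatch between the envelope domain inbox.foxnews.com and the visible From domain ballaratfitness.com. Keep the parsed IP, PTR name and domains per message, as reply #1 suggests, and the commonalities across a batch fall out of a simple spreadsheet.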


Response to TheBlackAdder (Reply #12)

Sat Apr 17, 2021, 06:26 PM

14. Thank you! n/t



Response to TheBlackAdder (Reply #6)

Sat Apr 17, 2021, 05:58 PM

11. I truly despise it when someone says "Google is your friend"

implying that I am too lazy to look it up for myself. My problem with the "Google is your friend" is the basic problem with the internet: there is so much useful information readily available, but there is equally a lot of shite available too.

Anyways, Google was my friend right now, and this seems to be a pretty good answer to my question: https://www.howtogeek.com/413435/is-it-safe-to-preview-your-email/



Response to zipplewrath (Original post)

Sat Apr 17, 2021, 05:31 PM

2. I got one as well.

I seldom order anything on my own as my sister has prime.

I did not click the link and instead I looked up USPS. Then entered the "supposed" tracking number. Usps said it didn't exist.

Yep, some sort of scam.



Response to zipplewrath (Original post)

Sat Apr 17, 2021, 05:34 PM

3. They're not new.

They've been around for years and they're trying to obtain personal information, logins, and so on.

Here's a good summary with links to examples, etc.

https://www.fcc.gov/how-identify-and-avoid-package-delivery-scams



Response to zipplewrath (Original post)

Sat Apr 17, 2021, 05:35 PM

4. I received a text message like that as well



Response to zipplewrath (Original post)

Sat Apr 17, 2021, 05:51 PM

7. I don't do a lot of online ordering, and as it happens I've never gotten

one of these emails. I'm always going to be aware of what I've ordered.

I do keep on getting the stupid phone call about some kind of high amount something I've ordered with Amazon. As soon as I realize that's what it is, I just hang up.



Response to zipplewrath (Original post)

Sat Apr 17, 2021, 05:53 PM

9. I got an email a couple weeks ago saying my

Amazon account was hacked and I was locked out. They had a link to reset my account. Instead I signed in to my Amazon account with no problem. I keep getting emails saying my Norton antivirus has expired; I don't have Norton.



Response to zipplewrath (Original post)

Sat Apr 17, 2021, 05:53 PM

10. That link probably installed a virus.

You should do a thorough cleaning.

Never click an unknown link.



Response to zipplewrath (Original post)

Sat Apr 17, 2021, 06:22 PM

13. It was a text

I wasn't clear about that. Neither of us clicked on anything. I looked up on a laptop to try and trace either the phone # or the URL. It just seems odd with all of the different operating systems in cell phones.



Response to zipplewrath (Original post)

Sat Apr 17, 2021, 07:09 PM

15. I have received two of those text messages.

The first one read "Dear (first name; last name). Yada, yada yada." I deleted it without opening it.

The second one said it was from USPS. Is there a place to report this within the postal service? Is it a crime to say you are the USPS when you are not?
