Full Disclosure mailing list archives

Re: Amazon Phishing Scam - Tech Details


From: "DAN MORRILL" <dan_20407 () msn com>
Date: Fri, 16 Dec 2005 14:34:38 +0000

Oh, I don't know, maybe someone might want to block the IP address or shun them, maybe someone might want to put it in their Exchange server as a known bad IP, maybe someone might want to black-hole them at some point, just little things like that, and that is why I posted this to this list.

Just a thought.
r/d



--- DAN MORRILL <dan_20407 () msn com> wrote:

> Ran across a very nice phishing scam from amazon
> this morning. Technical
> details follow as suggested black list for this
> domain. It was really nice,
> very authentic looking, and would suck in a lot of
> folks because it really
> looked very good. It has been reported to Amazon,
> but thought I would
> include the technical details to this group.
>

Hi Dan,

What's the point in posting this to the list? How is
it different from the zillion other phishing emails?
It doesn't seem to use any new techniques from what I
could gather from your post. If it does, you haven't
mentioned it.

--
SG Masood





> Cheers/r/Dan
>
>
> This is a header from an authentic e-mail from
> Amazon.
>
> Received: from mail-store-1001.amazon.com ([207.171.164.43]) by bay0-mc8-f3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 21:03:11 -0800
> Received: from ae-app-2102.iad2.amazon.com by mail-store-1001.amazon.com with ESMTP (peer crosscheck: ae-app-2102.iad2.amazon.com)
> Received: by ae-app-2102.iad2.amazon.com id AAA06388,375; 15 Dec 2005 21:03:08 -0800
> X-Message-Info: JGTYoYF78jEEhmTX9UX+3w4ZLRY9TlPY7fSuoOPz5zo=
> X-Amazon-Corporate-Relay: mail-store-1001.vdc.amazon.com
> X-AMAZON-TRACK: default
> Bounce-to: VarzeaEmailSender+4-61129391 () bounces amazon com
> Return-Path: VarzeaEmailSender+4-61129391 () bounces amazon com
> X-OriginalArrivalTime: 16 Dec 2005 05:03:11.0815 (UTC) FILETIME=[0377ED70:01C601FE]
>
> This is the email header from the suspected phishing
> e-mail
>
> Received: from thebe.jtan.com ([207.106.84.138]) by bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 12:34:48 -0800
> Received: from thebe.jtan.com (localhost [127.0.0.1]) by thebe.jtan.com (8.13.3/8.12.9) with ESMTP id jBFKYki2014108 for <dan_XXXX7 () msn com>; Thu, 15 Dec 2005 15:34:46 -0500
> Received: (from apache@localhost) by thebe.jtan.com (8.13.3/8.13.3/Submit) id jBFKYkhi014107; Thu, 15 Dec 2005 15:34:46 -0500
> X-Message-Info: JGTYoYF78jE8tZXo0G/OwVSmdTTPCilDDfKPKME8AI4=
> Return-Path: apache () thebe jtan com
> X-OriginalArrivalTime: 15 Dec 2005 20:34:48.0333 (UTC) FILETIME=[FDF9F3D0:01C601B6]
>
> So the phishing e-mail came from here:
> http://www.uslec.com/
>
> OrgName:    USLEC Corp.
> OrgID:      USLC
> Address:    6801 Morrison Blvd
> City:       Charlotte
> StateProv:  NC
> PostalCode: 28211
> Country:    US
>
> With an eventual owner here (Suspected hacked site
> http://thebe.jtan.com/)
> with the owner http://www.jtan.com which is a
> service provider under uslec.
>
> J. Thomas Associates
> 1302 Diamond St
> Sellersville, PA 18960
> US
> Domain Name: JTAN.COM
>
> Administrative Contact, Technical Contact:
> Nadovich, Chris T          chris () JTAN COM
> 1302 DIAMOND ST
> SELLERSVILLE, PA 18960-2906
> US 215-257-8708 fax: 123 123 1234
>
>
>
>
>
> Sometimes MSN E-mail will indicate that the message
> failed to be delivered.
> Please resend when you get those, it does not mean
> that the mail box is bad,
> merely that MSN mail is overworked at the time.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



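The header comparison made in the quoted post (authentic Amazon mail versus the suspected phish) can be automated. The following is an added example, not code from anyone in this thread: it parses the Received chain, trusts only the hop stamped by the recipient's own MX (everything below it was supplied by the sender), and checks that host and the Return-Path against the domain the mail claims to come from. The sample headers are constructed from the two blocks quoted above, with the archive's address obfuscation undone; "hotmail.com" as the recipient's MX domain and "amazon.com" as the claimed sender are taken from the page.

```python
import re

# Constructed sample input: the two header blocks quoted above (authentic Amazon mail,
# then the suspected phish), one line per header, archive address obfuscation undone.
AMAZON = """\
Received: from mail-store-1001.amazon.com ([207.171.164.43]) by bay0-mc8-f3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 21:03:11 -0800
Received: from ae-app-2102.iad2.amazon.com by mail-store-1001.amazon.com with ESMTP (peer crosscheck: ae-app-2102.iad2.amazon.com)
Return-Path: VarzeaEmailSender+4-61129391@bounces.amazon.com
"""
PHISH = """\
Received: from thebe.jtan.com ([207.106.84.138]) by bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 12:34:48 -0800
Received: from thebe.jtan.com (localhost [127.0.0.1]) by thebe.jtan.com (8.13.3/8.12.9) with ESMTP id jBFKYki2014108 for <dan_XXXX7@msn.com>; Thu, 15 Dec 2005 15:34:46 -0500
Received: (from apache@localhost) by thebe.jtan.com (8.13.3/8.13.3/Submit) id jBFKYkhi014107; Thu, 15 Dec 2005 15:34:46 -0500
Return-Path: apache@thebe.jtan.com
"""

def parse_received(headers):
    """Return (from_host, by_host) for each Received line, newest hop first."""
    hops = []
    for line in headers.splitlines():
        if line.startswith("Received:"):
            m_from = re.search(r"\bfrom\s+\(?([^\s()]+)", line)  # also matches "(from user@host)"
            m_by = re.search(r"\bby\s+([^\s()]+)", line)
            hops.append((m_from and m_from.group(1), m_by and m_by.group(1)))
    return hops

def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def return_path_domain(headers):
    m = re.search(r"^Return-Path:\s*<?[^\s<>@]+@([^\s<>]+)", headers, re.M)
    return m.group(1).lower() if m else None

def assess(headers, claimed_domain, own_mx_domain):
    """Only the Received line stamped by our own MX is trustworthy (the sender supplies
    the rest): check the host handing off to it and the Return-Path against the claim."""
    trusted = [h for h in parse_received(headers) if in_domain(h[1], own_mx_domain)]
    if not trusted:
        return {"verdict": "unknown", "handoff": None, "findings": ["no Received line from our own MX"]}
    handoff, rp, findings = trusted[0][0], return_path_domain(headers), []
    if not in_domain(handoff, claimed_domain):
        findings.append(f"handed to our MX by {handoff}, not a {claimed_domain} host")
    if not in_domain(rp, claimed_domain):
        findings.append(f"Return-Path domain {rp} is not under {claimed_domain}")
    return {"verdict": "suspicious" if findings else "consistent", "handoff": handoff, "findings": findings}

if __name__ == "__main__":
    for name, hdrs in (("amazon", AMAZON), ("phish", PHISH)):
        print(name, assess(hdrs, "amazon.com", "hotmail.com"))
```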

