Re: Amazon Phishing Scam - Tech Details

[S G Masood <sgmasood () yahoo com>]

--- DAN MORRILL <dan_20407 () msn com> wrote:

> Ran across a very nice phishing scam from amazon
> this morning. Technical 
> details follow as suggested black list for this
> domain. It was really nice, 
> very authentic looking, and would suck in a lot of
> folks because it really 
> looked very good. It has been reported to Amazon,
> but thought I would 
> include the technical details to this group.

Hi Dan,

What's the point in posting this to the list? How is
it different from the zillion other phishing emails?
It doesn't seem to use any new techniques from what I
could gather from your post. If it does, you haven't
mentioned it.

--
SG Masood





> Cheers/r/Dan
>
>
> This is a header from an authentic e-mail from
> Amazon.
>
> Received: from mail-store-1001.amazon.com
> ([207.171.164.43]) by 
> bay0-mc8-f3.bay0.hotmail.com with Microsoft
> SMTPSVC(6.0.3790.211); Thu, 15 
> Dec 2005 21:03:11 -0800
> Received: from ae-app-2102.iad2.amazon.com by
> mail-store-1001.amazon.com 
> with ESMTP (peer crosscheck:
> ae-app-2102.iad2.amazon.com)
> Received: by ae-app-2102.iad2.amazon.comid
> AAA06388,375; 15 Dec 2005 
> 21:03:08 -0800
> X-Message-Info:
> JGTYoYF78jEEhmTX9UX+3w4ZLRY9TlPY7fSuoOPz5zo=
> X-Amazon-Corporate-Relay:
> mail-store-1001.vdc.amazon.com
> X-AMAZON-TRACK: default
> Bounce-to:
> VarzeaEmailSender+4-61129391 () bounces amazon com
> Return-Path:
> VarzeaEmailSender+4-61129391 () bounces amazon com
> X-OriginalArrivalTime: 16 Dec 2005 05:03:11.0815
> (UTC) 
> FILETIME=[0377ED70:01C601FE]
>
> This is the email header from the suspected phishing
> e-mail
>
> Received: from thebe.jtan.com ([207.106.84.138]) by 
> bay0-mc7-f17.bay0.hotmail.com with Microsoft
> SMTPSVC(6.0.3790.211); Thu, 15 
> Dec 2005 12:34:48 -0800
> Received: from thebe.jtan.com (localhost
> [127.0.0.1])by thebe.jtan.com 
> (8.13.3/8.12.9) with ESMTP id jBFKYki2014108for
> <dan_XXXX7 () msn com>; Thu, 15 
> Dec 2005 15:34:46 -0500
> Received: (from apache@localhost)by thebe.jtan.com
> (8.13.3/8.13.3/Submit) id 
> jBFKYkhi014107;Thu, 15 Dec 2005 15:34:46 -0500
> X-Message-Info:
> JGTYoYF78jE8tZXo0G/OwVSmdTTPCilDDfKPKME8AI4=
> Return-Path: apache () thebe jtan com
> X-OriginalArrivalTime: 15 Dec 2005 20:34:48.0333
> (UTC) 
> FILETIME=[FDF9F3D0:01C601B6]
>
> So the phishing e-mail came from here:
> http://www.uslec.com/
>
> OrgName:    USLEC Corp.
> OrgID:      USLC
> Address:    6801 Morrison Blvd
> City:       Charlotte
> StateProv:  NC
> PostalCode: 28211
> Country:    US
>
> With an eventual owner here (Suspected hacked site
> http://thebe.jtan.com/) 
> with the owner http://www.jtan.com which is a
> service provider under uslec.
>
> J. Thomas Associates
> 1302 Diamond St
> Sellersville, PA 18960
> US
> Domain Name: JTAN.COM
>
> Administrative Contact, Technical Contact:
> Nadovich, Chris T             chris () JTAN COM
> 1302 DIAMOND ST
> SELLERSVILLE, PA 18960-2906
> US 215-257-8708 fax: 123 123 1234
>
>
>
>
>
> Sometimes MSN E-mail will indicate that the mesasge
> failed to be delivered. 
> Please resend when you get those, it does not mean
> that the mail box is bad, 
> merely that MSN mail is over worked at the time.
_________________________________________________________________
> FREE pop-up blocking with the new MSN Toolbar – get
> it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia -
> http://secunia.com/


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/