Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 18 November 2009

Interesting phishing scam: Marius wants your help

I've received two of these so far, both pointing to two different domains of course, and find them rather intriguing given it's the first time I've seen this method used.

The e-mails start off pretty typical of the 419'ers, but then proceed with a link to ask for a donation - and so far, there's no additional infection involved that I can see:

E-mail 1:

Hello,

My name is Marius and I am a student at Technical University of Civil Engineering Bucharest. It is very difficult for me here because of the big amount of money needed to pay my rent. All I am requesting for you is to take 3 minutes of your time and help me with a small amount of money if it is possible and I can design a website for you if you request this.

To access my website and donate me 1 USD via PayPal click on the following link:


Access my website <http://www.cosmote.md/helpme>

Thank you,
Your help will be very much appreciated,

Marius


E-mail 2:

Dear friend,

My name is Marius and I am a student at Technical University of Civil Engineering at Bucharest. It is very difficult for me here because of the big amount of money needed to pay my rent. All I am requesting for you is to take 3 minutes of your time and help me with a small amount of money if it is possible and, in exchange for your help I can design a website for you if you request this.

To access my website and donate me 1 USD via PayPal click on the following link:


Click here to access my website <http://www.softhaven.com/helpme>
Thank you!
Your support will be very much appreciated,
Marius


Obviously the "Click here to access my website" would normally be the link, but given I only allow plain text, it's never linkified automagically ;o)
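As an added illustration (not part of the original post), here is a small Python check for the pattern above: two messages with near-identical wording whose links point at different hosts but share the same path. The two bodies are constructed inputs taken from the e-mails quoted above; the 0.85 similarity threshold is an assumption.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed inputs: the two messages quoted in the post, bodies only.
EMAIL_1 = """Hello,
My name is Marius and I am a student at Technical University of Civil
Engineering Bucharest. It is very difficult for me here because of the big
amount of money needed to pay my rent. All I am requesting for you is to take
3 minutes of your time and help me with a small amount of money if it is
possible and I can design a website for you if you request this.
To access my website and donate me 1 USD via PayPal click on the following link:
Access my website <http://www.cosmote.md/helpme>
Thank you, Your help will be very much appreciated, Marius"""

EMAIL_2 = """Dear friend,
My name is Marius and I am a student at Technical University of Civil
Engineering at Bucharest. It is very difficult for me here because of the big
amount of money needed to pay my rent. All I am requesting for you is to take
3 minutes of your time and help me with a small amount of money if it is
possible and, in exchange for your help I can design a website for you if you
request this.
To access my website and donate me 1 USD via PayPal click on the following link:
Click here to access my website <http://www.softhaven.com/helpme>
Thank you! Your support will be very much appreciated, Marius"""

URL_RE = re.compile(r"https?://[^\s<>]+")

def extract_urls(text):
    return URL_RE.findall(text)

def template(text):
    """Strip links and collapse whitespace so only the wording is compared."""
    return " ".join(URL_RE.sub("<URL>", text).lower().split())

def similarity(a, b):
    # autojunk=False: the default heuristic discards frequent letters in
    # texts over 200 chars and would depress the score for plain prose.
    return SequenceMatcher(None, template(a), template(b), autojunk=False).ratio()

def same_campaign(a, b, threshold=0.85):
    """Return (flag, shared_paths): flag is True when two messages share a
    template but link to different hosts; shared_paths lists link paths that
    recur across those hosts (here '/helpme')."""
    ua, ub = extract_urls(a), extract_urls(b)
    hosts_a = {urlparse(u).hostname for u in ua}
    hosts_b = {urlparse(u).hostname for u in ub}
    shared = {urlparse(u).path for u in ua} & {urlparse(u).path for u in ub}
    flag = similarity(a, b) >= threshold and hosts_a.isdisjoint(hosts_b)
    return flag, sorted(shared)
```

Run on the two bodies, same_campaign() flags them as one campaign and reports the shared "/helpme" path, which is the kind of fingerprint worth feeding into a mail filter or blocklist.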

Getting back to the sites themselves, cosmote.md is actually owned by Marius Apostol according to WhoIs records, but softhaven.com looks like a hacked website (given it's hosted by BlueHost, this isn't surprising).

The actual content is as shown in the following screenshots:

[Screenshot: cosmote.md and cosmote.md/helpme]

[Screenshot: softhaven.com/helpme]


In both cases, the source code shows the payment goes to Marius Apostol at ebagabontu@yahoo.com. Whether this is a compromised account or his own is, at this point, unknown.

WhoIs records for cosmote.md are, annoyingly, vague as far as registrant information goes, but do of course give us the owner's name (or at least, the name they gave to the registrar):

Checking server [whois.nic.md]
Results:
Domain name: cosmote.md
Registrant: Marius Apostol
Created: 2008-01-10
Expiration date: 2010-01-10
Name server: ns1.sqweebs.com 174.36.230.4
Name server: ns2.sqweebs.com 174.36.230.6
DNS update: 2009-09-28 18:37


I double-checked the WhoIs using various different sources, to try and get more information, but alas, nic.md is returning only the above it seems.

It's currently hosted at SoftLayer:

IP: 174.36.230.6
IP PTR: 174.36.230.6-static.reverse.softlayer.com
ASN: 36351 174.36.192.0/18 SOFTLAYER - SoftLayer Technologies Inc

Needless to say, if you receive one of these, DELETE IT!

2 comments:

CanucKipper said...

Just got one of these myself today... I know better than to click it, and a quick google search yielded your blog reference. I figured as much. Thanks !

MysteryFCM said...

My pleasure :)