Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 30 January 2013

ALERT: Wonga phish

Strange choice of companies to impersonate in a phishing scam if you ask me, but nevertheless, this just arrived in my inbox:

Customer Satisfaction Survey 2013
At Wonga.com, we sincerely value your opinions.
As part of our continuous improvement process, we're conducting a survey to benchmark the opinions of our customers.

We will use the resulting information to better serve the needs of our customers.

We kindly ask you to take part in our quick and easy 3 questions customer survey. In return, we won't charge you ANY INTEREST on your next loan application!

Here is how you proceed:
• Download your personal survey attached to this email.
• Select the desired answers on your survey.
• Log in to your Wonga.com account to validate your survey.
We thank you in advance for your time and effort in making Wonga the best payday lender in the United Kingdom.

Sincerely,
Wonga.com Customer Service
Message ID:


This came with an attachment that housed the phish itself;



With the stolen details being sent to;

URL: hxxp://190.90.23.130/recordings/misc/wongalogin.php
ASN: 28032 190.90.23.0/24 INTERNEXA S.A.

Email headers:

Return-Path: <sharecash_org_donotreply@wonga.com>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 2.937
X-Spam-Level: **
X-Spam-Status: Yes, score=2.937 tagged_above=-9999 required=1.3
    tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_16=1.092, HTML_MESSAGE=0.001,
    MIME_HTML_ONLY=0.723, MIME_QP_LONG_LINE=0.001, TO_IN_SUBJ=3.01,
    T_OBFU_HTML_ATTACH=0.01] autolearn=no
Received: from mail.dfsv51.com (mail.dfsv51.com [91.103.216.32])
    by [REMOVED] (Postfix) with ESMTP id 45B043598600
    for <[REMOVED]>; Thu, 31 Jan 2013 06:26:44 +0000 (GMT)
Received: from wonga.com ([200.5.118.70]) by dfsv51.com with MailEnable ESMTP; Thu, 31 Jan 2013 06:26:30 +0000
From: "Wonga.com" <sharecash_org_donotreply@wonga.com>
To: [REMOVED]
Subject: [SPAM] Customer Satisfaction Survey for [REMOVED]
Date: 31 Jan 2013 03:26:38 -0300
Message-ID: <20130131032638.3E188E97ABA81272@wonga.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0012_9040D09C.54545B51"



The owner of the IP housing the phish has been notified, as have the owners of the IPs the email originated from (Telefonica) and went through (Dataflame Internet Services Ltd).
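The originating and relaying hops can be read back out of the Received headers shown above. The following is an added example, not part of the original post; the function names relay_hops and triage are hypothetical, and the header text is copied from the post with the author's [REMOVED] redactions kept.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Headers copied from the post; [REMOVED] placeholders are the author's redactions.
RAW = """\
Return-Path: <sharecash_org_donotreply@wonga.com>
Received: from mail.dfsv51.com (mail.dfsv51.com [91.103.216.32])
 by [REMOVED] (Postfix) with ESMTP id 45B043598600
 for <[REMOVED]>; Thu, 31 Jan 2013 06:26:44 +0000 (GMT)
Received: from wonga.com ([200.5.118.70]) by dfsv51.com with MailEnable ESMTP; Thu, 31 Jan 2013 06:26:30 +0000
From: "Wonga.com" <sharecash_org_donotreply@wonga.com>
Date: 31 Jan 2013 03:26:38 -0300
"""

# "from <announced name> ([<name logged by receiver> ][<ip>])"
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9.]+)\]\)")

def relay_hops(raw):
    """Return hops oldest first as (announced_name, logged_name, ip)."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its Received header, so the last one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    return hops

def triage(raw):
    """Summarise where the message entered the relay chain and what looks off."""
    msg = message_from_string(raw)
    hops = relay_hops(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    announced, logged, origin_ip = hops[0]
    notes = []
    # The announced name is chosen by the sender; the bracketed IP is what the relay saw.
    if announced == from_domain and logged is None:
        notes.append("origin announced itself as %s; receiver logged only IP %s"
                     % (from_domain, origin_ip))
    offset = parsedate_to_datetime(msg["Date"]).utcoffset()
    notes.append("sender clock offset: UTC%+d" % (offset.total_seconds() // 3600))
    return {"origin_ip": origin_ip, "relays": [h[2] for h in hops[1:]], "notes": notes}

if __name__ == "__main__":
    print(triage(RAW))
```

The oldest Received header is only as trustworthy as the relay that wrote it, so the origin IP is the address to look up and report rather than the name the sender announced.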
