Password phishing emails originating from West Africa

[coolbreeze1975]

Microsoft Digital Crimes

email addy = microsoftsupport@mailservermicrosoft.com

IP Address: 66.225.214.217
IP Country: Saudi Arabia
Guessed City: Jeddah
Organization: HostForWeb
ISP Provider: Server Central Network

header =

Received: from krios.omogenia.us (unknown [66.225.214.217])

email sent =

Sent: Sat, Oct 20, 2012 8:48 pm
Subject: Validate Your Account Information


Dear User,
Due to a new vulnerability which is exploited hackers to steal your passwords. Microsoft Digital Crimes Unit has hereby developed a new security measure. All users of the Internet and Microsoft products are hereby required to validate there email account information irregardless of their Internet service provider or Host company.
To validate your email account and prevent hackers from exploiting the new vulnerability. Please click on the validation link below and supplied the required information.
Validation Link.
Please note that if your email is not validated, your email will be delete to avoid hackers getting into your personal or business email account there by getting access to classified or privileged information.
2012 Microsoft Digital Crimes Unit


CB1975

[Lioness1]

Hotmail

CONFIRMATION DE VOTRE COMPTE‏

11:24

An Julie Daraîche

Dear User account


CONFIRM YOUR WINDOWS LIVE ACCOUNT SERIVICES. VERIFY YOUR FREE HOTMAIL ACCOUNT NOW !!!




Chers Membres ,



Nos principes de confidentialité restent inchangés. Jamais nous ne vendrons ni ne partagerons vos données personnelles sans votre autorisation (sauf dans de rares cas, comme les demandes d'ordre

juridique).



Nous effectuons actuellement une mise à jour des règles de confidentialité de Hotmail.

Ces nouvelles règles illustrent notre volonté de vous garantir une sécurité homogène, avec d'autres personnes, nous voulons faciliter votre utilisation quotidienne de Hotmail.


*Adresse Windows live Hotmail :……………………
*Mot de Passe :……………………………………….

*Nom et Prénom :……………………………………..

*Date de Naissance :…………………………………

*Pays ou territoire :……………………………………



Si vous êtes connecté à Hotmail, veuillez confirmer votre identité en remplissant le formulaire ci-dessus.

Notre objectif : vous garantir une transparence et une liberté.



Après avoir suivi les instructions ci-dessus, votre compte ne courra plus aucun risque dêtre interrompu. Merci de votre attention à cette demande.

Attention : Tout utilisateur de Hotmail qui n'aurait pas mis son compte à jour après deux semaines de la réception de cet avertissement perdra son compte en permanence.



Cordialement,

L'équipe de Windows Live Hotmail®.


IP address: 41.207.211.69
Provider: Cote D`ivoire Telekom
City: Abidjan
Country: Cote D´Ivoire

[Lioness1]

Hotmail
ROM M. ABU USMAN
 15:52

Von:

Usman Abu (usmanabu61@gmail.com)



Gesendet:

Freitag, 26. Oktober 2012 15:52:42

Un:

Diese E-Mail wurde von Microsoft SmartScreen als Junk-E-Mail eingestuft und wird nach zehn Tagen gelöscht.
Als sicher markieren

ROM M. ABU USMAN
PROJETS DE LOI ET GESTIONNAIRE DE CHANGE,
BANK OF AFRICA (B.O.A)
OUAGADOUGOU BURKINA FASO.
EN AFRIQUE DE L'OUEST
 

Cher ami,
 

Permettez-moi de commencer par me présenter, je suis M. ABU USMAN de la Bank Of Africa Burkina faso.
 
Je suis d'écriture vous cette lettre basées sur les derniers développements dans mon ministère que je tiens à porter à votre édification personnelle. (18,5 millions de demandes de transfert de Dollars US).
 
Il s'agit d'une transaction légitime et j'ai accepté de vous offrir 40% de cet argent que mon partenaire étranger après la confirmation du fonds dans votre compte bancaire, si vous êtes intéressé, revenir à moi avec les détails suivants ci-dessous.
 
Nom ............
Pays ..........
Numéro de téléphone ....
Télécopieur ..............
Votre âge .........
Occupation .......
Adresse ..........
Nom de la banque ........
Adresse de la banque .....
Numéro de compte ...
Nom du compte .....
Bancaire swift code ..
 
Dès que je reçois ces données de, je vais vous faire parvenir le formulaire de demande que vous enverrez à la banque.
 
Best Regard
M. ABU USMAN

IP address: 41.138.101.216
Provider: Onatel
City: Ouagadougou
Country: Burkina Faso

Originating Email address: usmanabu61@gmail.com

[Lioness1]

Hotmail
DE M. ABU USMAN

 16:05
Von:

usman abu (usmanabu61@gmail.com)
Gesendet:

Freitag, 26. Oktober 2012 16:05:54



Un:

Diese E-Mail wurde von Microsoft SmartScreen als Junk-E-Mail eingestuft und wird nach zehn Tagen gelöscht.
Als sicher markieren


DE M. ABU USMAN
PROJETS DE LOI ET GESTIONNAIRE DE CHANGE,
BANK OF AFRICA (B.O.A)
OUAGADOUGOU BURKINA FASO.
EN AFRIQUE DE L'OUEST


Cher ami,


Permettez-moi de commencer par me présenter, je suis M. ABU USMAN de la Bank Of Africa Burkina faso.

Je suis d'écriture vous cette lettre basées sur les derniers développements dans mon ministère que je tiens à porter à votre édification personnelle. (18,5 millions de demandes de transfert de Dollars US).

Il s'agit d'une transaction légitime et j'ai accepté de vous offrir 40% de cet argent que mon partenaire étranger après la confirmation du fonds dans votre compte bancaire, si vous êtes intéressé, revenir à moi avec les détails suivants ci-dessous.

Nom ............
Pays ..........
Numéro de téléphone ....
Télécopieur ..............
Votre âge .........
Occupation .......
Adresse ..........
Nom de la banque ........
Adresse de la banque .....
Numéro de compte ...
Nom du compte .....
Bancaire swift code ..

Dès que je reçois ces données de, je vais vous faire parvenir le formulaire de demande que vous enverrez à la banque.

Best Regard
M. ABU USMAN


IP address: 41.138.101.216
Provider: Onatel
City: Ouagadougou
Country: Burkina Faso

Originating Email address: usmanabu61@gmail.com

[Marisa]

got this phishing email on one of my emails that don't even have a PayPal account. Looked at the message source code, and there were no links inside to click, and NO form attached, strange.... maybe mugus forgot, lousy job, or my server automatically deleted an unsafe attachment.

From - Sat Nov 17 14:03:24 2012
X-Account-Key: account6
X-UIDL: UID108-1338965788
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <IdentityTheftProtection@pp.com>
Envelope-to: xxxx
Delivery-date: Sat, 17 Nov 2012 14:05:03 -0500
Received: from cpanel.africa-insites.com ([38.126.9.175]:39739)
by xxxx with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.80)
(envelope-from <IdentityTheftProtection@pp.com>)
id 1TZnhO-0005un-Vg
for xxx; Sat, 17 Nov 2012 14:05:02 -0500
Received: from 216-14-13-114.static-ip.telepacific.net ([216.14.13.114]:19404 helo=User)
by cpanel.africa-insites.com with esmtpa (Exim 4.80)
(envelope-from <IdentityTheftProtection@pp.com>)
id 1TZnhL-0002jj-OJ; Sat, 17 Nov 2012 13:04:59 -0600
Reply-To: <No.Reply@Thank.You>
From: "Identity Theft Protection"<IdentityTheftProtection@pp.com>
Subject: Identity Theft Protection
Date: Sat, 17 Nov 2012 11:04:11 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cpanel.africa-insites.com
X-AntiAbuse: Original Domain - xxxxx <--- that was my domain
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - pp.com
X-Get-Message-Sender-Via: cpanel.africa-insites.com: authenticated_id: test@kasanka.com
X-Source:
X-Source-Args:
X-Source-Dir:


Dear PayPal Customer, --- real PayPal will always address you by name!!

You have added angelina1974@comcast.com as a new email address for your Paypal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your Paypal account.

NOTE: The form needs to be opened in a modern browser which has javascript enabled (ex: Internet Explorer 7, Firefox 3, Safari 3, Opera 9)

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely, PayPal Account Review Department.

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

[Marisa]

WOW, they are determined!!! Recent it AGAIN, this time with the form attached, same headers:


NOTE: Many features on the PayPal Web site require Javascript and cookies. You can enable both via your browser's preference settings.

blah...blah...blah...real PayPal links...

Please complete the form below to update your Profile information and restore your account access.
Personal Information Profile

Email address:
PayPal password:
Full Name:
Mother Maiden Name: (Optional)
Date of Birth:
Social Security Number: -- (US only)

Home Address Profile

Home Phone Number:
Billing Address:
City:
Country:
State: (US only)
Other States:
Zip Code:

Credit/Debit Card Profile

Card Number: ---
Expiration Date:
Card Verification Number: Help finding your Card Verification Number
PIN ATM
Bank Name:
Password 3D Secure Verified By Visa:


Required Field The process normally takes about 30 seconds, but it may take longer during certain times of the day. Please click Submit Profile to update your information.

blah...blah...blah...real PayPal links...

The form action was pointing to: airaltay.ru/fckeditor/.done/.ico.php
some images stored at lavozdeltriunfo.com/shoutpro/images/pixel.gif

[Pandora]

Found this email in my spam folder. I have no idea what it means, never met this guy

Re: proove of your payment transfer to your accout

Below is a proove of your payment transfer to your accout okay, double click on the ico to see the transfer statement okay

prove of your payment.rtf
3103 K

From: Joel williams <jw469426@gmail.com>
No IP since it is gmail


google gives no hits on this email address

[Marisa]

email contains attachment - payment.rtf - with unsafe extension.
there is a virus there (probably, a keylogger), the wording of email is obviously a mugu, so this is a mugu trying to install some crap on your machine.

[FrumpyBB]

IP: 41.71.188.124 Lagos, Nigeria

IP: 74.53.28.130
Hostname: firehawk.websitewelcome.com
ISP: ThePlanet.com Internet Services
Organization: WebsiteWelcome

proxy

..................

From verification@Yahoo.com
Return-Path: <incomet1@firehawk.websitewelcome.com>
To:
Subject: VERIFY THIS EMAIL ADDRESS TO AVOID IMMEDIATE CLOSURE
X-PHP-Script: http://ww" onclick="window.open(this.href);return false; w.incometaxsolutions.co.za/en/captcha/much/dakpada/proc-verify.php for 41.71.188.124
From: <verification@Yahoo.com>
Message-Id: <E1TxYzx-0007fh-S5@firehawk.websitewelcome.com>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - firehawk.websitewelcome.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [8876 32002] / [47 12]
X-AntiAbuse: Sender Address Domain - firehawk.websitewelcome.com
X-BWhitelist: no
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/incomet1/public_html/en/captcha/much/dakpada/proc-verify.php
X-Source-Dir: incometaxsolutions.co.za:/public_html/en/captcha/much/dakpada



VERIFY THIS EMAIL ADDRESS TO AVOID IMMEDIATE CLOSURE


You are advise to verify and re-confirm your Yahoo account, to enable us upgrade your account, Any Yahoo member who fail to respond or upgrade
his or her account will automatically loss the Yahoo account, Response to this urgent mail would enable us upgrade our data system for your security.

Initiated verification of an existing email address, TO VERIFY THAT YOUR ACCOUNT IS VALID AND ACTIVE, SIMPLY CLICK ON THE LINK BELOW.



CLICK HERE TO VERIFY YOUR ACCOUNT NOW


Verifying your email address ensures that you can securely retrieve your account information if your password is lost or stolen. You MUST verify
your email address before you can use Yahoo on services that require an email address.

For your security, please keep your email address information up-to-date. If this information changes, you can always update it by signing
to your Yahoo! account and changing it from the "My Account" option.

If you can't click the sign in button, you can verify your email address by clicking on the hyperlink below




https://edit.Yah" onclick="window.open(this.href);return false; oo.com/commchannel/verify?.intl=us&p=.FZSUVqoMWy3GcPwlpIqfxcXkcHTPXTCdEKOxgMhkgycYk2hDU_RR5SQmWCIZVgG_6nXi2qautvCHEPWLNTnTneNR89bpfSvcE.MsQA.zm3KfPgIOcs-


Warning!!! Any account owner that refuses to update his or her account before three days of receiving this warning will lose his or her account permanently.

Thank you for using Yahoo.

Not your account?"
If the Yahoo! ID sk******************* does not belong to you or if you would like to permanently stop receiving messages for this Yahoo! ID at this email address, please let us know.

Copyright © 2008 Yahoo! Inc. All rights reserved.Copyright/IP Policy | Terms of Service
NOTICE: We collect personal information on this site. To learn more about how we use your information, see our Privacy Policy.

[FrumpyBB]

Dear Account User,

This Email is from Yahoo!® Security Customer Care and we are sending it to
every Yahoo!® Email User Accounts Owner for safety and upgrading.

Click link and log in to Secure and Upgrade your email account now!

click here

Warning!!! Account owner that refuses to update his/her account after one
weeks of receiving this warning may lose his or her account permanently.

Sincerely,

The Yahoo!® Security Team.

From: Yahoo Service-account-us <mike_allen@q.com>
Subject: Yahoo Announcement
X-Originating-IP: [172.190.112.177]
X-Mailer: Zimbra 6.0.8_GA_2685 (ZimbraWebClient - FF3.0 (Win)/6.0.8_GA_2685)

[FrumpyBB]

Yahoo! Mail
Dear Customer,

Your E-mail account has exceeded its limit and needs to be verified, if not verified now to avoid cancellation,

Click to Update

Thanks
Yahoo!


Received: from [41.71.201.46]
From: Yahoo! <babbajiibrahim@yahoo.com>
Reply-To: Yahoo! <babbajiibrahim@yahoo.com>
Subject: Exceeded Email !!!
To: undisclosed recipients: ;

[FrumpyBB]

^^ same text.

Received: from [41.71.201.46]
From: Yahoo! <hscoach@pacbell.net>
Subject: Exceeded Email !!!
To: undisclosed recipients: ;

[FrumpyBB]

Yahoo! Mail
ACCOUNT UPDATE VERIFICATION

Dear Valid Users,

Our records indicate that your account hasn't been updated as a part of our regular account maintenance: Click Here to update your account now. If you do not verify your account now, You serve the risk of losing your account permanently. Thank you for your usual co-operation. We apologize for the inconvenience.

Sincerely,

Yahoo! Mail Product Management.
Copyright © 2013 Mail! Inc. (Co. Reg. No. 2344507D)All Rights
Reserved. Intellectual Property Rights Policy


Received: from [41.138.189.240]
From: 2013 Mail! Inc <teresitanders@yahoo.com>
Subject: Yahoo Final Warning

[FrumpyBB]

PayPal




We routinely review account activity within our network and found an issue with your account that's preventing a payment from being processed.

We need your help to resolve it and realise that you may not be able to respond immediately, so we've acted to protect your account by limiting some features, like sending payments.

This is a temporary measure until the issue's resolved. We apologise for any inconvenience.

What you need do ?

Please download the attached document to confirm that you are the account holder .

Once we've received your information we'll review it.

If the review is successful, we'll email you when the limitation is lifted and your account access restored.
Otherwise, we'll contact you for more information.

Resolution centre
Copyright 2013. All rights reserved

Return-Path: <service@nopaypal.co.uk> => clever, has an own fraudulent "almost paypal" email domain
X-Originating-IP: [95.138.169.22]
Received: from 127.0.0.1 (HELO NOUJOUM) (95.138.169.22)
From: service@paypal.co.uk <service@nopaypal.co.uk>
Subject: We cannot process your payment at this time!
X-Mailer: Spammer 2007

NOT downloaded!

[FrumpyBB]

ACCOUNT UPDATE VERIFICATION

Dear Valid Users,

Our records indicate that your account hasn't been updated as a part of our regular accountmaintenance Click Here to update your account now. If you do not verify your account now, You serve the risk of losing your account permanently. Thank you for your usual co-operation. We apologize for the inconvenience.

Sincerely,

Yahoo! Mail Product Management.
Copyright © 2013 Mail! Inc. (Co. Reg. No. 2344507D)All Rights
Reserved. Intellectual Property Rights Policy


From: "Yahoo! Inc." <martyberson@sbcglobal.net>
Subject: E-mail Exceeded