Analysis of the Email header
Analysis of original
ip
Content-Transfer-Encoding: 7bit
X-Originating-IP:
[105.200.97.33]
X-Mailer: Zimbra 7.1.4_GA_2555 (ZimbraWebClient - GC28
(Win)/7.1.4_GA_2555)
Content-Length: 2063
A cisco service is used to analyze the domain reparation and
the black listed activities of the domain
The domain is black listed in the CBL because it's
participating in a botnet. (kelihos spambot)
IP Address 105.200.97.114 is listed in the CBL. It appears
to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-08-15 13:00 GMT (+/- 30
minutes), approximately 5 days, 16 hours, 59 minutes ago.
This IP is infected (or NATting for a computer that is
infected) with the kelihos spambot. In other words, it's participating in a
botnet.
The Kelihos botnet was first discovered around December
2010.[2] Researchers originally suspected having found a new version of either
the Storm or Waledac botnet, due to similarities in the modus operandi and
source code of the bot,[3][4] but analysis of the botnet showed it was instead
a new, 45,000-infected-computer-strong, botnet that was capable of sending an
estimated 4 billion spam messages a day.[5][6] In September 2011[7] Microsoft
took down the botnet in an operation codenamed "Operation b79".[5][8]
At the same time, Microsoft filed civil charges against Dominique Alexander
Piatti, dotFREE Group SRO and 22 John Doe defendants for suspected involvement
in the botnet for issuing 3,700 subdomains that were used by the botnet.[8][9]
These charges were later dropped when Microsoft determined that the named
defendants did not intentionally aid the botnet controllers.[10][11]
In January 2012 a new version of the botnet was discovered,
one sometimes referred to as Kelihos.b or Version 2,[1][6][7] consisting of an
estimated 110,000 infected computers.[1][12] During this same month Microsoft
pressed charges against Russian citizen Andrey Sabelnikov, a former IT security
professional, for being the alleged creator of the Kelihos Botnet
sourcecode.[11][13][14] The second version of the botnet itself was shut down
by it in March 2012 by several privately owned firms by sinkholing it – a
technique which gave the companies control over the botnet while cutting off
the original controllers.[2][15]
Following the shutdown of the second version of the botnet,
a new version surfaced as early as 2 April, though there is some disagreement
between research groups whether the botnet is simply the remnants of the
disabled Version 2 botnet, or a new version altogether.[16][17] This version of
the botnet currently consists of an estimated 70,000 infected computers. The
Kelihos.c version mostly infects computers through Facebook by sending users of
the website malicious download links. Once clicked, a Trojan horse named
Fifesoc is downloaded, which turns the computer into a zombie, which is part of
the botnet.[18]
Analysis of the domain
This enables you to send a mail by manipulating the mail
server if the mail server is configured as a relay.
So the send have manipulate the shaw.ca(Return-Path: <njmedley@shaw.ca>) mail server to hide
his identity and also have the motive to either spread a botnet or it might
just be a scam which he intend to carry out. But by the looks of the origin of
the mail and the originated email address I suspect the intention is to use my
pc as a bot net.
Rebecca Brown <rebecca_brown47@yahoo.com.ph>
: ph stands for Philippine
X-Originating-IP: [105.200.97.33]
21 August 2013
105.200.97.33
ISP: Etisalat Misr
Misr, Al Qahirah (11), Egypt
Lat: 30.05 Lon: 31.25
105.200.97.33
ISP: Etisalat Misr
Misr, Al Qahirah (11), Egypt
Lat: 30.05 Lon: 31.25
I have receive it from njmedley@shaw.ca but the return path have been altered to rebecca_brown47@yahoo.com.p so when i reply the mail will b received by this yahoo account.
Return-Path: <njmedley@shaw.ca>
Reply-To: Rebecca Brown <rebecca_brown47@yahoo.com.ph>
So looking at the facts my conclusion will be this
Dear Friend,
Sir, My name is Eng. Rebecca Brown. I am from a state called Texas in US; I am indeed a single mother. I am a petroleum engineer with Shell Petroleum, US government contracted me few years ago and I was posted from Mexico ocean to Iraq, this is my 5nd year here in Baghdad IRAQ. I am the engineer testing and checking the oil given to the white house by Iraqi government. My signature and reports play a vital role between USA and Iraqi government in the area of crude oil.
Some US diplomats and Iraqi oil minister Abdul Karim Luaibi with some top Iraqi government officials made some crude oil deal worth hundreds of millions of dollars and my role was needed to cover up the deal. I was given a total sum of $10 million dollars the money was moved out of Iraq through Diplomatic means.
This $10 million dollars sealed and locked in a metal Box with codes known to me only was moved out of Iraq because we are not allowed by US government rules to engage in such deal, this is the reason I want you to partnership with me and stand to receive this money on my behalf in your home country. The company that moved the money out of Iraq will transfer the BOX to your desired destination.
Sir, I will offer to you a total sum of 10% of the total amount for receiving the Box and keep with you till my arrival to meet with you to discuss other possible business. You must keep this conversation as TOP SECRET between both of us.
If you accept this proposal I will only needs the followings:-
(1) Full Name
(2)Your current address
(3)Your private telephone number
(4)Your position at work place
(5)Your international passport copy or current driving license
As soon as I get all this information I will process a document and sent to you and I will send a copy to the company introducing you to the company as my only partner and to release the Box to you.
The whole process is simple and risk free but we must maintain low profile and obey rules of confidentiality.
Best Regards
Your friend & partner
Eng. Rebecca Brown
Analysis of the Email
Dear Friend,
Sir, My name is Eng. Rebecca Brown. I am from a state called Texas in US; I am indeed a single mother. I am a petroleum engineer with Shell Petroleum, US government contracted me few years ago and I was posted from Mexico ocean to Iraq, this is my 5nd year here in Baghdad IRAQ. I am the engineer testing and checking the oil given to the white house by Iraqi government. My signature and reports play a vital role between USA and Iraqi government in the area of crude oil.
Some US diplomats and Iraqi oil minister Abdul Karim Luaibi with some top Iraqi government officials made some crude oil deal worth hundreds of millions of dollars and my role was needed to cover up the deal. I was given a total sum of $10 million dollars the money was moved out of Iraq through Diplomatic means.
This $10 million dollars sealed and locked in a metal Box with codes known to me only was moved out of Iraq because we are not allowed by US government rules to engage in such deal, this is the reason I want you to partnership with me and stand to receive this money on my behalf in your home country. The company that moved the money out of Iraq will transfer the BOX to your desired destination.
Sir, I will offer to you a total sum of 10% of the total amount for receiving the Box and keep with you till my arrival to meet with you to discuss other possible business. You must keep this conversation as TOP SECRET between both of us.
If you accept this proposal I will only needs the followings:-
(1) Full Name
(2)Your current address
(3)Your private telephone number
(4)Your position at work place
(5)Your international passport copy or current driving license
As soon as I get all this information I will process a document and sent to you and I will send a copy to the company introducing you to the company as my only partner and to release the Box to you.
The whole process is simple and risk free but we must maintain low profile and obey rules of confidentiality.
Best Regards
Your friend & partner
Eng. Rebecca Brown
Looking at the above highlighted texts,
Use of unusual sentences – I am indeed a single mother
Misspell 5th as 5nd
The suspicious amount of cash been offered
Requesting your sensitive personal data such as copy of your
international passport, driving license also the other highlighted data such as
address and full name.
It’s very easy to identify such a scam by looking at its offering,
grammar and saplings mistakes. Ones you receive such an email think logically,
would anyone in the world offer such cash or valuables for free? Will this be
risk free? At this point itself you should be able to identify the scam. By
looking at the above scam mail, the simple unusual way of expressions and saplings
error clarifies us that the mail was not drafted by an American also the person
who drafted the mail is not a native English speaker. So as the ip address suggested
X-Originating-IP: [105.200.97.33]
21 August 2013
105.200.97.33
ISP: Etisalat Misr
Misr, Al Qahirah (11), Egypt
Lat: 30.05 Lon: 31.25
105.200.97.33
ISP: Etisalat Misr
Misr, Al Qahirah (11), Egypt
Lat: 30.05 Lon: 31.25
There is a possibility this mail is generated from 105.200.97.33
Egypt.
This should be either a scam to collect sensitive data to
use in a fraud such an identity thrift, Credit Card fraud or they might infect
the computer to use it as a botnet to conduct DDOS attacks and just install a key
logger to gather personal details.
This are the most possible attacks by analyzing the behavior
of the scam mail but until I gather further details I cannot pin point the
motive behind this scam mail. Hope this provide the readers an insight to avoid such attacks which are usually coupled with social engineering.
No comments:
Post a Comment