Re: [mailop] spearphishing

2020-08-11 Thread Marc Ballarin via mailop

Hi,

please report issues like this to the abuse contact given in WHOIS, i.e. 
ab...@1and1.com. Please always include complete headers or the complete 
mail as an attachment and clearly mention that this is phishing.


You could also report this to Oracle's cloud abuse contact for the URL.

perfora.net is part of our large, shared mail system for US customers. 
This mail was sent through a compromised mailbox that has now been locked.


Regards,
Marc

On 10.08.2020 at 20:11, Eric Henson via mailop wrote:
Slightly sanitized headers: https://pastebin.com/w2JJj8TJ

Email pretends to be a Microsoft voicemail, with an attachment that uses 
javascript to open a URLEncoded page.

Image of page for the more cautious: https://imgur.com/WOpva4Q

broken hyperlink for the more adventurous:

ttps://objectstorage.us-sanjose-1.oraclecloud.com/n/axcdfbfimho2/b/bucket-dreamland20200806-0427/o/index.html#u...@example.com

You can edit the email address at the end to be whatever you like.

Microsoft has started putting the emails in the “Junk” folder, but 
Barracuda just lets them right on through. I’m opening a case with 
Barracuda as to why they can’t catch this, but I’m open to suggestions 
on other activities I can do.


I’ve seen about a dozen of these, targeting 3 finance-related employees. 
All are routed through perfora.net, which apparently has an open relay? 
Anyone know anything about that domain? I’m putting in a rule to block 
anything that has perfora.net in the header.

Eric Henson
Windows Server Team Manager
PFSweb, Inc.
m: 972.948.3424
www.pfsweb.com

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop



--
Marc Ballarin

Senior Anti-Abuse Software Engineer
Hosting Security

1&1 IONOS Service GmbH | Brauerstraße 50 | 76135 Karlsruhe | Germany

Headquarters Montabaur, Montabaur District Court, HRB 20141

Managing Directors: Michael Fromm, Christoph Steger


Member of United Internet



Re: [mailop] spearphishing

2020-08-10 Thread Suresh Ramasubramanian via mailop
Perfora is the mail platform for 1&1 - probably the largest webhost in Europe

They appear to provide outbound mail relays for their hosted servers instead of 
allowing all of them to send directly over smtp

--srs

From: mailop  on behalf of Eric Henson via mailop 

Sent: Monday, August 10, 2020 11:41:26 PM
To: mailop@mailop.org 
Subject: [mailop] spearphishing


Slightly sanitized headers: https://pastebin.com/w2JJj8TJ

Email pretends to be a Microsoft voicemail, with an attachment that uses 
javascript to open a URLEncoded page.

Image of page for the more cautious: https://imgur.com/WOpva4Q

broken hyperlink for the more adventurous:

ttps://objectstorage.us-sanjose-1.oraclecloud.com/n/axcdfbfimho2/b/bucket-dreamland20200806-0427/o/index.html#u...@example.com

You can edit the email address at the end to be whatever you like.

Microsoft has started putting the emails in the “Junk” folder, but Barracuda 
just lets them right on through. I’m opening a case with Barracuda as to why 
they can’t catch this, but I’m open to suggestions on other activities I can do.

I’ve seen about a dozen of these, targeting 3 finance-related employees. All 
are routed through perfora.net, which apparently has an open relay? Anyone know 
anything about that domain? I’m putting in a rule to block anything that has 
perfora.net in the header.

Eric Henson

Windows Server Team Manager

PFSweb, Inc.

m: 972.948.3424

www.pfsweb.com




[mailop] spearphishing

2020-08-10 Thread Eric Henson via mailop
Slightly sanitized headers: https://pastebin.com/w2JJj8TJ

Email pretends to be a Microsoft voicemail, with an attachment that uses 
javascript to open a URLEncoded page.

Image of page for the more cautious: https://imgur.com/WOpva4Q

broken hyperlink for the more adventurous:
ttps://objectstorage.us-sanjose-1.oraclecloud.com/n/axcdfbfimho2/b/bucket-dreamland20200806-0427/o/index.html#u...@example.com

You can edit the email address at the end to be whatever you like.

Microsoft has started putting the emails in the "Junk" folder, but Barracuda 
just lets them right on through. I'm opening a case with Barracuda as to why 
they can't catch this, but I'm open to suggestions on other activities I can do.

I've seen about a dozen of these, targeting 3 finance-related employees. All 
are routed through perfora.net, which apparently has an open relay? Anyone know 
anything about that domain? I'm putting in a rule to block anything that has 
perfora.net in the header.

Eric Henson
Windows Server Team Manager
PFSweb, Inc.
m: 972.948.3424
www.pfsweb.com

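As an added example that is not part of this thread, a small Python triage script from the defender's side: it parses a constructed message shaped like the one described above (the hosts, addresses, `SAMPLE_EML` and the helper names `relay_hosts`, `suspicious_attachments` and `analyze` are all made up here), lists the Received: hops so a report to the abuse contact can quote the full chain, and surfaces the URL and address hidden inside a URL-encoded HTML attachment. It flags mail that came through a named shared relay rather than blocking it, since the replies note that perfora.net fronts a large shared platform.

```python
import re
from email import message_from_bytes, policy
from urllib.parse import unquote

# Constructed sample (not the thread's real headers or attachment): a "voicemail"
# lure whose HTML attachment unpacks a URL-encoded page, sent via a shared relay.
SAMPLE_EML = b"""Received: from mout.perfora.net (mout.perfora.net [192.0.2.10])
\tby mx.example.com with ESMTPS; Mon, 10 Aug 2020 10:00:00 -0500
Received: from [192.0.2.99] by mrelay.perfora.net; Mon, 10 Aug 2020 09:59:00 -0500
From: Voicemail <user@example.net>
To: finance@example.com
Subject: New voicemail message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="voicemail.html"
Content-Disposition: attachment; filename="voicemail.html"

<script>document.write(unescape('%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttps%3A%2F%2Fexample.invalid%2Findex.html%23victim%40example.com%22%3E'))</script>
--b1--
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
ADDR_IN_FRAGMENT_RE = re.compile(r"#([^\s'\"<>#]+@[^\s'\"<>#]+)$")

def relay_hosts(msg):
    """Every 'from' and 'by' host in the Received: chain, outermost first."""
    return [h for rcvd in msg.get_all("Received", [])
            for h in re.findall(r"\b(?:from|by)\s+([\w.\-\[\]]+)", rcvd)]

def suspicious_attachments(msg):
    """HTML attachments whose URL-decoded body reveals URLs absent from the raw text."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".htm", ".html")):
            continue
        body = part.get_content()  # str for text/html parts
        hidden = [u for u in URL_RE.findall(unquote(body)) if u not in body]
        addrs = [m.group(1) for u in hidden if (m := ADDR_IN_FRAGMENT_RE.search(u))]
        findings.append({"name": name, "hidden_urls": hidden, "fragment_addresses": addrs})
    return findings

def analyze(raw, relay_domain):
    """Flag, rather than block, mail relayed via relay_domain that carries such an attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    via = any(h == relay_domain or h.endswith("." + relay_domain) for h in relay_hosts(msg))
    return {"via_relay": via, "attachments": suspicious_attachments(msg)}
```

Feed it the full original message as bytes; the `hidden_urls` output is also what to paste into the abuse report for the hosting bucket.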