Sunday 21 August 2011

Gumtree, Paypal and Other Phishing Attempts

I received this email recently, which is obviously an attempt to gain personal information. Funnily enough, the link doesn't actually go anywhere, so pretty pointless!!



Your ad has been flagged for removal

Gumtree.com donotreply@gumtree.com to me





We have flagged your ad, we believe to be in violation of Gumtree guidelines:
fraud - violates Gumtree Terms of Use or other posted guidelines.
spam/overpost - posted too frequently, in multiple cities/categories, or is too commercial




You will need to Verify your identity!


or click on the link bellow:
http://gumtree.com/form.cgi.htm

You won't be charged for your confirmation but if you don't do it your ad will be removed and your ip address will be blocked from Gumtree.

Thanks for using Gumtree and good luck with your ad!

Copyright © 2005-2011 Gumtree.com


----------------------------------------------------------------------------

Today I received a text apparently from Gumtree:

Hello
Gumtree is giving away £500 Argos Gift Cards. Your phone number was elected as winner. Enter www.gumtreegiftcard.com to receive it.
Gumtree Team.


The address goes to a webpage that looks very similar to a Gumtree page. Even the links redirect to the right pages; however, the whois data for the site shows it as being registered in Russia. The page requests personal information. I have reported it to Gumtree and am awaiting their response, but it is definitely another phishing attempt, so please do not be tempted to enter your details.
----------------------------------------------------------------------------


www.gumtreegiftcard.com was taken down very quickly, but I have today received another attempt at a Gumtree phishing scam. Again, the sender displays as Gumtree, which covers the SMS number 4868733. The text reads as follows:
Hello,
Gumtree is giving away £500 Argos Gift Cards. Your phone number was elected as winner. Enter www.gumtreeoffer.com to receive it.
Gumtree Team

Again, a blatant phishing scam - do NOT be tempted to enter any details. A whois check shows Russian registration again - updated today! Registered to Hector Bonam.

Whois details below:
REGISTRY WHOIS FOR GUMTREEOFFER.COM
Domain Name: gumtreeoffer.com
Updated: 6 hours ago

Registrar: REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Status: clientTransferProhibited

Expiration Date: 2012-11-05
Creation Date: 2011-11-05
Last Update Date: 2011-11-05

Name Servers:
ns1.gratisdns.dk
ns2.gratisdns.dk
ns3.gratisdns.dk

Information Updated: Sun, 6 Nov 2011 06:21:28 UTC
GUMTREEOFFER.COM SITE INFORMATION
IP: 92.38.226.4
IP Location: Moscow, Russian Federation
Website Status: active
Server Type: nginx

GUMTREEOFFER.COM WHOIS
Updated: 6 hours ago
% By submitting a query to RU-CENTER's Whois Service
% you agree to abide by the following terms of use:
% http://www.nic.ru/about/servpol.html (in Russian)
% http://www.nic.ru/about/en/servpol.html (in English).

Domain name: GUMTREEOFFER.COM
Name Server: ns1.gratisdns.dk
Name Server: ns2.gratisdns.dk
Name Server: ns3.gratisdns.dk
Creation Date: 2011.11.06

Status: DELEGATED

Registrant ID: HEMLZCB-RU
Registrant Name: Hector Bonam
Registrant Organization: Hector Bonam
Registrant Street1: 56
Registrant City: Limavady
Registrant Postal Code: BT490SW
Registrant Country: GB

Administrative, Technical Contact
Contact ID: HEMLZCB-RU
Contact Name: Hector Bonam
Contact Organization: Hector Bonam
Contact Street1: 56
Contact City: Limavady
Contact Postal Code: BT490SW
Contact Country: GB
Contact Phone: +44 783968486
Contact E-mail: @gmail.com

Registrar: Regional Network Information Center, JSC dba RU-CENTER

Last updated on 2011.11.06 11:21:28 MSK/MSD

Information Updated: Sun, 6 Nov 2011 06:21:29 UTC
----------------------------------------------------------------------------

Latest Gumtree phishing text, exactly as above, but using the web address www.gumtreewinner.com

Hello,
Gumtree is giving away £500 Argos Gift Cards. Your phone number was elected as winner. Enter www.gumtreewinner.com to receive it.
Gumtree Team


Whois record:
Registration Service Provided By: GOSSIMER
Contact: +1.8889024678
Website: http://www.gossimer.com

Domain Name: GUMTREEWINNER.COM

Registrant:
Martel Verstapel
Martel Verstapel ()
23 Essex road
Boda Kyrkby
Ballymoney,BS6 5BU
GB
Tel. +44.743059305

Creation Date: 23-Nov-2011
Expiration Date: 23-Nov-2012

Domain servers in listed order:
ns1.gratisdns.dk
ns2.gratisdns.dk
ns3.gratisdns.dk

Administrative Contact:
Martel Verstapel
Martel Verstapel ()
23 Essex road
Boda Kyrkby
Ballymoney,BS6 5BU
GB
Tel. +44.743059305

Technical Contact:
Martel Verstapel
Martel Verstapel ()
23 Essex road
Boda Kyrkby
Ballymoney,BS6 5BU
GB
Tel. +44.743059305

Billing Contact:
Martel Verstapel
Martel Verstapel ()
23 Essex road
Boda Kyrkby
Ballymoney,BS6 5BU
GB
Tel. +44.743059305

Status:LOCKED
----------------------------------------------------------------------------

This one's really convincing!!

SMS text came from 4636, with the display name INFO. According to Microsoft, as well as requesting information, the website also contains malware that can harvest personal information.

INFO

Dear Customer, for your own security your credit card have been blocked, to unlock please go to:
www.cardprocedure.com and follow the necessary steps.


Whois information:
Registrant:
Domain Discreet
ATTN: cardprocedure.com
Rua Dr. Brito Camara, n 20, 1
Funchal, Madeira 9000-039
PT
Phone: 1-902-7495331
Email:

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com

Domain Name: cardprocedure.com
Created on..............: 2011-12-03
Expires on..............: 2012-12-03

Administrative Contact:
Domain Discreet
ATTN: cardprocedure.com
Rua Dr. Brito Camara, n 20, 1
Funchal, Madeira 9000-039
PT
Phone: 1-902-7495331
Email:

Technical Contact:
Domain Discreet
ATTN: cardprocedure.com
Rua Dr. Brito Camara, n 20, 1
Funchal, Madeira 9000-039
PT
Phone: 1-902-7495331
Email:

DNS Servers:
a.ns.interland.net
b.ns.interland.net
c.ns.interland.net

----------------------------------------------------------------------------

Another one from INFO, this time posing (badly!) as Paypal:

Dear PayPal Customer, for you own security your credit card have been blocked in order to unblock please go to www.paypaluk.co and follow steps.

The would-be scammers are obviously not very clever at HTML, though, as the link actually goes to the genuine Paypal website!

----------------------------------------------------------------------------

Latest INFO SMS:

Dear customer, for you own security your credit card have been blocked. In order to unblock please go to www.security-cc.net and follow steps.

Again, the link doesn't go anywhere and the website is not recognised. It would appear that these are the type of spam SMS texts that are designed to get you to respond, either charging you a premium rate for the reply, or verifying that your number exists to sell on to other spammers who will bombard your phone with the usual PPI, accident compensation claims etc. Whatever you do, just delete them - DO NOT REPLY!

----------------------------------------------------------------------------

Today, I received the following SMS:

Barclays

Barclays Alert: You have one alert regarding your Barclays account.Please click the link bellow to read it: www.barclays.mobi.login-ran.com


Please note the spelling is exactly as per the text!!

------------------------------------------------------------------------------------------------------------
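
As an added example (not part of the original post), here is a small Python triage of the texts quoted above: it flags a host that carries a brand name on a domain the brand does not own, and a domain whose whois creation date falls only days before the message arrived. The official-domain list, the 30-day threshold and the function names are assumptions of this example.

```python
import re
from datetime import date, datetime

# Assumption for this example: the domains each brand really uses.
OFFICIAL = {"gumtree": ["gumtree.com"], "paypal": ["paypal.com"],
            "barclays": ["barclays.co.uk"]}
HOST_RE = re.compile(r"(?:https?://|\b(?=www\.))([a-z0-9.-]+)", re.I)
CREATED_RE = re.compile(r"^\s*(?:Creation Date|Created on)[ .]*:\s*(\S+)", re.I | re.M)
DATE_FORMATS = ("%Y-%m-%d", "%Y.%m.%d", "%d-%b-%Y")  # the three styles in the whois dumps above

def hosts_in(text):
    """Lower-cased hostnames that follow http(s):// or start with www."""
    return [h.lower().rstrip(".") for h in HOST_RE.findall(text)]

def classify(host):
    """'official', 'lookalike' (brand name on another party's domain) or 'no-brand'."""
    for brand, domains in OFFICIAL.items():
        if brand in host:
            ok = any(host == d or host.endswith("." + d) for d in domains)
            return "official" if ok else "lookalike"
    return "no-brand"

def domain_age_days(whois_text, seen):
    """Days from the earliest creation date in a whois record to `seen`, or None."""
    found = []
    for raw in CREATED_RE.findall(whois_text):
        for fmt in DATE_FORMATS:
            try:
                found.append(datetime.strptime(raw, fmt).date())
                break
            except ValueError:
                pass
    return (seen - min(found)).days if found else None

def triage(message, whois_text="", seen=None, max_age_days=30):
    """One (host, verdict, age_days, suspicious) row per host in the message."""
    age = domain_age_days(whois_text, seen) if seen else None
    young = age is not None and age <= max_age_days  # threshold is an assumption
    return [(h, classify(h), age, classify(h) == "lookalike" or young)
            for h in hosts_in(message)]

# Inputs copied from the texts and whois output quoted in this post.
SMS_OFFER = "Your phone number was elected as winner. Enter www.gumtreeoffer.com to receive it."
SMS_BARCLAYS = "Please click the link bellow to read it: www.barclays.mobi.login-ran.com"
WHOIS_OFFER = "Domain Name: gumtreeoffer.com\nCreation Date: 2011-11-05\nCreation Date: 2011.11.06\n"

if __name__ == "__main__":
    print(triage(SMS_OFFER, WHOIS_OFFER, seen=date(2011, 11, 6)))
    print(triage(SMS_BARCLAYS))
```

A verdict of 'official' only describes the host named in the visible text; a host with no brand name in it, such as www.cardprocedure.com, is caught only by the domain-age check, so its whois record has to be supplied.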
