Tag: scam

  • Scam SMS from legitimate Qantas SMS number

    Just received a scam message from what appeared to be Qantas (as the same number had legitimate boarding messages from previous flights). The message read:

    , you’ve won our mystery box this week – please use the link to schedule the delivery. http://www.b7.ai/s/2xl0lc/4uf BBL.

    Following the link with a tool that fetches it (rather than clicking on it) to see where it actually goes results in a chain of redirections and finally a page that asks you to complete a survey first, which requires entering your details.

    WARNING: If it’s really Qantas, they already know who you are. Why do they need any of your details again for the survey? DON’T PARTICIPATE!

    Anyway, here is the log of where it goes, along with the contents of the file it finally downloads.

    Log showing what it does:

    --2018-11-07 11:56:53--  http://www.b7.ai/s/2xl0lc/4uf
    Resolving www.b7.ai (www.b7.ai)... 109.207.77.88
    Connecting to www.b7.ai (www.b7.ai)|109.207.77.88|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://go.batophor.com/ts3089-sms-qantas-au-5 [following]
    --2018-11-07 11:56:54--  http://go.batophor.com/ts3089-sms-qantas-au-5
    Resolving go.batophor.com (go.batophor.com)... 198.13.62.193
    Connecting to go.batophor.com (go.batophor.com)|198.13.62.193|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://go.batophor.com/ts3089-sms-qantas-revs-au [following]
    --2018-11-07 11:56:54--  http://go.batophor.com/ts3089-sms-qantas-revs-au
    Connecting to go.batophor.com (go.batophor.com)|198.13.62.193|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://x.newsmouse.club/go/f65a8fd5-383d-47dc-8ed0-59450453dbb5?cpv=&clickid=1541554015.53-153741405-24909&camp=XX684&keyword=ts3089-sms-qantas-revs-au&category=&systarget=ts3089-sms-qantas-revs-au&sid=153741405&cid=&geo=AU&source=HT-EC [following]
    --2018-11-07 11:56:55--  https://x.newsmouse.club/go/f65a8fd5-383d-47dc-8ed0-59450453dbb5?cpv=&clickid=1541554015.53-153741405-24909&camp=XX684&keyword=ts3089-sms-qantas-revs-au&category=&systarget=ts3089-sms-qantas-revs-au&sid=153741405&cid=&geo=AU&source=HT-EC
    Resolving x.newsmouse.club (x.newsmouse.club)... 104.27.166.1, 104.27.167.1, 2606:4700:30::681b:a601, ...
    Connecting to x.newsmouse.club (x.newsmouse.club)|104.27.166.1|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://talongo.com/go/run-gojs.php?url=https://talongo.com/in-v8-au-bem-go.php&tracker=x.newsmouse.club&keyword=ts3089-sms-qantas-revs-au&region=&carrier=%7Bcarrier%7D&model=%7Bmodel%7D&brand=%7Bbrand%7D&camp=XX684&cc=au&wid=genx01-au&sound=silent&xid=eyJ0aW1lc3RhbXAiOiIxNTQxNTU0MDE3IiwiaGFzaCI6IjdlMzVmY2IzM2NkNDVkMDY1OTMyZGViMTBhOTEzN2NjMjE5ZmU1NmQifQ%3D%3D&bemobdata=c%3Df65a8fd5-383d-47dc-8ed0-59450453dbb5..f%3D14fde457-a775-4548-b5e1-bd449e0afc95..a%3D0..b%3D0..e%3D1541554015.53-153741405-24909..c1%3DXX684..c2%3Dts3089-sms-qantas-revs-au..c4%3Dts3089-sms-qantas-revs-au..c5%3D153741405..c7%3DAU..c8%3DHT-EC..c10%3Dx.newsmouse.club [following]
    --2018-11-07 11:56:57--  https://talongo.com/go/run-gojs.php?url=https://talongo.com/in-v8-au-bem-go.php&tracker=x.newsmouse.club&keyword=ts3089-sms-qantas-revs-au&region=&carrier=%7Bcarrier%7D&model=%7Bmodel%7D&brand=%7Bbrand%7D&camp=XX684&cc=au&wid=genx01-au&sound=silent&xid=eyJ0aW1lc3RhbXAiOiIxNTQxNTU0MDE3IiwiaGFzaCI6IjdlMzVmY2IzM2NkNDVkMDY1OTMyZGViMTBhOTEzN2NjMjE5ZmU1NmQifQ%3D%3D&bemobdata=c%3Df65a8fd5-383d-47dc-8ed0-59450453dbb5..f%3D14fde457-a775-4548-b5e1-bd449e0afc95..a%3D0..b%3D0..e%3D1541554015.53-153741405-24909..c1%3DXX684..c2%3Dts3089-sms-qantas-revs-au..c4%3Dts3089-sms-qantas-revs-au..c5%3D153741405..c7%3DAU..c8%3DHT-EC..c10%3Dx.newsmouse.club
    Resolving talongo.com (talongo.com)... 104.24.119.246, 104.24.118.246, 2606:4700:30::6818:76f6, ...
    Connecting to talongo.com (talongo.com)|104.24.119.246|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: ‘4uf’
    
    4uf                     [ <=>                ]   1.13K  --.-KB/s    in 0s     
    
    2018-11-07 11:56:58 (3.94 MB/s) - ‘4uf’ saved [1154]

    Contents of the file ‘4uf’:

    <head>
    <script type='text/javascript'>
    function forward(){
    window.location.replace('https://talongo.com/in-v8-au-bem-go.php?eps=8mgsTi6ekAuQ70TL7yZEd7dc6BxvuGCISTUX9vp0%2BqX2PSdhDuk4koSXd%2FHX4h9luAH%2BvvaKHmwAE1Je2%2BxWrB4ors1vKP%2F95MZhdgsQDvbSFG66C8%2BQgi27V76YW9qZbrcRJHgb1ywOhR1A2xU%2F5%2FxzYIni7EqFJ7eW0Pbe22TEpCPCIysOhDz8d3u4dUpDIQpCJ%2FSJX%2FmKCQJJ0lbyhgzix%2FpHXzYcRlwx9AaWOmAX1hv1XRYRoce5288Kh9kfjY5THMCexvncqYNGiABXNcrPEPvJtivFrhm956MBGwMQro%2B905SGjRkNfmR42QfnoTVp9SrqHQUm2%2BLnMR9llKivTAVbyVMdi9QLBw18fHrK5IRSRKDsyftDZWCVuCypqxbtTL0lmB3XEquKarGGU28qW%2F36boQu7T2EJg0XEJ9EsG%2FwCqJ2t0GPPljsuv4RFDIqVsiNvrHSZ08m9DWUg4oH4n2%2FTTVcteEXd0BgZkyB3S06Y%2FoIzrEj6CG4%2FhwZkWX7nNoTtZjTSjyqHQx2uSoW6fyzD8g2%2BGWqLJRxRhBVC2qRtPfy8NoCd2LhxwG6%2B2W6PTaPsqJxmWGMsCGfv5%2BowXbez9f%2Bca4f4q6tbNhb2nNvJltUmC%2FFGeaf1JcLPJGT0T12c1dkMYoyAISIxBo%2FFj0NRcqA6o9r0mZEFsPUPTurWW7bYyCtvuuvGzJZN2YEq2fO7IhmMmgITNdz%2FARKd16N3puAGmUXLCWSnb%2BWdESTpcdd6h0eBz6ARPBcH3m9QYYfOZVoyBiXwVQQtOzxCtxVmD1igyChXOR2SU%2B3IybUx0sU6UYdcl7ONYBKgRGUeBJTEPKwuJYSKqrOQM3S%2FVBFgs%2F6CEyRNCDBojM9olfSjn6dYqlNfMYGHSBd');
    }
    </script>
    </head>
    <body onload='setTimeout(forward, 0);'>
    </body>
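As an added example (not part of the original post), here is a small Python script that turns a wget transcript like the one above into a list of hops and pulls the client-side redirect target out of the final HTML, so the whole chain of domains is visible without a browser ever loading the page. The log and HTML embedded below are excerpts of the ones in the post with the long tracking query strings trimmed; the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the wget transcript quoted in the post, with the long tracking
# query strings trimmed (constructed sample; the real hops carry far more parameters).
SAMPLE_LOG = """\
--2018-11-07 11:56:53--  http://www.b7.ai/s/2xl0lc/4uf
Resolving www.b7.ai (www.b7.ai)... 109.207.77.88
Connecting to www.b7.ai (www.b7.ai)|109.207.77.88|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://go.batophor.com/ts3089-sms-qantas-au-5 [following]
--2018-11-07 11:56:54--  http://go.batophor.com/ts3089-sms-qantas-au-5
Resolving go.batophor.com (go.batophor.com)... 198.13.62.193
Connecting to go.batophor.com (go.batophor.com)|198.13.62.193|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://go.batophor.com/ts3089-sms-qantas-revs-au [following]
--2018-11-07 11:56:54--  http://go.batophor.com/ts3089-sms-qantas-revs-au
Connecting to go.batophor.com (go.batophor.com)|198.13.62.193|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://x.newsmouse.club/go/f65a8fd5-383d-47dc-8ed0-59450453dbb5?geo=AU [following]
--2018-11-07 11:56:55--  https://x.newsmouse.club/go/f65a8fd5-383d-47dc-8ed0-59450453dbb5?geo=AU
Resolving x.newsmouse.club (x.newsmouse.club)... 104.27.166.1, 104.27.167.1, 2606:4700:30::681b:a601, ...
Connecting to x.newsmouse.club (x.newsmouse.club)|104.27.166.1|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://talongo.com/go/run-gojs.php?url=https://talongo.com/in-v8-au-bem-go.php&cc=au [following]
--2018-11-07 11:56:57--  https://talongo.com/go/run-gojs.php?url=https://talongo.com/in-v8-au-bem-go.php&cc=au
Resolving talongo.com (talongo.com)... 104.24.119.246, 104.24.118.246, 2606:4700:30::6818:76f6, ...
Connecting to talongo.com (talongo.com)|104.24.119.246|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
"""

# The downloaded landing page, with the opaque 'eps' blob trimmed (constructed sample).
SAMPLE_HTML = """\
<head>
<script type='text/javascript'>
function forward(){
window.location.replace('https://talongo.com/in-v8-au-bem-go.php?eps=OPAQUE_BLOB_TRIMMED');
}
</script>
</head>
<body onload='setTimeout(forward, 0);'>
</body>
"""

HOP_RE = re.compile(r"^--\S+ \S+--\s+(\S+)$")                       # "--date time--  URL"
CONNECT_RE = re.compile(r"^Connecting to .*\|([^|]+)\|:(\d+)\.\.\.")  # "...|ip|:port..."
STATUS_RE = re.compile(r"^HTTP request sent, awaiting response\.\.\. (\d{3})")
LOCATION_RE = re.compile(r"^Location: (\S+)")
# JS redirects: window.location.replace('..'), location.assign('..'), location.href = '..'
JS_REDIRECT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*(?:\.replace\s*\(|\.assign\s*\(|=)\s*['"]([^'"]+)['"]""")
META_REFRESH_RE = re.compile(
    r"""<meta[^>]+http-equiv=['"]?refresh['"]?[^>]*url=([^'">\s]+)""", re.I)


def parse_wget_hops(log):
    """Group a wget transcript into one record per request (URL, host, IP, status, Location)."""
    hops = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HOP_RE.match(line)
        if m:
            url = m.group(1)
            hops.append({"url": url, "host": urlsplit(url).hostname, "ip": None,
                         "port": None, "status": None, "location": None})
            continue
        if not hops:
            continue  # preamble before the first request line
        cur = hops[-1]
        if m := CONNECT_RE.match(line):
            cur["ip"], cur["port"] = m.group(1), int(m.group(2))
        elif m := STATUS_RE.match(line):
            cur["status"] = int(m.group(1))
        elif m := LOCATION_RE.match(line):
            cur["location"] = m.group(1)
    return hops


def extract_client_redirect(html):
    """Return the URL a page forwards to via JavaScript or <meta refresh>, if any."""
    for rx in (JS_REDIRECT_RE, META_REFRESH_RE):
        m = rx.search(html)
        if m:
            return m.group(1)
    return None


def chain_summary(log, final_html):
    """Ordered list of distinct hosts touched, including the post-load JS hop."""
    hops = parse_wget_hops(log)
    hosts = []
    for h in hops:
        if h["host"] not in hosts:
            hosts.append(h["host"])
    client_hop = extract_client_redirect(final_html)
    if client_hop and (host := urlsplit(client_hop).hostname) not in hosts:
        hosts.append(host)
    return {"http_hops": len(hops), "hosts": hosts,
            "final_status": hops[-1]["status"] if hops else None,
            "client_redirect": client_hop}


if __name__ == "__main__":
    for i, hop in enumerate(parse_wget_hops(SAMPLE_LOG), 1):
        print(f"{i}. {hop['host']} ({hop['ip']}) -> {hop['status']} {hop['location'] or ''}")
    print(chain_summary(SAMPLE_LOG, SAMPLE_HTML))
```

The point of the summary is the host list: a single SMS link walks through four unrelated domains before the survey page, and the last hop only happens after the page has loaded, so a fetcher that stops at the HTTP 200 misses it. Fetch the real thing from an isolated VM with JavaScript off, as the post did, and feed the transcript to this rather than opening the link in a phone browser.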

  • robertwarner1965@gmail.com – Gumtree / Paypal buyer scam

    We’re selling our Ford Focus on Gumtree and got an SMS which we replied to as requested.

    NOTE: We didn’t check the phone number the SMS came from at the time. It was +16786617688, obviously not an Australian phone number, which for anyone reading this is the first hint that a scammer is about to try them.

    SMS Message from +16786617688:

    Is the car still available for sale and whats your final price email me robertwarner1965@gmail.com my battery is flat so we can talk better  – Sent from iPhone4

    So we sent the reply via email:

    On Thu, Mar 15, 2012 at 1:27 PM, name_removed <mailto:address_removed> wrote:

    Hi Robert, just organising some pics for you

    Received:

    From: Robert Warner [mailto:robertwarner1965@gmail.com] Sent: Thursday, 15 March 2012 3:58 PM To: Name_Removed Subject: Re: ford focus

    May i know your asking price please?

    Sent:

    On Thu, Mar 15, 2012 at 1:33 PM, name_removed <mailto:address_removed> wrote:

    As advertised at $7000  , if you wish to negotiate would like it to be done in person

    and received:

    From: Robert Warner [mailto:robertwarner1965@gmail.com]
    Sent: Thursday, 15 March 2012 4:14 PM
    To: name_removed
    Subject:Re: ford focus
    Thank you for the message, i will take it for that amount since i am interested in the purchase for my daughter who just moved to Malaysia where this is needed and due to my inability to walk i will be making use of a shipping company to have this picked up from you and have it delivered to her. Further arrangements will be made with you in regards to the pick up once i have paid you.
    I would appreciate if you email me with more pictures (if available) too since i won’t be be able to see this in person, what’s the Paypal email to send funds to in order for me to pay you.

    Anyway:

    If you’re wondering, no, we stopped responding to Robert at this point, as it became very obvious very quickly that it’s a scam. But we did want to post it online so that when someone googles Robert’s email, or any part of it, hopefully they will see that Robert does this a lot. Well, I say Robert; we all know he’s not using his real name.
    Summary of the scammer’s details:

    The phone number comes up at http://cidlookup.com/lookup/6786617688/ with the following:

    • CIDLookup for 678-661-7688
    • Current Telephone Company: Bandwidth.com Wireless – Syniverse
    • Original Telephone Company: Charter Fiberlink “Georgia Llc“ Ga
    • Original Telephone Company Type: Competitive Local Exchange Carrier (CLEC)
    • Estimated City: Bogart
    • Estimated Region: Georgia
    • Estimated Postal Code: 30622
    • Equipment Location Code: ATHNGAIJCM1

    Another scammer email, mi.richie540@gmail.com, from the same number.

    We received a few messages from the same phone number, just with different email addresses but the same text.

    For those interested in learning what sort of thing happens next (i.e. you send him the PayPal email), one of a few things happens, but the most common can be read about at http://forums.whirlpool.net.au/forum-replies.cfm?t=1845478 or http://www.christianbiggins.com/2010/04/very-poor-scam-attempt.html.
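Added example, not from the post: a Python heuristic that does what the post recommends by hand, i.e. checks the sender’s country calling code against the country the car is listed in, and scores the message for the patterns in the exchange above (moving the conversation to email, an excuse for not calling or meeting, a shipping company collecting the car, a request for a PayPal address, payment before any inspection). The calling-code table is a deliberately small constructed one, the "genuine" control reply and its +61 number are constructed, and the scam texts are the ones quoted in the post.

```python
import re

# Constructed, deliberately small table of country calling codes; a real deployment
# would use the full ITU E.164 list (for example via the `phonenumbers` library).
CALLING_CODES = {"61": "AU", "1": "US/CA", "44": "GB", "60": "MY", "234": "NG"}

# Scam texts quoted in the post (the SMS and the follow-up email).
SMS_TEXT = ("Is the car still available for sale and whats your final price email me "
            "robertwarner1965@gmail.com my battery is flat so we can talk better - Sent from iPhone4")
EMAIL_TEXT = ("Thank you for the message, i will take it for that amount since i am interested in the "
              "purchase for my daughter who just moved to Malaysia where this is needed and due to my "
              "inability to walk i will be making use of a shipping company to have this picked up from "
              "you and have it delivered to her. Further arrangements will be made with you in regards "
              "to the pick up once i have paid you. I would appreciate if you email me with more pictures "
              "(if available) too since i won’t be be able to see this in person, what’s the Paypal email "
              "to send funds to in order for me to pay you.")
# Constructed control message from a local buyer.
GENUINE_TEXT = "Hi, is the Focus still available? Happy to come and have a look on Saturday."

# Each indicator: a human-readable reason and the pattern that triggers it.
INDICATORS = [
    ("moves the conversation to email", re.compile(r"\bemail me\b", re.I)),
    ("excuse for not calling or meeting",
     re.compile(r"battery is flat|inability to walk|be able to see this in person", re.I)),
    ("third party will collect the item", re.compile(r"shipping company|courier|\bagent\b", re.I)),
    ("asks for a PayPal address", re.compile(r"paypal", re.I)),
    ("offers to pay before any inspection",
     re.compile(r"once i have paid you|send funds|i will take it for that amount", re.I)),
]


def sender_country(number):
    """Country for an E.164 number such as +16786617688, None if not in international
    format, 'unknown' if the calling code is not in the table."""
    digits = re.sub(r"[^\d+]", "", number or "")
    if not digits.startswith("+"):
        return None
    digits = digits[1:]
    for width in (3, 2, 1):  # calling codes are 1 to 3 digits; longest match first
        if digits[:width] in CALLING_CODES:
            return CALLING_CODES[digits[:width]]
    return "unknown"


def assess(sender, listing_country, text):
    """Score one inbound message; each reason is one point, two or more is 'likely scam'."""
    reasons = []
    country = sender_country(sender)
    if country is not None and country != listing_country:
        reasons.append(f"sender number is {country}, listing is {listing_country}")
    for label, rx in INDICATORS:
        if rx.search(text):
            reasons.append(label)
    return {"score": len(reasons), "reasons": reasons,
            "verdict": "likely scam" if len(reasons) >= 2 else "no red flags"}


if __name__ == "__main__":
    for who, sender, text in (("SMS", "+16786617688", SMS_TEXT),
                              ("email", None, EMAIL_TEXT),
                              ("control", "+61412345678", GENUINE_TEXT)):
        r = assess(sender, "AU", text)
        print(f"{who}: {r['verdict']} ({r['score']}) {r['reasons']}")
```

The country check alone flags the SMS before a single word of it is read, which is the post’s point; the keyword rules only confirm it and catch the email, where there is no phone number to check. The thresholds and patterns are illustrative and will need tuning for any real inbox.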