ALERT: 123-Reg fake emails with possible malicious payload

This one looks so much like a genuine 123-Reg email invoice / receipt that it will catch some folks out.

The clues to look for that it is fake...

1. The "Hi" greeting has no name; genuine ones will have your name.

2. The HELO in the headers of the fake email does not show the correct source. Genuine ones come from (HELO api.123-reg.co.uk), not some odd server in Ecuador like in the fake one received here: (HELO 101.191-100-128.etapanet.net)

3. The fake email had a Word doc attached. The genuine ones do not attach Word docs; they use invoice numbered PDF files instead.

4. If any email with an invoice or a receipt is genuine, it will show up in your 123 Reg control panel, so if you are unsure, do not open any attachment (Doc/PDF/other format) but log in to your 123 Reg account. Do not click a link within the email; go direct to https://www.123-reg.co.uk/, log in there and check your Control Panel > Account Management > View all account activity, and you will see any invoices raised on your account listed there.

Quote
Return-Path: <no-reply@123-reg.co.uk>
Delivered-To: <removed>@yobunny.co.uk
Received: (qmail 64053 invoked by uid 1024); 12 May 2015 13:20:29 -0000
Received: from no-reply@123-reg.co.uk by server27.donhost.co.uk by uid 1002 with qmail-scanner-1.22
 ( Clear:RC:0(191.100.128.101):.
 Processed in 11.149532 secs); 12 May 2015 13:20:29 -0000
Received: from unknown (HELO 101.191-100-128.etapanet.net) (191.100.128.101)
  by server27.lb.donhost.co.uk with SMTP; 12 May 2015 13:20:18 -0000
From: no-reply@123-reg.co.uk
To: <removed>@yobunny.co.uk
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1431164593.682CaC3.27141"; charset="us-ascii"
Subject: Copy of your 123-reg invoice ( 123-015309323 )
Message-Id: <20150509094313.C5D902C02E1@api.123-reg.co.uk>
Date: Tue, 12 May 2015 08:20:05 -0500
X-EsetId: 37303A29252362666D7462

--1431164593.682CaC3.27141
Date: Tue, 12 May 2015 08:20:05 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title></title>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
    </head>
    <body>
      <table cellpadding="0" cellspacing="0" width="100%">
        <tbody>
          <tr>
            <td align="center" valign="top">
              <table cellpadding="0" cellspacing="0" style="font-family: Arial,Helvetica,sans-serif; color: rgb(0, 0, 0); font-size: 14px; line-height: 16px; border-collapse: collapse; margin: 0px auto;" width="600">
                <!-- header -->
                <tbody>
                  <tr>
                    <td align="left" height="100" valign="middle">
                      <a href="http://www.123-reg.co.uk/?utm_source=sge&amp;utm_medium=email&amp;utm_campaign=123SGE_Ecommerce"><img alt="123-reg.co.uk" border="0" height="51" src="http://newsletters.123-reg.co.uk/images/logo.gif" width="210" /></a>
                    </td>
                  </tr>
                  <tr>
                    <td height="15" style="background-color: rgb(0, 145, 207);" valign="top">&nbsp;</td>
                  </tr>
                  <tr>
                    <td height="25" valign="top">&nbsp;</td>
                  </tr>
                  <!-- END header --><!-- START content -->
<tr>
  <td>
    <p>Hi,</p>
    <p>
      Thank you for your order.
    </p>
    <p>
      Please find attached to this email a receipt for this payment.
    </p>
    <p>
      <b>Help and support</b>
    </p>
    <p>
      If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.
    </p>
    <p>
      Thank you for choosing 123-reg.
    </p>
    <p>
      The 123-reg team.<br/>
    </p>
    <p>
      <a href="https://www.123-reg.co.uk" style="color: rgb(0, 145, 207); text-decoration: underline;">
        https://www.123-reg.co.uk
      </a>
    </p>
  </td>
</tr>
      <!-- END content --><!-- START footer -->
      <tr>
        <td align="left" style="padding: 20px 0px; border-top: 1px solid rgb(187, 215, 231);" valign="top">
          <span style="font-size: 12px; color: rgb(0, 0, 0);">
            <a href="http://www.123-reg.co.uk/about.shtml?utm_source=sge&amp;utm_medium=email&amp;utm_campaign=123SGE_Ecommerce" style="color: rgb(0, 145, 207); text-decoration: underline;">
              <font color="#0091cf">About us</font>
            </a> | <a href="http://www.123-reg.co.uk/terms/privacy.shtml?utm_source=sge&amp;utm_medium=email&amp;utm_campaign=123SGE_Ecommerce" style="color: rgb(0, 145, 207); text-decoration: underline;">
                <font color="#0091cf">Privacy policy</font>
              </a><br />
              &copy; Copyright <a href="http://www.123-reg.co.uk/?utm_source=sge&amp;utm_medium=email&amp;utm_campaign=123SGE_Ecommerce" style="color: rgb(0, 145, 207); text-decoration: underline;">
                <font color="#0091cf">123-reg</font>
              </a> - Part of Webfusion Ltd<br />
              <br />
              Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.</span></td>
      </tr>
      <!-- END footer -->
  </tbody>
    </table>
        </td>
      </tr>
  </tbody>
    </table>
    <p>
      <br />
      <br />
      &nbsp;</p>
  </body>
</html>

--1431164593.682CaC3.27141
Date: Sat, 9 May 2015 10:43:13 +0100
MIME-Version: 1.0
Content-Type: application/msword; name="123-reg-invoice.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="123-reg-invoice.doc"
 
Cheers, 
Anne, Board Admin
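
The header and body clues listed in the post above can be checked mechanically. The following is an added example, not part of the original post and not 123-Reg's own tooling; the sample message is constructed by trimming the quoted email, and the function name `check_invoice_mail` is hypothetical.

```python
import re
from email import message_from_string

# Constructed sample, trimmed from the message quoted in the post above.
SAMPLE = """\
Return-Path: <no-reply@123-reg.co.uk>
Received: from unknown (HELO 101.191-100-128.etapanet.net) (191.100.128.101)
  by server27.lb.donhost.co.uk with SMTP; 12 May 2015 13:20:18 -0000
From: no-reply@123-reg.co.uk
Subject: Copy of your 123-reg invoice ( 123-015309323 )
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi,</p><p>Thank you for your order.</p></body></html>

--b1
Content-Type: application/msword; name="123-reg-invoice.doc"
Content-Disposition: attachment; filename="123-reg-invoice.doc"

(attachment body omitted)
--b1--
"""

EXPECTED_HELO = "api.123-reg.co.uk"  # HELO the post reports for genuine mail
HELO_RE = re.compile(r"\(HELO ([^)\s]+)\)")  # qmail-style Received line
WORD_EXT = (".doc", ".docx", ".docm")

def check_invoice_mail(raw):
    """Return findings for the three header/body clues listed in the post."""
    msg = message_from_string(raw)
    findings = []
    for received in msg.get_all("Received", []):
        for helo in HELO_RE.findall(received):  # clue 2: wrong source host
            if helo.lower() != EXPECTED_HELO:
                findings.append("unexpected HELO: " + helo)
    for part in msg.walk():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype == "application/msword" or name.endswith(WORD_EXT):
            findings.append("Word attachment: " + name)  # clue 3
        if ctype == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            if re.search(r">\s*Hi\s*,\s*<", html):  # clue 1: no name
                findings.append("greeting has no name")
    return findings
```

The HELO name is whatever the sending host announces, so a matching value alone does not prove a message is genuine; treat a mismatch in the Received line written by your own mail server as the useful signal.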

Re: ALERT: 123-Reg fake emails with possible malicious payload
« Reply #1 on: May 14, 2015, 05:44:49 PM »
Link to alert re this on 123-Reg support page: https://www.123-reg.co.uk/support/system-status/
Cheers, 
Anne, Board Admin

 
