Coffee First Thing 112 Posted February 3, 2014

I received a phishing attempt today that purported to be from Evernote. The subject line of the email was "Image has been corrupted" along with part of my name in the subject line. The scam came from "Evernote Share." The body of the email read in part, "Image has been corrupted. DSC_76284927.jpg 884 Kbytes." I've attached a screen shot of this email. The email contained two clickable links.

Level 5* GrumpyMonkey 4,320 Posted February 3, 2014

> I received a phishing attempt today that purported to be from Evernote. The subject line of the email was "Image has been corrupted" along with part of my name in the subject line. The scam came from "Evernote Share." The body of the email read in part, "Image has been corrupted. DSC_76284927.jpg 884 Kbytes." I've attached a screen shot of this email. The email contained two clickable links.
>
> Evernote Phishing.jpg

Thanks for reporting this. I've flagged it for the staff. We all need to take care with phishing scams -- don't click on links in emails. Go to the site directly from your browser. As for the content of the email, I've never heard of Evernote sending a message like this to any user.

gbarry 2,659 Posted February 4, 2014

Thanks--we’re aware of this spam campaign, and it definitely isn’t from Evernote.

JohnnyGeek 0 Posted February 5, 2014

I got it too - pretty clearly spam as soon as I opened it, mainly because the address it was sent to isn't connected to my Evernote account, but also because it's just REALLY obviously fake. In any case, here's the full source of the phishing bait in question, if it helps your geeks chase down, castrate, and exsanguinate the responsible parties.

X-Antivirus: avast! (VPS 14020400)
X-Antivirus-Status: Clean
Return-path: <headen@ecredit.com>
Received: from nk11p00mm-smtpin005.mac.com ([17.158.164.134]) by ms01573.mac.com (Oracle Communications Messaging Server 7u4-27.08(7.0.4.27.7) 64bit (built Aug 22 2013)) with ESMTP id <0N0H00EIARGTVL40@ms01573.mac.com> for (REDACTED)@mac.com; Tue, 04 Feb 2014 21:53:17 +0000 (GMT)
Original-recipient: rfc822;(REDACTED)@mac.com
Received: from 216-241-32-215.static.forethought.net ([216.241.32.215]) by nk11p00mm-smtpin005.mac.com (Oracle Communications Messaging Server 7u4-27.08(7.0.4.27.7) 64bit (built Aug 22 2013)) with SMTP id <0N0H006E9RGSHVH0@nk11p00mm-smtpin005.mac.com> for (REDACTED)@mac.com (ORCPT (REDACTED)@mac.com); Tue, 04 Feb 2014 21:53:17 +0000 (GMT)
Received-SPF: none (nk11p00mm-spfmilter010.mac.com: headen@ecredit.com does not designate permitted sender hosts) receiver=nk11p00mm-spfmilter010.mac.com; client-ip=216.241.32.215; helo=216-241-32-215.static.forethought.net; envelope-from=headen@ecredit.com; x-software=spfmilter 0.97 http://www.acme.com/software/spfmilter/ with libspf-unknown;
Date: Tue, 04 Feb 2014 14:53:17 +0000
To: "(REDACTED)@mac.com" <(REDACTED)@mac.com>
From: EvernoteCloud <headen@ecredit.com>
Subject: (REDACTED) Image has been corrupted
X-Priority: 1
Message-id: <31e5a878.daae382abeab5b9cdc9fd19@ecredit.com>
MIME-version: 1.0
Content-type: text/html; charset=utf-8
Content-transfer-encoding: 7bit
Authentication-results: nk11p00mm-smtpin005.mac.com; dkim=none reason="no signature"; dkim-adsp=none
x-icloud-spam-score: 30022 f=ecredit.com;e=ecredit.com;pp=ham;spf=?;dkim=?;wl=absent;pwl=absent
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87,1.0.14,0.0.0000 definitions=2014-02-04_06:2014-02-04,2014-02-04,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=7 spamscore=7 suspectscore=66 phishscore=1 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1308280000 definitions=main-1402040125

<html>
<head> <title></title> </head>
<body>
<div style="padding:17px;color:#222222;font-family:arial;font-size:14px;width:620px"><br>(REDACTED)<br><br><b>Image has been corrupted.</b> <br> <br><a href="http://178.254.8.46/swahili.php" style="color:#3a7eee">DCIM_5886.jpg</a><br>33 Kbytes<br> <br> <br>
<a href="http://178.254.8.46/swahili.php" style="border-radius:24px;-webkit-border-radius:24px;-moz-border-radius:24px;border:solid 1px #3a7eee;background:#3a7eee;padding:10px 30px;text-decoration:none;color:#ffffff;font-family:arial;font-size:14px">Go to Evernote</a><br> <br> </div>
<div style="padding:17px;color:#888888;font-family:arial;font-size:11px"> © 2014 Evernote. Privacy policy provides our policies and procedures for collecting, using, and disclosing your information.<br> Users can access the Evernote service (the "Service") through our website, applications on Devices, through APIs, and through third-parties.<br> A "Device" is any computer used to access the Evernote Service, including without limitation a desktop, laptop, mobile phone, tablet, or other<br> consumer electronic device. </div>
</body></html>

swhansen 0 Posted February 17, 2014

I received a pretty poor phishing attempt today from "Evernote service" (note the poor capitalization) with a stolen Yahoo email as the sender. Two links, one to an image and another to "Go TO Evernote". The only thing interesting is it showed up about an hour after I emailed a link from my tablet. Here is the HTML of the email body:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><META http-equiv=Content-Type content="text/html; charset=iso-8859-1"><STYLE></STYLE></HEAD>
<BODY>Image has been sent sw_hansen . <br><br>
<a href="http://ateslihikayeler.org/1.html">DSC_990341.jpg</a> 29 Kbytes<br><br>
<a href="http://ateslihikayeler.org/1.html">Go To Evernote </a><br>
Copyright 2014 Evernote Corporation. All rights reserved<br></BODY></HTML>

and the header......

Return-Path: <brahmas82@yahoo.com>
Delivered-To:MYEMAILADDRESS.org
Received: from smtp14.gate.ord1b (smtp14.gate.ord1b.rsapps.net [10.130.68.14])
    by store91a.mail.ord1b (SMTP Server) with ESMTP id B6281258116
    for <MYEMAILADDRESS.org>; Mon, 17 Feb 2014 11:09:01 -0500 (EST)
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2904-c
X-CMAE-Scan-Result: 0
X-CNFS-Analysis: v=2.1 cv=H8rinYoi c=1 sm=0 tr=0 a=lseV5MUcN8s4nmTkdXqXZw==:117 a=lseV5MUcN8s4nmTkdXqXZw==:17 a=f8_S3n9t2uQA:10 a=19JV7Xr7ILwA:10 a=CjxXgO3LAAAA:8 a=5_leKWkFAAAA:8 a=pGLkceISAAAA:8 a=jwirVGO0AAAA:8 a=xRfjoxBpAAAA:8 a=4_ptEIX1mLIA:10 a=x_wmQmMSP1xzT1wtyFkA:9 a=wPNLvfGTeEIA:10 a=7p0oKJhOEDUA:10 a=A6EXbJRr-uEA:10 a=fuIoJ7JRAAAA:8 a=DvWyHT0hQoVTa99lUvAA:9 a=_W_S_7VecoQA:10 a=UvkaW4O6csoA:10 a=W0v8j6zjiZIA:10 a=NpOfH3mKLEoA:10
X-Orig-To: MYEMAILADDRESS.org
X-Originating-Ip: [96.56.88.114]
Received: from [96.56.88.114] ([96.56.88.114:47162] helo=ool-60385872.static.optonline.net)
    by smtp14.gate.ord1b.rsapps.net (envelope-from <brahmas82@yahoo.com>)
    (ecelerity 2.2.3.49 r(42060/42061)) with ESMTP
    id 34/8C-20522-D1432035; Mon, 17 Feb 2014 11:09:01 -0500
Received: from [182.76.120.183] (account unionizationric29@gmail.com HELO ipzxakwrklhjr.syovxgdfdiaww.biz)
    by ool-60385872.static.optonline.net (CommuniGate Pro SMTP 5.2.3)
    with ESMTPA id 505252484 for MYEMAILADDRESS.org; Mon, 17 Feb 2014 11:08:58 -0500
From: "Evernote service" <brahmas82@yahoo.com>
To: <MYEMAILADDRESS.org>
Subject: Image has been sent sw_hansen
Date: Mon, 17 Feb 2014 11:08:58 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_wqlikg_96_22_85"
X-Priority: 3
X-Mailer: aiagshx-55
Message-ID: <5934251174.AHWEYMF3103607@zmxpy.aikldpasoqeis.com>
X-Brightmail-Tracker: AAAAAQAAAlk=

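An added example, not written by any poster in this thread: a small triage function that applies the checks the two posted samples fail (brand name in the display name with an unrelated sender domain, no SPF pass, no DKIM pass, links to a bare IP or a non-Evernote host). The names `triage`, `Links`, `in_brand` and `BRAND_DOMAINS` are hypothetical, and the sample is constructed by trimming the first message's source posted above.

```python
import email, ipaddress, re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
BRAND, BRAND_DOMAINS = "evernote", ("evernote.com",)  # assumption: the only legitimate domain

# Constructed sample: headers and body trimmed from the first message source in the thread.
SAMPLE = """\
Received-SPF: none (nk11p00mm-spfmilter010.mac.com: headen@ecredit.com does not designate permitted sender hosts)
From: EvernoteCloud <headen@ecredit.com>
Authentication-results: nk11p00mm-smtpin005.mac.com; dkim=none reason="no signature"
Content-type: text/html; charset=utf-8

<html><body><b>Image has been corrupted.</b><br>
<a href="http://178.254.8.46/swahili.php">DCIM_5886.jpg</a><br>
<a href="http://178.254.8.46/swahili.php">Go to Evernote</a></body></html>
"""

class Links(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if tag == "a" and k == "href" and v]

def in_brand(host):  # exact domain or a subdomain of it
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def triage(raw):  # returns a list of human-readable findings, empty if none
    msg = email.message_from_string(raw)
    findings, parser = [], Links()
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if BRAND in name.lower() and not in_brand(domain):
        findings.append(f"display name claims {BRAND}, sender domain is {domain}")
    if msg.get("Received-SPF", "").split(" ", 1)[0].lower() != "pass":
        findings.append("SPF did not pass")
    if not re.search(r"\bdkim=pass\b", msg.get("Authentication-Results", ""), re.I):
        findings.append("no passing DKIM signature")
    for part in msg.walk():  # also covers multipart/alternative mail
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace"))
    for host in sorted({urlsplit(h).hostname or "" for h in parser.hrefs}):
        try:
            ipaddress.ip_address(host)
            findings.append(f"link points at bare IP {host}")
        except ValueError:
            if not in_brand(host):
                findings.append(f"link host {host} is outside {BRAND} domains")
    return findings
```
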
This topic is now archived and is closed to further replies.