Coffee First Thing

Phishing: From "Evernote Share"


I received a phishing attempt today that purported to be from Evernote. The subject line of the email was "Image has been corrupted" along with part of my name in the subject line.

 

The scam came from "Evernote Share." The body of the email read in part, "Image has been corrupted. DSC_76284927.jpg 884 Kbytes." I've attached a screen shot of this email. The email contained two clickable links.

 

 

 


Thanks for reporting this. I've flagged it for the staff. We all need to take care with phishing scams -- don't click on links in emails. Go to the site directly from your browser. As for the content of the email, I've never heard of Evernote sending a message like this to any user.

Thanks--we’re aware of this spam campaign, and it definitely isn’t from Evernote.


I got it too - pretty clearly spam as soon as I opened it, mainly because the address it was sent to isn't connected to my Evernote account, but also because it's just REALLY obviously fake.

 

In any case, here's the full source of the phishing bait in question, if it helps your geeks chase down, castrate, and exsanguinate the responsible parties.

X-Antivirus: avast! (VPS 14020400)
X-Antivirus-Status: Clean
Return-path: <headen@ecredit.com>
Received: from nk11p00mm-smtpin005.mac.com ([17.158.164.134]) by ms01573.mac.com (Oracle Communications Messaging Server 7u4-27.08(7.0.4.27.7) 64bit (built Aug 22 2013)) with ESMTP id <0N0H00EIARGTVL40@ms01573.mac.com> for (REDACTED)@mac.com; Tue, 04 Feb 2014 21:53:17 +0000 (GMT)
Original-recipient: rfc822;(REDACTED)@mac.com
Received: from 216-241-32-215.static.forethought.net ([216.241.32.215]) by nk11p00mm-smtpin005.mac.com (Oracle Communications Messaging Server 7u4-27.08(7.0.4.27.7) 64bit (built Aug 22 2013)) with SMTP id <0N0H006E9RGSHVH0@nk11p00mm-smtpin005.mac.com> for (REDACTED)@mac.com (ORCPT (REDACTED)@mac.com); Tue, 04 Feb 2014 21:53:17 +0000 (GMT)
Received-SPF: none (nk11p00mm-spfmilter010.mac.com: headen@ecredit.com does not designate permitted sender hosts) receiver=nk11p00mm-spfmilter010.mac.com; client-ip=216.241.32.215; helo=216-241-32-215.static.forethought.net; envelope-from=headen@ecredit.com; x-software=spfmilter 0.97 http://www.acme.com/software/spfmilter/ with libspf-unknown;
Date: Tue, 04 Feb 2014 14:53:17 +0000
To: "(REDACTED)@mac.com" <(REDACTED)@mac.com>
From: EvernoteCloud <headen@ecredit.com>
Subject: (REDACTED) Image has been corrupted
X-Priority: 1
Message-id: <31e5a878.daae382abeab5b9cdc9fd19@ecredit.com>
MIME-version: 1.0
Content-type: text/html; charset=utf-8
Content-transfer-encoding: 7bit
Authentication-results: nk11p00mm-smtpin005.mac.com; dkim=none reason="no signature"; dkim-adsp=none
x-icloud-spam-score: 30022 f=ecredit.com;e=ecredit.com;pp=ham;spf=?;dkim=?;wl=absent;pwl=absent
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87,1.0.14,0.0.0000 definitions=2014-02-04_06:2014-02-04,2014-02-04,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=7 spamscore=7 suspectscore=66 phishscore=1 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1308280000 definitions=main-1402040125

<html>
<head>
<title></title>
</head>
<body>
<div style="padding:17px;color:#222222;font-family:arial;font-size:14px;width:620px"><br>(REDACTED)<br><br><b>Image has been corrupted.</b> <br>
<br><a href="http://178.254.8.46/swahili.php" style="color:#3a7eee">DCIM_5886.jpg</a><br>33 Kbytes<br>
<br>
<br>
<a href="http://178.254.8.46/swahili.php" style="border-radius:24px;-webkit-border-radius:24px;-moz-border-radius:24px;border:solid 1px #3a7eee;background:#3a7eee;padding:10px 30px;text-decoration:none;color:#ffffff;font-family:arial;font-size:14px">Go to Evernote</a><br>
<br>
</div>
<div style="padding:17px;color:#888888;font-family:arial;font-size:11px">
© 2014 Evernote. Privacy policy provides our policies and procedures for collecting, using, and disclosing your information.<br>
Users can access the Evernote service (the "Service") through our website, applications on Devices, through APIs, and through third-parties.<br>
A "Device" is any computer used to access the Evernote Service, including without limitation a desktop, laptop, mobile phone, tablet, or other<br>
consumer electronic device.
</div>
</body></html>


I received a pretty poor phishing attempt today from "Evernote service" (note the poor capitalization) with a stolen Yahoo email as the sender.

 

Two links, one to an image and another to "Go TO Evernote"

 

The only thing interesting is it showed up about an hour after I emailed a link from my tablet.

 

 

Here is the HTML of the email body

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<STYLE></STYLE>
</HEAD>
<BODY>
Image has been sent sw_hansen . <br><br>
 
<a href="http://ateslihikayeler.org/1.html">DSC_990341.jpg</a> 29 Kbytes<br><br>
 
<a href="http://ateslihikayeler.org/1.html">Go To Evernote </a><br>
 
Copyright 2014 Evernote Corporation. All rights reserved<br>
</BODY></HTML>
 
and the header......
 
Return-Path: <brahmas82@yahoo.com>
Delivered-To:MYEMAILADDRESS.org
Received: from smtp14.gate.ord1b (smtp14.gate.ord1b.rsapps.net [10.130.68.14])
by store91a.mail.ord1b (SMTP Server) with ESMTP id B6281258116
for <MYEMAILADDRESS.org>; Mon, 17 Feb 2014 11:09:01 -0500 (EST)
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2904-c
X-CMAE-Scan-Result: 0
X-CNFS-Analysis: v=2.1 cv=H8rinYoi c=1 sm=0 tr=0 a=lseV5MUcN8s4nmTkdXqXZw==:117 a=lseV5MUcN8s4nmTkdXqXZw==:17 a=f8_S3n9t2uQA:10 a=19JV7Xr7ILwA:10 a=CjxXgO3LAAAA:8 a=5_leKWkFAAAA:8 a=pGLkceISAAAA:8 a=jwirVGO0AAAA:8 a=xRfjoxBpAAAA:8 a=4_ptEIX1mLIA:10 a=x_wmQmMSP1xzT1wtyFkA:9 a=wPNLvfGTeEIA:10 a=7p0oKJhOEDUA:10 a=A6EXbJRr-uEA:10 a=fuIoJ7JRAAAA:8 a=DvWyHT0hQoVTa99lUvAA:9 a=_W_S_7VecoQA:10 a=UvkaW4O6csoA:10 a=W0v8j6zjiZIA:10 a=NpOfH3mKLEoA:10
X-Orig-To: MYEMAILADDRESS.org
X-Originating-Ip: [96.56.88.114]
Received: from [96.56.88.114] ([96.56.88.114:47162] helo=ool-60385872.static.optonline.net)
by smtp14.gate.ord1b.rsapps.net (envelope-from <brahmas82@yahoo.com>)
(ecelerity 2.2.3.49 r(42060/42061)) with ESMTP
id 34/8C-20522-D1432035; Mon, 17 Feb 2014 11:09:01 -0500
Received: from [182.76.120.183] (account unionizationric29@gmail.com HELO ipzxakwrklhjr.syovxgdfdiaww.biz)
by ool-60385872.static.optonline.net (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 505252484 for MYEMAILADDRESS.org; Mon, 17 Feb 2014 11:08:58 -0500
From: "Evernote service" <brahmas82@yahoo.com>
To: <MYEMAILADDRESS.org>
Subject: Image has been sent sw_hansen
Date: Mon, 17 Feb 2014 11:08:58 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_wqlikg_96_22_85"
X-Priority: 3
X-Mailer: aiagshx-55
Message-ID: <5934251174.AHWEYMF3103607@zmxpy.aikldpasoqeis.com>
X-Brightmail-Tracker: AAAAAQAAAlk=
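
The indicators visible in both messages posted in this thread (an Evernote display name on an unrelated sender domain, SPF/DKIM results that did not pass, links to a bare IP address or a non-Evernote host) can be checked mechanically. The following is an added Python example, not part of any post here; the sample message is constructed with placeholder hosts, and treating `evernote.com` as the genuine domain is an assumption.

```python
import email, ipaddress, re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND, BRAND_DOMAIN = "evernote", "evernote.com"  # assumption: the brand's genuine domain

# Constructed sample modelled on the messages in this thread (placeholder hosts).
SAMPLE = """\
Received-SPF: none (mx.example.net: sender@mailer.example does not designate permitted sender hosts)
Authentication-Results: mx.example.net; dkim=none reason="no signature"
From: EvernoteCloud <sender@mailer.example>
Content-Type: text/html; charset=utf-8

<html><body><a href="http://203.0.113.46/page.php">DCIM_0001.jpg</a><br>
<a href="http://203.0.113.46/page.php">Go to Evernote</a></body></html>
"""

class Links(HTMLParser):  # collects the href of every <a> tag
    hrefs = ()
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += tuple(v for k, v in attrs if k == "href" and v)

def under_brand(host):
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def triage(raw):
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg, found, links = email.message_from_string(raw), [], Links()
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if BRAND in name.lower() and not under_brand(domain):
        found.append(f"display name claims {BRAND} but sender is @{domain}")
    if re.match(r"\s*(none|fail|softfail)\b", msg.get("Received-SPF", ""), re.I):
        found.append("SPF did not pass")
    if re.search(r"\bdkim=(none|fail)\b", msg.get("Authentication-Results", ""), re.I):
        found.append("no valid DKIM signature")
    for part in msg.walk():  # covers single-part and multipart/alternative mail
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            links.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    for host in sorted({urlparse(h).hostname for h in links.hrefs} - {None}):
        try:
            ipaddress.ip_address(host)
            found.append(f"link points at bare IP {host}")
        except ValueError:
            if not under_brand(host):
                found.append(f"link host {host} is not under {BRAND_DOMAIN}")
    return found
```

Calling `triage(SAMPLE)` returns four findings; a message sent from the brand's own domain with passing SPF and DKIM and links under that domain returns an empty list.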
 
 
