[nsp-sec] ATTN Google, Gmail dropboxes used in phish

RuthAnne Bevier ruthanne at caltech.edu
Thu Nov 3 13:04:29 EDT 2011


Just got this cute phish, conveniently sent right to security.  The reply-to is "mpclaimdepartment at gmail.com".  The attachment, a Word document, references that address as well as "agentnkosi at gmail.com".  VirusTotal doesn't detect anything in the Word document, the text of which seems to be a variant on a 419 scam (except that you're a "lucky winner").

Full headers below.  If anyone wants the Word document I can send it along.

     --RuthAnne


>From mcrsft032 at gmail.com Thu Nov  3 09:52:40 2011
Return-Path: <mcrsft032 at gmail.com>
X-Original-To: thanne at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id 7F2DC2E50EEA;
	Thu,  3 Nov 2011 09:52:40 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: 0.002
X-Spam-Level: 
X-Spam-Status: No, score=0.002 tagged_above=-10000 required=5
	tests=[DKIM_SIGNED=0.001, HTML_MESSAGE=0.001] autolearn=disabled
Received: from jonola.caltech.edu (jonola.caltech.edu [131.215.239.176])
	by fire-doxen-external (Postfix) with ESMTP id BB6222E50F18;
	Thu,  3 Nov 2011 09:52:31 -0700 (PDT)
Received: by jonola.caltech.edu (Postfix, from userid 60001)
	id 886FC17144; Thu,  3 Nov 2011 09:52:31 -0700 (PDT)
X-Original-To: security at treqs.caltech.edu
Delivered-To: security at treqs.caltech.edu
Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu [131.215.239.19])	by jonola.caltech.edu (Postfix) with ESMTP id 5E73116D15	for <security at treqs.caltech.edu>; Thu,  3 Nov 2011 09:52:29 -0700 (PDT)
Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])	by earth-doxen-postvirus (Postfix) with ESMTP id 045E166E03C9	for <security at treqs.caltech.edu>; Thu,  3 Nov 2011 09:52:28 -0700 (PDT)
X-Mailbox-Line: From mcrsft032 at gmail.com  Thu Nov  3 09: 52:28 2011
X-Original-To: security at caltech.edu
Delivered-To: security at caltech.edu
Received: from earth-doxen.imss.caltech.edu (localhost [127.0.0.1])	by earth-doxen-postvirus (Postfix) with ESMTP id A1FD866E03C2	for <security at caltech.edu>; Thu,  3 Nov 2011 09:52:28 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on earth-doxen by amavisd-new
Received: from nm27-vm1.access.bullet.mail.mud.yahoo.com (nm27-vm1.access.bullet.mail.mud.yahoo.com [66.94.236.228])	by earth-doxen-external (Postfix) with SMTP id C65CE66E03D2	for <security at caltech.edu>; Thu,  3 Nov 2011 09:52:25 -0700 (PDT)
Received: from [66.94.237.198] by nm27.access.bullet.mail.mud.yahoo.com with NNFMP; 03 Nov 2011 16:52:25 -0000
Received: from [66.94.237.116] by tm9.access.bullet.mail.mud.yahoo.com with NNFMP; 03 Nov 2011 16:52:25 -0000
Received: from [127.0.0.1] by omp1021.access.mail.mud.yahoo.com with NNFMP; 03 Nov 2011 16:52:25 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 328122.14020.bm at omp1021.access.mail.mud.yahoo.com
Received: (qmail 74568 invoked by uid 60001); 3 Nov 2011 16:52:24 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1320339144; bh=NWBNfpk57pONK++ZvTS9xlsUPcCdTSxovPEv/mQkMW8=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=ebDjKukEQg0d3ceuPaVCYQnXeW7i5N/KrSuIiHk4CDR8V1roCt1OtaAiuGenu2VwLjPlVy1JO5e4nY0EC6vwPY2SewGUb09ZZIgC7DctfMnoW6YbN3wxy/adqIkGFJCAAuoHge/T6ACKUDostprzuvmQCIDnMQi9E8ogCy1SrkE=
X-YMail-OSG: CREIbLQVM1lVY0dBKuDP8NANgTW5LkU5QKf6kJy_D_IPEiw V82Hht_e6A2Rp0VUOY5XhY2P34Oliccsp37qnGKunQHQuI0mtXWILZcGP0gk LBgmB7ol4NGxHiIIGm_BNyiI0qhbppl9xQF2ZPCdaTRzirtorXemwIMTQUqR EiwxfNozT2..dTXFuRx1ybOyycf_TXb78fy9HdMZbqjqHsp.Sugy1yIafAnC .TZuKKnuHn_SVj4CDyjBs_jZ42x8Kb4ZNZ6ErJPjT8UF8N1Qhmq.R63x4k_Z kFRBwHV0vFZo0nCInyTOrU8fYoyA60iM5O6PERSdnVKizYjIUiyM.T4tBzHT vUJQcVR1isCkz__7Yy.eCuY4Ibbz9bpIn_lja0CZU8x67LX0cba_YhygXgnw bo0OBx8jK74Ue6JVcnEcD_tBReTm9i8FVsZGvMPfdu.r3GKGnU905RD0-
Received: from [41.122.29.68] by web181604.mail.ne1.yahoo.com via HTTP; Thu, 03 Nov 2011 09:52:24 PDT
X-RocketYMMF: webcc6090 at att.net
X-Mailer: YahooMailRC/574 YahooMailWebService/0.8.114.317681
Message-ID: <1320339144.68666.YahooMailRC at web181604.mail.ne1.yahoo.com>
Date: Thu, 3 Nov 2011 09:52:24 -0700 (PDT)
From: MICROSOFT YEARLY PROMOTIONS <mcrsft032 at gmail.com>
Reply-To: MICROSOFT YEARLY PROMOTIONS <mpclaimdepartment at gmail.com>
Subject: [TR #2291008] Your email has won a consolation prize:Open the attachment and contact your claim agent!!!!
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1101287475-1320339144=:68666"
X-TBCK-ID: 80b06df99051248a8b2f87849273236b
X-TBCK-Status: First;AllClear;0
Precedence: bulk
X-Caltech-ITS-T-Reqs-Initiated: yes
X-Caltech-ITS-T-Reqs-URL: https://treqs.caltech.edu/cgi-bin/ars-get-ticket.pl?ticket_id=2291008
X-Caltech-ITS-T-Reqs-Group: Information Security

--0-1101287475-1320339144=:68666
Content-Type: multipart/alternative; boundary="0-157237502-1320339144=:68666"

--0-157237502-1320339144=:68666
Content-Type: text/plain; charset=us-ascii



 
Please view the attached file for more details.

<snip>


-- 
RuthAnne Bevier
Director, Information Security
California Institute of Technology
ruthanne at caltech.edu
626-395-2671
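A small triage script for headers like the ones quoted above, added here as an example; it is not part of the original post. It parses the raw headers with Python's standard `email` module, flags the Reply-To dropbox (From and Reply-To differ), reads the DKIM signing domain, and walks the Received chain back to the submitting client. The sample headers are a trimmed copy of the ones in the post with the archive's " at " obfuscation restored to "@" and the DKIM signature shortened; the function names are my own.

```python
"""Header triage for a reported phish: reply-to dropbox, DKIM domain, origin IP."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Sample input: a trimmed copy of the headers quoted in the post, with "@"
# restored and the DKIM bh=/b= values dropped for brevity.
RAW_HEADERS = """\
Return-Path: <mcrsft032@gmail.com>
Received: from nm27-vm1.access.bullet.mail.mud.yahoo.com (nm27-vm1.access.bullet.mail.mud.yahoo.com [66.94.236.228])
\tby earth-doxen-external (Postfix) with SMTP id C65CE66E03D2
\tfor <security@caltech.edu>; Thu,  3 Nov 2011 09:52:25 -0700 (PDT)
Received: from [66.94.237.198] by nm27.access.bullet.mail.mud.yahoo.com with NNFMP; 03 Nov 2011 16:52:25 -0000
Received: from [66.94.237.116] by tm9.access.bullet.mail.mud.yahoo.com with NNFMP; 03 Nov 2011 16:52:25 -0000
Received: from [127.0.0.1] by omp1021.access.mail.mud.yahoo.com with NNFMP; 03 Nov 2011 16:52:25 -0000
Received: (qmail 74568 invoked by uid 60001); 3 Nov 2011 16:52:24 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1320339144;
Received: from [41.122.29.68] by web181604.mail.ne1.yahoo.com via HTTP; Thu, 03 Nov 2011 09:52:24 PDT
X-RocketYMMF: webcc6090@att.net
X-Mailer: YahooMailRC/574 YahooMailWebService/0.8.114.317681
From: MICROSOFT YEARLY PROMOTIONS <mcrsft032@gmail.com>
Reply-To: MICROSOFT YEARLY PROMOTIONS <mpclaimdepartment@gmail.com>
Subject: [TR #2291008] Your email has won a consolation prize
To: undisclosed recipients: ;

Please view the attached file for more details.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    """Parse a raw RFC 5322 message; folded header lines are handled by the stdlib parser."""
    return email.message_from_string(raw)


def addr_of(value):
    """Bare, lower-cased address from a From/Reply-To style header value."""
    return parseaddr(value or "")[1].lower()


def domain_of(addr):
    return addr.rpartition("@")[2]


def reply_to_dropbox(msg):
    """(from, reply_to) when Reply-To diverts replies away from the From address, else None."""
    frm, rt = addr_of(msg.get("From")), addr_of(msg.get("Reply-To"))
    return (frm, rt) if rt and rt != frm else None


def dkim_domain(msg):
    """The d= tag of the DKIM-Signature header (who signed), or None."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature") or "")
    return m.group(1).lower() if m else None


def received_chain(msg):
    """Client IP named in the 'from' clause of each Received hop, oldest hop first.

    MTAs prepend Received headers, so header order is newest first; reversing
    it walks from the submitting client towards our own server."""
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        from_clause = " ".join(hdr.split()).split(" by ", 1)[0]
        m = IP_RE.search(from_clause)
        chain.append(m.group(1) if m else None)
    return chain


def originating_ip(msg):
    """First globally routable IP in the chain: the client the first MTA actually talked to."""
    for ip in received_chain(msg):
        if ip and ipaddress.ip_address(ip).is_global:
            return ip
    return None


def triage(raw):
    """Return a list of human-readable findings for the analyst."""
    msg = parse_headers(raw)
    findings = []
    drop = reply_to_dropbox(msg)
    if drop:
        findings.append(f"reply-to dropbox: From {drop[0]} but replies go to {drop[1]}")
    signer, from_dom = dkim_domain(msg), domain_of(addr_of(msg.get("From")))
    if signer and signer != from_dom:
        findings.append(f"DKIM d={signer} does not cover From domain {from_dom}")
    ip = originating_ip(msg)
    if ip:
        findings.append(f"submitting client IP: {ip}")
    if msg.get("X-RocketYMMF"):
        findings.append(f"webmail account header X-RocketYMMF: {msg['X-RocketYMMF']}")
    if "undisclosed" in (msg.get("To") or "").lower():
        findings.append("recipient list hidden (undisclosed recipients)")
    return findings


if __name__ == "__main__":
    for line in triage(RAW_HEADERS):
        print("-", line)
```

The DKIM check only reads the signing domain; it does not verify the signature, so a mismatch is a hint about which provider submitted the message, not a forgery verdict. For abuse reports the two values worth sending are the Reply-To dropbox (the address the scammer actually reads) and the first globally routable Received IP, which here is the webmail client, not any Yahoo or Caltech relay.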
