[nsp-sec] Yahoo! to the WCP
Daniel Robert Adinolfi
dra1 at cornell.edu
Tue Sep 6 11:40:54 EDT 2011
Yahoo! Folks,
Please take a look at this phish. The site taxview-irs.com points to 67.195.140.36, which is in Yahoo! address space. The victim is redirected to something in co.cc if they follow this link, but it seems to be bouncing off of Yahoo!.
Thanks.
-Dan
AS 26
Begin forwarded message:
> ---------- Forwarded message ----------
> MIME-Version: 1.0
> Received: from CASHUB02.exchange.cornell.edu (10.16.197.21) by
> CASHUB09.exchange.cornell.edu (10.16.197.28) with Microsoft SMTP Server (TLS)
> id 14.1.323.3; Tue, 6 Sep 2011 01:48:52 -0400
> Received: from orchid.mail.cornell.edu (132.236.56.61) by
> CASHUB02.exchange.cornell.edu (10.16.197.21) with Microsoft SMTP Server id
> 8.3.159.3; Tue, 6 Sep 2011 01:48:52 -0400
> Received: from localhost.localdomain (poppy.mail.cornell.edu [132.236.56.48])
> by orchid.mail.cornell.edu (8.14.4/8.14.4) with ESMTP id p865mqHN024113
> <gl89 at cornell.edu>; Tue, 6 Sep 2011 01:48:52 -0400 (EDT)
> Date: Tue, 6 Sep 2011 01:48:52 -0400
> Message-ID: <201109060548.p865mqHN024113 at orchid.mail.cornell.edu>
> Received: from poppy.mail.cornell.edu by poppy with queue id 234110176-10
> gl89 at cornell.edu; Tue, 06 Sep 2011 05:47:59 GMT
> Received: from [59.95.172.79] ([59.95.172.79]) by poppy.mail.cornell.edu with
> SMTP id p865ls7q027282; Tue, 06 Sep 2011 05:47:59 GMT (envelope-from
> usirc at antifraud.irs.gov)
> From: US_IRS <USIRS at service.irs.gov>
> To: <ghr1 at cornell.edu>, <gj53 at cornell.edu>, <gjb1 at cornell.edu>,
> <gjc52 at cornell.edu>, <gjd24 at cornell.edu>, <gjl7 at cornell.edu>,
> <gjs25 at cornell.edu>, <gkw1 at cornell.edu>, <gl288 at cornell.edu>,
> <gl89 at cornell.edu>, <gl94 at cornell.edu>, <glc23 at cornell.edu>,
> <glf5 at cornell.edu>
> Subject: Tax report IRS.gov
> Content-Type: text/html
> X-PMX-CORNELL-SPAM-CHECKED: Poppy
> X-PMX-Version: 5.5.9.395186, Antispam-Engine: 2.7.2.376379,
> Antispam-Data: 2011.9.6.53314
> X-Original-Sender: usirc at antifraud.irs.gov - Tue Sep 6 01:48:00 2011
> X-PMX-CORNELL-REASON: CU_User_Override User Opted Out
> Return-Path: usirc at antifraud.irs.gov
> X-Additional-Recipients-Added: 1
> X-MS-Exchange-Organization-AuthSource: CASHUB02.exchange.cornell.edu
> X-MS-Exchange-Organization-AuthAs: Anonymous
> X-Additional-Recipients-Added: 1
> X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
> Importance: high
> X-Priority: 1
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD>
> <META content="text/html; charset=unicode" http-equiv=Content-Type>
> <META name=GENERATOR content="MSHTML 8.00.6001.18939">
> </HEAD>
> <BODY><p>Taxpayer ID: commensurate-00000700955060US<br>
> Tax Type: INCOME TAX<br>
> Issue: Unreported/Underreported Income (Fraud Application)<br>
> <br>
> Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):<br>
> <br>
> <p><a rel="nofollow" target="_blank" href="http://taxview-irs.com"><span class="yshortcuts" id="lw_1306514506_4">download tax statement: report-00000700951260US.DOC</p>
> <br>
> <a target="_blank" href="http://www.irs.gov"><span class="yshortcuts" id="lw_1306514506_6">http://www.irs.gov</span></a>. <br>
> </p>
> </BODY></HTML>