Latest Phish?

Purdy on 2004-09-07T03:56:35

Got this odd e-mail (spam/phish/whatever):

From: "order@freeandsafety.com"
Reply-To: "order@freeandsafety.com"
To: jason@purdy.info
Subject: Your order # 12405 has been accepted for the amount 840.00$

Sony DSC-F828 8.0MP Digital Camera

Your order # 12405 has been accepted for the amount 840.00$ Your card will be charged in that amount .Thank you for your purchase.

You can check the order in your profile.

http://SOMEURL.com

So I check out the URL (w/ Firefox) and it tells me:

Sorry, your browser can't show this page

if you have a problem with brows this page - open this page in MS Internet Explorer

This is even with Firefox's User Agent extension that's supposed to trick the Web server into thinking it's really IE. So I'm thinking this is some kind of phish to get IE folks to go to their site and with some vulnerability, r00t the machine. That's why I'm not linking to the site & switched out the domain name above (tho you can see the domain name in the headers).

The full mail headers look suspicious:

Received: from www.journalistic.com (www.journalistic.com [207.252.75.144])
    by mail.journalistic.com (Postfix) with ESMTP id 32AD0198044
    for ; Mon, 6 Sep 2004 19:34:36 -0400 (EDT)
Received: from pool-141-158-136-120.scr.east.verizon.net (pool-141-158-136-120.scr.east.verizon.net [141.158.136.120])
    by www.journalistic.com (Postfix) with SMTP id 922674540DB
    for ; Mon, 6 Sep 2004 19:34:34 -0400 (EDT)

Maybe I should contact the WHOIS person?

Stewart, Cynthia 5639 Hwy 83 N FORSYTH, GA 31029 US Phone: (478) 994-9723

I'm sure she would be real helpful. I guess I'll keep an eye out for some charge on my card. I am kinda curious what the site would look like in IE and what it would do. Also, kinda funny to get a receipt for a site I couldn't use to order from in the first place. Just kinda frustrating when you take these kinda things too seriously. ;)

Peace,

Jason


Your order has been... etc.

dws on 2004-09-07T05:22:04

I've gotten hundreds of these over the past week or so, including one from a partially configured version of whatever spam template they're using. Into the bit bucket they go.