swscoobies Posted March 3, 2008

Hi,

I received a couple of emails today claiming I have been sending out fake emails. When I asked for the mail to be forwarded to me, it has a link to a file within my store's admin/images/graphs folder... this was linking to a FAKE US inland revenue site.

http://khromagraph.com/catalog/images/Best...d=96596,00.html

Received: from sbs2003.Bestlights.local (adsl-75-55-130-174.dsl.sfldmi.sbcglobal.net [75.55.130.174])
    by mx.google.com with ESMTP id y64si1061810pyg.22.2008.03.03.11.48.16;
    Mon, 03 Mar 2008 11:48:21 -0800 (PST)
Received-SPF: neutral (google.com: 75.55.130.174 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=75.55.130.174;
Authentication-Results: mx.google.com; spf=neutral (google.com: 75.55.130.174 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: from User ([87.127.167.31]) by sbs2003.Bestlights.local with Microsoft SMTPSVC(6.0.3790.3959);
    Mon, 3 Mar 2008 14:41:36 -0500
From: "[email protected]"<[email protected]>
Subject: IRS Notification - Request your refund!
Date: Mon, 3 Mar 2008 19:50:16 -0000
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: [email protected]
Message-ID: <[email protected]>
X-OriginalArrivalTime: 03 Mar 2008 19:41:36.0968 (UTC) FILETIME=[97F60C80:01C87D66]

<br><br>
<font face="Courier" size="3">After the last annual calculations of your fiscal activity we have determined that<br>
you are eligible to receive a tax refund of <b>$238.59</b><br>Please submit the tax refund request and allow us 2-3 days in order to<br>
process it.</font><br><br>
<font size="3" face="Courier">To access the form for your tax refund, please <b><a href="http://thescoobiestore.co.uk/admin/images/graphs/cvs.php">click here</a></b></font><br><br>
<font face="Courier" size="2">Regards, <br>
Internal Revenue Service</font></p><br><br><br>
<font color="#C0C0C0" size="2">© Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

I have edited this file to redirect to my site's Index page. Not sure what else to do...

My admin area is protected by .htaccess.

Guest Posted March 3, 2008

Report it to the IRS, and definitely remove it, or quarantine it!

germ Posted March 3, 2008

You might be interested in this too (found in your shop)

http://khromagraph.com/catalog/images/CurrenciesBox/secure/susquehanna-survey/www.susquehanna.net/

Looks like a fake bank login page to me. :blush:

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -

Guest Posted March 3, 2008

> You might be interested in this too (found in your shop)
> http://khromagraph.com/catalog/images/CurrenciesBox/secure/susquehanna-survey/www.susquehanna.net/
> Looks like a fake bank login page to me. :blush:

I am playing in it to find out where the phished information is being sent to. If I find anything, I will let you know.

swscoobies Posted March 4, 2008

> You might be interested in this too (found in your shop)
> http://khromagraph.com/catalog/images/CurrenciesBox/secure/susquehanna-survey/www.susquehanna.net/
> Looks like a fake bank login page to me. :blush:

Where is this link located? I am trying to remove them all...

Guest Posted March 4, 2008

> Where is this link located? I am trying to remove them all...

http://khromagraph.com/catalog/images/CurrenciesBox/secure/

ozEworks Posted March 6, 2008

You should check the file dates on those files and then check your hosting access logs to see how these files were loaded to your site, whether it was FTP or online access.

You need to change all passwords and virus check your PC.

You should check file permissions on your files and folders.

You should remove programs such as file manager and define languages.

If you do not have .htaccess protection on your Admin and are relying on Admin Access levels, then don't. Add .htaccess as it is a blanket protection stronger than Admin Access levels.
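
The file-date, permission and access-log checks suggested above, sketched as an added example that is not part of the original thread. It assumes Apache common/combined log format and that an images folder should hold nothing but image files; the function names, the extension allowlist and the sample log lines are constructed for illustration.

```python
import os
import re
import stat
from datetime import datetime, timezone

# Assumed allowlist: the only file types an images folder should hold.
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png", ".ico", ".bmp"}

def is_image(path):
    return os.path.splitext(path)[1].lower() in IMAGE_EXT

def audit_image_dirs(webroot):
    """Return (non-image files with UTC mtime, oldest first; world-writable dirs)."""
    unexpected, writable = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        if "images" not in os.path.relpath(dirpath, webroot).split(os.sep):
            continue  # only audit 'images' subtrees
        if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IWOTH:
            writable.append(dirpath)
        for name in files:
            if not is_image(name):
                full = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.stat(full).st_mtime, timezone.utc)
                unexpected.append((full, mtime))
    return sorted(unexpected, key=lambda item: item[1]), writable

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def requests_into_image_dirs(log_lines):
    """Parse Apache log lines; return non-image requests under /images/."""
    hits = []
    for line in log_lines:
        if not (m := LOG_RE.match(line)):
            continue
        client, when, method, url, status = m.groups()
        path = url.split("?", 1)[0]  # ignore the query string
        if "/images/" in path and not is_image(path):
            hits.append((client, when, method, path, status))
    return hits

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Mar/2008:14:02:11 +0000] "GET /catalog/images/logo.gif HTTP/1.1" 200 2048',
    '198.51.100.23 - - [03/Mar/2008:14:05:40 +0000] "POST /admin/images/graphs/cvs.php HTTP/1.1" 200 512',
    '192.0.2.55 - - [03/Mar/2008:14:06:02 +0000] "GET /catalog/index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print(requests_into_image_dirs(SAMPLE_LOG))
```

The modification times returned by `audit_image_dirs` give the window to search in the web and FTP logs for the upload itself.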