Re: [Freedos-devel] FreeDOS Phishing attack - warning!

2023-11-14 Thread Eric Auer via Freedos-devel



Hi everybody,

now I have also received one of those freedos phishing mails:
test at multicenter.com.bo wrote "Re: [Freedos-devel] mode.com"
from 193.201.8.100 saying: Please review and sign the enclosed
document. This is essential for our current project (etc.)

The link in the mail interestingly was a doubleclick forward
to a bitly link. Luckily, bitly offers a link preview and
virustotal helped me to find out more. The link had checked
out as harmless 13 days ago, but a "reanalyze" now tells me:

https://www.virustotal.com/gui/url/ff13f15b868cc0b4efdb580f44b621d8f435b82e4fbb6e6fe1cef9327d3fb441/detection

Malware (ESET, Lumu, SOCRadar, VIPRE)
Malicious (Seclookup)
Phishing (Fortinet)

Details about the type of malware are not provided, though.

It is interesting that the previous check was around the
beginning of this phishing or malware wave. Maybe those
sending the mails themselves had their now-infected sites
checked before infecting them, for a fake sense of security?

Regards, Eric




___
Freedos-devel mailing list
Freedos-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freedos-devel
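
The kind of link check described in the message above (a forwarder that points at a shortener, so the real destination is not visible in the mail), as an added example that is not part of the original thread. It inspects an HTML mail body offline and never requests a URL; the sample mail, its `u=` query parameter and the forwarder list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl
FORWARDERS = ("doubleclick.net", "bit.ly", "bitly.com")  # assumed forwarder hosts

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_forwarder(host):
    return any(host == f or host.endswith("." + f) for f in FORWARDERS)

def embedded_urls(url):
    """URLs carried in the query string (the forward target); no network access."""
    return [v for _, v in parse_qsl(urlsplit(url).query) if v.startswith(("http://", "https://"))]

def triage(html_body):
    """One finding per link: statically visible hop chain plus reasons for distrust."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        chain, todo = [], [href]
        while todo and len(chain) < 5:  # bound the unwrapping depth
            url = todo.pop(0)
            chain.append(urlsplit(url).hostname or "")
            todo.extend(embedded_urls(url))
        reasons = []
        if is_forwarder(chain[0]):
            reasons.append("link goes through a forwarder")
        if is_forwarder(chain[-1]):
            reasons.append("final destination not visible in the mail")
        if "://" not in text and "." not in text:
            reasons.append("link text names no destination")
        findings.append({"chain": chain, "reasons": reasons})
    return findings

SAMPLE = (  # constructed sample: wording follows the quoted mail, the URL is made up
    '<p>Please review and sign the enclosed document.</p><a href="https://'
    'ad.doubleclick.net/clk?u=https%3A%2F%2Fbit.ly%2Fconstructed">OPEN</a>')
```

A chain that ends on a forwarder host means the mail alone cannot tell you where the link lands; that is the point at which a preview or reputation service, as used in the message above, is needed.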


Re: [Freedos-devel] FreeDOS Phishing attack - warning!

2023-11-09 Thread Wilhelm Spiegl via Freedos-devel
Hi Ralf,

yes you are right. I noticed all this before (except the link itself because Android devices use no mouse and the link is not shown in that app). Nevertheless - at the end curiosity won.

And I am not the first one and will not be the last one where this happens.

Since I retired I got at least two phone calls from a "Microsoft technician", several WhatsApp posts: Hi mum/dad I have a new mobile phone number, some messages of young ladies, the persons that want to give me millions of dollars and several other phone attack trials (at least not yet a "shock call from police" that my nephew had an accident and I have to pay money to get him free - this shock call still works fine every day although everyone is warned and bank companies ask their customers when they want a bigger amount of money).

I do not know if there were reports in USA that M$ lost one of its main access keys for the whole MS cloud some months ago - and did not really publish this (I am not happy to be forced to use OneDrive etc.)

Big companies are hacked here every day. Etc. means: I am not alone. Some day they will get you too. There are so many different tricks...

And even if YOU are perfect, others are not. Keep in mind that you have left your email address, paypal account or whatever at dozens of websites, and some day they can / will be hacked as the admin forgot to run the last updates...

Just for info: I checked my Android with 5 different virus scanners, four say: there is nothing, the fifth (VirusTotal) reports that TrendMicro-HouseCall found several of them. One of the four other virus scanner apps is TrendMicro... So much about this theme.

Willi

> As for the way how this email is made, well, that is as stated before what makes me wonder on how someone can just click on such a link. "One way link" just doesn't make any sense in the overall "picture" of the email. So first thing I do before I would even attempt to hover over the link with the mouse, which in my email client will show me the actual address that link points to. At latest at this point, together with the overall indescriptive email (not counting the apparently badly copied contents of an half year old email thread), it should be obvious that this is a phishing attempt.




Re: [Freedos-devel] FreeDOS Phishing attack - warning!

2023-11-08 Thread Ralf Quint via Freedos-devel

On 11/3/2023 11:36 AM, Wilhelm Spiegl via Freedos-devel wrote:

> Hi Ralf,
> you never make a mistake? Then you never make a "backup"?

Rarely. And I do.

> The thing that is more interesting for me is how the person really
> made it.

I just found this very same email in my spam folder, Thunderbird (or
GMail) just perfectly fine determined that this is spam, hence, I did
not see this when it came in.

I certainly won't make the mistake of reading/receiving email in a web
browser. Email clients exist for a reason, and proper spam/virus
scanning/filtering is one of the benefits that every email client worth
its salt provides.


As for the way how this email is made, well, that is as stated before 
what makes me wonder on how someone can just click on such a link. "One 
way link" just doesn't make any sense in the overall "picture" of the 
email. So first thing I do before I would even attempt to hover over the 
link with the mouse, which in my email client will show me the actual 
address that link points to. At latest at this point, together with the 
overall indescriptive email (not counting the apparently badly copied 
contents of an half year old email thread), it should be obvious that 
this is a phishing attempt.



Sorry Wilhelm, but it's the year 2023 and everyone should know by now
that the Internet isn't the friendly place anymore it was +30 years ago
and use common sense.



Ralf



Re: [Freedos-devel] FreeDOS Phishing attack - warning!

2023-11-03 Thread Wilhelm Spiegl via Freedos-devel
Hi Ralf,

you never make a mistake? Then you never make a "backup"?

The thing that is more interesting for me is how the person really made it.

As much as I could see the mail archive only writes:

wilhelm.spi...@mxxx-online.de - okay, it is not a big problem to find the whole name if it is in the same text and to add the corresponding mail subject.

But I am nevertheless astonished that someone invests so much work for such a small community.

Or was mail-archive.com hacked to get the addresses?

Yesterday I tried to create a "honeypot" for this link on an old unimportant XP machine, clicked on the link - and after one second Google appeared, I noticed no download. I checked the HD from outside the machine with 3 virus scanners - nothing.

At my first trial in a secure environment with a booted Linux CD with HD write protection one day before this worked differently, I noticed a short download, but I did not back it up. So I have the feeling that the link was removed rather quickly. Why? Because of the discussion?

Willi

Sent: Friday, November 03, 2023 at 6:39 PM
From: "Ralf Quint via Freedos-devel" 
To: freedos-devel@lists.sourceforge.net
Cc: "Ralf Quint" 
Subject: Re: [Freedos-devel] FreeDOS Phishing attack - warning!


On 11/2/2023 2:38 AM, Wilhelm Spiegl via Freedos-devel wrote:



Hi all,

I only wanted to tell you that I had a "FreeDOS" phishing attack yesterday.

 

The mail I got arrived at my n...@mnet-online.de account, with subject:

 

Re: [Freedos-devel] mode.com

sender: m...@planet.com.pk

Text:

 

Hi There,

Please see the documentation contained in the url followed below.

 

Hyperlink: ONE WAY LINK

 

Enjoy a great daytime!


Who would click on such a link? In an email from a random user that contains absolutely no information what this is about?
Unfortunately, the random and possibly malicious nature of the sender is exaggerated that we for a while now don't really see the actual sender, but only the "Technical Discussion." from the mailing list... :(
 

 

Ralf 






Re: [Freedos-devel] FreeDOS Phishing attack - warning!

2023-11-03 Thread Ralf Quint via Freedos-devel

On 11/2/2023 2:38 AM, Wilhelm Spiegl via Freedos-devel wrote:

> Hi all,
> I only wanted to tell you that I had a "FreeDOS" phishing attack
> yesterday.
>
> The mail I got arrived at my n...@mnet-online.de account, with subject:
> *Re: [Freedos-devel] mode.com*
> sender: *m...@planet.com.pk*
> Text:
> *Hi There,*
> *Please see the documentation contained in the url followed below.*
> *Hyperlink: ONE WAY LINK*
> *Enjoy a great daytime!*

Who would click on such a link? In an email from a random user that 
contains absolutely no information what this is about?
Unfortunately, the random and possibly malicious nature of the sender is 
exaggerated that we for a while now don't really see the actual sender, 
but only the "Technical Discussion." from the mailing list... :(




Ralf 


Re: [Freedos-devel] FreeDOS Phishing attack - warning!

2023-11-02 Thread Rugxulo via Freedos-devel
Hi,

Gmail caught one with its Spam filter. It doesn't show any prior
emails from this person.

author: th...@yamashita1921.com
subject: Re: [Freedos-user] TASM under an emulator?
link: urdirec.com


On Thu, Nov 2, 2023 at 11:07 AM Mercury Thirteen via Freedos-devel
 wrote:
>
> ...as did I. Mine was as follows.
> 
> From: webmas...@propstei-marien.de
> Subject: Re: [Freedos-devel] Logger v0.3-BETA
> Content:
> Hi There,
> Please look into the the document in the web-link down the page.
> LINK BUTTON
> Enjoy a good afternoon!
> 




Re: [Freedos-devel] FreeDOS Phishing attack - warning!

2023-11-02 Thread Mercury Thirteen via Freedos-devel
...as did I. Mine was as follows.

From: webmas...@propstei-marien.de
Subject: Re: [Freedos-devel] Logger v0.3-BETA
Content:
Hi There,
Please look into the the document in the web-link down the page.
LINK BUTTON
Enjoy a good afternoon!


Where "LINK BUTTON" links to a page in the https://bone-shed.net/ domain. It 
seems it was sent as a reply to a message I posted to the mailing list myself, 
which is likely how it's getting past the spam filters of my email provider.

Sent with [Proton Mail](https://proton.me/) secure email.

On Thursday, November 2nd, 2023 at 7:27 AM, Steve Nickolas via Freedos-devel 
freedos-devel@lists.sourceforge.net wrote:

> On Thu, 2 Nov 2023, Harald Arnesen via Freedos-devel wrote:
>
>> Jim Hall via Freedos-devel [02/11/2023 11.12]:
>>
>>> So now phishers are pretending to be FreeDOS emails. That's pretty
>>> targeted phishing (aka "spear phishing" where attackers customize the
>>> email to be very specific to the recipient).
>>>
>>> Thanks for sharing. I haven't seen this, but I'll watch for it now.
>>>
>>> On Thu, Nov 2, 2023, 4:39 AM Wilhelm Spiegl via Freedos-devel
>>> <freedos-devel@lists.sourceforge.net> wrote:
>>>
>>> Hi all,
>>> I only wanted to tell you that I had a "FreeDOS" phishing attack
>>> yesterday.
>>
>> I got one as well. Same subject and link.
>
> I got one from an Argentinian address - figured it was a hack rather than
> a phish, but with the same idea.
>
> -uso.


Re: [Freedos-devel] FreeDOS Phishing attack - warning!

2023-11-02 Thread Steve Nickolas via Freedos-devel

On Thu, 2 Nov 2023, Harald Arnesen via Freedos-devel wrote:

> Jim Hall via Freedos-devel [02/11/2023 11.12]:
>
>> So now phishers are pretending to be FreeDOS emails. That's pretty
>> targeted phishing (aka "spear phishing" where attackers customize the
>> email to be very specific to the recipient).
>>
>> Thanks for sharing. I haven't seen this, but I'll watch for it now.
>>
>> On Thu, Nov 2, 2023, 4:39 AM Wilhelm Spiegl via Freedos-devel wrote:
>>
>>> Hi all,
>>> I only wanted to tell you that I had a "FreeDOS" phishing attack
>>> yesterday.
>
> I got one as well. Same subject and link.

I got one from an Argentinian address - figured it was a hack rather than
a phish, but with the same idea.


-uso.


Re: [Freedos-devel] FreeDOS Phishing attack - warning!

2023-11-02 Thread Harald Arnesen via Freedos-devel

Jim Hall via Freedos-devel [02/11/2023 11.12]:

> So now phishers are pretending to be FreeDOS emails. That's pretty
> targeted phishing (aka "spear phishing" where attackers customize the
> email to be very specific to the recipient).
>
> Thanks for sharing. I haven't seen this, but I'll watch for it now.
>
> On Thu, Nov 2, 2023, 4:39 AM Wilhelm Spiegl via Freedos-devel wrote:
>
>> Hi all,
>> I only wanted to tell you that I had a "FreeDOS" phishing attack
>> yesterday.

I got one as well. Same subject and link.
--
Hilsen Harald
Слава Україні!





Re: [Freedos-devel] FreeDOS Phishing attack - warning!

2023-11-02 Thread Jim Hall via Freedos-devel
So now phishers are pretending to be FreeDOS emails. That's pretty targeted
phishing (aka "spear phishing" where attackers customize the email to be
very specific to the recipient).

Thanks for sharing. I haven't seen this, but I'll watch for it now.


On Thu, Nov 2, 2023, 4:39 AM Wilhelm Spiegl via Freedos-devel <
freedos-devel@lists.sourceforge.net> wrote:

> Hi all,
> I only wanted to tell you that I had a "FreeDOS" phishing attack yesterday.
>
> The mail I got arrived at my n...@mnet-online.de account, with subject:
>
> *Re: [Freedos-devel] mode.com *
> sender:* m...@planet.com.pk *
> Text:
>
> *Hi There,*
> *Please see the documentation contained in the url followed below.*
>
> *Hyperlink: ONE WAY LINK*
>
> *Enjoy a great daytime!*
>
> *__*
> *Freedos-devel mailing list*
> *Freedos-devel@lists.sourceforge.net *
>
>
>
>
> The ONE WAY LINK leads to:
> h ttps://theorganicgardeners.co ./...  (rest not written for security
> reasons)
>
> *Please do not click on this link!*
>
> *After clicking on the link nothing seemed to happen, but I assume that a
> download started.*
>
>
>
> Just for info.
> As I still work on the latest help I was not really astonished about this
> mail although mode.com is already done.
> I hope I could stop the download early enough on my Android phone.
> The virus scanner on phone found nothing. Let's see...
>
>
> Would be nice to hear if somebody else got this mail too.
> Interesting thing is that I usually get mails from the USERS forum and
> some other FD programmers and people that I know on this account only.
> In case that you get strange mails from me, please inform me via this mail
> account.
>
> Thanks
>
> W. Spiegl / Fritz Mueller
>