pb513
Message 1 of 7

VirginMedia Phishing scam email

I received a phishing scam email this morning. The link in the email takes you to a page which looks just like a Virgin Media login page - but it isn't. Notice how the words in the body contain extra letters to confuse spam engines. The font colour of the extra letters is set to white in the original email so that they don't show up on the screen.

The email it was sent to isn't the primary email on my account so I knew something was fishy about this. The return address clearly isn't Virgin Media and the address of the linked page at the bottom isn't Virgin Media either. I have removed the link details so that nobody can click on it from here.

I would be happy to share a copy of the original with Virgin Media if I could only find out where I can send it to! In the meantime, be aware that these emails are being sent out and you should not respond to them.

Header data:

Return-Path: <webteam.virgin.media.as48584dbwezxqm14851@atriumconsulting.fr>
Delivered-To: **Redacted**@ntlworld.com
Received: from md21.tb.ukmail.iss.local ([212.54.57.69])
by mc7.tb.ukmail.iss.local (Dovecot) with LMTP id 9imELpt4gVg4fgAAu0mRFQ
for <**Redacted**@ntlworld.com>; Fri, 20 Jan 2017 03:40:42 +0100
Received: from mx2.tb.ukmail.iss.as9143.net ([212.54.57.69])
by md21.tb.ukmail.iss.local (Dovecot) with LMTP id Hn8ACBOnsFbLVgAADJc0sg
; Fri, 20 Jan 2017 03:40:42 +0100
Received: from 10.mo173.mail-out.ovh.net ([46.105.74.148])
by mx2.tb.ukmail.iss.as9143.net with bizsmtp
id aSgf1u00h3By4by01Sgg1P; Fri, 20 Jan 2017 03:40:42 +0100
X-SourceIP: 46.105.74.148
Received: from player718.ha.ovh.net (b7.ovh.net [213.186.33.57])
by mo173.mail-out.ovh.net (Postfix) with ESMTP id 9A46618404
for <**redacted**@ntlworld.com>; Fri, 20 Jan 2017 03:40:39 +0100 (CET)
Received: from PC-PC (unknown [62.102.148.189])
(Authenticated sender: ppetit@atriumconsulting.fr)
by player718.ha.ovh.net (Postfix) with ESMTPSA id 305034E006B
for <**redacted**@ntlworld.com>; Fri, 20 Jan 2017 03:40:37 +0100 (CET)
From: "Virgin Media"
<webteam.virgin.media.as48584dbwezxqm14851@atriumconsulting.fr>
Subject: Your latest Virgin Media Bill cannot be processed
To: **redacted**@ntlworld.com
Content-Type: text/html; charset=us-ascii
MIME-Version: 1.0
Reply-To: no-reply@v-media.net
Date: Fri, 20 Jan 2017 02:40:34 +0000
X-Ovh-Tracer-Id: 8693917607750849184
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 60
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrfeelgedrgedvgdehiecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpd

huthemuceftddtnecuogetvdekgedqtdekucdlvddtmdenhfhorhhgvgguucfjvffvrffuucdlgedtmd

Body:

Dear ********@ntlworld.com,

qAn oerror toccured cwhen cwe qtried to zprocess xthe apayment vfor hyour hlatest nVirgin kMedia rbill. kThe lpayment igateway gdetected einvalid vbilling edetails aassociated jwith zyour caccount. nYour hbill ocannot nbe gprocessed at lthis ztime, hyour pservice is apending edisconnection lon:

21 January, 2017

Tos avoidi the scheduledu disconnectiong of servicev we recommends thatf youk updatej yourd billingt detailst associatedu withh yourl accountc nowe by followingu thev linkl belowd:

A link appears here which I have removed.



aKind pregards,


aThev Virginq dMediak uteaml

trude2000
Message 2 of 7

Re: VirginMedia Phishing scam email

I received this and checked it on my phone and as the email was correct and the payment date was correct I followed it. I've now had to change all passwords and notify banks etc. Please post this information out to all users Virgin so they are aware.
MrHalfAsleep
Message 3 of 7

Re: VirginMedia Phishing scam email

This message has been reported here: http://netreport.virginmedia.com/netreport/index.php?branding=virginmedia#LatestSecurityAlerts so they are already aware of it.  You can use this link to report phishing spam too.  I also think the "What is phishing?" page should be a bit more prominent as you have to search for it in the Internet Security section.







--
The only winning move is not to play.
No system is 100% secure
Ridicule is nothing to be scared of - Adam Ant
The only thing constant - is change. Chris Evans
The internet is a series of tubes
pb513
Message 4 of 7

Re: VirginMedia Phishing scam email

Received a new phishing email this morning!

Similar appearance but different construction to the last one. The link in it points to a server in Kuala Lumpur, Malaysia.

willy1947
Message 5 of 7

Re: VirginMedia Phishing scam email

I had one 00.43 today, seems to come from France

pb513
Message 6 of 7

Re: VirginMedia Phishing scam email

The (fake) return email address is French; however, the domain registrar of the link they want you to click is in Germany and the servers hosting the malware are in Malaysia.

They are quite complicated things to unpick.

cybmole
Message 7 of 7

Re: VirginMedia Phishing scam email

Not when the only unpicking a spam filter has to do is test whether the login request points to a genuine Virgin Media domain.

You and I can both tell, in seconds, that it is a phish, and my brain's not exactly state of the art nowadays.

In fact all the filter has to spot is that it is an e-mail with a login link for Virgin. As Virgin, by policy, never send emails asking for that. It is fraud. Do not pass go, do not deliver to customer....
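
An added example (not code from any poster or from Virgin Media) of the checks this thread describes: a sender and Reply-To that do not belong to the brand named in the From display name, white-coloured filler letters in the body, and links that leave the brand's domains. The `virginmedia.com` allowlist, the `<font color>` markup and the link URL are assumptions; the From and Reply-To values are the ones quoted in the first post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "virgin media"
BRAND_DOMAINS = {"virginmedia.com"}  # assumption: the brand's genuine domains
VOID = {"br", "img", "hr", "meta", "input"}  # tags with no closing tag
WHITE = re.compile(r"(?<![-\w])color\s*[:=]\s*(?:#fff(?:fff)?|white)\b", re.I)
SAMPLE = '''From: "Virgin Media" <webteam.virgin.media.as48584dbwezxqm14851@atriumconsulting.fr>
Reply-To: no-reply@v-media.net

<p><font color="#ffffff">q</font>An <font color="#ffffff">o</font>error occurred.
<a href="http://login.example.invalid/">Update billing details</a></p>
'''  # constructed: From/Reply-To as quoted in the post; markup and link are invented

class Visible(HTMLParser):
    """Split body text into what the reader sees and white-on-white filler."""
    def __init__(self):
        super().__init__()
        self.depth, self.hidden, self.text, self.links = 0, [], [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID and (self.depth or any(WHITE.search(f"{k}={v}") for k, v in attrs)):
            self.depth += 1  # everything nested in a white element is hidden too
        self.links += [v for k, v in attrs if tag == "a" and k == "href" and v]
    def handle_endtag(self, tag):
        if tag not in VOID and self.depth:
            self.depth -= 1
    def handle_data(self, data):
        (self.hidden if self.depth else self.text).append(data)

def domain(header):
    return parseaddr(header)[1].rpartition("@")[2].lower()

def is_brand(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def analyse(raw):
    msg = message_from_string(raw)
    frm, rto = domain(msg["From"]), domain(msg.get("Reply-To", ""))
    page = Visible()
    page.feed(msg.get_payload())
    text = " ".join("".join(page.text).split())
    claims = BRAND in (parseaddr(msg["From"])[0] + " " + text).lower()
    return {"spoofed_sender": claims and not is_brand(frm),
            "reply_to_mismatch": bool(rto) and rto != frm,
            "hidden_text": "".join(page.hidden), "visible_text": text,
            "off_brand_links": [u for u in page.links if claims
                                and not is_brand(urlparse(u).hostname or "")]}
```

`analyse(SAMPLE)` flags the sender, the Reply-To and the link, and returns the filler letters separately from the sentence a reader would see, so keyword scoring can run on the visible text alone.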