Your Email Address Has Been Transmitting Viruses Phishing Scam


Oh look, my webmail is being blocked for spreading viruses, or so this phishing scam wants me (and you) to believe.

They use sender addresses and subject lines that will entice a user to open the email and follow the links. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.

Remember that many email clients, especially on a mobile phone or tablet, only show the display name in the From: header and not the actual address in the <...@domain.com> part. That is why these scams and phishes work so well: "WebMail Administrator" looks plausible until you see it belongs to ytdhg@ytsrgfey.com.

The email looks like:

From: WebMail Administrator <ytdhg@ytsrgfey.com>

Date: Tue 21/03/2017 20:58

Subject: Important Notification

Body content:

Dear Customer,

We hereby notify you that your email address has been transmitting viruses to our network servers and will be deactivated permanently if not resolved. You are urgently required to sanitize your email or your access to email services will be terminated.

Click here to sanitize your e-mail account

Failure to sanitize your email account will lead to permanent deactivation without warning.

We apologize for any inconvenience and appreciate your understanding.

Administrator.

This email has been checked for viruses by Avast antivirus software.  www.avast.com

Email headers:

IP             Hostname   City        Region   Country   Organisation
52.165.134.39  -          Des Moines  Iowa     US        AS8075 Microsoft Corporation
127.0.0.1      Local IP

Note: Only the Received: line added by your own (or your provider's) receiving server can be trusted, because that server wrote it and recorded the IP that actually connected to it. Every Received: line below it was written by the sender's infrastructure and can be forged. Here the trusted hop is 52.165.134.39, a Microsoft address; the internal.cloudapp.net hostname in the next line is consistent with the mail being sent from an Azure virtual machine.
Received: from [52.165.134.39] (port=65009 helo=price5)
by knight.knighthosting.co.uk with esmtp (Exim 4.88)
(envelope-from <ytdhg@ytsrgfey.com>)
id 1cqR6z-0003ua-N6
for greenpeace@dvk01.com; Tue, 21 Mar 2017 21:14:37 +0000
Received: from price5.fbnuvoezyhmuvjwiabgskqgnwc.gx.internal.cloudapp.net ([127.0.0.1]) by price5 with Microsoft SMTPSVC(8.5.9600.16384);
Tue, 21 Mar 2017 21:12:42 +0000
Content-Type: multipart/alternative; boundary="===============0567972517=="
MIME-Version: 1.0
Subject: Important Notification
To: "alert@emailservie.com" <ytdhg@ytsrgfey.com>
From: "WebMail Administrator" <ytdhg@ytsrgfey.com>
Date: Tue, 21 Mar 2017 21:12:42 +0000
Message-ID: <PRICE5gZcUYzEMPnop300001283@price5>
X-OriginalArrivalTime: 21 Mar 2017 21:12:42.0535 (UTC) FILETIME=[E0F12370:01D2A287]
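The two header tricks this email relies on (a forged-looking chain of Received: lines and a display name that hides the real address) can be checked mechanically. The script below is an added example, not code from the original post: it feeds the headers quoted above (trimmed to the ones the checks need, so a constructed sample) through Python's standard email parser, walks the Received: chain from the most recent hop, picks out the first hop written by our own server (assumed here to be knight.knighthosting.co.uk) as the only IP worth trusting, and flags To:/From: headers whose display name is itself an email address that differs from the real one.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumption: these are our own receiving servers. Received: lines written
# by them are trustworthy; lines written by anyone else are the sender's word.
OUR_HOSTS = {"knight.knighthosting.co.uk"}

# Constructed sample: the headers of the phish discussed in the post,
# reduced to the Received:, To:, From: and a few identity headers.
RAW_HEADERS = """\
Received: from [52.165.134.39] (port=65009 helo=price5)
\tby knight.knighthosting.co.uk with esmtp (Exim 4.88)
\t(envelope-from <ytdhg@ytsrgfey.com>)
\tid 1cqR6z-0003ua-N6
\tfor greenpeace@dvk01.com; Tue, 21 Mar 2017 21:14:37 +0000
Received: from price5.fbnuvoezyhmuvjwiabgskqgnwc.gx.internal.cloudapp.net ([127.0.0.1]) by price5 with Microsoft SMTPSVC(8.5.9600.16384);
\tTue, 21 Mar 2017 21:12:42 +0000
Subject: Important Notification
To: "alert@emailservie.com" <ytdhg@ytsrgfey.com>
From: "WebMail Administrator" <ytdhg@ytsrgfey.com>
Date: Tue, 21 Mar 2017 21:12:42 +0000
Message-ID: <PRICE5gZcUYzEMPnop300001283@price5>

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)     # host that wrote the line
HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)  # name the sender claimed


def parse_received(raw):
    """Return one dict per Received: header, most recent hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        ip_match = IP_RE.search(value)
        by_match = BY_RE.search(value)
        helo_match = HELO_RE.search(value)
        ip = ip_match.group(1) if ip_match else None
        hops.append({
            "from_ip": ip,
            "by": by_match.group(1).rstrip(";") if by_match else None,
            "helo": helo_match.group(1) if helo_match else None,
            # loopback, private and reserved addresses are never a real origin
            "public": ip is not None and ipaddress.ip_address(ip).is_global,
        })
    return hops


def last_trusted_external_ip(hops, our_hosts=OUR_HOSTS):
    """IP recorded by the first hop one of our own servers wrote.

    That is the address that actually connected to us. Anything further down
    the chain was written by the sender and may be invented."""
    for hop in hops:
        if hop["by"] in our_hosts and hop["public"]:
            return hop["from_ip"]
    return None


def display_name_spoof(header_value):
    """True when the display name is itself an email address that differs
    from the real address, so a client showing only the name misleads."""
    name, addr = parseaddr(header_value)
    if "@" not in name:
        return False
    return name.strip().lower() != addr.lower()


def analyze(raw=RAW_HEADERS):
    """Summarise the checks for one message's raw headers."""
    msg = email.message_from_string(raw)
    hops = parse_received(raw)
    return {
        "trusted_ip": last_trusted_external_ip(hops),
        "claimed_helo": hops[0]["helo"] if hops else None,
        "to_spoofed": display_name_spoof(msg.get("To", "")),
        "from_spoofed": display_name_spoof(msg.get("From", "")),
        "from_address": parseaddr(msg.get("From", ""))[1],
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On the sample the trusted IP comes out as 52.165.134.39, the HELO name is just "price5" (a bare hostname, not a mail domain), and the To: header is flagged because its display name alert@emailservie.com has nothing to do with the real address. The From: header is not flagged by this particular check, since "WebMail Administrator" is not an address; catching that case needs a policy decision about what names are allowed to claim to be your administrator.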

The link goes to http://ostelloforyou.altervista.org/modules/007008.php, which redirects to a page looking like a typical cPanel webmail login page at http://transcapital.com.ge/language/hgfghj/webmail/index.php. Once you enter an email address and password there, you are bounced on to a genuine cPanel webmail login page at http://jattours.com:2095/, which appears to be an innocent site picked at random and gives no indication of having been hacked or compromised. The point of the final redirect is that the victim sees a real login page, assumes they mistyped their password, and never realises the credentials were captured by the fake page in the middle.