Hi, just wasn't sure if I should post this here because this is not really related to bitcoins but I post it anyway cause I received this email with a email address I only use for bitcoin:
info@btcrow.comHere's the headers of email with some informations removed and replaced with (removed.fqdn.server):
------------------------------------------------ CUT -----------------------------------------------------
Return-Path: <
Claire@fia-net.fr>
X-Original-To:
info@btcrow.comDelivered-To:
info@btcrow.comReceived: from WIN-5D8CTVHD5GU (unknown [78.129.222.148])
by removed.fqdn.server (Postfix) with ESMTP id 199E035425C
for <
info@btcrow.com>; Sat, 16 Jul 2011 12:50:33 -0500 (CDT)
Received: from User ([127.0.0.1]) by WIN-5D8CTVHD5GU with Microsoft SMTPSVC(7.5.7600.16385);
Sat, 16 Jul 2011 18:50:06 +0200
Reply-To: <
service@orange.fr>
From: "
service@paypal.fr"<
Claire@fia-net.fr>
Subject: Notification de conexion a votre compte PayPal .
Date: Sat, 16 Jul 2011 18:50:06 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1250"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <WIN-5D8CTVHD5GUcQAB00000064@WIN-5D8CTVHD5GU>
X-OriginalArrivalTime: 16 Jul 2011 16:50:06.0179 (UTC) FILETIME=[6A44C330:01CC43D8]
To: undisclosed-recipients:;
------------------------------------------------ CUT -----------------------------------------------------
This first (before seing the message sound spammy and fishy to me cause of return-path and reply-to fields.
here's the screenshot of the message now:
Also there's the source of the html email mesage:
------------------------------------------------ CUT -----------------------------------------------------
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="
http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<img src="
http://playaussierules.com/wp-admin/images/form.png" width="598" height="699" border="0" usemap="#formpaypal" />
<map name="formpaypal" id="formpaypal">
<area shape="rect" coords="61,484,496,498" href="
http://esroros.net/url/url" alt="Accés au formulaire" />
<area shape="rect" coords="251,629,276,641" href="
https://www.paypal.com/fr/cgi-bin/helpweb?cmd=_help" alt="Aide" />
<area shape="rect" coords="285,629,368,641" href="" alt="Espace Sécurité" />
</map>
</body>
</html>
------------------------------------------------ CUT -----------------------------------------------------
As you can see the scam image and the form once you click the link are hosted (It's a guess but I'm sure at 99%) on a hacked website.
The 2 url are:
hxxp://esroros.net/url/url
and
hxxp://playaussierules.com/wp-admin/images/form.png
They use the area shape trick to fake a real link from paypal but once you click it it redirect to their fake form to steal you paypal credentials.
Just want to warn people here who aren't familiar with that type of messages to never ever complete it.
Paypal / Visa / MasterCard / Your Bank, anything which is relative to keeping safe your money won't ever send you message asking you your password and login informations.
If you have doubt when receiving this kinda email, Always verify with the genuine website in order to be sure that nobody want to phish you.
If you have questions it will be a pleasure to answer them here.
EDIT: I'll shortly send email to owner of esroros.net and playaussierules.com in order to let them know that their websites have been hacked.
