Posts Tagged ‘phishing’

New PayPal Walmart Phishing Scam Making The Rounds

Monday, August 22nd, 2022

There’s a new phishing scam making the rounds. I’ve received examples of this one twice myself over the last week, and since it’s a lot more sophisticated and polished than the average email phishing scam, I think it’s worth taking a look at.

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

As always, look at every message from any financial institution as a potential phishing attack, so never click on links sent in email. Use your regular browser login to see if it’s a real issue, and if it’s a phishing scam, be sure to report the email in question.
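The lesson of this one is that header authentication alone cannot catch it: the mail really did come from PayPal, so SPF, DKIM and DMARC all pass, and the only phishing content is the seller-supplied invoice note telling the recipient to phone a toll-free number. The Python below is an added example (not from KrebsOnSecurity, PayPal or the original post) of the kind of content heuristic a mail-gateway rule might apply to such notes. The two sample notes are constructed: the first paraphrases the invoice text quoted above with a fictional 555 phone number, the second is an ordinary invoice note. The scoring weights are the example's own choice.

```python
import re

# Constructed sample notes. SCAM_NOTE paraphrases the invoice text quoted in
# the post; the phone number is fictional (555-01xx range).
SCAM_NOTE = (
    "There is evidence that your PayPal account has been accessed unlawfully. "
    "$600.00 has been debited to your account for the Walmart Gift Card "
    "purchase. This transaction will appear in the automatically deducted "
    "amount on PayPal activity after 24 hours. If you suspect you did not make "
    "this transaction, immediately contact us at the toll-free number "
    "1-888-555-0199."
)
BENIGN_NOTE = ("Invoice for web design services, due in 30 days. "
               "Questions? Reply to this email.")

# NANP toll-free area codes: the kind of number these lures ask victims to call.
TOLL_FREE_CODES = {"800", "833", "844", "855", "866", "877", "888"}
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
URGENCY_PHRASES = ("immediately", "24 hours", "unlawfully", "unauthorized", "suspended")
CALLBACK_PHRASES = ("contact us at", "call us", "toll-free", "toll free")
THRESHOLD = 5  # example weighting; tune against real traffic


def score_invoice_note(note):
    """Score seller-supplied invoice text for callback-scam indicators.

    Returns (score, reasons). Authentication results are deliberately not
    consulted: as the post shows, a platform-generated invoice passes them.
    """
    text = note.lower()
    score, reasons = 0, []

    phones = PHONE_RE.findall(note)  # group 1 is the area code
    if any(code in TOLL_FREE_CODES for code in phones):
        score += 3
        reasons.append("toll-free callback number")
    elif phones:
        score += 1
        reasons.append("phone number in note")

    if AMOUNT_RE.search(note):
        score += 1
        reasons.append("dollar amount cited")

    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        score += min(len(hits), 3)
        reasons.append("urgency wording: " + ", ".join(hits))

    if any(p in text for p in CALLBACK_PHRASES):
        score += 2
        reasons.append("asks recipient to phone in")

    return score, reasons


def is_callback_lure(note):
    """True when the note scores at or above the example threshold."""
    return score_invoice_note(note)[0] >= THRESHOLD


if __name__ == "__main__":
    for label, note in (("scam", SCAM_NOTE), ("benign", BENIGN_NOTE)):
        score, reasons = score_invoice_note(note)
        print(f"{label}: score={score} lure={is_callback_lure(note)} {reasons}")
```

A rule like this belongs after, not instead of, the authentication checks: it only examines the free-text field the attacker controls, which is exactly the part the platform's signatures vouch for without inspecting.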

Let’s be careful out there…

Most Sophisticated Bluehost Phishing Scam Yet

Sunday, November 17th, 2019

So, a few days ago I got one of the most sophisticated phishing scam messages I’ve ever received. Message:

Bluehost.com

2:46 PM (5 hours ago)

to me
Hello, LAWRENCE PERSON

We are contacting you today because we have disabled your outbound email services temporarily. The reason for this is because you've got a forum that spammers were subscribing to to get messages sent out. They used a spam trap email address that actually resulted in our mail server getting blacklisted.

We need you to add protection to it so it isn't being exploited in the future. You will need to contact us and let us know this has been resolved for us to restore your email services.

For protection, we ask that you require an account to subscribe to topic notifications if you haven't already. We also ask that you add protection to your sign-up page so that spammers cannot automate it. You can do this by using a captcha or something similar to that.

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.313e7d092611f0c58251064957ca6b4c.
cajunhomeservices.com/account/58961/reactivation.html

Thank you,
BlueHost.com Terms of Service Compliance
http://www.bluehost.com
For support go to http://helpdesk.bluehost.com/
Toll-Free: (888) 401-4678

Note the relatively good English and the fairly sophisticated “You have a technical spam problem” hook. The all-caps name and the fact that I don’t have any “forums” are the only giveaways, besides an examination of the actual link provided, that it’s not kosher.

Note that the link actually points to “cajunhomeservices.com”.

Raw source:

Delivered-To: l********@gmail.com
Received: by 2002:ac2:518f:0:0:0:0:0 with SMTP id u15csp11449403lfi;
Thu, 14 Nov 2019 12:46:12 -0800 (PST)
X-Google-Smtp-Source: APXvYqzeSBr4ElY5I4kaRQJbufydJ32F7GyXgzop2lpZkta8d7s7
RkuuytltMNPtM4up1GCCTCwr
X-Received: by 2002:aca:52c2:: with SMTP id g185mr5152898oib.45.1573764372228;
Thu, 14 Nov 2019 12:46:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1573764372; cv=none;
d=google.com; s=arc-20160816;
b=sPXkzlz9bAXMXM5E2CaRKG6d6ybRdOxTCNcjZNm5e5kMRkr4KWL
2xq4PjgaGnn3KIYbVmgahiHv7Trl3QgGFzbryJNeeX5VNhxK/
cSIumeiQnlB3aNUV/0qfNY1Cu6szqcMn890SG6r/
7Nvq3XWQ0kGiPBdTAELDw8QS8bpgIPrSHeKPJ669ifn50yKL7KybJ
PnrlQrJe8rWDPDAag1kkJpPhEWIzhWzETQpMW65pUVsuO4SoleoVo
MRHR4WWZ3x4UgY+I7+s58RjcHDx+uSS5UYboFJd6n+ksMZQUNI9rq
MmUYIdq3GLvXAekXAbIXyzUYo+24K2Z0iusbAJo
CQGA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-transfer-encoding:mime-version:from:to:subject:message-id
:date;
bh=sZf91ll1kaMuGiSLWB5C0DKuw/3r72M1cUA1iJqiuLw=;
b=b5CGhK96w1NqMgkAhr04RJAsjO9YKteraSIV/tvZoFeuEGUhGlHF
nxu8r3KLVTb5fNbAJXyxbLxSy+vxpXeZXhMLcS+OApLDERBmuJ9Pm
VH9TTxayaPbpqTHvyKgCGRr6JG4aM12/7CdqWxy3aH5hRvKwYg8Y35
xZZ0jQgnngrEXsx9glAX3S78XsCGS27BCKzoB/qA7c4245rT7rEXf3
y6uRyZSe6Kc9FaYotV7j5VpjhVr0c+qcf7iJUFtdjLSkYW/BlY2baA
jGq3WixP5g3y9fYZ8X636dLLFcu7PKpKsb324VRcRgKJONc356J7x0
K4I+pEk3oLxlMa8T3
/RLw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=fail (google.com: domain of support@bluehost.com does not designate 192.185.143.39 as permitted sender) smtp.mailfrom=support@bluehost.com;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bluehost.com
Return-Path:
Received: from gateway31.websitewelcome.com (gateway31.websitewelcome.com. [192.185.143.39])
by mx.google.com with ESMTPS id f84si4367574oig.42.2019.11.14.12.46.11
for
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 14 Nov 2019 12:46:12 -0800 (PST)
Received-SPF: fail (google.com: domain of support@bluehost.com does not designate 192.185.143.39 as permitted sender) client-ip=192.185.143.39;
Authentication-Results: mx.google.com;
spf=fail (google.com: domain of support@bluehost.com does not designate 192.185.143.39 as permitted sender) smtp.mailfrom=support@bluehost.com;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bluehost.com
Received: from cm13.websitewelcome.com (cm13.websitewelcome.com [100.42.49.6]) by gateway31.websitewelcome.com (Postfix) with ESMTP id BD99FD53F0 for ; Thu, 14 Nov 2019 14:46:11 -0600 (CST)
Received: from box2082.bluehost.com ([50.87.249.228]) by cmsmtp with SMTP id VM0Ji8N6s3Qi0VM0JiRiqR; Thu, 14 Nov 2019 14:46:11 -0600
X-Authority-Reason: ss=1
Received: from [162.248.225.8] (port=55837 helo=support) by box2082.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from ) id 1iVM0J-003aX1-95 for l*******@gmail.com; Thu, 14 Nov 2019 13:46:11 -0700
Date: Thu, 14 Nov 2019 15:48:38 -0500
Message-ID: <1332064982.webi20191114154838@bluehost.com>
Subject: Disabled your outbound email services temporarily
To: l********@gmail.com
From: "Bluehost.com"
X-Priority: 4 (Low)
Mime-Version: 1.0
X-Mailer: Php_libMail_v_2.11(webi.ru)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box2082.bluehost.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bluehost.com
X-BWhitelist: no
X-Source-IP: 162.248.225.8
X-Source-L: No
X-Exim-ID: 1iVM0J-003aX1-95
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (support) [162.248.225.8]:55837
X-Source-Auth: bh_1572749987@sandiegoslushkin.com
X-Email-Count: 9
X-Source-Cap: c2FuZGlmbjk7c2FuZGlmbjk7Ym94MjA4Mi5ibHVlaG9zdC5jb20=
X-Local-Domain: no
(Note: Line breaks added on ARC lines.)

Note the authentication fails in the raw source of the message.
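Two things in the raw source give this message away: the `spf=fail` and `dmarc=fail` verdicts in Authentication-Results, and a link whose host name begins with `my.bluehost.com` but whose registrable domain is cajunhomeservices.com. The Python below is an added example (not the blog's or Bluehost's code) of how a triage script would pull both facts out automatically. The header excerpt is trimmed from the raw source quoted above and the URL is the one in the message; everything else, including the simplified "last two labels" domain rule, is the example's own assumption.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed excerpt: only the headers this example needs, with the SPF and
# DMARC lines exactly as quoted in the post's raw source.
RAW_MESSAGE = """\
Authentication-Results: mx.google.com;
 spf=fail (google.com: domain of support@bluehost.com does not designate 192.185.143.39 as permitted sender) smtp.mailfrom=support@bluehost.com;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bluehost.com
Subject: Disabled your outbound email services temporarily
From: "Bluehost.com"
Content-Type: text/plain; charset=UTF-8

(body omitted)
"""

# The reactivation link from the message (joined back onto one line).
PHISH_URL = ("http://my.bluehost.com.313e7d092611f0c58251064957ca6b4c."
             "cajunhomeservices.com/account/58961/reactivation.html")


def unfold(value):
    """Join RFC 5322 folded header continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_authentication_results(value):
    """Parse an Authentication-Results (RFC 8601) value.

    Returns (authserv_id, [{'method', 'result', 'props'}, ...]). Parenthesised
    comments are removed before splitting on ';' so a ';' inside a comment
    cannot corrupt the parse.
    """
    value = re.sub(r"\([^)]*\)", "", unfold(value))
    authserv_id, *clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = []
    for clause in clauses:
        m = re.match(r"(\w+)=(\w+)", clause)
        if not m:
            continue
        props = dict(re.findall(r"(\w+\.\w+)=(\S+)", clause))
        results.append({"method": m.group(1).lower(),
                        "result": m.group(2).lower(), "props": props})
    return authserv_id, results


def failed_methods(raw_message):
    """Set of methods whose verdict was anything other than 'pass', read from
    both Authentication-Results and ARC-Authentication-Results headers."""
    msg = message_from_string(raw_message)
    failed = set()
    for name in ("Authentication-Results", "ARC-Authentication-Results"):
        for value in msg.get_all(name, []):
            _, results = parse_authentication_results(value)
            failed.update(r["method"] for r in results if r["result"] != "pass")
    return failed


def registrable_domain(host):
    """Last two labels of the host. Adequate for .com; production code should
    consult the Public Suffix List so names like example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_brand_lookalike(url, brand):
    """True when the brand's domain appears as a run of labels inside the host
    but the host's registrable domain is something else."""
    host = (urlparse(url).hostname or "").lower()
    labels, brand_labels = host.split("."), brand.lower().split(".")
    n = len(brand_labels)
    embedded = any(labels[i:i + n] == brand_labels
                   for i in range(len(labels) - n + 1))
    return embedded and registrable_domain(host) != brand.lower()


if __name__ == "__main__":
    print("failed auth methods:", sorted(failed_methods(RAW_MESSAGE)))
    print("link really goes to:", registrable_domain(urlparse(PHISH_URL).hostname))
    print("bluehost.com lookalike:", is_brand_lookalike(PHISH_URL, "bluehost.com"))
```

Note that a message arriving with `spf=fail` and `dmarc=fail` at the receiving MTA was still delivered to the inbox here; the failures are evidence for the reader, not a block, because the sending domain's DMARC policy was `p=NONE`.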

Let’s do a whois for cajunhomeservices.com:

Domain Name: CAJUNHOMESERVICES.COM
Registry Domain ID: 1987624026_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.fastdomain.com
Registrar URL: http://www.fastdomain.com
Updated Date: 2018-12-16T00:21:49Z
Creation Date: 2015-12-16T00:22:33Z
Registry Expiry Date: 2019-12-16T00:22:33Z
Registrar: FastDomain Inc.
Registrar IANA ID: 1154
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.BLUEHOST.COM
Name Server: NS2.BLUEHOST.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-11-15T02:46:01Z <<<

The interesting thing here is that cajunhomeservices.com is actually registered to bluehost.com. I launched a chat window with technical support (offshore, it seemed like), and they promised to alert the proper security staff.

Lesson: If you receive a message alerting you to some sort of online fraud, never click any link in the message. If it's a domain or service you use, go there by your saved bookmark or by typing the domain URL directly into your browser.

Eternal vigilance is the price of IT security...

LinkSwarm for February 15, 2019

Friday, February 15th, 2019

There’s a much criticized spending bill with a lot of poison pill provisions and a tiny bit of border wall funding President Trump is expected to sign, and then declare a national emergency to get the wall built.

While that’s up in the air, enjoy a Friday LinkSwarm:

  • Democrats don’t want to detain or deport violent felons. If that’s the hill they want to die on, bring on the shutdown. (Hat tip: Director Blue.)
  • “National Border Patrol Council president Brandon Judd told Breitbart News Tonight on Wednesday that Congress had ignored the advice of experts when reaching a deal to provide less than $1.4 billion for border fencing.”
  • The ludicrous nature of the Democrats’ “Green New Deal” continues to haunt them, leading to a lot of walking back economically insane socialist goals. NPR has the original text of the proposal.
  • Jonah Goldberg on the subject:

    These people think that they can adequately plan and run — for all time — an economic system from Washington that would guarantee: “a job with a family-sustaining wage, adequate family and medical leave, paid vacations, and retirement security to all people of the United States” as well as “access to nature.”

    But they can’t even plan the roll out of a non-binding resolution and some press-release materials? And, when confronted by their own words, their immediate response was to accuse their enemies of sabotaging them? Gosh, by all means, let’s give them control of the entire economy. That couldn’t work out badly. I mean “Mistakes happen when doing time launches like this coordinating multiple groups and collaborators,” when uploading FAQs, not when doing anything as simple as commandeering the bulk of the U.S. economy.

  • Republicans pull the dirtiest trick on Democrats ever: forcing them to vote on the Green New Deal lunacy they just endorsed. (Hat tip: Stephen Green at Instapundit.)
  • Bill Barr confirmed as Attorney General.
  • Amazon cancels its New York City HQ2 expansion plans. Government shouldn’t be throwing subsidies at targeted corporations (nor picking winners and losers). The decision is also rich, zesty schadenfreude for Rep. Alexandria Ocasio-Cortez screwing over New York Governor Andrew Cuomo and New York City Mayor Bill de Blasio, who both pushed hard for the Amazon deal.
  • This story should be absolutely infuriating to everyone on all sides of the political spectrum: rather than preserving or processing DNA rape kits, Oklahoma destroyed them.
  • How do Democrats expect to get socialism to work nationwide when they can’t even get it to work at one Panera Bread location?
  • Twitter bias is real. “Of 22 prominent, politically active individuals who are known to have been suspended since 2005 and who expressed a preference in the 2016 U.S. presidential election, 21 supported Donald Trump.” (Hat tip: Director Blue.)
  • Democrats cause climate change. The science is settled!
  • Those pesky peasants are threatening the EU by daring to vote for parties of which the EU elite disapproved.
  • Brexit update:

  • “Migrants” banned from Finnish schools and daycare centers because of all the rapes.
  • Here’s a phishing scam that targets not only credit unions, but the credit union officers in charge of enforcing anti-money laundering laws.
  • Pro-tip: If you’re a phone scammer, try not to target the former head of the FBI and the CIA.
  • Meanwhile in Australia: “$500 per family for a single day’s electricity. There’s your Green New Deal.”
  • Germany and Japan are teaming up to oppose American foreign policy. I’ve seen this movie before, and I don’t think they’ll like how it ends…
  • Islamic State executioner enjoys death by tank. (Hat tip: Stephen Green at Instapundit.)
  • More semi-informed speculation than insider knowledge: “The Notorious RBG…is not dead. But she probably soon will be.” (Hat tip: Doug Ross on Twitter.)
  • New frontiers in unconstitutional legislation: “The Los Angeles City Council voted yesterday to require companies who want to contract with the city to disclose their relationships with the National Rifle Association.” (Hat tip: Ace of Spades HQ.)
  • Disgraced former Democratic state senator Carlos Uresti sentenced to five years for bribery. Unfortunately it will run concurrently with his fraud conviction, and therefore result in no additional time in prison. (Hat tip: Dwight.)
  • Don’t mess with Texas, Part 8,192. Doesn’t say whether the attackers were illegal aliens or not. (Hat tip: HeidiL_RN.)
  • There’s low, and there’s “constable stealing Hurricane Harvey donations” low.
  • Tesla’s Buffalo Gigafactory workers are not happy campers.
  • Jussie Smollett’s hate crime allegations fall apart.
  • New Jersey hates high school football.
  • I don’t keep up with celebrity culture at all, but this is freaking hilarious. (Hat tip: Ann Althouse, who provides context for the celebrity-challenged.)
  • “Millennials Have Discovered ‘Going Out’ Sucks.” And they only discovered this after cities pushed densification policies to herd them all downtown where the clubs and bars are… (Hat tip: Millennial Conservative.)
Attempted BlueHost Phishing Attack

Tuesday, May 16th, 2017

Just got this phishing attempt purporting to be a domain change notification.

Raw source (slightly edited to remove my email address, and with added line breaks to keep the block from spilling into my right-hand links column):


Delivered-To: [my email address]
Received: by 10.129.168.138 with SMTP id f132csp137359ywh;
Tue, 16 May 2017 04:25:08 -0700 (PDT)
X-Received: by 10.25.145.78 with SMTP id y14mr3013524lfj.182.1494933668196;
Tue, 16 May 2017 04:21:08 -0700 (PDT)
X-Received: by 10.25.145.78 with SMTP id y14mr3013498lfj.182.1494933666719;
Tue, 16 May 2017 04:21:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1494933666; cv=none;
d=google.com; s=arc-20160816;
b=EkN54HW9eTyfd0jOfsRVNR0X/FcZbGItIa0uZOBR4HJp7/98oZ6n1B7FLmwrWmZrv4
5dDu5xxwEZUzXOGnickvxjN/j4xeYRwg4QRKcl1oGU/sN1/28cbmMhz+cPm/9IiocabJ
lbM3KY9yS06l8Tqks6NqCjYu37tBecVsdXCIDs97H8jlGMftPJtfHwSjp4NB8
Atmse85rgzAUDI3VQ0heJUNaej7eJ3iQZUoO4WUrE2a83+zL1RFIxhMy
xwuntOSRaMWqjkjUb0z pwB6DYLaFL6I4OBemO2fQ9KPAVSArN+W6yiD/
WTdHOH80EG6taU55R0BSe3v0Cm/JSjA
tGng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=date:message-id:content-transfer-encoding:mime-version:from:subject
:to:delivery-date:arc-authentication-results;
bh=3vPc/J8rnDJTfIYUKavWvnMr/
efHU9EsfJ+Vu6fidbs=;b=fgaxPBNn1/vQIC45obi02J30mqqvoJ8yrp
N9bGIHG2rvWt1Qmtxt4ik7dyARWJDqzvOQnNMHX+
4bC1fVD1qcmjntpe0fkMR8HbYywI8r3k3rZArnj79fVoWJX
wzb0akib3zyGGSFLS+nZ1fkCdPfmU96JmPYevKmB3l0v86yU/
aj2WqNE+Olvc6s14wuBXia8rzGtWtsLHIlm2zmqS2NFLNTv
CapcNPx8ZQvOQEA37pv6oRmlnz/XOg7Rwi4dIrzaAbtY8wv0sI/29
EjXFkxsVgvXKHIRVc685xWXYuYKATJGIzfccUNJaP/
TBuhLI7uS8uo7QBkm+B21jhl0x
AnNw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) smtp.mailfrom=cq99590@annika.timeweb.ru
Return-Path:
Received: from annika.timeweb.ru (annika.timeweb.ru. [2a03:6f00:1::5c35:605f])
by mx.google.com with ESMTPS id p5si688773lfp.49.2017.05.16.04.21.06
for
(version=TLS1_2 cipher=AES128-SHA bits=128/128);
Tue, 16 May 2017 04:21:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) client-ip=2a03:6f00:1::5c35:605f;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) smtp.mailfrom=cq99590@annika.timeweb.ru
Delivery-date: Tue, 16 May 2017 14:21:06 +0300
To: lawrenceperson@gmail.com
Subject: Domain: BATTLESWARMBLOG.COM. Warning 5946
From: Bluehost
X-Priority: 4 (Low)
Mime-Version: 1.0
X-Mailer: Php_libMail_v_2.0(webi.ru)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64
Message-Id:
Date: Tue, 16 May 2017 14:21:06 +0300

RGVhciBCbHVlaG9zdCBjdXN0b21lciBMQVdSRU5DRSBQRVJTT04s
DQoNClRoaXMgbm90aWZpY2F0aW9uIGlzIGdlbmVyYXRlZCBhdXRvb
WF0aWNhbGx5IGFzIGEgc2VydmljZSB0byB5b3UuDQpXZSBoYXZlI
HJlY2VpdmVkIGEgcmVxdWVzdCB0aGF0IHRoZSBuYW1lIHNlcnZlcn
MgYmUgY2hhbmdlZCBmb3IgdGhlIGZvbGxvd2luZyBkb21haW4gbm
FtZShzKToNCg0KQkFUVExFU1dBUk1CTE9HLkNPTQ0KDQpJZiB5b3U
gYXJlIG1vbml0b3JpbmcgdGhpcyBuYW1lIHdpdGggRG9tYWluIEJh
Y2tvcmRlcnMsIHRoZSBhYm92ZSBjaGFuZ2UgaXMgYWxzbyBkaXNwb
GF5ZWQgaW4gdGhlICJNb25pdG9yaW5nIGFuZCBCYWNrb3JkZXJpbm
ciIHNlY3Rpb24gb2YgeW91ciBBY2NvdW50IE1hbmFnZXIuDQoNCmh
0dHA6Ly9teS5ibHVlaG9zdC5jb20uNjczMjcxY2M0N2MxYTRlNzdm
NTdlMjM5ZWQ0ZDI4YTcuZm9vb3BlcnRvLmNsaWVudC5jb29wZXJ0a
W5vLXRlc3QucnUvZG9tYWluL2x4eHZrbWhtem8uaHRtDQoNClRo
YW5rIHlvdSwNCkJsdWVob3N0DQpUb2xsIEZyZWU6ICg4ODgpIDQw
MS00Njg4DQpPdXRzaWRlIFVTOiAxKyg4MDEpIDc1Ni05NTAw


And here’s the non-encoded message payload:


Dear Bluehost customer LAWRENCE PERSON,

This notification is generated automatically as a service to you.
We have received a request that the name servers be changed for the following domain name(s):

BATTLESWARMBLOG.COM

If you are monitoring this name with Domain Backorders, the above change is also displayed in the “Monitoring and Backordering” section of your Account Manager.

http://my.bluehost.com.673271cc47c1a4e77f57e239ed4d28a7.foooperto.
client.coopertino-test.ru/domain/lxxvkmhmzo.htm

Thank you,
Bluehost
Toll Free: (888) 401-4688
Outside US: 1+(801) 756-9500

Note the .ru address in the phishing link, and the phishing URL suggests this attempt is geared at Mac users.

I don’t think I was personally targeted; I think this was probably sent out to every BlueHost domain contact email address the spammers could target.

I’m posting this as a warning to other BlueHost domain owners (and, in fact, anyone else that has a hosted domain): 1. Don’t click suspicious email links. 2. When in doubt, every email link is suspicious. Log into your domain hosting control panel directly like you normally would and contact your hosting company that way.

This was a clumsy attempt. Additional phishing attacks are likely to be more sophisticated. Let the blogger beware…
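The raw source above illustrates a practical triage point: the phishing link is nowhere in a plain-text search of the message, because the body is base64 transfer-encoded (`Content-Transfer-Encoding: base64`) and only becomes readable once decoded. The Python below is an added example, not from the original post, that builds a constructed message of the same shape (a base64 text/plain body carrying the URL quoted above, with the recipient name and domain replaced by placeholders and a placeholder From address), decodes the payload with the standard library, lists each link's host and top-level label, and pulls out the X-Mailer string, which both Bluehost-themed messages on this page share in the form `Php_libMail_v_2.x(webi.ru)`.

```python
import base64
import re
from email import message_from_bytes
from urllib.parse import urlparse

# Constructed plaintext modelled on the decoded payload quoted in the post.
# The URL is the one shown there; name and domain are placeholders.
LURE_TEXT = (
    "Dear Bluehost customer EXAMPLE NAME,\r\n\r\n"
    "We have received a request that the name servers be changed for the "
    "following domain name(s):\r\n\r\nEXAMPLE-DOMAIN.COM\r\n\r\n"
    "http://my.bluehost.com.673271cc47c1a4e77f57e239ed4d28a7.foooperto."
    "client.coopertino-test.ru/domain/lxxvkmhmzo.htm\r\n\r\n"
    "Thank you,\r\nBluehost\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample_message():
    """Assemble a raw message in the shape of the one in the post: a few
    headers, then a base64 transfer-encoded text/plain body. Constructed;
    the From address is a placeholder, not the original sender."""
    body = base64.encodebytes(LURE_TEXT.encode("utf-8")).decode("ascii")
    headers = (
        "From: Bluehost <sender@example.invalid>\r\n"
        "Subject: Domain: EXAMPLE-DOMAIN.COM. Warning 5946\r\n"
        "X-Mailer: Php_libMail_v_2.0(webi.ru)\r\n"
        "Mime-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=UTF-8\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
    )
    return (headers + body).encode("ascii")


def raw_source_mentions(raw, needle):
    """Does the undecoded source contain the string? For a base64 body the
    answer is no, which is why grepping raw mail for link domains misses it."""
    return needle.encode("utf-8") in raw


def decoded_body_text(raw):
    """Undo the Content-Transfer-Encoding and the declared charset."""
    msg = message_from_bytes(raw)
    payload = msg.get_payload(decode=True)  # base64 -> bytes
    charset = msg.get_content_charset() or "utf-8"
    return payload.decode(charset, errors="replace")


def link_report(raw):
    """(hostname, top-level label) for every URL in the decoded body."""
    report = []
    for url in URL_RE.findall(decoded_body_text(raw)):
        host = urlparse(url).hostname or ""
        report.append((host, host.rsplit(".", 1)[-1]))
    return report


def x_mailer(raw):
    """The X-Mailer header, a cheap indicator worth a gateway rule when the
    same unusual string recurs across lures (as it does on this page)."""
    return message_from_bytes(raw).get("X-Mailer", "")


if __name__ == "__main__":
    raw = build_sample_message()
    print("link visible in raw source:", raw_source_mentions(raw, "coopertino-test.ru"))
    for host, tld in link_report(raw):
        print(f"decoded link host: {host} (.{tld})")
    print("X-Mailer:", x_mailer(raw))
```

The decoded text still has to be read with the same scepticism as the headers: the host name starts with `my.bluehost.com` exactly as the 2019 message's did, and it is the label sequence at the right-hand end (`coopertino-test.ru`) that determines where the browser actually goes.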