Phishing email received after installation

Discussion in 'AnyStream (de)' started by Josef Carnap, Feb 20, 2021.

  1. Josef Carnap

    Josef Carnap New Member

    Hello forum,

    I downloaded and installed AnyStream today. After logging in to Amazon for the first time (I wanted to download a film as a test), a few minutes later I received an email in bad German from Amazon. My account had supposedly been suspended, and I should log in to Amazon, etc.

    The email is fake; it is a phishing attempt.

    I was a bit taken aback. Are there any users here who have had similar experiences?
     
  2. D300

    D300 Well-Known Member

    Doesn't necessarily have anything to do with AnyStream... and certainly not with installing it... it's just that your email address was harvested somewhere, and now someone is making mischief with it...
    You have to compare the messages in your email account with the messages in the Message Center.....
    A message to you that is not also stored in the Message Center is not from Amazon either!!
     
    Last edited: Feb 21, 2021
  3. tectpro

    tectpro Translator (ms_MY)

    This is the first report of something like this.
    If it were connected, it would be reported more often.

    It may have been pure coincidence.
     
  4. Ivan

    Ivan Admin Staff Member

    Could you please post the source including headers of this email? I'll investigate this matter. Please remove your email address before posting it.

    RedFox does not send spam, nor do we share any data with anybody. It sounds like you installed a trial version, so we do not even know your email address.

    Thanks
     
  5. Josef Carnap

    Josef Carnap New Member

    I'm pleased to post the header of the e-mail.

    I have replaced my real e-mail address with my-email-address on each occurrence.


    Code:
    From - Sun Feb 21 07:46:02 2021
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    Return-Path: <supportservicesl14186@putanginamos.com>
    Received: from fra1frontrelay05.vodafonemail.de (fra1prox51.fra-mediabeam.com [10.110.1.51])
        by fra1checkrelay07.fra-mediabeam.com (8.15.2/8.15.2/Debian-10) with ESMTPS id 11KCKXw5007161
        (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
        for <my-email-address>; Sat, 20 Feb 2021 13:20:34 +0100
    Received: from mail-qk1-f177.google.com (mail-qk1-f177.google.com [209.85.222.177])
        by fra1frontrelay05.vodafonemail.de (8.15.2/8.15.2/Debian-10) with ESMTPS id 11KCKTN9031057
        (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT)
        for <my-email-address>; Sat, 20 Feb 2021 13:20:30 +0100
    Authentication-Results: fra1frontrelay05.vodafonemail.de; dmarc=pass (p=quarantine dis=none) header.from=putanginamos.com
    Authentication-Results: fra1frontrelay05.vodafonemail.de;
        dkim=pass (2048-bit key; unprotected) header.d=putanginamos.com header.i=@putanginamos.com header.b="kIzWPEtW";
        dkim-atps=neutral
    Received: by mail-qk1-f177.google.com with SMTP id t62so8237570qke.7
            for <my-email-address>; Sat, 20 Feb 2021 04:20:30 -0800 (PST)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=putanginamos.com; s=google;
            h=date:to:from:subject:message-id:mime-version;
            bh=YYiPSNAwqRFhuhL2Ja32EUfIFRG4oHWhlNPt8Af7cl4=;
            b=kIzWPEtWGZNiP2dbAYF37OPQ2Yx3VcgQfERIcD8KWSP+TUeg6Ajrp4QX8Mvj3XRkq7
             dbnbyaW3N5HeI08xojG1wPWA05xNsh0esgoi9xyYV+heOzfMkOVlua2NDWus90yAWnA1
             uXJvMKcWkzSOxG6m3AkgjGeBxXz1GcPaJQoZ460bxQBKoJ5vI9Sq/Z8JGNjG9zB6sFtN
             ekE7J3JlcI6dhmet3NNvQRX0MsphUy8KuwkV+SKkSZP2VrC6jFuIh8CuRFKYbJd1JACQ
             JfqHQ0GkXhoFw+pM+L/1AhhWm5Ikf3v0i79bLRQwYaUCp1dp/bEubCSCDToQt2rsFooc
             ph8Q==
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=1e100.net; s=20161025;
            h=x-gm-message-state:date:to:from:subject:message-id:mime-version;
            bh=YYiPSNAwqRFhuhL2Ja32EUfIFRG4oHWhlNPt8Af7cl4=;
            b=bOwSv4C8R0ZRKLEB2VSf8KIWDMfaNyC8emv3sgKHaNSpaCkPF7+2kpGdMFYBqMcvWP
             bLEi9/DZJ23VPN/PFyLbAxgAcbAKR96dd240kblcqI7Ed4P27z/NnNPZL+FS1f31p8dF
             8UvPxh3EV/mMfPy31vQ0u4lkbmyONwCdz38AaCLrbvM4ISoxj3JPq91ZNPLlxb0Gye5h
             liGjjdxU4W1juFrKSCZnlQd5dA6OTmO+0JJ61IqYJFd0TKAIjncbH6JbsZqPLnI9lwQv
             pfRG85Y7dtLn+aVMPX3617KMEkKayD7QKjIZxqYVVlTfPn6li8567rSySahOKdeK7p6U
             52fQ==
    X-Gm-Message-State: AOAM530tC+DT1Dw7cNhkfqUk97uQOsXhArnpahEWxtRvDOQ8rET+eivP
        b5oacMHhICdhWqewPzksGUnV8gU0wwXgy3Kva07alExHiklb/JCBIxqg4mHvwhqnF1XBsO8GWj7
        BYeLp
    X-Google-Smtp-Source: ABdhPJx0+xPj3/JTn1FAFlif9AmcCY9qSsKxKOEhZa+AXO+Mg8tle2LcyLUIEzsnK8nyrjosWQ/D3w==
    X-Received: by 2002:a37:9b0c:: with SMTP id d12mr13125531qke.215.1613823627665;
            Sat, 20 Feb 2021 04:20:27 -0800 (PST)
    Received: from ubuntu-s-1vcpu-2gb-nyc1-01 ([64.227.18.140])
            by smtp.gmail.com with ESMTPSA id v23sm5671040qtb.83.2021.02.20.04.20.25
            (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
            Sat, 20 Feb 2021 04:20:26 -0800 (PST)
    Date: Sat, 20 Feb 2021 12:20:25 +0000
    To: supportservicesl84584@tigaserangkais.com
    From: =?UTF-8?B?S+KAjm/igI5u4oCOdOKAjm/igI4g4oCOV+KAjmHigI5y4oCObuKAjnXigI5u?=
    =?UTF-8?B?4oCOZ+KAjkDigI5B4oCObeKAjmHigI564oCOb+KAjm7igI4u4oCOZOKAjmU=?= <supportservicesl14186@putanginamos.com>
    Subject: =?UTF-8?Q?[Warnung]_:_Ihr_Konto_vor=C3=BCbergehend_gesperrt_ist,_=C3=BCbe?=
    =?UTF-8?Q?rpr=C3=BCfen_Sie_jetzt._Sat,_February_20,_2021__12:20_PM?=
    Message-ID: <c1nQ0GuKKV28nzLlPGdOaGDzpKnsZwLboNZSl1GZL6o@ubuntu-s-1vcpu-2gb-nyc1-01>
    X-Priority: 3
    X-Mailer: Microsoft Avondale Mailer
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
        boundary="b1_c1nQ0GuKKV28nzLlPGdOaGDzpKnsZwLboNZSl1GZL6o"
    X-purgate-type: clean
    X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
    X-purgate: clean
    X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
    X-purgate-size: 1933551
    X-purgate-ID: 149169::1613823632-000005C6-2AD0771C/0/0
    X-mediaBEAM-SpamCheck: ham
    
    This is a multi-part message in MIME format.
    --b1_c1nQ0GuKKV28nzLlPGdOaGDzpKnsZwLboNZSl1GZL6o
    Content-Type: text/html; charset=UTF-8
    Content-Transfer-Encoding: base64
    
    w5ZmZm5lbiwgdW0gdmVyd2FuZHRlIEluaGFsdGUgYW56dXplaWdlbiAyMC0wMi0yMDIx
    
    --b1_c1nQ0GuKKV28nzLlPGdOaGDzpKnsZwLboNZSl1GZL6o
    Content-Type: application/pdf; name="=?UTF-8?Q?=C3=84ndern_Sie_Ihre_Daten_vorerst_20-02-2021.pdf?="
    Content-ID: <Ändern Sie Ihre Daten vorerst 20-02-2021.pdf>
    Content-Disposition: attachment; filename="=?UTF-8?Q?=C3=84ndern_Sie_Ihre_Daten_vorerst_20-02-2021.pdf?="
    Content-Transfer-Encoding: base64
    
    JVBERi0xLjcKJafj8fEKMiAwIG9iago8PAovVHlwZSAvQ2F0YWxvZwovUGFnZXMgNCAwIFIKL05h
    bWVzIDUgMCBSCi9PdXRsaW5lcyA2IDAgUgovT0NQcm9wZXJ0aWVzIDcgMCBSCi9FeHRlbnNpb25z
    IDggMCBSCi9BY3JvRm9ybSA5IDAgUgo+PgplbmRvYmoKMTcgMCBvYmoKPDwKL0ZpbHRlciBbL0Zs
    YXRlRGVjb2RlXQovTGVuZ3RoIDE1NjIKPj4Kc3RyZWFtDQp42s1ZSW8bNxS+DzD/gbcuqBm+xx01
    ... PDF file ...
    --b1_c1nQ0GuKKV28nzLlPGdOaGDzpKnsZwLboNZSl1GZL6o--

    In the e-mail there is an attachment in PDF. I attach the PDF file, too.
     


  6. Ivan

    Ivan Admin Staff Member

    Thanks @Josef Carnap !
    "Bierkarte"? I know that Germans love beer, but I didn't know that Amazon accepts payments in beer money. :coolman:

    Technically the spam is well done and hard for spam filters to identify as spam.
    The PDF file has been created with Corel Draw 2020 (didn't know CD is still around) by author "Ananda Nicolas", which seems to be the spammer's real name.
    The source of the spam seems to be Vietnam.

    However, AnyStream works like a browser and connects you directly with Amazon or Netflix. None of your credentials are sent to RedFox; they are stored locally and encrypted.
    If there were a leak in AnyStream (or your computer got hacked), there would be no need to send you an Amazon phishing mail, since the hacker might already have this data :)

    So receiving this spam was just a coincidence...
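A defender's check on the headers posted above, written as an added example (not code from the thread, from RedFox or from AnyStream): it decodes the RFC 2047 From header, counts the invisible U+200E left-to-right marks hidden between the letters of the display name, and compares the brand the display name shows with the domain that actually passed DKIM/DMARC in Authentication-Results. The sample message is constructed from the quoted header lines only, and the function names are my own.

```python
import email
import re
import unicodedata
from email.header import decode_header

# Constructed sample: only the From/Authentication-Results/To lines quoted in the thread.
RAW_MESSAGE = """\
Authentication-Results: fra1frontrelay05.vodafonemail.de; dmarc=pass (p=quarantine dis=none) header.from=putanginamos.com
From: =?UTF-8?B?S+KAjm/igI5u4oCOdOKAjm/igI4g4oCOV+KAjmHigI5y4oCObuKAjnXigI5u?=
 =?UTF-8?B?4oCOZ+KAjkDigI5B4oCObeKAjmHigI564oCOb+KAjm7igI4u4oCOZOKAjmU=?= <supportservicesl14186@putanginamos.com>
To: supportservicesl84584@tigaserangkais.com

"""


def decode_rfc2047(value):
    # Decode every encoded word into one str, keeping all code points (no normalisation).
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def strip_invisible(text):
    # Drop Unicode format characters (category Cf), such as U+200E, that render as nothing.
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def analyze_from(raw_message):
    """Compare the brand in the From display name with the domain that passed authentication."""
    msg = email.message_from_string(raw_message)
    decoded = decode_rfc2047(msg["From"])
    visible = strip_invisible(decoded)
    match = re.search(r"<([^<>]+)>\s*$", visible)
    display = visible[: match.start()].strip() if match else ""
    address = match.group(1) if match else visible.strip()
    # DKIM/DMARC only vouch for the domains named in Authentication-Results.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    authenticated = {d.lower() for d in re.findall(r"header\.(?:from|d)=([\w.-]+)", auth)}
    # A domain-looking token inside the display name is the brand being impersonated.
    claimed = {d.lower() for d in re.findall(r"@([\w-]+\.[\w.-]+)", display)}
    return {
        "display_name": display,
        "address": address,
        "hidden_chars": len(decoded) - len(visible),
        "authenticated_domains": authenticated,
        "claimed_domains": claimed,
        "suspicious": len(decoded) != len(visible) or not claimed <= authenticated,
    }
```

For this message the display name decodes to "Konto Warnung@Amazon.de" with 22 invisible marks interleaved, while DMARC and DKIM passed only for putanginamos.com, which is why a filter that trusts "dmarc=pass" alone lets it through.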
     
  7. Josef Carnap

    Josef Carnap New Member

    Thanks a lot for your analysis. I will try to download a film once more. If I get a spam mail again, I will install Windows from scratch. Perhaps my computer is hacked.
     
  8. Ivan

    Ivan Admin Staff Member

    I don't think your computer got hacked. This spam email was just "Zufall".