cyberwart

I’m into phishing attacks. I think they can be very clever and effective. So despite hating spam, when a particularly interesting attack makes it through my filters I’m interested. Here is a below message I recently received:

Received: from rrcs-70-61-41-118.central.biz.rr.com ([70.61.41.118]) by
XYZ.cyberwart.com with XYZ; Wed, 20 Aug 2008
16:46:16 -0400
Received: from [70.61.41.118] by vs.inext.co.jp; Wed, 20 Aug 2008 15:46:19
-0500
From: “Curtis Townsend” <xire@braintrust-art.com>
To: <XYZ@cyberwart.com>
Subject: Fedex Tracking N_ 6625268383
Date: Wed, 20 Aug 2008 15:46:19 -0500
Message-ID: <01c902db$e3389780$76293d46@xire>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=”—-=_NextPart_000_000E_01C902DB.E3389780″
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700
Importance: Normal
Return-Path: xire@braintrust-art.com
X-OriginalArrivalTime: 20 Aug 2008 20:46:24.0488 (UTC)
FILETIME=[CF540680:01C90305]
X-Evolution-Source: pop://XYZ@localhost/

This is a multi-part message in MIME format.

——=_NextPart_000_000E_01C902DB.E3389780
Content-Type: text/plain; charset=”iso-8859-1″
Content-Transfer-Encoding: 7bit

Unfortunately we were not able to deliver postal package you sent on August the 1st in time
because the recipients address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your FEDEX

——=_NextPart_000_000E_01C902DB.E3389780
Content-Type: application/zip; name=”WD6128922.zip”
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=”WD6128922.zip”

I’m waiting on a couple fedex packages so I almost opened it. The sad thing is that looking at it, the details aren’t really there. They should have spoofed the sender and made it look more like a real fedex message.