Tag archive: fraud

Caixa Online Scam Starts Circulating This Week

By José Antonio Milagre

Publication date: 25 August 2009

Another phishing scam began circulating on the Internet this Tuesday morning (25 August 2009). In it, the user receives an e-mail apparently from “CAIXA”, with the subject “Componente Atualizado Caixa”, and with a text that was certainly proofread by a Portuguese teacher (unlike many in circulation, where the attacker's poor grammar is plain to see).

When we examine the e-mail's properties, we find that it actually comes from the address “<caixa (a) rec org>”, which by itself is enough to establish the fraud. When we examine the header, we see that the criminals use the “privatedns” service, with IPs allocated outside Brazil:

  Return-path: <nobody@cl-t030-521cl.privatedns.com>
  Envelope-to: jose.milagre@legaltech.com.br
  Delivery-date: Tue, 25 Aug 2009 10:37:39 -0300
  Received: from ip-67-205-74-71.static.privatedns.com ([67.205.74.71] helo=cl-t030-521cl.privatedns.com)
  by servidor1.aquaticbrasil.com.br with esmtps (TLSv1:AES256-SHA:256)
  (Exim 4.69)
  (envelope-from <nobody@cl-t030-521cl.privatedns.com>)
  id 1MfwDT-0005Mx-0o
  for jose.milagre@legaltech.com.br; Tue, 25 Aug 2009 10:37:39 -0300
  Received: from nobody by cl-t030-521cl.privatedns.com with local (Exim 4.69)
  (envelope-from <nobody@cl-t030-521cl.privatedns.com>)
  id 1MfwD9-0001aJ-Cu
  for jose.milagre@legaltech.com.br; Tue, 25 Aug 2009 18:37:19 +0500
  To: jose.milagre@legaltech.com.br
  Subject: Componente Atualizado CAIXA.
  From: CAIXA <caixa@rec.org>
  MIME-Version: 1.0
  Content-type: text/html; charset=iso-8859-1
  Content-Transfer-encoding: 8bit
  Reply-To: CAIXA <caixa@rec.org>
  Message-ID: <58c06cb77ac55bbefb37935af65fb136@rec.org>
  X-Priority: 3
  X-MSmail-Priority: High
  X-Mailer: Microsoft Office Outlook, Build 11.0.5510
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
  X-Mailer: iGMail [www.ig.com.br]
  X-Originating-Email: [CAIXA]
  X-Sender: CAIXA
  X-Originating-IP: [201.201.120.121]
  X-iGspam-global: Unsure, spamicity=0.570081 ? pe=5.74e-01 ? pf=0.574081 ? pg=0.574081
  Date: Tue, 25 Aug 2009 18:37:19 +0500
  X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
  X-AntiAbuse: Primary Hostname ? cl-t030-521cl.privatedns.com
  X-AntiAbuse: Original Domain ? legaltech.com.br
  X-AntiAbuse: Originator/Caller UID/GID ? [99 99] / [47 12]
  X-AntiAbuse: Sender Address Domain ? cl-t030-521cl.privatedns.com
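The checks applied to this header by eye can be scripted. The following is an added example, not code from the original article: it uses a condensed copy of the header above, hypothetical function names, and assumes that `caixa.gov.br` (the domain of the bank's images quoted in this article) is the domain a genuine message would use.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Condensed from the header shown above; only the fields checked here are kept.
SAMPLE = """\
Return-path: <nobody@cl-t030-521cl.privatedns.com>
Received: from ip-67-205-74-71.static.privatedns.com ([67.205.74.71] helo=cl-t030-521cl.privatedns.com)
\tby servidor1.aquaticbrasil.com.br with esmtps (Exim 4.69)
\tid 1MfwDT-0005Mx-0o; Tue, 25 Aug 2009 10:37:39 -0300
Subject: Componente Atualizado CAIXA.
From: CAIXA <caixa@rec.org>
Reply-To: CAIXA <caixa@rec.org>
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-Mailer: iGMail [www.ig.com.br]
X-Originating-IP: [201.201.120.121]

"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def analyze(raw, brand_domain):
    """Collect the inconsistencies a reviewer looks for in phishing headers."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    if from_dom != brand_domain and not from_dom.endswith("." + brand_domain):
        findings.append(f"From domain {from_dom} is not {brand_domain}")
    if env_dom != from_dom:
        findings.append(f"envelope sender {env_dom} differs from From {from_dom}")
    mailers = msg.get_all("X-Mailer", [])
    if len(set(mailers)) > 1:
        findings.append(f"{len(mailers)} conflicting X-Mailer headers")
    # Bracketed IPv4 literals in Received lines are what the receiving MTA saw.
    relay_ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                           " ".join(msg.get_all("Received", [])))
    return {"findings": findings, "relay_ips": relay_ips}

if __name__ == "__main__":
    report = analyze(SAMPLE, "caixa.gov.br")
    print("relay IPs:", report["relay_ips"])
    for line in report["findings"]:
        print("-", line)
```

Only the `Received` line written by the recipient's own server is trustworthy; `X-Originating-IP` and `X-Mailer` are supplied by the sender and are reported here only as inconsistencies.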

Interestingly, in the false identity the criminal takes care to use images that really do come from the bank's site. See these excerpts of the HTML code:

  <tr>
  <td style="text-align: left; background-color: rgb(0, 0, 153);"><img
  src="http://www.caixa.gov.br/_newimages/icaixa/header_caixa.jpg"
    alt="cef" style="" /><img style="width: 141px; height: 57px;" alt="bank"
    src="http://www.caixa.gov.br/_newimages/icaixa/O_banco_que_acredita.jpg" /></td>
  </tr>

We then checked the link from which the supposed file is downloaded:

  http://213.42.201.62/conn3.asp?http://www.caixa.gov.br/Modulo?card_id=3948298d8v9y589498veimv4y45r9er8v13

Note that the forger places the Caixa site in the “query string”, solely to fool the quick visual check of a less attentive user.
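A mail filter or a reviewer can separate the host a link really points to from text that merely appears after it. This is an added example, not part of the original article; the function name is hypothetical, and the genuine URL used for contrast is one of the bank's image URLs from the HTML excerpt above.

```python
import ipaddress
from urllib.parse import urlsplit

def inspect_link(url, brand_domain):
    """Report where a link really goes and where the brand name merely appears."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    host_is_brand = host == brand_domain or host.endswith("." + brand_domain)
    # Everything after the host is chosen freely by whoever built the link,
    # so a brand name found there says nothing about the destination.
    tail = (parts.path + "?" + parts.query).lower()
    brand_in_tail = brand_domain in tail
    return {
        "host": host,
        "host_is_ip": host_is_ip,
        "host_is_brand": host_is_brand,
        "brand_only_decorative": brand_in_tail and not host_is_brand,
    }

# The link quoted in the article, and one of the bank's own URLs for contrast.
PHISH = ("http://213.42.201.62/conn3.asp?"
         "http://www.caixa.gov.br/Modulo?card_id=3948298d8v9y589498veimv4y45r9er8v13")
GENUINE = "http://www.caixa.gov.br/_newimages/icaixa/header_caixa.jpg"

if __name__ == "__main__":
    for link in (PHISH, GENUINE):
        print(inspect_link(link, "caixa.gov.br"))
```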

Clicking the link takes us to a file named “CAIXA.exe”. This file, tested in our laboratory, installs kernel-mode code that interferes with access to the sites of most Brazilian banks, capturing typed data and virtual-keyboard input and sending them to the criminal via FTP (although the code also has a function for sending e-mail).

If you received this e-mail, do not run it; delete it immediately. If you have already run it, disconnect the machine from the network and seek a specialist.

Source: http://www.dicas-l.com.br/legaltech/legaltech_20090825.php

AND ONCE AGAIN I'M A WINNER!!!! I'M LUCKY AS H….!!!

The Camelot Group,operators of The National Lottery.

NOTICE OF ACKNOWLEDGMENT!!!

The United Kingdom National Lottery wishes to inform you that the results of the E-mail address ballot lottery international program by Great Britain held on the of 26th of June 2008 is out.Your email account have been picked as a winner of a lump sum pay out of Eight hundred and ninety-one thousand,nine hundred and thirty-four Great Britain pounds (£891,934.00 pounds sterling) credited to file REF NO.REF:UKL/74-A0802742007. This is from total prize money of GBP 4,459,670.00 shared among the FIVE (5) international winners in this category.You are to contact our claims agent for validation:

THE BENEFICIARY/OWNER OF THE WINNING EMAIL OF THE FUNDS SHOULD COMPLETE
THIS CLAIMS FORM.

1. FULL NAMES OF BENEFICIARY:
2. RESIDENTIAL ADDRESS:
3. DATE AND PLACE OF BIRTH:
4. PHONE/FAX NUMBERS:
5. NAME AND ADDRESS OF NEXT OF KIN:
6. SEX:
7. OCCUPATION:
8. MARITAL STATUS:
9. NATIONALITY:
10. REF NUMBER AND BATCH NUMBER:
11. AMOUNT WON:
12. CLAIM OPTIONS (A)…….COURIER AND (B)…….BANK TO BANK WIRE TRANSFER

Mr Phil Herald.
Email: camelotgroup@gala.net
Tell: +44 703 194 8898

Yours Sincerely,

Mrs. Dianne Thompson
Online Coordinator,
CAMELOT GROUP,Operator of The National Lottery.

>>>>>>>>> CORRESPONDING TRANSLATION <<<<<<<<<<<<<<<<

Me, of all people!!! I won and didn't even know it (fraud + scam + dirty trick + …)

Just look at the e-mail I received:

----- Original message -----
From: MICROSOFT WINDOW-XP <customerservice@microsoft.co.uk>
Sent: Monday, 23 June 2008 11:06:16
Subject: MICROSOFT OFFICIAL WINNING NOTIFICATION


Microsoft Promotion Award Team
40 Ryecroft Way Stopsley
London,
United Kingdom.

Dear Winner,
We are pleased to inform you of the result of the Lottery Winners International programs held on the 1st of May 2008. Your e-mail address attached to ticket number 20511465897-6287 with serial number 472-971103 Secret numbers 8-66-97-22-46-88 which consequently won in the 3rd category, you have therefore been approved for a lump sum pay out of £450,000(Four Hundred and Fifty Thousand Pounds)
CONGRATULATIONS!!!
Due to mix up of some numbers and names, we ask that you keep your winning information very confidential till your claims have been processed and your prize/money Remitted to you. This is part of our security protocol to avoid double claiming and unwarranted abuse of this program by some participants.
All participants were selected through a computer ballot system drawn from over 200,000,000 company and 300,000,000 individual email addresses and names from all over theworld. This promotional program takes place annually.
Note:You are to fill the form below for autentication
VERIFICATION AND FUNDS RELEASE FORM.
(1) Your contact address.
(2) Your Tel/Fax numbers.
(3) Your Nationality/Country.
(4) Your Full Names.
(5) Occupation/Age.
(6) Serial Numbers.
(7)Ticket Numbers.
(8)Secret Numbers.
Your Preferred Method Of Receiving Your Prize(From Below)
Mode Of Prize Remittance.
(1)Cash Pick-Up (You coming Down to United Kingdom Personally to Pick Your Prize).
(2)Courier Delivery Of your Certified Winning Cheque Name and other Winning Documents safely to you.
We hope, with some part of your winning you will take part in our next year £2 million international lottery. To file for your claim, please contact our/your fiducial agent,
Transfer manager
Sir Kelvin Joe,
Email:sirkelvinjoe@microsoftonlineprm.com
Please note in order to avoid unnecessary delays and complications please remember to quote your reference number and batch numbers in all correspondence.
Furthermore, should there be any change of address do inform our agent as soon as possible.
Congratulations once more from our members of staff and thank you for being part of our promotional program.
Note: Anybody under the age of 21 is automatically disqualified.
Sincerely Yours,
Edina Woodland
Lottery Coordinator.
After that it was easy. I searched Google for the term "Edina Woodland" and found out that it was a fraud.