Thursday, August 12, 2010

New Phishing site lebirtyreserve.com

Another Liberty Reserve phishing site created by a HYIP scammer

Site link - _http://lebirtyreserve.com/en/customer/verify/
Domain: lebirtyreserve.com

Registration Service Provided By: Gold-Domain's Customer
Contact:
Domain name: lebirtyreserve.com
Registrant Contact:

John Schreck alanmorniem@yahoo.ca
Fax:
1245 Glenwood St.
Livermore, 94550
US


Whois Records lebirtyreserve.com
IP Address: 76.73.94.204
IP Location: United States - Illinois - Woodstock - Fdcservers.net
There are 40 domains hosted on this IP address.

Mass spam was sent out from two different hosting accounts

First, from the account maxicash (blacklotus.net):
X-PHP-Script: 208.64.126.5/tmp/log/kirang.php for 94.23.114.11
Second, from the account variofun (nvhserver.com), sent out from the site sofixfund.com:
X-PHP-Script: sofixfund.com/images/temp/kirang.php for 94.23.114.11, 94.23.114.11

Phishing spam emails claiming to be from Liberty Reserve are going around right now.

Here is a copy of the received email:

Return-Path:
Received: from server13.nvhserver.com (server13.nvhserver.com [72.20.34.206])
by mx.google.com with ESMTP id g14si722385vcj.141.2010.08.11.10.22.07;
Wed, 11 Aug 2010 10:22:08 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of variofun@server13.nvhserver.com designates 72.20.34.206 as permitted sender) client-ip=72.20.34.206;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of variofun@server13.nvhserver.com designates 72.20.34.206 as permitted sender) smtp.mail=variofun@server13.nvhserver.com
Received: from variofun by server13.nvhserver.com with local (Exim 4.69)
(envelope-from )
id 1OjF0A-0008U0-QZ
for xxxxxxx@gmail.com; Thu, 12 Aug 2010 00:22:06 +0700
To: xxxxxxx@gmail.com
Subject: Liberty Reserve Security Measures!
X-PHP-Script: sofixfund.com/images/temp/kirang.php for 94.23.114.11, 94.23.114.11
From:
Reply-To: no_reply@libertyreserve.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Thu, 12 Aug 2010 00:22:06 +0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server13.nvhserver.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [569 565] / [47 12]
X-AntiAbuse: Sender Address Domain - server13.nvhserver.com

Business account at Liberty Reserve

Dear Member,

We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive Liberty Reserve account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.


How can I restore my business account access?

Click the link below and confirm your Liberty Reserve account information, otherwise your Liberty Reserve access will remain restricted:
http://libertyreserve.com/en/customer/verify/

Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience.

© 2002 — 2010 Liberty Reserve S.A. All rights reserved.
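Added example, not part of the original post or the quoted email: a small Python triage routine that pulls the abuse-report facts out of headers like the ones above (sending script, hosting account, Reply-To mismatch) and measures how close the link domain is to the real brand domain. The function names, the field names in the result and the embedded sample (a subset of the quoted headers) are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Constructed sample: a subset of the headers quoted in the post.
SAMPLE = """\
Received-SPF: pass (google.com: best guess record for domain of variofun@server13.nvhserver.com designates 72.20.34.206 as permitted sender) client-ip=72.20.34.206;
To: xxxxxxx@gmail.com
Subject: Liberty Reserve Security Measures!
X-PHP-Script: sofixfund.com/images/temp/kirang.php for 94.23.114.11, 94.23.114.11
Reply-To: no_reply@libertyreserve.com
X-AntiAbuse: Primary Hostname - server13.nvhserver.com

(body omitted)
"""

def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw, brand="libertyreserve.com", link_domain=None):
    """Collect the details a hosting abuse desk needs from one message."""
    msg = message_from_string(raw)
    # X-PHP-Script as it appears above: "<host/path of script> for <address list>"
    script = re.match(r"(\S+) for (.+)", msg.get("X-PHP-Script", ""))
    # The SPF line names the local account and host that really sent the mail.
    sender = re.search(r"domain of (\S+)@(\S+) designates", msg.get("Received-SPF", ""))
    reply_domain = msg.get("Reply-To", "").rsplit("@", 1)[-1].strip("<> ").lower()
    out = {
        "script": script.group(1) if script else None,
        "for_addresses": sorted(set(re.split(r",\s*", script.group(2)))) if script else [],
        "hosting_account": sender.group(1) if sender else None,
        "sending_host": sender.group(2) if sender else None,
        # Reply-To claims the brand, but the mail left from an unrelated host.
        "reply_to_mismatch": bool(sender and reply_domain)
        and not sender.group(2).lower().endswith(reply_domain),
    }
    if link_domain:  # a small non-zero distance suggests a lookalike domain
        out["lookalike_distance"] = levenshtein(link_domain.lower(), brand)
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE, link_domain="lebirtyreserve.com").items():
        print(f"{key}: {value}")
```
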