On August 4th 2015, Comodo detected a phishing campaign that tries to lure recipients into buying a supposed method for cracking the U.S. lotto industry. The original mail comes from beverley.daynes@gmail.com, with the reply-to field set to ramble000@gmail.com.
The mail content is as follows:
——————————————————————————————————–
Hi,
GREETINGS!!!
Did you know that there are S.E.C.R.E.T patterns that exist within every single draw game?…
Or that using them can allow you to W.I.N the lottery multiple times per month, every month?
This CODE, if leaked, could demolish the entire U.S. lotto industry.
GoClick HERE
The good news is, this is completely honest and ethical… Absolutely nothing illegal…
Regards,
Amanda
——————————————————————————————————–
There is only one link in the mail: http://migre.me/qSPOm, which uses the migre.me URL-shortener service and redirects to the http://lottocrushercode.me/ website. This is a one-page site whose content is a video presentation together with the same pitch in text form.
The embedded video is hosted on YouTube at: https://www.youtube.com/watch?v=pDnAIXwd44M
Clicking the Add To Cart button redirects to http://preciouscart.com/buy.php?id=55&hash=fc49306d97602c8ed1be1dfbf0835ead, a cart service for easy payment.
Continuing to checkout shows a legitimate PayPal payment to a receiver named “RADL Misc Product”, which is either a fake name or a very well hidden company name, since a search for it returns no results. The product that allegedly cracks the lottery system is named LCCode(LatestVsn)LCCode(LatestVsn) and sells for $97.
The WHOIS information for the site shows that it originates from Cebu City in the Philippines:
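The redirect chain described above (shortener, landing page, cart) is the kind of thing an analyst wants to walk hop by hop without loading the final page in a browser. The following Python script is an added example, not code from Comodo's post: it issues one HEAD request per hop with redirects disabled, collects the Location headers, caps the number of hops, and lists the hostnames touched. The SAMPLE_REDIRECTS mapping is a constructed stand-in for the live fetcher, mirroring the chain the post describes, so the script can be run offline; the hop limit is an assumption.

```python
"""Hop-by-hop expansion of a shortened URL for triage, without loading the final page."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: a chain longer than this is itself worth flagging


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url):
    """Live fetcher: HEAD the URL once and return its Location header (or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, a 3xx arrives here as an HTTPError.
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def expand(url, fetch=head_location, max_hops=MAX_HOPS):
    """Return the redirect chain starting at url, one hop per fetch() call.

    Relative Location values are resolved against the previous hop. A chain
    that does not terminate within max_hops raises instead of looping forever.
    """
    chain = [url]
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError(f"more than {max_hops} redirects starting at {url}")


def hosts(chain):
    """Distinct hostnames touched by the chain, in order of first appearance."""
    seen = []
    for hop in chain:
        host = urlsplit(hop).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


# Constructed stand-in for the live fetcher: the chain the post describes.
SAMPLE_REDIRECTS = {
    "http://migre.me/qSPOm": "http://lottocrushercode.me/",
}

if __name__ == "__main__":
    chain = expand("http://migre.me/qSPOm", fetch=SAMPLE_REDIRECTS.get)
    for i, hop in enumerate(chain):
        print(f"hop {i}: {hop}")
    print("hosts:", hosts(chain))
```

To expand a real short link, call `expand(url)` with the default fetcher; passing a dictionary's `.get` as `fetch`, as in the `__main__` block, replays a recorded chain for testing or for reports.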
Domain ID:D15680223-ME
Domain Name:LOTTOCRUSHERCODE.ME
Domain Create Date:21-Mar-2015 09:37:43 UTC
Domain Last Updated Date:10-Jul-2015 12:39:57 UTC
Domain Expiration Date:21-Mar-2016 09:37:43 UTC
Last Transferred Date:
Sponsoring Registrar:eNom Inc R32-ME (48)
Created by:eNom Inc R32-ME (48)
Last Updated by Registrar:eNom Inc R32-ME (48)
Domain Status:CLIENT TRANSFER PROHIBITED
Registrant ID:1e8bb8b473ba0188
Registrant Name:Radl Promotion
Registrant Organization:none
Registrant Address:San Vicente
Registrant Address2:Liloan
Registrant Address3:
Registrant City:cebu
Registrant State/Province:CB
Registrant Country/Economy:PH
Registrant Postal Code:6012
Registrant Phone:+63.322546480
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:radlpromotion@gmail.com
Admin ID:1e8bb8b473ba0188
Admin Name:Radl Promotion
Admin Organization:none
Admin Address:San Vicente
Admin Address2:Liloan
Admin Address3:
Admin City:Cebu
Admin State/Province:CB
Admin Country/Economy:PH
Admin Postal Code:6012
Admin Phone:+63.322546480
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin E-mail:radlpromotion@gmail.com
Tech ID:1e8bb8b473ba0188
Tech Name:Radl Promotion
Tech Organization:none
Tech Address:San Vicente
Tech Address2:Liloan
Tech Address3:
Tech City:Cebu
Tech State/Province:CB
Tech Country/Economy:PH
Tech Postal Code:6012
Tech Phone:+63.322546480
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech E-mail:radlpromotion@gmail.com
Nameservers:NS1.HOSTBLAST.US
Nameservers:NS2.HOSTBLAST.US
DNSSEC:Unsigned
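The record above carries the indicators an analyst would note during triage: a domain registered a few months before the mail was seen, a registrant contact on a free webmail address, and no organization listed. As an added example, not code from Comodo's post, this Python script parses a WHOIS record of that "Key:Value" shape and surfaces those findings. An excerpt of the record is embedded as constructed input so it runs offline; the domain-age threshold and the webmail list are illustrative assumptions, and the detection date is the one given at the top of the post.

```python
"""Pull triage indicators out of a 'Key:Value' WHOIS record."""
from datetime import date, datetime

# Constructed input: an excerpt of the WHOIS record quoted in the post.
WHOIS_TEXT = """\
Domain Name:LOTTOCRUSHERCODE.ME
Domain Create Date:21-Mar-2015 09:37:43 UTC
Domain Last Updated Date:10-Jul-2015 12:39:57 UTC
Domain Expiration Date:21-Mar-2016 09:37:43 UTC
Sponsoring Registrar:eNom Inc R32-ME (48)
Domain Status:CLIENT TRANSFER PROHIBITED
Registrant Name:Radl Promotion
Registrant Organization:none
Registrant Country/Economy:PH
Registrant E-mail:radlpromotion@gmail.com
Admin E-mail:radlpromotion@gmail.com
Tech E-mail:radlpromotion@gmail.com
Nameservers:NS1.HOSTBLAST.US
Nameservers:NS2.HOSTBLAST.US
Nameservers:
DNSSEC:Unsigned
"""

DETECTION_DATE = date(2015, 8, 4)  # the day the mail was detected, per the post

# Assumptions: the threshold and the webmail list are illustrative, not Comodo's.
YOUNG_DOMAIN_DAYS = 180
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def parse_whois(text):
    """Parse 'Key:Value' lines into a dict.

    Only the first colon separates key from value, so timestamps survive intact.
    Empty values are dropped; a key that repeats (Nameservers) becomes a list.
    """
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key in record:
            existing = record[key]
            record[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            record[key] = value
    return record


def parse_whois_date(value):
    """'21-Mar-2015 09:37:43 UTC' -> date(2015, 3, 21); the zone suffix is dropped."""
    stamp = value.rsplit(" ", 1)[0]
    return datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S").date()


def nameservers(record):
    """Nameservers as a list, whether one or several were present."""
    ns = record.get("Nameservers", [])
    return ns if isinstance(ns, list) else [ns]


def domain_age_days(record, observed=DETECTION_DATE):
    """Whole days between the domain's creation and the observation date."""
    return (observed - parse_whois_date(record["Domain Create Date"])).days


def triage(record, observed=DETECTION_DATE):
    """Return human-readable findings worth putting in an analyst's report."""
    findings = []
    age = domain_age_days(record, observed)
    if age < YOUNG_DOMAIN_DAYS:
        findings.append(f"young domain: registered {age} days before detection")
    email = record.get("Registrant E-mail", "")
    if email.rsplit("@", 1)[-1].lower() in FREE_WEBMAIL:
        findings.append(f"registrant uses free webmail: {email}")
    if record.get("Registrant Organization", "").lower() in ("", "none"):
        findings.append("no registrant organization given")
    return findings


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    print(rec["Domain Name"], "nameservers:", nameservers(rec))
    for finding in triage(rec):
        print("-", finding)
```

None of these findings proves fraud on its own; the value is in seeing them side by side with the mail's own lure and the payment trail, which is exactly how the post builds its case.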