New phishing variation?

Discussion in 'other security issues & news' started by MikeBCda, Oct 6, 2005.

Thread Status:
Not open for further replies.
  1. runninggoose

    runninggoose Guest

    Me too. Do they think we're stupid?
    Dear Customer.

    You've specified this e-mail as reachable.

    Sorry,we were unable to process your transaction
    at this time for the following reason:

    Transaction Denied by Bank.

    Order details:

    Date: 11/21/05
    Order number is: 220497

    You have ordered the following:

    Price
    RING 1 160.40
    RING 2 167.60
    Setup fee 6.00

    +VAT 00.82
    _____________________________
    Total in USD: 289.20

    Please see attached file.

    GOLDNOW SHOP Billing Team.

    Thank you for choosing CCBill as the eMerchant for your subscription!
    What's with the zip file they included? Not opening it in case it's got something nasty in it.
     
  2. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Someone asked
    and
    . Simple answer is for those still unsure, always ignore and delete these emails, and NEVER open the attachments they contain.
     
  3. spyder_106

    spyder_106 Guest

    I got one of these too... mine came through as a bounced message from another email using my domain name as the sending address, other than that it follows the same pattern as everybody else's.

    Spyder.
     
  4. Thanks Trom,

    I searched a little and confirmed your initial assessment. Whoever is sending this is somewhere in the Asia Pac. region using APNIC. I visited the APNIC webpage to look for options and found that they don't investigate claims, but they do allow you to search their database. The fact that they won't turn on their customers probably makes this a popular provider with spammers and the like, but I am guessing that you already knew that. Here are the results I got when I searched APNIC's database for "58.69.88.40":

    person: Henry Marcelino
    nic-hdl: HM8-AP
    e-mail: himarcelino@pldt.com.ph
    address: PLDT Sampaloc
    phone: +63-2-885-9176
    country: PH
    changed: framirez@info.com.ph 20030827
    mnt-by: MAINT-PH-INFOCOM
    source: APNIC

    person: Nelson Sibal
    nic-hdl: NS141-AP
    e-mail: nbsibal@pldt.com.ph
    address: MGO Bldg, Dela Rosa cor. Legaspi Sts., Makati City
    phone: +63-2-885-9174
    fax-no: +63-2-813-5794
    country: PH
    changed: jcgonzales@pldt.com.ph 20050806
    mnt-by: PHIX-NOC-AP
    source: APNIC

    person: Sigfred Saliendra
    nic-hdl: SS843-AP
    e-mail: sssaliendra@pldt.com.ph
    address: MGO Bldg, Dela Rosa cor. Legaspi Sts., Makati City
    phone: +63-2-885-9174
    fax-no: +63-2-813-5794
    country: PH
    changed: jcgonzales@pldt.com.ph 20050806
    mnt-by: PHIX-NOC-AP
    source: APNIC

    person: Nonilon Topacio
    nic-hdl: NT31-AP
    e-mail: nvtopacio@pldt.com.ph
    address: MGO Bldg, Dela Rosa cor. Legaspi Sts., Makati City
    phone: +63-2-885-9174
    fax-no: +63-2-813-5794
    country: PH
    changed: jcgonzales@pldt.com.ph 20050806
    mnt-by: PHIX-NOC-AP
    source: APNIC

    Before I sue them, I need to figure out if the Philippines will honor a judgment in an American court or if I need to look to an international forum. Thanks for your help.


     
  5. dvalles

    dvalles Guest

    I got one too.....

    From: cgoble@znickel.de
    Subject: Ordering information (Ref: 63456)
    Date: November 21, 2005 6:46:23 PM PST
    To: MYEMAIL@ADDRESS.com
    Attachment: bul582.zip (27.5 KB)

    Dear Customer.

    You've specified this e-mail as reachable.

    Sorry,we were unable to process your transaction
    at this time for the following reason:

    Transaction Denied by Bank.

    Order details:

    Date: 11/21/05
    Order number is: 285387

    You have ordered the following:

    Price
    RING 1 113.10
    RING 2 171.40
    Setup fee 7.00

    +VAT 15.96
    _____________________________
    Total in USD: 279.10

    Please see attached file.

    GOLDNOW SHOP Billing Team.

    Thank you for choosing CCBill as the eMerchant for your subscription!

    ...Maybe we should contact CCBill to let them know they're being spoofed somewhat?
     
  6. eileen

    eileen Guest

    My partner got this today:

    Dear Customer.

    You've specified this e-mail as reachable.

    Sorry,we were unable to process your transaction
    at this time for the following reason:

    Transaction Denied by Bank.

    Order details:

    Date: 11/21/05
    Order number is: 905771

    You have ordered the following:

    Price
    RING 1 142.60
    RING 2 184.20
    Setup fee 8.00

    +VAT 16.27
    _____________________________
    Total in USD: 269.80

    Please see attached file.

    GOLDNOW SHOP Billing Team.

    Thank you for choosing CCBill as the eMerchant for your subscription!
     
  7. Tom_C

    Tom_C Guest

    A user on my network received the same email and actually opened the attached file, regardless of how often I administer beatings for such a thing. It appears to be a virus, or something, that then began sending hundreds of emails using its own smtp engine. The only reason he noticed it is because Norton AV 2005 started getting error messages for "mail server unreachable", or "email address has been deactivated", etc. I updated the signature files, but Norton will not detect the virus. I then installed avast (avast.com) and it will not detect the virus. Hitmanpro was of no good either.

    I finally reinstalled the OS.
     
  8. Dear pissed off lawyer,
    I am not that well versed on the technical side of the internet but would the following be of any use?

    Envelope-to: name removed@madasafish.com
    Received: from localhost ([127.0.0.1])
    by mx01.global.net.uk with smtp (Exim 4.42)
    id 1EeZ40-000HE3-F6
    for name removed@madasafish.com; Tue, 22 Nov 2005 14:24:04 +0000
    Received: from 64-44-4-166.user.uswo.net ([64.44.4.166] helo=FOB15)
    by mx01.global.net.uk with smtp (Exim 4.42)
    id 1EeZ3z-000HC9-L2
    for name removed@madasafish.com; Tue, 22 Nov 2005 14:24:04 +0000
    Message-ID: <001401c5ef70$602b4030$6c05fe0a@FOB15>
    From: <wminten@sparnasa.com>
    To: <name removed@madasafish.com>
    Subject: GOLDNOW SHOP Billing Team (Ref: 627)
    Date: Tue, 22 Nov 2005 09:23:57 -0400
    MIME-Version: 1.0
    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0010_01C5EF46.77505630"
    X-Priority: 3
     
  9. kas

    kas Guest

    I hope this helps you... I got a from address o_O??
    Date: Tue, 22 Nov 2005 13:01:29 -0500
    From: <lkingsmore@p3wnet.com>
    To: <switzer@gvtc.com>
    Subject: Ordering information (Ref: 13834)



    Dear Customer.

    You've specified this e-mail as reachable.

    Sorry,we were unable to process your transaction
    at this time for the following reason:

    Transaction Denied by Bank.

    Order details:

    Date: 11/21/05
    Order number is: 496907

    You have ordered the following:

    Price
    RING 1 143.50
    RING 2 183.50
    Setup fee 5.00

    +VAT 67.62
    _____________________________
    Total in USD: 218.80

    Please see attached file.

    GOLDNOW SHOP Billing Team.

    Thank you for choosing CCBill as the eMerchant for your subscription!




    Attachments:
    application/x-zip-compressed; name="iis539.zip"


    --------------------------------------------------------------------------------
     
  10. Trom

    Trom Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    1
    Location:
    France
    Lucky I wasn't foolish enough to run it! Symantec (defs 20021122.005) now detects it as PWSteal.Trojan from December 27, 1999, but I suspect it's newer than that.

    Strangely, there's a new trojan they just found called Trojan.Goldun.H so we may have a trojan from the same family that's now being detected but not correctly identified yet.

    I wish these people would apply their brains to something useful: there's a lot of money to be made from cheap clean fuels.

    Trom (now registered on forum)
     
  11. Dillyew

    Dillyew Guest

    Hi
    I reported this scam 22 November, and today received another one which is very similar but this one had a message to say that the attachment was infected with a virus. Whether this was true or not I do not know, but I did not and will not open attachments of this nature anyway. Thought you should know about the virus but that in itself may be another scam to get me to open it thinking it is safe!
    Dilly

    Subject: Customer support (Ref: 8400)
    Date: 24 November, 2005 03:13:26 GMT
    From: gjosiah@earmless-angel.demon.co.uk
    To: xxxxxx@xxxx.net
    Return-Path: <gjosiah@earmless-angel.demon.co.uk>
    Received: from n078.sc1.cp.net (64.97.168.33) by n069.sc1.cp.net (7.2.066) id 4349302B0062D1A0 for xxxxxxxxx; Thu, 24 Nov 2005 03:13:00 +0000
    Received: from sys1 (221.237.167.113) by n078.sc1.cp.net (7.2.069.1) id 4381FB3A001A080F for xxxxxxxxxx; Thu, 24 Nov 2005 03:12:54 +0000
    Message-Id: <001a01c5f0a5$0956b678$0c2410ac@sys1>
    Mime-Version: 1.0
    X-Priority: 3
    X-Msmail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.2180
    Content-Type: multipart/mixed; boundary="========/4381FB3A001A0833/n078.sc1.cp.net"
    Content-Disposition: inline
    This message had an attachment which were found to contain the following virus(es):

    File 'usy372.zip/gsbill.exe' was infected with virus 'Trojan.Danmec' (ID 5617)

    The infected file(s) were cleaned or removed from the attachment
    ----------------------------------------------------------------------


    From: <gjosiah@earmless-angel.demon.co.uk>
    Date: 24 November, 2005 03:13:26 GMT
    To: <delyse.upton@virgin.net>
    Subject: Customer support (Ref: 8400)


    Dear Customer.

    You've specified this e-mail as reachable.

    Sorry,we were unable to process your transaction
    at this time for the following reason:

    Transaction Denied by Bank.

    Order details:

    Date: 11/21/05
    Order number is: 693990

    You have ordered the following:

    Price
    RING 1 163.60
    RING 2 165.40
    Setup fee 2.00

    +VAT 13.00
    _____________________________
    Total in USD: 241.70

    Please see attached file.

    GOLDNOW SHOP Billing Team.

    Thank you for choosing CCBill as the eMerchant for your subscription!
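
Added example (not part of any post in this thread): the `Received:` lines quoted in posts 8 and 11 can be read mechanically to find the address that handed the message to the recipient's mail provider. The function name `external_handoff`, its `trusted_suffix` and `relay_ips` parameters, and the `user@example.invalid` recipient are assumptions made for this sketch; the header lines are re-folded copies of the ones posted above.

```python
import re
from email import message_from_string
from ipaddress import ip_address

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Received lines as quoted in the thread, re-folded; recipients are placeholders.
EXIM_SAMPLE = """\
Received: from localhost ([127.0.0.1])
 by mx01.global.net.uk with smtp (Exim 4.42)
 id 1EeZ40-000HE3-F6
 for user@example.invalid; Tue, 22 Nov 2005 14:24:04 +0000
Received: from 64-44-4-166.user.uswo.net ([64.44.4.166] helo=FOB15)
 by mx01.global.net.uk with smtp (Exim 4.42)
 id 1EeZ3z-000HC9-L2
 for user@example.invalid; Tue, 22 Nov 2005 14:24:04 +0000
Subject: GOLDNOW SHOP Billing Team (Ref: 627)

(body omitted)
"""
CP_SAMPLE = """\
Received: from n078.sc1.cp.net (64.97.168.33) by n069.sc1.cp.net (7.2.066)
 id 4349302B0062D1A0 for user@example.invalid; Thu, 24 Nov 2005 03:13:00 +0000
Received: from sys1 (221.237.167.113) by n078.sc1.cp.net (7.2.069.1)
 id 4381FB3A001A080F for user@example.invalid; Thu, 24 Nov 2005 03:12:54 +0000
Subject: Customer support (Ref: 8400)

(body omitted)
"""

def external_handoff(raw, trusted_suffix, relay_ips=()):
    """Return (ip, announced_name, receiving_mx) for the first outside hop, or None."""
    for value in message_from_string(raw).get_all("Received") or []:
        m = HOP.match(" ".join(value.split()))        # unfold the header first
        if not m:
            return None                               # unknown format: stop, do not guess
        name, detail, by_host = m.groups()
        if not ("." + by_host.lower()).endswith("." + trusted_suffix):
            return None                               # written by a server we do not run
        try:
            ip = ip_address(IPV4.search(detail).group())
        except (AttributeError, ValueError):
            return None                               # no usable peer address recorded
        if ip.is_loopback or ip.is_private or str(ip) in relay_ips:
            continue                                  # internal hand-over, keep walking
        helo = re.search(r"helo=(\S+)", detail)
        # The name is whatever the client announced; only the IP was observed.
        return str(ip), helo.group(1) if helo else name, by_host
    return None
```

Only headers written by the recipient's own provider are trusted here; anything below the returned hop could have been inserted by the sender, and the `From:` address plays no part in the result.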
     
  12. Chris Wright

    Chris Wright Guest

    I've been googling GOLDNOW, and arrived here.

    Symantec defs 20051122 detect gsbill.exe as Trojan.Danmec, and Sophos as Troj/Danmec-A.

    It was "discovered" on November 22 - Sophos IDEs were released at 22:16 GMT on that date.

    Hope this helps.
     
  13. ironjawz61

    ironjawz61 Registered Member

    Joined:
    Nov 24, 2005
    Posts:
    1
    OK Pissed off lawyer, here's mine:

    The originating ip of the one I received is 24.130.60.148(Helo tuffruck). hmmm, it seems to me that they are saying "Hello, tough luck". The return-path is grandjunco@tintimatecontacts.net. They even spelled intimate wrong. The email reads as follows:
    -------------------------------------------------------------------------
    Dear Customer.

    You've specified this e-mail as reachable.

    Sorry,we were unable to process your transaction
    at this time for the following reason:

    Transaction Denied by Bank.

    Order details:

    Date: 11/21/05
    Order number is: 353391

    You have ordered the following:

    Price
    RING 1 122.40
    RING 2 119.40
    Setup fee 5.00

    +VAT 44.66
    _____________________________
    Total in USD: 235.30

    Please see attached file.

    GOLDNOW SHOP Billing Team.

    Thank you for choosing CCBill as the eMerchant for your subscription!
    -------------------------------------------------------------------------
    GO GET 'EM PISSED OFF LAWYER!!!

    PS: There is nothing more dangerous than a lawyer, except a pissed off one. lol
     
  14. Still at it...
    only there is a zip file attached... ntv231.zip 29.2KB

    Price
    RING 1 127.10
    RING 2 123.20
    Setup fee 8.00

    +VAT 99.05
    _____________________________
    Total in USD: 220.90

    Please see attached file.

    GOLDNOW SHOP Billing Team.

    Thank you for choosing CCBill as the eMerchant for your subscription!

    No virus found in this incoming message.
    Checked by AVG Free Edition.
    Version: 7.1.362 / Virus Database: 267.13.7/181 - Release Date: 24/11/2005
     
  15. new addition this one had the Trojan.Danmec virus in the zip file
    From: <paullange@lkortes.com>
    To: <someone@virgin.net>
    Sent: Tuesday, November 22, 2005 8:12 AM
    Subject: Transaction information (Ref: 4892)


    Dear Customer.

    You've specified this e-mail as reachable.

    Sorry,we were unable to process your transaction
    at this time for the following reason:

    Transaction Denied by Bank.

    Order details:

    Date: 11/21/05
    Order number is: 828838

    You have ordered the following:

    Price
    RING 1 169.30
    RING 2 167.50
    Setup fee 5.00

    +VAT 92.17
    _____________________________
    Total in USD: 217.10

    Please see attached file.

    GOLDNOW SHOP Billing Team.

    Thank you for choosing CCBill as the eMerchant for your subscription!
     
    Last edited by a moderator: Nov 25, 2005
  16. Goob

    Goob Guest

    From: gpmsm@ypanloafs.demon.co.uk
    To: me
    Subject: Customer support (Ref: 36552)
    Date: Tue, 22 Nov 2005 01:07:50 +0800

    Dear Customer.

    You've specified this e-mail as reachable.

    Sorry,we were unable to process your transaction
    at this time for the following reason:

    Transaction Denied by Bank.

    Order details:

    Date: 11/21/05
    Order number is: 335991

    You have ordered the following:

    Price
    RING 1 139.70
    RING 2 168.20
    Setup fee 8.00

    +VAT 22.77
    _____________________________
    Total in USD: 261.00

    Please see attached file.

    GOLDNOW SHOP Billing Team.

    Thank you for choosing CCBill as the eMerchant for your subscription!
     
  17. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    We seem to have wandered way off topic here -- my original posting was about one with no (evident) "please contact us to correct this" text or attachment.

    Plus we've now seen a zillion copies here, give or take, of essentially the same email.
     
  18. sunshine81281

    sunshine81281 Registered Member

    Joined:
    Dec 5, 2005
    Posts:
    2
    I don't know much about phishing. Got this email, opened the file, it did nothing but detect it as a virus. I ran McAfee, it asked me if I wanted to delete or clean it, and I chose to delete. Does this mean I am safe? There was no link to reply to, just the zip file, that I did open, but nothing happened... If I deleted the attachment, is it still in my computer, as a virus? Is there something more I should do? I am computer virus illiterate. HELP GUIDE ME TO SAFETY IF YOU CAN! Thank you.



    From: <bsbr@pride.hu>

    Attachments: Attach0.html 2K
    zif616_zip.renamed 28K



    Dear Customer.

    You've specified this e-mail as reachable.

    Sorry,we were unable to process your transaction
    at this time for the following reason:

    Transaction Denied by Bank.

    Order details:

    Date: 11/21/05
    Order number is: 128588

    You have ordered the following:

    Price
    RING 1 110.90
    RING 2 177.50
    Setup fee 3.00

    +VAT 79.82
    _____________________________
    Total in USD: 279.00

    Please see attached file.

    GOLDNOW SHOP Billing Team.

    Thank you for choosing CCBill as the eMerchant for your subscription!
     
  19. sunshine81281

    sunshine81281 Registered Member

    Joined:
    Dec 5, 2005
    Posts:
    2
    AND THEN I GOT THIS EMAIL.... Is this something else? (I never usually get weird emails like this one, can anybody confirm for me?) What should I do?


    Please reply to this email message to confirm your subscription to
    dat_notification.

    Sunday, December 4, 2005 10:21 PM -0800

    From: "dat_notification Confirmation (from Lyris ListManager)" <lyris-confirm-616482C@listserv.nai.com>

    Subject: Your confirmation is needed


    Your email address has been entered for a subscription to the
    dat_notification mailing list. However, your new subscription requires
    a confirmation that you received this email message and want
    to join this mailing list.

    If you do not want to join, do nothing. You will be automatically
    removed.

    To confirm that you do want to join, simply reply to this message.
    Make sure that your message is addressed to
    lyris-confirm-616482C@listserv.nai.com

    To unsubscribe immediately, you send an email message to
    leave-dat_notification-616482C@listserv.nai.com
     
  20. charaid

    charaid Guest

    Goldnow is advertising on this web page too. I received the same email about two rings and not clearing my account so I did […] this website listed. It looks like they're in the "make tons of money at home" scams too.

    I'm posting this for the guy above who was interested in trying to figure out information on them.

    hxxp://thispaysbig.com/exchange.html

    edited to make link un-clickable - Detox
     