
Warning: Phishing Attempt

Marla Singer

Was only a matter of time, probably.

You will see below a phishing email both Tyler and I received just recently.

This did not come from Zero Hedge.  If you get one, yours also did not come from Zero Hedge.

Be aware.  Surf with care.

From: "noreply@zerohedge.com" <noreply@zerohedge.com>
Date: October 19, 2009 12:01:43 PM CDT
To: <marla@zerohedge.com>
Subject: The settings for the marla@zerohedge.com were changed
X-Spam-Level: *****

Dear user of the zerohedge.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (marla@zerohedge.com) settings were changed In order to apply the new set of settings click on the following link:

http://zerohedge.com/owa/service_directory/settings.php?email=marla@zero...

Best regards, zerohedge.com Technical Support.

 

Mon, 10/19/2009 - 12:15 | 103417 Emmanuel Goldstein

Lame.

Thanks for the heads up.

Mon, 10/19/2009 - 12:18 | 103423 Cheeky Bastard

Fuck you NSA, GS, JPM and the lot.

Thank you Marla, i would probably open it.

Mon, 10/19/2009 - 12:38 | 103451 SWRichmond

CB / Marla,

I have clients getting this exact email with a different mail server named.  Cheeky, that's not to say it isn't NSA.

Marla, thanks for the heads up, and thanks for not clicking on the link.  You really can't be too careful.

Mon, 10/19/2009 - 12:43 | 103460 Cheeky Bastard

i know man, i was just kidding, i haven't got it yet; maybe GMail isn't a worthless piece of shit as i thought it was.

Mon, 10/19/2009 - 12:22 | 103429 Gilgamesh

Hmm, at least that looks more legit than FINRA returning money to investors:

http://www.finra.org/Investors/ProtectYourself/InvestorAlerts/FraudsAndScams/P120094

Mon, 10/19/2009 - 12:27 | 103435 Hephasteus

If you had clicked it then it would have sent your email history out. So it's safe to say we won't be getting those emails.

Mon, 10/19/2009 - 12:42 | 103459 Careless Whisper

Speaking of Squid programmers, why the silence on Sergey? His Federal case was adjourned until October 16. Come and gone. FREE SERGEY

Mon, 10/19/2009 - 12:49 | 103467 bookwurm
o           .'`/
      '      /  (
    O    .-'` ` `'-._      .')
       _/ (o)        '.  .' /
       )       )))     ><  <
       `\  |_\      _.'  '. \
         '-._  _ .-'       '.)
         `\__\ all yur passwords are belong to us
Mon, 10/19/2009 - 19:36 | 103886 MsCreant

You draw nice bait.

There is a pun I must do. Please don't be offended.

With a picture like that you have established yourself as a master baiter.

Mon, 10/19/2009 - 12:58 | 103475 Biff Malibu

Thanks Marla, glad to see you and Travis posting more.  Not to take anything away from Tyler but the variety of commentators on this site makes it the first website I visit every time I get on the internet.

Biff

Mon, 10/19/2009 - 12:59 | 103476 . . .

Marla,

I doubt any ZH'ers will end up receiving a phishing or spam email.  I would like to think that the readers are smart enough to sign up for the site using a disposable email address they close immediately after ZH verifies it.

Mon, 10/19/2009 - 15:46 | 103662 Anonymous

The real ones wouldn't want to create a user id so that their opinions could be correlated back to them, on another web site under a different name, probably by their writing style and common colloquialism used by them.

As well, they won't feel the need to stroke their egos by having their comments associated with them.

Mon, 10/19/2009 - 13:42 | 103514 Anonymous

lame attempt by GS

Mon, 10/19/2009 - 13:53 | 103525 Sqworl

I got several on all my accounts and did not open.  They used my biz account name.  I replied with cc to FBI.  The IP address came from USSR.  Never a dull day in the land of spirits.

Mon, 10/19/2009 - 14:17 | 103565 Cheeky Bastard

there is no USSR anymore Sqworl baby

Mon, 10/19/2009 - 14:46 | 103601 VegasBD

Maybe not, but they are filming Red Dawn 2 right now.

...and guess which city looks like a war zone enough to film it in...

Mon, 10/19/2009 - 14:47 | 103605 Cheeky Bastard

L.A 

Mon, 10/19/2009 - 13:53 | 103527 waterdog

I could tell that this was a scam. It was too nice to be coming from Marla. If Marla had sent a notice of changes, it would have gone like this- I changed some things to make your life better, accept it. Do not respond or I will pile drive your account into the lower reaches of hell.

Mon, 10/19/2009 - 16:34 | 103729 MinnesotaNice

lol

Mon, 10/19/2009 - 14:58 | 103611 Jim_Rockford

Wow, I didn't realize that my subscription to ZeroHedge included an email box.  jim_rockford@zerohedge.com .... how cool is that?  How much extra am I being charged for this?

Mon, 10/19/2009 - 15:02 | 103613 Cheeky Bastard

Marla, do we all have this, or just the chosen ones 

Mon, 10/19/2009 - 16:53 | 103742 Miles Kendig

BTW, since you asked.  Here is a slice of pie where we happen to have found each other.  Except some folks know that the oil deal is just a cover.

Cheers

http://www.youtube.com/watch?v=IOtVg05JLPc

Mon, 10/19/2009 - 18:36 | 103845 Cognitive Dissonance

Thanks Miles Kendig.

There were no bad scenes in "Good Will Hunting". Only better and best. This was one of the best. 

Mon, 10/19/2009 - 20:58 | 103976 Intuition

I was just a kid when I saw that movie for the first time. I mean utterly wet-behind-the-ears, juvenile thinking, adolescent child. And yet somehow it spoke to me. And that scene was one that somehow conveyed truth that I could not understand nor even really recognize. I've seen it dozens of times since then and it has much truth to this day.

Mon, 10/19/2009 - 15:45 | 103660 crzyhun

MS, I use a real address...still if I don't know you you get flushed....and truly I am not so big headed to think that you would ever contact me, since I don't know you.

Mon, 10/19/2009 - 18:38 | 103846 Cognitive Dissonance

Follow safe e-mail practices. As you say, dump everything you don't know and always wear a full body condom while reading your e-mail. And don't go all cheap on me and reuse the condom.

Mon, 10/19/2009 - 15:59 | 103676 SV

Marla, you know this is what you get for pissing on the Anon's that bring their HuffPo logic skills here, right?  I come back from leaving for a week unplugged and what's that - Tyler having to pull Dante references about Hell in relation to the markets.

Ahhh, it's nice to be back.

Mon, 10/19/2009 - 16:04 | 103687 Cheeky Bastard

welcome back man, i for one, missed your comments.

Mon, 10/19/2009 - 16:35 | 103732 SV

Thank you CB. I appreciate her civility in dealing with the morons, hence I try to extend the same.  I'm now trying to unbury myself from the crap that has awaited my return.  I was on the road so I didn't trade OPEX either; would have shot myself... 

Mon, 10/19/2009 - 16:43 | 103740 Miles Kendig

The weekend after hours action seeps into Monday. Perhaps a new phase has arrived since the attempts at mockery have fallen flat.

Mon, 10/19/2009 - 16:58 | 103755 Quackking

I run a few Drupal sites on some of my servers and I got this myself. (with the domain name of one of them) - I suspect it is somebody trawling for Drupal credentials, and can't quite understand why. The link itself is going nowhere - it isn't an obfuscated redirect, it actually is trying to go someplace on my server where there is no handler. (So nothing would happen if you clicked on it, that is.)

It is also possible that it is targeting a whole bunch of Windows boxen that have been compromised so there is in fact an /owa/ directory - but again, I don't exactly see this as a high yield attack. Hmm. See below.

 

Not Found

The requested URL http://[victimdomain.com]/owa/service_directory/settings.php was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

Update: more here, http://isc.sans.org/diary.html?storyid=7357

 

I don't see the obfuscated link because I (safely) only view the text/plain version of this email. There is a link in the HTML version, apparently.

Mon, 10/19/2009 - 17:48 | 103799 SWRichmond

The link in one of the versions I got for examination went to xxxxxx.xxxxxxx.xxxxxx.eu, and DNS on the name got me IP's registered in:

Chile, Korea, Taiwan, Morocco, Israel, and Argentina, among others.

Fun stuff.
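
The mismatch described in the comments above, where the text/plain part shows an address on the recipient's own domain while the link in the HTML part points to a different host, can be checked mechanically. The following is an added example, not part of the original post or its comments; the message is constructed, `host.example.eu` is a placeholder for a target the page does not give, and `AnchorCollector`, `host` and `mismatched_links` are hypothetical names.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the quoted link; host.example.eu is a placeholder.
RAW = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

http://zerohedge.com/owa/service_directory/settings.php
--b1
Content-Type: text/html

<a href="http://host.example.eu/owa/service_directory/settings.php">http://zerohedge.com/owa/service_directory/settings.php</a>
--b1--
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    # Lower-cased hostname, or "" when the text is not a URL at all.
    return (urlsplit(url).hostname or "").lower()

def mismatched_links(msg):
    """(shown host, real host) for anchors whose text is a URL on another host."""
    part = msg.get_body(preferencelist=("html",))  # None if text/plain only
    collector = AnchorCollector()
    collector.feed(part.get_content() if part is not None else "")
    return [(host(t), host(h)) for h, t in collector.links
            if host(t) and host(t) != host(h)]

MSG = email.message_from_string(RAW, policy=policy.default)
print(mismatched_links(MSG))
```

Anchors whose visible text is not itself a URL are skipped, so this check covers only the displayed-address case seen in this message.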

Mon, 10/19/2009 - 16:55 | 103760 Anonymous

Are you sure this is a phishing attack?! The link goes directly back to the host server - it doesn't really seem like phishing.

Where does the email originate? "Full headers" or "Show original" or whatever it takes to get your email client to show you all the text. Follow the "Received by" headers.

Mon, 10/19/2009 - 17:43 | 103794 TomJoad

If this was the best the Anon comments poster from yesterday's Iran article could do in terms of his awesome intraw3bzz retaliation, I am somewhat disappointed.

It's nice to be back on again, the firewall on my SATCOM system wouldn't let me post on ZH, it was all read-only for the past 45 days or so.

Mon, 10/19/2009 - 20:03 | 103896 peterr (not verified)

Thanks for the heads up!

Goldman and Bank of Amerika run the markets along with Geithner, and beagle boy Ben. There are no free markets, only welfare capitalism and socialism for capitalism.

good articles; good articles 4 slow news day ..http://www..
hat tip: finance news

Mon, 10/19/2009 - 21:03 | 103981 Intuition

Apparently I've been left out. This is going to wreak havoc on my inferiority complex.
