Here we have Scammer Scum pretending they are Intuit. What catches my eye is that the email does not look legit right from the start. Several red flags are visible without any research. Now if just looking at the email makes you feel safe and cozy on the inside and you think it is legit, THEN wake up and smell the Trash at the door trying to steal your money. Several MAJOR RED FLAGS!!! Can you see them?
Email Comes From:
Subject: Intuit: DDS Debit Failed
A) Email FROM: The email may look like it is from Intuit, but it is far from it. First of all, the From address has 2 @ signs in it, which means it is really 2 email addresses. How can 2 people send the same email? This tells me they are trying to bounce the email through a hacked account, a personal account, or some other way of circumventing Email/Spam/Security Systems.
B) Email Links: All links except one go back to Intuit. Of course they are trying to trick you; however, the link that says FOLLOW INSTRUCTIONS actually points to another website, indianvisa-online.com, with some directives at the end, and resolves to 220.127.116.11 as the Webserver.
C) Email Header:
Received: from walmailout07.yourhostingaccount.com ([18.104.22.168])
Received: from walmailscan15.yourhostingaccount.com ([10.1.15.15]
Received: from walauthsmtp01.yourhostingaccount.com ([10.1.18.1])
Received: from 179.subnet-204-16-13.ellijay.com ([22.214.171.124]:26429 helo=[126.96.36.199]) by walauthsmtp01.yourhostingaccount.com with esmtpsa
Looking at this email header, I find that it's sent from a personal account. I also see that this email has been bounced through their back-end Spam/Junk/Filtering Systems. The hosting company didn't see this as spam? What is even more interesting here is that another domain, other than the yourhostingaccount.com domain, was in the middle of the email being bounced around through email servers. Also the origin of this IP address is curious, since it's the DOD (Department of Defense)!!! Are they infected with malware or botnet software? The IP address could also be used by someone else. Thinking about this: why would you use the DOD IP address, out of all the private IP address space available? Although this is a non-routable address over the public Internet, a proxy server or NAT router/gateway would be required to use this address to access the Internet. Does the DOD privately peer with a colo or data center? This would be a reason for a hacker to try to use this network address to bypass security and firewalls. Maybe this block of private IP space has been reclassified, but I typically see techniques like this when hackers are trying to take over or bypass routers/firewalls within hosting networks.
The typical private network IP addresses fall into the ranges below:
- 192.168.0.0 – 192.168.255.255 (65,536 IP addresses)
- 172.16.0.0 – 172.31.255.255 (1,048,576 IP addresses)
- 10.0.0.0 – 10.255.255.255 (16,777,216 IP addresses)
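To make the header walk above repeatable, here is an added example (my own script, not part of the original post) that parses the four Received lines quoted above, reorders them origin-first, and reports the same observations: an authenticated (esmtpsa) submission, a HELO name that differs from the connecting address, an origin address outside the three private ranges just listed, and a second domain in the relay path. The header text is a constructed sample copied from the post; the regexes assume the usual "from host ([ip]) ... helo=..." layout.

```python
import ipaddress
import re

# Constructed sample: the four Received headers quoted in the post, top (last hop)
# to bottom (the hop closest to the sender), as they sit in the message.
SAMPLE_HEADERS = """\
Received: from walmailout07.yourhostingaccount.com ([18.104.22.168])
Received: from walmailscan15.yourhostingaccount.com ([10.1.15.15])
Received: from walauthsmtp01.yourhostingaccount.com ([10.1.18.1])
Received: from 179.subnet-204-16-13.ellijay.com ([22.214.171.124]:26429 helo=[126.96.36.199]) by walauthsmtp01.yourhostingaccount.com with esmtpsa
"""

# The three RFC 1918 ranges listed in the post.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")       # every [a.b.c.d] on the line
FROM_RE = re.compile(r"^Received:\s+from\s+(\S+)", re.I)  # host named after "from"
HELO_RE = re.compile(r"helo=\[?([\w.\-]+)", re.I)         # helo=name or helo=[addr]

def parse_received(headers):
    """One dict per Received line, reordered origin-first (bottom of the block)."""
    hops = []
    for line in headers.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ips, helo = IP_RE.findall(line), HELO_RE.search(line)
        hops.append({"host": m.group(1), "ip": ips[0] if ips else None,
                     "helo": helo.group(1) if helo else None,
                     "authenticated": "esmtpsa" in line.lower()})
    hops.reverse()
    return hops

def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

def analyze(headers):
    """Observations a reviewer would flag for the Received chain."""
    hops = parse_received(headers)
    origin, findings = hops[0], []
    if origin["authenticated"]:
        findings.append("submitted over an authenticated session (esmtpsa): a user account")
    if origin["ip"] and not is_private(origin["ip"]):
        findings.append(f"origin address {origin['ip']} is outside the RFC 1918 ranges")
    if origin["helo"] and origin["helo"] != origin["ip"]:
        findings.append(f"HELO {origin['helo']} differs from connecting address {origin['ip']}")
    domains = {".".join(h["host"].rsplit(".", 2)[-2:]) for h in hops}
    if len(domains) > 1:
        findings.append("more than one domain in the relay path: " + ", ".join(sorted(domains)))
    return findings
```

Running analyze(SAMPLE_HEADERS) returns four findings for the sample; paste a real message's Received block in place of the sample to check another email the same way.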