20141225

Mout Phishing Expedition Foiled (email alert)

So here is the timeline for a phishing expedition fail. Please note that I did not attempt to alert the phisher "SarahV" that I was onto him. Instead, I pretended to be oblivious to it all.

At first glance, the culprit appeared to be from Vietnam and the Ukraine but his base of operations is mout dot gmx dot net - a German router and server farm. This farm uses IP addresses served by 1&1 Mail & Media GmbH based in Karlsruhe, Germany. It is being used as the remailer for phishing expeditions running out of the Ukraine and Vietnam.

Mout appears like a secure remailer when surfing to it via elinks, and so does mout dot web dot de - both full domain name addresses are aliases for six and seven IP addresses for mout dot gmx dot net and mout dot web dot de respectively.

Anyway, rather than expose the IP addresses of mout, let me present the innocent conversation that I engaged in, rather than drop the ball. Rather than click on any link, I just reported this phishing exploit to Google's security team to take care of.

When this email first appeared in my Gmail inbox, I was going to ignore it but instead got curious.


How can I prove that this is the culprit? Both Gmail security and I can view the email headers, and after the remote server supposedly in Vietnam spammed me, the guy who controls the Bellcrgash account at gmx dot net offered the phishing bait of some dating site. Then he gets impatient and tries to yank my chain.

In response, I give a short refusal and no explanation - this is necessary to fool the phisher.

After the second reply from the guy using the alias "SarahV", my response was to look up everything about all the IP addresses in the email header in all his replies. The only IP addresses common to the second and third replies resolved into two servers in the mout dot gmx dot net farm.
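The header comparison described above, as an added example that is not part of the original post: it pulls the IPv4 addresses out of each reply's Received headers and keeps only those present in every reply. The sample headers are constructed (documentation-range addresses, example.* host names), and the function names are assumptions.

```python
import ipaddress
import re
from email import message_from_string

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 and loopback ranges say nothing about the sending network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_ips(raw_message):
    """Return routable IPv4 addresses found in a message's Received headers."""
    found = set()
    for hop in message_from_string(raw_message).get_all("Received", []):
        for candidate in IPV4.findall(hop):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:      # e.g. 999.1.1.1 matched by the regex
                continue
            if not any(ip in net for net in INTERNAL):
                found.add(str(ip))
    return found

def common_relays(raw_messages):
    """Addresses that appear in the Received chain of every message."""
    sets = [received_ips(m) for m in raw_messages]
    return set.intersection(*sets) if sets else set()

# Constructed headers: documentation-range IPs and example.* host names.
REPLY_2 = """\
Received: from out.example.net (out.example.net [203.0.113.7])
    by mx.example.org with ESMTPS; Thu, 25 Dec 2014 10:00:00 -0800
Received: from relay.example.net ([198.51.100.20])
    by out.example.net with ESMTP; Thu, 25 Dec 2014 18:59:58 +0100
Received: from [192.168.1.5] (unknown [192.0.2.44])
    by relay.example.net; Thu, 25 Dec 2014 18:59:57 +0100
Subject: Re: hello
"""
REPLY_3 = """\
Received: from out.example.net (out.example.net [203.0.113.7])
    by mx.example.org with ESMTPS; Fri, 26 Dec 2014 09:00:00 -0800
Received: from relay.example.net ([198.51.100.20])
    by out.example.net with ESMTP; Fri, 26 Dec 2014 17:59:58 +0100
Received: from [10.0.0.3] (unknown [192.0.2.99])
    by relay.example.net; Fri, 26 Dec 2014 17:59:57 +0100
Subject: Re: Re: hello
"""

if __name__ == "__main__":
    print(sorted(common_relays([REPLY_2, REPLY_3])))
```

Only the Received lines stamped by your own mail provider are trustworthy; hops further down the chain are written by upstream servers and can be forged.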

So beware: any emails from gmx dot com are known to be from spammers out to phish from oblivious rubes who do not know any better.

Thank you to Gmail for providing the means to reduce phishing scams like this from being successful.

Update: The phishing never stops. Hopefully using Ukrainian, Vietnamese, and German will get this guy to move on...

I hope my just talking to him will not only lead to more of the same BS...
