Today's fraudulent e-mail involves the impersonation of Telmex, via e-mail. The message received is the following:

[Image: ph_telmex_20161116]

The mechanics are as follows: after receiving this e-mail, the targeted person may take one of three possible actions:

  • "update" the message so that all its links become active, which can lead to the download of a file that is malware or an activity tracker
  • click on the "Ver recibo Telmex" ("View Telmex bill") link and land on a website unrelated to Telmex (which, at the time of publishing this post, has been reported as hosting malicious content)

[Image: ph_telmex_20161116_2]

  • click on the "Ver recibo Telmex" ("View Telmex bill") link and land on a website unrelated to Telmex (which, at the time of publishing this post, does not contain malicious files or content)

We are sharing the headers for anyone researching this:

Delivered-To: xxxxxxxxxxx
Received: by 10.107.39.148 with SMTP id n142csp221343ion;
Wed, 16 Nov 2016 07:33:54 -0800 (PST)
X-Received: by 10.98.63.148 with SMTP id z20mr5297036pfj.151.1479310434214;
Wed, 16 Nov 2016 07:33:54 -0800 (PST)
Return-Path: <[email protected]>
Received: from server1.clarvi.com (server1.clarvi.com. [104.236.191.65])
by mx.google.com with ESMTPS id x27si32349330pff.112.2016.11.16.07.33.54
for <xxxxxxxxxxxx>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 16 Nov 2016 07:33:54 -0800 (PST)
Received-SPF: fail (google.com: domain of [email protected] does not designate 104.236.191.65 as permitted sender) client-ip=104.236.191.65;
Authentication-Results: mx.google.com;
spf=fail (google.com: domain of [email protected] does not designate 104.236.191.65 as permitted sender) [email protected]
Received: from localhost (localhost.localdomain [127.0.0.1])
by server1.clarvi.com (Postfix) with ESMTP id A1AAD23C04;
Tue, 15 Nov 2016 10:13:48 -0500 (EST)
X-Virus-Scanned: Debian amavisd-new at server1.clarvi.com
Received: from server1.clarvi.com ([127.0.0.1])
by localhost (server1.clarvi.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id IGk2anqyHnHW; Tue, 15 Nov 2016 10:13:44 -0500 (EST)
Received: from u14.xdeal4you.com (unknown [89.42.212.185])
(Authenticated sender: [email protected])
by server1.clarvi.com (Postfix) with ESMTPA id 9B37223C03;
Tue, 15 Nov 2016 10:13:34 -0500 (EST)
Message-ID: <[email protected]>
Reply-To: "Mi Telmex" <[email protected]>
From: "Mi Telmex" <[email protected]>
Subject: Tu Recibo Telmex mantiene deuda
Date: Tue, 15 Nov 2016 14:12:53 -0800
Organization: bsh
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_155D_01D23F4A.5ACE1230"
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
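As an added example (not part of the original post), here is a small Python triage script for exactly this kind of header block: it unfolds the Received chain, finds the hop where the message entered the relay, reads the SPF result, compares the brand shown in the From display name with the actual sender domain, and checks whether the Date header is consistent with the first relay timestamp. The sample headers embedded in it are constructed from the dump above: the relay hosts, IPs, queue ids and timestamps are the ones shown there, while the mailbox addresses the post redacts are replaced with placeholders under the reserved .invalid TLD.

```python
"""Header triage for a suspected brand-impersonation e-mail (added example, not from the post).
SAMPLE_HEADERS is constructed from the post's header dump: relay hosts, IPs, queue ids and
timestamps are the ones shown there; the redacted mailboxes are placeholders under .invalid."""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE_HEADERS = """\
Received: by 10.107.39.148 with SMTP id n142csp221343ion;
  Wed, 16 Nov 2016 07:33:54 -0800 (PST)
Return-Path: <bounce@sender-placeholder.invalid>
Received: from server1.clarvi.com (server1.clarvi.com. [104.236.191.65])
  by mx.google.com with ESMTPS id x27si32349330pff.112.2016.11.16.07.33.54
  for <victim@example.invalid>; Wed, 16 Nov 2016 07:33:54 -0800 (PST)
Received-SPF: fail (google.com: domain of bounce@sender-placeholder.invalid does not designate 104.236.191.65 as permitted sender) client-ip=104.236.191.65;
Received: from localhost (localhost.localdomain [127.0.0.1])
  by server1.clarvi.com (Postfix) with ESMTP id A1AAD23C04;
  Tue, 15 Nov 2016 10:13:48 -0500 (EST)
Received: from server1.clarvi.com ([127.0.0.1])
  by localhost (server1.clarvi.com [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id IGk2anqyHnHW; Tue, 15 Nov 2016 10:13:44 -0500 (EST)
Received: from u14.xdeal4you.com (unknown [89.42.212.185])
  (Authenticated sender: account@sender-placeholder.invalid)
  by server1.clarvi.com (Postfix) with ESMTPA id 9B37223C03;
  Tue, 15 Nov 2016 10:13:34 -0500 (EST)
From: "Mi Telmex" <from@sender-placeholder.invalid>
Subject: Tu Recibo Telmex mantiene deuda
Date: Tue, 15 Nov 2016 14:12:53 -0800
"""

# "from <helo> (<reverse-dns> [<ip>])" as Postfix/Google write it; the bracketed part is optional.
RECEIVED_FROM = re.compile(
    r"\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?", re.I)

def unfold(value):
    """Join RFC 5322 folded continuation lines into a single string."""
    return re.sub(r"\s*\r?\n\s*", " ", value or "").strip()

def parse_hop(line):
    """Extract source host/IP, receiving MTA, any SMTP AUTH account and the timestamp of one hop."""
    m = RECEIVED_FROM.search(line)
    by = re.search(r"\bby\s+(\S+)", line)
    auth = re.search(r"Authenticated sender:\s*([^)\s]+)", line)
    stamp = line.rpartition(";")[2].strip() if ";" in line else ""
    return {"helo": m.group("helo") if m else None,
            "rdns": m.group("rdns") if m else None,
            "ip": m.group("ip") if m else None,
            "by": by.group(1) if by else None,
            "auth_sender": auth.group(1) if auth else None,
            "stamp": parsedate_to_datetime(stamp) if stamp else None}

def received_chain(msg):
    """Hops oldest-first: each MTA prepends its Received line, so header order is newest-first."""
    return [parse_hop(unfold(h)) for h in reversed(msg.get_all("Received", []))]

def originating_hop(hops):
    """First hop with a publicly routable source address: where the message entered the relay."""
    for hop in hops:
        try:
            if ipaddress.ip_address(hop["ip"]).is_global:
                return hop
        except ValueError:  # no IP literal in this hop
            continue
    return None

def address_domain(header_value):
    """Domain part of the address in a From/Return-Path style header."""
    m = re.search(r"<([^>]+)>", header_value)
    return (m.group(1) if m else header_value).rpartition("@")[2].lower()

def triage(raw_headers, claimed_brand):
    """Collect the signals a defender checks first: SPF, display name vs. domain, origin, Date sanity."""
    msg = message_from_string(raw_headers)
    hops = received_chain(msg)
    from_hdr = unfold(msg.get("From"))
    from_domain = address_domain(from_hdr)
    spf = re.match(r"(\w+)", unfold(msg.get("Received-SPF")))
    date_hdr = parsedate_to_datetime(unfold(msg.get("Date"))) if msg.get("Date") else None
    first_stamp = hops[0]["stamp"] if hops else None
    f = {"spf": spf.group(1).lower() if spf else None,
         "from_domain": from_domain,
         "brand_in_display_name": claimed_brand.lower() in from_hdr.lower(),
         "brand_in_from_domain": claimed_brand.lower() in from_domain,
         "origin": originating_hop(hops),
         # A Date header later than the first relay's stamp cannot be a real composition time.
         "date_after_first_hop": bool(date_hdr and first_stamp and date_hdr > first_stamp),
         "hops": hops}
    f["suspicious"] = (f["spf"] == "fail"
                       or (f["brand_in_display_name"] and not f["brand_in_from_domain"])
                       or f["date_after_first_hop"])
    return f

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS, "Telmex").items():
        if key != "hops":
            print(f"{key}: {value}")
```

Run against the sample, the script reports what a manual read of the dump above also shows: SPF fails for the relay 104.236.191.65, the display name says "Mi Telmex" while the sending domain has nothing to do with Telmex, the message entered server1.clarvi.com from 89.42.212.185 (no reverse DNS) through an authenticated submission (ESMTPA), which typically points to an abused customer account on that server rather than the server itself being the sender, and the Date header (15 Nov 14:12:53 -0800, i.e. 22:12 UTC) is about seven hours later than the first relay stamp (10:13:34 -0500, i.e. 15:13 UTC), so it was not written by a correctly configured client at composition time.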