Fraudulent direct debit scam pretending to be Orange
jKaha
Hello,
I received a strange message, appearing completely as Orange-telecom, asking me to provide my bank card details under the pretext of regularization. It's surely a scam, as the only mistake I noted was the word "conexion" with only one n. It goes to show that spelling is useful.
Of course, I didn't respond, but what else can we do?
Thank you for any wise advice
Configuration: Mac OS X SeaMonkey 1.1.14
20 replies
Here is the Free response to a mailing scam I received:
[11-13-2009 14:32] [Chat Session Start] [Service chosen: Billing]
[3:04 PM] Me: hello
[3:05 PM] Me: I just received an email with the following link requesting me to fill out postal and billing information... are you aware of this:
http://hostinfo.cafe24.com/serviceExpire/servicestop.html (link to the site trying to hijack your data)
[3:05 PM] Support: hello
[3:06 PM] Support: It is likely that you will receive, totally at random, emails that appear to be sent by Free but are actually not and represent phishing attempts
[3:06 PM] Support: These are emails impersonating Free, urging Free users to provide their personal information such as usernames, passwords, postal addresses, account numbers, or credit card numbers, etc., via a website or email mimicking Free's presentation.
[3:06 PM] Support: Please note that Free will never ask you for this kind of information.
Therefore, please ignore such suspicious emails (do not reply to them) and do not click on the links contained within. You can delete the message.
[3:07 PM] Me: Okay, thank you for your response...
Goodbye.
Hello,
It's obviously useful to talk about it!
Clearly, it's a scam; it's as obvious as can be! If it's indeed an email you received, geolocation is easy to determine. Be clever about getting them to provide the URL of the "official site," because if they make that mistake, they'll be done for: you can conduct a "WhoIs" query to possibly obtain the WebMaster's address, their name, their business name, their address (in a French-speaking African country?), their age, and even the size of their shoes if they wear any!!!
However, ask yourself how they were able to know your email address, which is the most important!
Tell us what happens next, let's have a laugh...
Why not just send this email to Orange with a copy-paste! It will really get Orange fired up... for sure it's going to hurt! For once, Orange would see red!
lol
So funny!
This is not strictly speaking a scam but phishing.
To counter this, just hover over the link where it invites you to click and check at the bottom left if the displayed URL matches the provider that is announcing itself. In this specific case, it should have been: https://www.orange.fr/portail and nothing else. If something else appears, do not click and put the message directly in the trash or forward it to Orange: abuse@orange.fr
Not sure that Orange will do anything, like many ISPs do
--
PLEASE MENTION THE EMAIL ADDRESSES AND PHONE NUMBERS OF THESE SCAMMERS
We will make good use of them (Blacklists)
Not difficult.
Right-click on the proposed link. Definitely not a normal left-click
------>Copy the link address
You need to go here: http://whois.domaintools.com/
Paste it in the search bar of the site above and there you'll have all the information
If the domain is not the ISP in question, it's a fake site
--
PLEASE, MENTION THE EMAIL ADDRESSES AND PHONE NUMBERS OF THESE SCAMMERS
We will make good use of them (Blacklists)
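The hover check and the copy-the-link check described in the two replies above can be automated. The following is an added example, not part of the original posts: it extracts every link from an HTML message body and flags those whose real host is not under the expected provider domain. The trusted-domain list, the function names and the two `example.net` links are assumptions constructed for illustration; the other two URLs are quoted on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain the claimed sender legitimately links to.
TRUSTED_DOMAINS = {"orange.fr"}

# Constructed sample body. Links 1 and 2 use URLs quoted in the thread;
# links 3 and 4 are constructed lookalikes on a placeholder domain.
SAMPLE_EMAIL = """
<p>Dear customer: ...</p>
<a href="http://www.leasing-factoring.com/plugins/system/legacy/confirm-online.htm">Click here to access your security form.</a>
<a href="https://www.orange.fr/portail">https://www.orange.fr/portail</a>
<a href="http://www.orange.fr.example.net/form">https://www.orange.fr/portail</a>
<a href="https://www.orange.fr@example.net/login">My account</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse(url):
    """Return (host the browser would contact, raw netloc); empty on bad input."""
    try:
        parts = urlsplit(url.strip())
        return (parts.hostname or "").rstrip(".").lower(), parts.netloc
    except ValueError:
        return "", ""


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    # Match on a label boundary so "orange.fr.example.net" does not pass.
    return any(host == d or host.endswith("." + d) for d in trusted)


def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Return (href, host, reasons) for every link that deserves suspicion."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host, netloc = parse(href)
        reasons = []
        if not is_trusted(host, trusted):
            reasons.append("host is not a trusted domain")
        if "@" in netloc:
            reasons.append("userinfo before '@' hides the real host")
        # Visible text that is itself a URL but names a different host.
        shown = parse(text)[0] if "://" in text else ""
        if shown and shown != host:
            reasons.append("link text shows " + shown)
        if reasons:
            findings.append((href, host, reasons))
    return findings


if __name__ == "__main__":
    for href, host, reasons in audit_links(SAMPLE_EMAIL):
        print(host, "->", "; ".join(reasons))
```

A host that passes this check only proves the link points at the expected domain; it says nothing about whether the message itself is genuine.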
What is concerning for jKaha is the dissemination and "potentially malicious" use of his email address.
It makes one wonder what one can leave lying around when spreading a bit on the web.
The interest for jKaha will, I presume, be to find out how his email address ended up in the trash of those phishing idiots.
All helplines of our ISPs are in North Africa. Without wanting to implicate anyone from North Africa, we know that networks are established there.
We can imagine without being paranoid, that they are infiltrated into the hotlines... and that it is very easy for them to retrieve addresses.
This also explains why we sometimes see addresses like: loteriegagnate@orange.fr or loteriedusiecle@club-internet.fr
It is very easy for someone infiltrating a hotline to retrieve accounts and unused email addresses.
In general, we have 5 addresses included in our subscriptions but few use all 5.
Not to mention email extractors that collect all the addresses we might leave lying around on websites, guestbooks, forums, etc... hence the importance of never mentioning anything personal on the web.
--
PLEASE MENTION THE EMAIL ADDRESSES AND PHONE NUMBERS OF THESE SCAMMERS
We will make good use of them (Blacklists)
Sure for the grand "connection".
I'm curious to conduct a WhoIs this time. If Jkaha could look into it and get back to us to write the adventures of such a pretty tale. Let's go all the way to the end of the journey (African?).
Hello and thank you all for your responses and suggestions.
I'm new to this forum and not yet used to reacting so quickly.
But I will share with you all the elements I have.
First of all, I want to clarify that I have a naturally trusting and optimistic disposition. I believe in an open and free internet. My email address appears on many websites and various associations, not to mention the salespeople who exchange their client files. I have nothing to hide; I don't publish anything confidential.
I have received a total of 3 suspicious emails supposedly from Orange. How can I send them to you in full?
See you soon.
Hello, I also received this email on 09/26/09, so here is the URL of the link:
http://www.leasing-factoring.com/plugins/system/legacy/confirm-online.htm
My accounts have not been debited, so it is indeed a banking scam!!!! Never be naive and give your credit card code to any fool claiming to refund you supposedly.
Well, a "whois" query from whois.domaintools gives us this:
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Leasing-Factoring.com Whois Record
( Leasing Factoring )
Site Profile
Website Title: GATOR SERVICE GROUP: LEASING AND FACTORING
Title Relevancy 100%
Meta Description: GATOR is an independent corporate finance company. Are you looking for a strong partner in leasing and factoring? We advise SMEs as well as investors on all financing issues.
Relevancy: 64% relevant.
Meta Keywords: gator leasing factoring gator corporate finance leasing company factoring company gator service group
Relevancy: 0% relevant
SEO Score: 87%
Terms: 154 (Unique: 86, Linked: 50)
Images: 4 (Alt tags missing: 0)
Links: 20 (Internal: 15, Outbound: 1)
AboutUs: Wiki article on Leasing-factoring.com
Search Rank
Alexa Trend/Rank: The lower the rank the better. #5,123,369: Down 322,982 ranks over the last three months.
Registration Record
ICANN Registrar: INTERNETWIRE COMMUNICATIONS GMBH
Created: 2008-09-29
Expires: 2009-09-29
Updated: 2008-09-29
Registrar Status: clientTransferProhibited
Name Server: NS5.KASSERVER.COM (has 98,765 domains)
Name Server: NS6.KASSERVER.COM (has 98,765 domains)
Whois Server: whois.internetwire.de
Server Data
Server Type: Apache
IP Address: 85.13.139.15
IP Location Germany - Berlin - Berlin - Neue Medien Muennich
Response Code: 200
Domain Status: Registered And Active Website
DomainTools Exclusive
Registrant Search: "Christian Scherg" owns about 34 other domains
Email Search: is associated with about 19 domains
is associated with about 74,197 domains
Registrar History: 3 registrars with 2 drops.
NS History: 14 changes on 10 unique name servers over 4 years.
IP History: 24 changes on 11 unique name servers over 4 years.
Whois History: 5 records have been archived since 2008-10-02.
Reverse IP: 157 other sites hosted on this server.
Whois Record
domain: leasing-factoring.com
nserver: ns5.kasserver.com
nserver: ns6.kasserver.com
created: 2008-09-29
updated: 0000-00-00
expire: 2009-09-29
owner-id: CS430280
owner-org:
owner-name: Christian Scherg
owner-address: Sonderfeld 6
owner-pcode: 45277
owner-city: Essen
owner-country: DE
owner-phone: +49 201 3107539
owner-email:
admin-id: CS430280
admin-org:
admin-name: Christian Scherg
admin-address: Sonderfeld 6
admin-pcode: 45277
admin-city: Essen
admin-country: DE
admin-phone: +49 201 3107539
admin-email:
tech-id: WK1126
tech-org: Neue Medien Muennich GmbH
tech-name: Werner Kaltofen
tech-address: Hauptstr. 68
tech-pcode: 02742
tech-city: Friedersdorf
tech-country: DE
tech-phone: +49 35872 35310
tech-fax: +49 35872 35330
tech-email:
billing-id: WK1126
billing-org: Neue Medien Muennich GmbH
billing-name: Werner Kaltofen
billing-address: Hauptstr. 68
billing-pcode: 02742
billing-city: Friedersdorf
billing-country: DE
billing-phone: +49 35872 35310
billing-fax: +49 35872 35330
billing-email:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Could you please post a copy-paste of the entire email you received?
See you later.
I am actually thinking of a landing page, with redirection at play. Before I go there myself a bit later, other info would further enlighten me.
HERE IS THE EMAIL BUT OF COURSE THE ORIGINAL IS VERY NICE IN COLOR AND ALL!!!
Dear customer:
During a routine computer processing regarding the monthly withdrawals from our client's account, on September 26, 2009, we debited 90 euros from your account.
This problem is primarily due to the similarity of your names and surnames with those of another client.
To proceed with an immediate refund, we kindly ask you to respond to this email (by clicking the reply button) to provide the necessary information for the establishment of your special refund form.
Click here to access your security form.
We thank you for your understanding and apologize for the inconvenience caused.
Form reference: 1-Q84-KP05
Important:
The payment made by Orange will be reflected in your next bank statement.
Our Orange customers will benefit from a commercial gesture.
We assure you of the confidentiality of the information provided. Orange is legally responsible for these transactions.
@2009 Orange Service. All rights reserved.
Deliciously good!
Of course, there were no actual accounting errors that motivated this action on Orange's part, right?
If I were you, as previously mentioned by [ChrisVorascam], I would forward this cursed email to abuse@orange.fr, asking them for some ...innocent explanation! Hehe!
See you later.
Great!
Don't forget to tell us what happens next, so we can have a little laugh*
*"...as the stress of every eviction flies far away where, it is believed, an ancestral poetry survives"
(it doesn't mean anything, but it sounds so nice!)
Well: I'm going to visit GATOR SERVICE GRUPPE.
Bingo!
I wanted to visit
http://www.leasing-factoring.com/plugins/system/legacy/confirm-online.htm
and I was warned of the following:
"Counterfeit site!
The website at www.leasing-factoring.com has been reported as a counterfeit and has been blocked based on your security preferences.
Counterfeit websites are designed to trick you into revealing personal or financial information by mimicking sites you may trust.
Entering information on this web page may result in identity theft or other fraud."
It's true that "you can be famous for fifteen minutes in life"! So funny!