[email protected], British Nokia Lottery

Got a strange message recently. No, actually the message itself is quite standard, a usual lottery scam. Rather than being a lucky person, I would be quite unlucky if I fell for their scam. What puzzles me a bit though is a strange disclaimer after the message (which is quite brief). Either it's completely faked, or the sender is related to Hilton somehow (or maybe hacked one of their mail systems, I don't know). Note that the scammer gives her (or his) email as [email protected]. Here is the message:

The British Nokia Group has picked you as a lucky person of a lump sum pay out of £750,000.00 Send Your Names:
Location:
Tel: to Email: ([email protected])

__________________________
This transmission is not a digital or electronic signature and cannot be used to form, document, or authenticate a contract. Hilton and its affiliates accept no liability arising in connection with this transmission.Copyright 2013 Hilton Worldwide Proprietary and Confidential

And here are the headers. They puzzled me even more, as I saw the Hilton domain there several times too. But, at the same time, the reply address in the email itself is a free account on Hotmail. Which makes me think again that they have hacked one of Hilton's mailboxes. Or - I have just thought about it - one of their mailboxes may be infected with some sort of Trojan which sends this message without the mailbox owner knowing it. Such cases are not uncommon, but I may be wrong, of course. So, here's a quiz for professionals. What do you think?

Delivered-To: [email protected]
Received: by 10.15.43.4 with SMTP id w4csp11024eev; Sat, 20 Apr 2013 05:59:17 -0700 (PDT) X-Received: by 10.68.102.2 with SMTP id fk2mr24159316pbb.168.1366462756692; Sat, 20 Apr 2013 05:59:16 -0700 (PDT)
Return-Path: <[email protected]>
Received: from esa2.hilton.iphmx.com (esa2.hilton.iphmx.com. [68.232.137.92]) by mx.google.com with ESMTPS id wn1si15545031pbc.201.2013.04.20.05.58.39 (version=TLSv1 cipher=RC4-SHA bits=128/128); Sat, 20 Apr 2013 05:59:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 68.232.137.92 as permitted sender) client-ip=68.232.137.92;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 68.232.137.92 as permitted sender) [email protected]
X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AvoAAACQclGnu2QCmGdsb2JhbABQgkIjr0JYjWuDVxRvFg4BAQEBAQYLDQcUKIFwFQEBDwEKBVM4AQsBCRVWHwQDAQoBDAiFboIMAw8BmwuhDIxSgRGBEYMeYQOIU4I3AYohAogNhU6IKIFyATU
X-IronPort-AV: E=Sophos;i="4.87,513,1363150800"; d="scan'208,217";a="1831353"
Received: from unknown (HELO mail.hilton.com) ([167.187.100.2]) by esa2.hilton.iphmx.com with ESMTP/TLS/AES128-SHA; 20 Apr 2013 07:58:33 -0500
Received: from HFWMXMSG01PH.hotels.ad.hilton.com (10.80.40.21) by HFWMRMSG01PH.hotels.ad.hilton.com (10.80.200.51) with Microsoft SMTP Server (TLS) id 14.2.342.3; Sat, 20 Apr 2013 08:58:55 -0400
Received: from HFWMXMSG05PH.hotels.ad.hilton.com ([fe80::edc5:b93:12ab:fef1]) by HFWMXMSG01PH.hotels.ad.hilton.com ([169.254.1.58]) with mapi id 14.02.0342.004; Sat, 20 Apr 2013 08:58:20 -0400
From: Jenny Liang <[email protected]> Subject: re Thread-Topic: re Thread-Index: Ac49xruP6hFZ350YSIC7AkYijqkatA== Date: Sat, 20 Apr 2013 12:58:20 +0000
Message-ID: <7BA812B4C1FD9647B14FFA135EEDC9BF037D72@HFWMXMSG05PH.hotels.ad.hilton.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.80.202.27]
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 To: Undisclosed recipients:;
Return-Path: <[email protected]>

I have has a similar email this time from [email protected], However the sender is called Philip with a return email to [email protected],I note similar references to the Hilton Hotel however, information from SpamCops come up with this email Re: 167.187.100.2 (Administrator of network where email originates) To: oliver_ho#[email protected] (Notes)
The use of # signs means this is a good scammer hiding his trail via the Hilton Hotels and the IP address is as follows IP address "167.187.100.2" is located @ United States California Beverly Hills
I enclose the full headers of the email.

x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=pass (sender IP is 68.232.137.182) smtp.mailfrom=prvs=822222d8f=Chantelle. ... hilton.com; dkim=none header.d=Hilton.com; x-hmca=pass
X-SID-PRA: [email protected]
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0z
X-Message-Info: BoWLbcrhZCvC3BEs8Cjcec5pB/lPi85Hnbhc5uoJC3YGgmldiU0lG07Z0OtZ77p/lOcvaxJz+pxyylc73lYv9Gd5OmowZCYyda+BNlH+XTKtJPriFr7lWDdFzT4DUg95Ye4kU2FJYDGGHD4IV4npzA==
Received: from esa4.hilton.iphmx.com ([68.232.137.182]) by SNT0-MC4-F26.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sat, 27 Apr 2013 14:06:13 -0700
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AtMEAHw9fFGnu2QCmGdsb2JhbAA9FoFvCEytcBCRQoEDFg4BAQEBAQYLDQcUKIISAQEBAgQBAQEBAQEBBAsgYAEIBAEIFQlKAQIMAQEYAQoBFIVBAQEBASmCAgEBAQkBARCebI8shyKIcY1QgRmDJmEDnVRegm2GSYNxPIFs
X-IronPort-AV: E=Sophos;i="4.87,564,1363150800";
d="scan'208,217";a="11895363"
Received: from unknown (HELO mail.hilton.com) ([167.187.100.2])
by esa4.hilton.iphmx.com with ESMTP/TLS/AES128-SHA; 27 Apr 2013 16:05:53 -0500
Received: from HFWMXMSG05PH.hotels.ad.hilton.com (10.80.40.25) by
HFWMRMSG01PH.hotels.ad.hilton.com (10.80.200.51) with Microsoft SMTP Server
(TLS) id 14.2.342.3; Sat, 27 Apr 2013 16:51:01 -0400
Received: from HFWMXMSG14PH.hotels.ad.hilton.com ([169.254.7.79]) by
HFWMXMSG05PH.hotels.ad.hilton.com ([fe80::edc5:b93:12ab:fef1%16]) with mapi
id 14.02.0342.004; Sat, 27 Apr 2013 16:50:27 -0400
From: Chantelle Le Roux <[email protected]>
Subject: RE:
Thread-Topic: RE:
Thread-Index: Ac5Dd1ZewkdPd1WQQ8u0qx8+9eoXhg==
Date: Sat, 27 Apr 2013 20:50:27 +0000
Message-ID: <52AF9CFC6B020147BF68C05913E01FC6A2483B@HFWMXMSG14PH.hotels.ad.hilton.com>
Reply-To: "[email protected]" <[email protected]>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.80.202.26]
Content-Type: multipart/alternative;
boundary="_000_52AF9CFC6B020147BF68C05913E01FC6A2483BHFWMXMSG14PHhotel_"
MIME-Version: 1.0
To: Undisclosed recipients:;
Return-Path: <[email protected]>
X-OriginalArrivalTime: 27 Apr 2013 21:06:13.0438 (UTC) FILETIME=[0CC9A5E0:01CE438B]

--_000_52AF9CFC6B020147BF68C05913E01FC6A2483BHFWMXMSG14PHhotel_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hello,

I seek your assistance in retrieving $50M left behind by a deceased custome=
r of my bank. Reply for detailed information.

Regards,

Philip.

________________________________

This transmission is not a digital or electronic signature and cannot be us=
ed to form, document, or authenticate a contract. Hilton and its affiliates=
accept no liability arising in connection with this transmission.Copyright=
2013 Hilton Worldwide Proprietary and Confidential

--_000_52AF9CFC6B020147BF68C05913E01FC6A2483BHFWMXMSG14PHhotel_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<style>
<!--
@font-face
{font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif"}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
span.EmailStyle17
{font-family:"Calibri","sans-serif";
color:windowtext}
.MsoChpDefault
{font-size:10.0pt;
font-family:"Calibri","sans-serif"}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
div.WordSection1
{}
-->
</style>
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal">Hello,</p>
<p class=3D"MsoNormal">&nbsp;</p>
<p class=3D"MsoNormal">I seek your assistance in retrieving $50M left behin=
d by a deceased customer of my bank. Reply for detailed information.</p>
<p class=3D"MsoNormal">&nbsp;</p>
<p class=3D"MsoNormal">Regards,</p>
<p class=3D"MsoNormal">&nbsp;</p>
<p class=3D"MsoNormal">Philip.</p>
</div>
<br>
<hr>
<font face=3D"Arial" color=3D"Gray" size=3D"1"><br>
This transmission is not a digital or electronic signature and cannot be us=
ed to form, document, or authenticate a contract. Hilton and its affiliates=
accept no liability arising in connection with this transmission.Copyright=
2013 Hilton Worldwide Proprietary
and Confidential<br>
</font>
</body>
</html>

--_000_52AF9CFC6B020147BF68C05913E01FC6A2483BHFWMXMSG14PHhotel_--

Thanks, so this scammer is just hiding his real address by simulating Hilton servers' signatures and creating an impression that it was sent by Hilton? Yes, they really want money...

Ironically - Jenny Liang has struck again - this time on Canadian Soil - Offering Payment through PayPal for very expensive shoes - the connection to this is interesting as her/his hosting company for the fake PayPal account is a nokia company. Funny that this fraud above was the British "Nokia" Lottery. She had a "Google" telephone number to text to and a fake email set up as well to send and receive info about the shoes. She basically wanted me to send them - provide the shipping number and she would send the money - But the problem was - I deal with Paypal all the time and I could see that the email she responded to me with was not an official PayPal. I told her I was going to call the Police.. she said, I did not know who I was "fucking" with. Thank goodness I was able to grab my parcel back from the Post office before they shipped it!
enny Liang <[email protected]>
1:26 PM (5 hours ago)

to me - Here is just some of the lies and deception. Don't fall for it! Kijiiji ad!

i have just sent you the payment of 275 USD including the postage,and i belive you should have been notified by an email from paypal,please quickly post it out asap VIA FEDEX/USPS NEXT DAY EXPRESS and let me know the tracking number,i just wanna let you know that i've paid more only to save you the postage hassle okay,and here is the postage address below..
Jenny Liang,
149 Mississauga Avenue
Elliot Lake,Ontario.
P5A 1E3 Canada

Deceptive telephone number - (909) 713-6832

And the fraud committed on PayPal

PayPal

Dear Removed (BW),

Thanks for your affirmative email.
We have received the Reference/Tracking Number
We want to bring to your notice that your funds has been processed and it would reflect in your PayPal Account within the Next 24 hours,once the Reference/Tracking Number has been Verified through our secured server.
Thank you for using PayPal!
The PayPal Team.

Questions? Go to the Customer Care Help Center at: Click Here
VisaMasterCardDiscoverAmerican ExpresseCheck

Copyright © 2014 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP1525