by xynerate
Thu Apr 28, 2016 3:51 am
Hi there, I hope someone can assist me (gut feeling is that something is not right here)
Someone is asking me to transfer money from an account to my account so that I may pay his staff whilst he is working offshore.
Firstly, the email address he provided to ask us to send an email to SantanderOnlineCorp is [email protected] (I have never known a bank to have a gmail address)
Secondly, when I received a reply back from the bank (posted below), the login screen looks strange as it is not a normal layout for Santander.
Finally, after digging around a few domain lookups I found the following:
Domain name:
SANTANDERONLINECORP.TK
Organisation:
BV Dot TK
Dot TK administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax: +31 20 5315721
E-mail: abuse: [email protected], copyright infringement: [email protected]
Domain Nameservers:
NS01.FREENOM.COM
NS02.FREENOM.COM
NS03.FREENOM.COM
NS04.FREENOM.COM
===============================================================
Email :
Dear customer
The link to Lee hennine's account with us has been created.
You can now click on this link to make a successful transfer.
santanderonlinecorp.tk
(I HAVE ALSO NOTICED http://unicredit.host.sk/ also shows the same login page)
=============================================================================
Header for above email.
Return-path: <[email protected]>
Envelope-to: <removed>
Delivery-date: Wed, 27 Apr 2016 22:51:20 +0200
Received: from cpt-prewall-01.mweb.co.za ([196.28.150.151])
by mailstore-02.smp.mweb.co.za with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1avWQa-0006iq-Ea
for <removed>; Wed, 27 Apr 2016 22:51:20 +0200
Received: from cpt-mx-09.mweb.co.za ([196.28.149.159])
by cpt-prewall-01.mweb.co.za with esmtp (Exim 4.84 (FreeBSD))
(envelope-from <[email protected]>)
id 1avWQo-0005gp-UG
for <removed>; Wed, 27 Apr 2016 22:51:34 +0200
Received: from [197.96.204.133] (helo=mta05-dc01.cm.synaq.com)
by cpt-mx-09.mweb.co.za with esmtp (Exim 4.84)
id 1avWQo-0008r4-N9
for <removed>; Wed, 27 Apr 2016 22:51:34 +0200
Received: from localhost (localhost [127.0.0.1])
by mta05-dc01.cm.synaq.com (Postfix) with ESMTP id 6A319E4310C
for <removed>; Wed, 27 Apr 2016 22:51:34 +0200 (SAST)
X-Virus-Scanned: amavisd-new at mta05-dc01.cm.synaq.com
Authentication-Results: mta05-dc01.cm.synaq.com (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com
Received: from mta05-dc01.cm.synaq.com ([127.0.0.1])
by localhost (mta05-dc01.cm.synaq.com [127.0.0.1]) (amavisd-new, port 10033)
with ESMTP id i9HesOqxHmt7 for <removed>;
Wed, 27 Apr 2016 22:51:34 +0200 (SAST)
Received: from securemail-pl-mx25.synaq.com (unknown [196.35.198.137])
by mta05-dc01.cm.synaq.com (Postfix) with ESMTP id 54AFDE42D4F
for <removed>; Wed, 27 Apr 2016 22:51:34 +0200 (SAST)
Received: from mail-lf0-f65.google.com ([209.85.215.65])
by securemail-pl-mx25.synaq.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.63)
(envelope-from <[email protected]>)
id 1avWQY-00069W-Hl
for<removed>; Wed, 27 Apr 2016 22:51:18 +0200
Received: by mail-lf0-f65.google.com with SMTP id p64so10553666lfg.0
for <removed>; Wed, 27 Apr 2016 13:51:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to;
bh=rL9L6Fi4UXnLpAkim32AfNp+4QOfhjuflxfiQo9ffBU=;
b=iCEpOuugNotxLYIt2Q25J81YbnWpczkEURSaD6dWevzr7cbiBwbJ9YnakuCjqlPplr
BIUcPmFMpoFIZ5BQzz05avrze44E6UA+yuwifazm+CUuJXl0k+ezg9Lw0iG6FBMXa+Cc
MmwH3di123kj0iafVCC9EK+ONP1sSjAqDAHt+jhveaEnBamBAqWVuLYMV4KvRqHCd0p9
Ri+QotXdJcDVer2on/CYlCqEeOnX29gAdngnQPJBE30tyOHHZQLjPx2QFr0WcPZVft8q
o7mB5qotNSrjvAu2y6H+o63FU6hUDLXl/iNAEkJtF9SXm2ifehkm9vr/zpRGSVwnNGzW
qjVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:date:message-id:subject:from:to;
bh=rL9L6Fi4UXnLpAkim32AfNp+4QOfhjuflxfiQo9ffBU=;
b=Fk/UJBIHdjzDR3gV66s5DbGHgrGjZjipwqt3//8Y0tvd88cw1R2jHFzu72NfDRtwsl
BzfJmoCjeC3cn4VPsEMe893lmq6xlxTAi7fOSIfSb0BlXN1gjwScL10wKlU7wOC6t/20
vXWOVA8JDa5A45rKzE6aJt+PfARh/bOJSNBwkyzAQ+huVlgQvqxqF8i0WzBK5uJN0Yk0
i03CkJpu4pwwqw+PI0SdEQxfYJohUTPFbcdlcCc8pdjAxNy/dyntBrxEaUhRkRVftLNW
OFw+dovBBsY7x0eY9ZtWdS8gCtaEYbZDji0QTL58kTP4qqBs6n1cwmK18fD3pyBYUq5a
l8Sg==
X-Gm-Message-State: AOPr4FW3FNJLyua3Kz+eCg0hyPjPlGEK0LC18ay9NhMrtGYnr7fH9OfGOj5AH3gWrUEpRg5kSWKdtDDMgpY97A==
MIME-Version: 1.0
X-Received: by 10.112.72.193 with SMTP id f1mr4505551lbv.114.1461790275443;
Wed, 27 Apr 2016 13:51:15 -0700 (PDT)
Received: by 10.112.199.229 with HTTP; Wed, 27 Apr 2016 13:51:15 -0700 (PDT)
Date: Wed, 27 Apr 2016 21:51:15 +0100
Message-ID: <CAPcygW-v=WZkDfAZ=iufeW=d5mGGb0RrgSmGafYz_KLfqF8oTg@mail.gmail.com>
Subject: ONLINE TRANSFER
From: santander bank <[email protected]>
To: <removed>>
Content-Type: multipart/alternative; boundary=001a11c33d9e1aa09a05317d9240
X-SYNAQ-Pinpoint-Information: Please contact MWEB for more information
X-SYNAQ-Pinpoint-ID: 1avWQY-00069W-Hl
X-SYNAQ-Pinpoint: Found to be clean
X-SYNAQ-Pinpoint-SpamCheck: spam, SpamAssassin (not cached, score=5.917,
required 5, BAYES_05 -0.50, DKIM_SIGNED 0.10, DKIM_VALID -0.10,
DKIM_VALID_AU -0.10, FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00,
KAM_TK 5.00, RCVD_IN_HOSTKARMA_YE 0.01, SPF_PASS -0.00,
SUBJ_ALL_CAPS 1.51)
X-SYNAQ-Pinpoint-SpamScore: sssss
X-Pinpoint-From: [email protected]
X-Spam-Flag: YES
Received-SPF: cpt-mx-09.mweb.co.za: transitioning domain of gmail.com does not designate 197.96.204.133 as permitted sender
X-Antivirus: AVG for E-mail 2016.0.7539 [4563/12116]
X-AVG-ID: ID3C5E267A-5770C8ED
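A small header-triage script, added here as an example; it is not code from the post or from any of the mail operators named in the headers. It takes a trimmed copy of the header block quoted above (recipients redacted as in the post; the sender's local part, which is not legible in the post, is replaced by a placeholder), walks the Received chain oldest-first, reads the DKIM and SPF verdicts, lists the SpamAssassin rules that fired, and turns them into findings. The function names and the FREEMAIL_DOMAINS list are this example's own assumptions.

```python
"""Triage a quoted e-mail header block: trace the Received chain, read the
DKIM/SPF verdicts and list the SpamAssassin rules that fired."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers quoted in the post.
# Recipients are <removed> as in the post; the sender's local part is not
# legible there, so a placeholder is used (the domain, gmail.com, is from the post).
SAMPLE_HEADERS = """\
Return-path: <sender-redacted@gmail.com>
Received: from cpt-prewall-01.mweb.co.za ([196.28.150.151])
 by mailstore-02.smp.mweb.co.za with esmtp (Exim 4.69)
 id 1avWQa-0006iq-Ea
 for <removed>; Wed, 27 Apr 2016 22:51:20 +0200
Received: from [197.96.204.133] (helo=mta05-dc01.cm.synaq.com)
 by cpt-mx-09.mweb.co.za with esmtp (Exim 4.84)
 id 1avWQo-0008r4-N9
 for <removed>; Wed, 27 Apr 2016 22:51:34 +0200
Received: from mail-lf0-f65.google.com ([209.85.215.65])
 by securemail-pl-mx25.synaq.com with esmtps (TLSv1:RC4-SHA:128)
 (Exim 4.63)
 id 1avWQY-00069W-Hl
 for <removed>; Wed, 27 Apr 2016 22:51:18 +0200
Authentication-Results: mta05-dc01.cm.synaq.com (amavisd-new);
 dkim=pass (2048-bit key) header.d=gmail.com
Subject: ONLINE TRANSFER
From: santander bank <sender-redacted@gmail.com>
X-SYNAQ-Pinpoint-SpamCheck: spam, SpamAssassin (not cached, score=5.917,
 required 5, BAYES_05 -0.50, DKIM_SIGNED 0.10, DKIM_VALID -0.10,
 DKIM_VALID_AU -0.10, FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00,
 KAM_TK 5.00, RCVD_IN_HOSTKARMA_YE 0.01, SPF_PASS -0.00,
 SUBJ_ALL_CAPS 1.51)
X-Spam-Flag: YES
Received-SPF: cpt-mx-09.mweb.co.za: transitioning domain of gmail.com does not designate 197.96.204.133 as permitted sender

"""

# Assumed list of consumer webmail domains (extend as needed).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

HOP_RE = re.compile(r"\bfrom\s+(?P<src>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+)\s+(-?\d+\.\d+)")  # e.g. KAM_TK 5.00


def parse_headers(text):
    return message_from_string(text)


def unfold(value):
    """Collapse RFC 5322 folding whitespace into single spaces."""
    return " ".join((value or "").split())


def received_chain(msg):
    """Hops oldest-first. MTAs prepend Received, so the last header is the first hop."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = HOP_RE.search(unfold(raw))
        if not m:  # "Received: by ..." lines have no from-clause; skip them
            continue
        ip = IPV4_RE.search(m.group("src"))
        hops.append({"src": m.group("src"), "ip": ip.group(1) if ip else None, "by": m.group("by")})
    hops.reverse()
    return hops


def auth_verdicts(msg):
    """DKIM result and signing domain, plus which IP the Received-SPF line judged."""
    ar = unfold(msg.get("Authentication-Results"))
    dkim = re.search(r"\bdkim=(\w+)", ar)
    dkim_d = re.search(r"header\.d=([\w.-]+)", ar)
    spf_line = unfold(msg.get("Received-SPF"))
    spf_ip = IPV4_RE.search(spf_line)
    return {
        "dkim": dkim.group(1) if dkim else None,
        "dkim_domain": dkim_d.group(1) if dkim_d else None,
        "spf_checked_ip": spf_ip.group(1) if spf_ip else None,
        "spf_not_permitted": "does not designate" in spf_line,
    }


def spamassassin_report(msg):
    """Score, threshold and the per-rule scores from the SpamCheck header."""
    text = unfold(msg.get("X-SYNAQ-Pinpoint-SpamCheck"))
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", text)
    required = re.search(r"required\s+(-?\d+(?:\.\d+)?)", text)
    return {
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "rules": {name: float(val) for name, val in RULE_RE.findall(text)},
    }


def triage(msg):
    """Findings a defender would raise for this header block."""
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth, sa, hops = auth_verdicts(msg), spamassassin_report(msg), received_chain(msg)

    # A passing DKIM signature only proves the mail left the signing domain's
    # service; it says nothing about the truth of the display name.
    if auth["dkim"] == "pass" and auth["dkim_domain"] == from_domain and from_domain in FREEMAIL_DOMAINS:
        if display_name and from_domain.split(".")[0] not in display_name.lower():
            findings.append("freemail sender with unrelated organisational display name")
    if sa["score"] is not None and sa["required"] is not None and sa["score"] >= sa["required"]:
        findings.append("spam score %.3f at or above threshold %.1f" % (sa["score"], sa["required"]))
    if "KAM_TK" in sa["rules"]:
        findings.append("message references a .tk free domain (KAM_TK)")
    # An SPF check run against the receiver's own relay (any hop after the
    # first) is noise; only the border MX's check of the true sender counts.
    if auth["spf_not_permitted"] and auth["spf_checked_ip"] in {h["ip"] for h in hops[1:]}:
        findings.append("Received-SPF was evaluated at an internal relay; ignore it")
    return findings


if __name__ == "__main__":
    msg = parse_headers(SAMPLE_HEADERS)
    for i, h in enumerate(received_chain(msg)):
        print(f"hop {i}: {h['ip'] or '?':>15}  {h['src']}  ->  {h['by']}")
    print(auth_verdicts(msg))
    print(spamassassin_report(msg))
    for finding in triage(msg):
        print("FINDING:", finding)
```

Run on the sample, the chain shows the mail entering at securemail-pl-mx25.synaq.com from a Google server, which is consistent with the DKIM pass for gmail.com: authentication is genuine, it just authenticates a Gmail account, not the bank. The "does not designate 197.96.204.133" SPF line was produced by an inner MX judging the upstream relay rather than Google, so the script discards it, while the KAM_TK rule (a .tk domain in the body) is what pushed the SpamAssassin score over the threshold.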