Anyone else get spam with Legend Numismatics in the title of the email?
Just got what looks like a phishing scam - the subject of the email is: [Legend Numismatics] Notice of Password Change. The body is a very poorly written email saying
Hi webtechb, This notice confirms your password was changed on Legend Numismatics.
If you did not change your password, please contact the Site Administrator at
support@studio98.com
This email has been sent to (my email address)
Regards,
All at Legend Numismatics
http://68.xxx.xxx.xx
Replace the url at the end with a numeric dot address.
I do have an account at Legend, and I did (just to be safe) change my password, but did it via the Legend site itself, not clicking anything in that email.
Got this email about 3 hours ago. Got 2 identical emails actually.
Successful BST (me as buyer) with: Collectorcoins, PipestonePete, JasonRiffeRareCoins
Comments
We do NOT phish. I am forwarding this to my team. Something sounds very wrong here.
If you give me an address @legend - I can forward the email to it so you can see - I don't know if there's anything useful in it for you other than the dot address I masked out.
Raw Whois Data
Domain Name: studio98.com
Registry Domain ID: 2236264_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.google.com
Registrar URL: https://domains.google.com
Updated Date: 2018-10-17T09:11:22Z
Creation Date: 1998-10-18T04:00:00Z
Registrar Registration Expiration Date: 2019-10-17T04:00:00Z
Registrar: Google LLC
Registrar IANA ID: 895
Registrar Abuse Contact Email: email@google.com
Registrar Abuse Contact Phone: +1.8772376466
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Contact Privacy Inc. Customer 124249906
Registrant Organization: Contact Privacy Inc. Customer 124249906
Registrant Street: 96 Mowat Ave
Registrant City: Toronto
Registrant State/Province: ON
Registrant Postal Code: M4K 3K1
Registrant Country: CA
Registrant Phone: +1.4165385487
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: email@contactprivacy.email
Registry Admin ID:
Admin Name: Contact Privacy Inc. Customer 124249906
Admin Organization: Contact Privacy Inc. Customer 124249906
Admin Street: 96 Mowat Ave
Admin City: Toronto
Admin State/Province: ON
Admin Postal Code: M4K 3K1
Admin Country: CA
Admin Phone: +1.4165385487
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: email@contactprivacy.email
Registry Tech ID:
Tech Name: Contact Privacy Inc. Customer 124249906
Tech Organization: Contact Privacy Inc. Customer 124249906
Tech Street: 96 Mowat Ave
Tech City: Toronto
Tech State/Province: ON
Tech Postal Code: M4K 3K1
Tech Country: CA
Tech Phone: +1.4165385487
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: email@contactprivacy.email
Name Server: NS-1186.AWSDNS-20.ORG
Name Server: NS-140.AWSDNS-17.COM
Name Server: NS-1697.AWSDNS-20.CO.UK
Name Server: NS-958.AWSDNS-55.NET
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
For more information on Whois status codes, please visit
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
@FredF,
Do not delete the PHISHING email. Also, it helps if you can extract the full SMTP headers for it. That will contain useful forensic information. Simply forwarding the email without the full SMTP headers will not be helpful.
EVP
How does one get a hater to stop hating?
I can be reached at evillageprowler@gmail.com
My guess would be a phishing email made to look like it was from Legend then made to look like studio98 was the one doing the phishing. Legend & studio98 are victims also and have no idea or participation. Hackers cover their tracks in many ways and most will lead to a dead end.
I had the same experience as the OP.
I got 2 of these emails in my spam folder today
Michael Kittle Rare Coins --- 1908-S Indian Head Cent Grading Set --- No. 1 1909 Mint Set --- Kittlecoins on Facebook --- Long Beach Table 448
You were very smart not to click on anything in the email. Always go to the known safe site.
My guess is that his computer and email have been compromised with malware, and after seeing his browsing history, it chose a site that he frequents.
@cameonut - Hadn't been to Legend's site in months if not longer. Haven't been to this forum in eons; only showed up because I got this spam and wanted people to know. My concern is if someone got an email list from Legend somehow.
Here are the message headers:
Received: from AM5EUR03HT111.eop-EUR03.prod.protection.outlook.com
(2603:10b6:4:60::46) by DM6PR03MB4683.namprd03.prod.outlook.com with HTTPS
via DM5PR08CA0057.NAMPRD08.PROD.OUTLOOK.COM; Mon, 4 Mar 2019 22:06:03 +0000
Received: from AM5EUR03FT056.eop-EUR03.prod.protection.outlook.com
(10.152.16.53) by AM5EUR03HT111.eop-EUR03.prod.protection.outlook.com
(10.152.17.8) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.11; Mon, 4 Mar
2019 22:06:02 +0000
Authentication-Results: spf=temperror (sender IP is 68.183.120.59)
smtp.mailfrom=LAMPb5174cjkns2018100236e06f; hotmail.com; dkim=none (message
not signed) header.d=none;hotmail.com; dmarc=temperror action=none
header.from=68.183.120.59;
Received-SPF: TempError (protection.outlook.com: error in processing during
lookup of LAMPb5174cjkns2018100236e06f: DNS Timeout)
Received: from LAMPb5174cjkns2018100236e06f (68.183.120.59) by
AM5EUR03FT056.mail.protection.outlook.com (10.152.17.224) with Microsoft SMTP
Server id 15.20.1643.11 via Frontend Transport; Mon, 4 Mar 2019 22:06:00
+0000
X-IncomingTopHeaderMarker: OriginalChecksum:2FE0C3CE136C3FDF339B572308552B312DE44915C452466E7971A8F1BD8C19DD;UpperCasedChecksum:E2184FD7F92BCE0612663902F8EC22D25D51C149E19E350E5722E532371426A4;SizeAsReceived:488;Count:9
Received: by LAMPb5174cjkns2018100236e06f (Postfix, from userid 33)
To: <(my email address)>
Subject: [Legend Numismatics] Notice of Email Change
Date: Mon, 4 Mar 2019 22:05:59 +0000
From: WordPress <wordpress@68.183.120.59>
Message-ID: <ebf8f172d184611b92ec7966937c4b28@68.183.120.59>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
Content-Type: text/plain; charset="UTF-8"
X-IncomingHeaderCount: 9
Return-Path: www-data@LAMPb5174cjkns2018100236e06f
X-MS-Exchange-Organization-ExpirationStartTime: 04 Mar 2019 22:06:00.9481
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 3552c8bc-b142-48f9-0045-08d6a0ed9657
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: EFV:NLI;
X-MS-Exchange-Organization-AuthSource:
AM5EUR03FT056.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-UserLastLogonTime: 3/4/2019 10:04:14 PM
X-MS-Office365-Filtering-Correlation-Id: 3552c8bc-b142-48f9-0045-08d6a0ed9657
X-Microsoft-Antispam:
BCL:0;PCL:0;RULEID:(2390118)(5000111)(711020)(4605104)(610169)(8291501072);SRVR:AM5EUR03HT111;
X-MS-TrafficTypeDiagnostic: AM5EUR03HT111:
X-MS-Exchange-PUrlCount: 1
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 68.183.120.59
X-SID-PRA: WORDPRESS@68.183.120.59
X-SID-Result: NONE
X-MS-Exchange-Organization-PCL: 4
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Mar 2019 22:06:00.8640
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3552c8bc-b142-48f9-0045-08d6a0ed9657
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5EUR03HT111
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.6272695
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1665.020
X-Microsoft-Antispam-Mailbox-Delivery:
X-Message-Info:
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Microsoft-Antispam-Message-Info:
MIME-Version: 1.0
Hi webtechb,
This notice confirms that your email address on Legend Numismatics was changed to pharman65@yahoo.com.
If you did not change your email, please contact the Site Administrator at
support@studio98.com
This email has been sent to (email address removed)
Regards,
All at Legend Numismatics
http:// 68 . 183 . 120 . 59
(NOTE - I broke up the url at the end as I don't want anyone accidentally clicking on it)
Note that this one actually said that my email address had changed (it hadn't) and the other one I got said my password had changed. It's clearly looking like someone's trying to freak people out a bit and get them to click - but it's a really poor email and because of the lack of DKIM and other stuff, Outlook.com easily flagged it as a phishing attempt.
Successful BST (me as buyer) with: Collectorcoins, PipestonePete, JasonRiffeRareCoins
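The header checks discussed in the posts above (no DKIM signature, SPF and DMARC errors, a bare IP address as the sending domain), as an added Python example that is not part of any forum post. It parses a trimmed copy of the headers posted in this thread, with the recipient replaced by a placeholder; the function name `triage` and the wording of the findings are assumptions made for this example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: trimmed from the headers posted in this thread,
# recipient replaced with a placeholder address.
SAMPLE_HEADERS = """\
Authentication-Results: spf=temperror (sender IP is 68.183.120.59)
 smtp.mailfrom=LAMPb5174cjkns2018100236e06f; hotmail.com; dkim=none (message
 not signed) header.d=none;hotmail.com; dmarc=temperror action=none
 header.from=68.183.120.59;
To: <recipient@example.com>
Subject: [Legend Numismatics] Notice of Email Change
From: WordPress <wordpress@68.183.120.59>
Return-Path: www-data@LAMPb5174cjkns2018100236e06f
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)

"""

def _host(header_value):
    """Return the part after '@' of the address in a From/Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def triage(raw_headers):
    """Summarise the authentication signals in one message's headers."""
    msg = message_from_string(raw_headers)
    auth = " ".join((msg["Authentication-Results"] or "").split())  # unfold
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    ip = re.search(r"sender IP is ([0-9A-Fa-f.:]+)", auth)
    from_host, rp_host = _host(msg["From"]), _host(msg["Return-Path"])
    findings = [f"{m}={verdicts.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    if _is_ip(from_host):
        findings.append("From domain is a bare IP address")
    if "." not in rp_host:
        findings.append("Return-Path host is not a fully qualified name")
    return {"verdicts": verdicts, "sender_ip": ip.group(1) if ip else None,
            "from_host": from_host, "findings": findings}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```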
Thanks for the alert... I get phishing emails all the time.. and scam emails (Please help me move $25 million dollars etc.)... I never respond or click on them.... usually get about five or six a week...Cheers, RickO
We apologize for this problem. Again, we do NOT send phishing emails.
We are still waiting to hear what happened. It is being aggressively worked on.
There is nothing in this thread for you to apologize for. You cannot control bad actors.
I can confirm all customer info is safe and secure. They still do not have an answer.
I understand nothing about the situation. I just wanted it fixed asap.
I doubt the target was your Legend account, that's just the hook (think for a sec how you would convert a compromised Legend account into cash?). I'm betting the target was the URL they wanted you to click on.
That IP address resolved to Digital Ocean's Northeast US data center. There is no DNS on that address. DO is a reputable company, you might consider contacting them at https://www.digitalocean.com/company/contact/#abuse
ANA 50 year/Life Member (now "Emeritus")
haven't gotten it (yet)
Legend is obviously having a website overhaul and it was a mishap on their transition.
I saw this earlier (we own a military defense company and I do security) but it wasn’t my business to say anything. Since they announced the change I don’t mind speaking up (NOT on their behalf).
By the way, I like the new site's layout of inventory.
My Type Set & My Complete Proof Nickel Set!
https://forums.collectors.com/discussion/1016494/multiple-posts-on-march-18-2019-2-39pm