Anyone else get spam with Legend Numismatics in the title of the email?

FredF Posts: 526 ✭✭✭

Just got what looks like a phishing scam - the subject of the email is: [Legend Numismatics] Notice of Password Change. The body is a very poorly written email saying

Hi webtechb, This notice confirms your password was changed on Legend Numismatics.

If you did not change your password, please contact the Site Administrator at
support@studio98.com

This email has been sent to (my email address)

Regards,
All at Legend Numismatics
http://68.xxx.xxx.xx

Replace the url at the end with a numeric dot address.

I do have an account at Legend, and I did (just to be safe) change my password, but did it via the Legend site itself, not clicking anything in that email.

Got this email about 3 hours ago. Got 2 identical emails actually.

Successful BST (me as buyer) with: Collectorcoins, PipestonePete, JasonRiffeRareCoins

Comments

  • specialist Posts: 956 ✭✭✭✭✭

    We do NOT phish. I am forwarding this to my team. Something sounds very wrong here.

  • FredF Posts: 526 ✭✭✭

    If you give me an address @legend - I can forward the email to it so you can see - I don't know if there's anything useful in it for you other than the dot address I masked out.

    Successful BST (me as buyer) with: Collectorcoins, PipestonePete, JasonRiffeRareCoins

  • Hemispherical Posts: 9,370 ✭✭✭✭✭

    Raw Whois Data
    Domain Name: studio98.com
    Registry Domain ID: 2236264_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.google.com
    Registrar URL: https://domains.google.com
    Updated Date: 2018-10-17T09:11:22Z
    Creation Date: 1998-10-18T04:00:00Z
    Registrar Registration Expiration Date: 2019-10-17T04:00:00Z
    Registrar: Google LLC
    Registrar IANA ID: 895
    Registrar Abuse Contact Email: email@google.com
    Registrar Abuse Contact Phone: +1.8772376466
    Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
    Registry Registrant ID:
    Registrant Name: Contact Privacy Inc. Customer 124249906
    Registrant Organization: Contact Privacy Inc. Customer 124249906
    Registrant Street: 96 Mowat Ave
    Registrant City: Toronto
    Registrant State/Province: ON
    Registrant Postal Code: M4K 3K1
    Registrant Country: CA
    Registrant Phone: +1.4165385487
    Registrant Phone Ext:
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email: email@contactprivacy.email
    Registry Admin ID:
    Admin Name: Contact Privacy Inc. Customer 124249906
    Admin Organization: Contact Privacy Inc. Customer 124249906
    Admin Street: 96 Mowat Ave
    Admin City: Toronto
    Admin State/Province: ON
    Admin Postal Code: M4K 3K1
    Admin Country: CA
    Admin Phone: +1.4165385487
    Admin Phone Ext:
    Admin Fax:
    Admin Fax Ext:
    Admin Email: email@contactprivacy.email
    Registry Tech ID:
    Tech Name: Contact Privacy Inc. Customer 124249906
    Tech Organization: Contact Privacy Inc. Customer 124249906
    Tech Street: 96 Mowat Ave
    Tech City: Toronto
    Tech State/Province: ON
    Tech Postal Code: M4K 3K1
    Tech Country: CA
    Tech Phone: +1.4165385487
    Tech Phone Ext:
    Tech Fax:
    Tech Fax Ext:
    Tech Email: email@contactprivacy.email
    Name Server: NS-1186.AWSDNS-20.ORG
    Name Server: NS-140.AWSDNS-17.COM
    Name Server: NS-1697.AWSDNS-20.CO.UK
    Name Server: NS-958.AWSDNS-55.NET
    DNSSEC: unsigned
    URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

    Last update of WHOIS database: 2019-03-05T01:54:42Z <<<

    For more information on Whois status codes, please visit
    https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en

  • EVillageProwler Posts: 5,856 ✭✭✭✭✭
    edited March 4, 2019 6:10PM

    @FredF,

    Do not delete the PHISHING email. Also, it helps if you can extract the full SMTP headers for it. That will contain useful forensic information. Simply forwarding the email without the full SMTP headers will not be helpful.

    EVP

    How does one get a hater to stop hating?

    I can be reached at evillageprowler@gmail.com

  • ifthevamzarockin Posts: 8,865 ✭✭✭✭✭

    My guess would be a phishing email made to look like it was from Legend then made to look like studio98 was the one doing the phishing. Legend & studio98 are victims also and have no idea or participation. Hackers cover their tracks in many ways and most will lead to a dead end.

  • planetsteve Posts: 1,425 ✭✭✭✭

    I had the same experience as the OP.

  • illini420 Posts: 11,466 ✭✭✭✭✭

    I got 2 of these emails in my spam folder today.

  • cameonut2011 Posts: 10,167 ✭✭✭✭✭

    @FredF said:
    I do have an account at Legend, and I did (just to be safe) change my password, but did it via the Legend site itself, not clicking anything in that email.

    You were very smart not to click on anything in the email. Always go to the known safe site.

  • cameonut2011 Posts: 10,167 ✭✭✭✭✭

    @specialist said:
    We do NOT phish. I am forwarding this to my team. Something sounds very wrong here.

    My guess is that his computer and email have been compromised with malware, and after seeing his browsing history, it chose a site that he frequents.

  • FredF Posts: 526 ✭✭✭
    edited March 4, 2019 8:25PM

    @cameonut - Hadn't been to Legend's site in months if not longer. Haven't been to this forum in eons; only showed up because I got this spam and wanted people to know. My concern is if someone got an email list from Legend somehow.


    Here are the message headers:

    Received: from AM5EUR03HT111.eop-EUR03.prod.protection.outlook.com
        (2603:10b6:4:60::46) by DM6PR03MB4683.namprd03.prod.outlook.com with HTTPS
        via DM5PR08CA0057.NAMPRD08.PROD.OUTLOOK.COM; Mon, 4 Mar 2019 22:06:03 +0000
    Received: from AM5EUR03FT056.eop-EUR03.prod.protection.outlook.com
        (10.152.16.53) by AM5EUR03HT111.eop-EUR03.prod.protection.outlook.com
        (10.152.17.8) with Microsoft SMTP Server (version=TLS1_2,
        cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.11; Mon, 4 Mar
        2019 22:06:02 +0000
    Authentication-Results: spf=temperror (sender IP is 68.183.120.59)
        smtp.mailfrom=LAMPb5174cjkns2018100236e06f; hotmail.com; dkim=none (message
        not signed) header.d=none;hotmail.com; dmarc=temperror action=none
        header.from=68.183.120.59;
    Received-SPF: TempError (protection.outlook.com: error in processing during
        lookup of LAMPb5174cjkns2018100236e06f: DNS Timeout)
    Received: from LAMPb5174cjkns2018100236e06f (68.183.120.59) by
        AM5EUR03FT056.mail.protection.outlook.com (10.152.17.224) with Microsoft SMTP
        Server id 15.20.1643.11 via Frontend Transport; Mon, 4 Mar 2019 22:06:00
        +0000
    X-IncomingTopHeaderMarker: OriginalChecksum:2FE0C3CE136C3FDF339B572308552B312DE44915C452466E7971A8F1BD8C19DD;UpperCasedChecksum:E2184FD7F92BCE0612663902F8EC22D25D51C149E19E350E5722E532371426A4;SizeAsReceived:488;Count:9
    Received: by LAMPb5174cjkns2018100236e06f (Postfix, from userid 33)
        id 94ADF437C8; Mon,  4 Mar 2019 22:06:00 +0000 (UTC)
    To: <(my email address)>
    Subject: [Legend Numismatics] Notice of Email Change
    Date: Mon, 4 Mar 2019 22:05:59 +0000
    From: WordPress <wordpress@68.183.120.59>
    Message-ID: <ebf8f172d184611b92ec7966937c4b28@68.183.120.59>
    X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
    Content-Type: text/plain; charset="UTF-8"
    X-IncomingHeaderCount: 9
    Return-Path: www-data@LAMPb5174cjkns2018100236e06f
    X-MS-Exchange-Organization-ExpirationStartTime: 04 Mar 2019 22:06:00.9481
        (UTC)
    X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
    X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
    X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
    X-MS-Exchange-Organization-Network-Message-Id: 3552c8bc-b142-48f9-0045-08d6a0ed9657
    X-EOPAttributedMessage: 0
    X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
    X-MS-Exchange-Organization-MessageDirectionality: Incoming
    X-Forefront-Antispam-Report: EFV:NLI;
    X-MS-Exchange-Organization-AuthSource:
        AM5EUR03FT056.eop-EUR03.prod.protection.outlook.com
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-PublicTrafficType: Email
    X-MS-UserLastLogonTime: 3/4/2019 10:04:14 PM
    X-MS-Office365-Filtering-Correlation-Id: 3552c8bc-b142-48f9-0045-08d6a0ed9657
    X-Microsoft-Antispam:
        BCL:0;PCL:0;RULEID:(2390118)(5000111)(711020)(4605104)(610169)(8291501072);SRVR:AM5EUR03HT111;
    X-MS-TrafficTypeDiagnostic: AM5EUR03HT111:
    X-MS-Exchange-PUrlCount: 1
    X-MS-Exchange-EOPDirect: true
    X-Sender-IP: 68.183.120.59
    X-SID-PRA: WORDPRESS@68.183.120.59
    X-SID-Result: NONE
    X-MS-Exchange-Organization-PCL: 4
    X-OriginatorOrg: outlook.com
    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Mar 2019 22:06:00.8640
        (UTC)
    X-MS-Exchange-CrossTenant-Network-Message-Id: 3552c8bc-b142-48f9-0045-08d6a0ed9657
    X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
    X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
    X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
        00000000-0000-0000-0000-000000000000
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5EUR03HT111
    X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.6272695
    X-MS-Exchange-Processed-By-BccFoldering: 15.20.1665.020
    X-Microsoft-Antispam-Mailbox-Delivery:
        abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:1;psp:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000261)(5061607266)(5061608174)(4900095)(740004)(4920090)(6375004)(4950130)(4990090)(9140004);RF:JunkEmail;
    MIME-Version: 1.0

    Hi webtechb,

    This notice confirms that your email address on Legend Numismatics was changed to pharman65@yahoo.com.

    If you did not change your email, please contact the Site Administrator at

    support@studio98.com

    This email has been sent to (email address removed)

    Regards,

    All at Legend Numismatics

    http:// 68 . 183 . 120 . 59

    (NOTE - I broke up the url at the end as I don't want anyone accidentally clicking on it)

    Successful BST (me as buyer) with: Collectorcoins, PipestonePete, JasonRiffeRareCoins

  • FredF Posts: 526 ✭✭✭

    Note that this one actually said that my email address had changed (it hadn't) and the other one I got said my password had changed. It's clearly looking like someone's trying to freak people out a bit and get them to click - but it's a really poor email and because of the lack of DKIM and other stuff, Outlook.com easily flagged it as a phishing attempt.

    Successful BST (me as buyer) with: Collectorcoins, PipestonePete, JasonRiffeRareCoins
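
The signals visible in the posted headers (SPF and DMARC returning temperror, no DKIM signature, an IP address where the From domain should be, an unqualified Return-Path host) can be checked mechanically. This is an added example, not part of any poster's message; `triage`, `host_of` and `is_ip_literal` are hypothetical names, `SUSPECT` is abridged from the headers posted above, and `CLEAN` is a constructed contrast case.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

# Abridged from the headers posted in the thread (To: line dropped).
SUSPECT = """\
Authentication-Results: spf=temperror (sender IP is 68.183.120.59)
 smtp.mailfrom=LAMPb5174cjkns2018100236e06f; hotmail.com; dkim=none (message
 not signed) header.d=none;hotmail.com; dmarc=temperror action=none
 header.from=68.183.120.59;
Subject: [Legend Numismatics] Notice of Email Change
From: WordPress <wordpress@68.183.120.59>
Return-Path: www-data@LAMPb5174cjkns2018100236e06f
"""

# Constructed contrast case: an authenticated message from a named domain.
CLEAN = """\
Authentication-Results: spf=pass smtp.mailfrom=shop.example.com; dkim=pass
 header.d=shop.example.com; dmarc=pass header.from=shop.example.com
From: Shop <noreply@shop.example.com>
Return-Path: bounce@shop.example.com
"""

def host_of(header_value):  # domain part of the first address, or ''
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def is_ip_literal(host):
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def triage(raw):
    """Return the authentication and sender anomalies found in raw headers."""
    msg = message_from_string(raw)
    findings = []
    # Unfold the header, then read the verdict recorded for each mechanism.
    auth = " ".join((msg["Authentication-Results"] or "").split())
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    if is_ip_literal(host_of(msg["From"])):
        findings.append("From domain is an IP literal")
    rp = host_of(msg["Return-Path"])
    if rp and "." not in rp:
        findings.append("Return-Path host is not fully qualified")
    return findings
```

The Authentication-Results header is only trustworthy when it was stamped by your own receiving mail system, as it was here by Outlook's protection servers.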

  • ricko Posts: 98,724 ✭✭✭✭✭

    Thanks for the alert... I get phishing emails all the time.. and scam emails (Please help me move $25 million dollars etc.)... I never respond or click on them.... usually get about five or six a week...Cheers, RickO

  • specialist Posts: 956 ✭✭✭✭✭

    We apologize for this problem. Again, we do NOT send phishing emails.

    We are still waiting to hear what happened. It is being aggressively worked on.

  • cameonut2011 Posts: 10,167 ✭✭✭✭✭

    @specialist said:
    We apologize for this problem. Again, we do NOT send phishing emails.

    We are still waiting to hear what happened. It is being aggressively worked on.

    There is nothing in this thread for you to apologize for. You cannot control bad actors.

  • specialist Posts: 956 ✭✭✭✭✭

    I can confirm all customer info is safe and secure. They still do not have an answer.

    I understand nothing about the situation. I just wanted it fixed asap.

  • BStrauss3 Posts: 3,413 ✭✭✭✭✭

    I doubt the target was your Legend account, that's just the hook (think for a sec how you would convert a compromised Legend account into cash?). I'm betting the target was the URL they wanted you to click on.

    That IP address resolved to Digital Ocean's Northeast US data center. There is no DNS on that address. DO is a reputable company, you might consider contacting them at https://www.digitalocean.com/company/contact/#abuse

    -----Burton
    ANA 50 year/Life Member (now "Emeritus")

  • johnny9434 Posts: 28,328 ✭✭✭✭✭

    haven't gotten it (yet)

  • Traz Posts: 377 ✭✭✭✭

    Legend is obviously having a website overhaul and it was a mishap on their transition.

    I saw this earlier (we own a military defense company and I do security) but it wasn’t my business to say anything. Since they announced the change I don’t mind speaking up (NOT on their behalf).

    By the way, I like the new site's layout of inventory.

  • Hemispherical Posts: 9,370 ✭✭✭✭✭
    edited March 19, 2019 10:37AM

    .

  • Hemispherical Posts: 9,370 ✭✭✭✭✭
    edited March 19, 2019 10:38AM

    .

  • Hemispherical Posts: 9,370 ✭✭✭✭✭
    edited March 19, 2019 10:38AM

    .
