Received: from EUR01-DB5-obe.outbound.protection.outlook.com
 (mail-db5eur01on0134.outbound.protection.outlook.com [104.47.2.134])
 by anna.lesderid.net (Postfix) with ESMTP id F2262C016D
 for ; Tue, 7 Feb 2017 19:12:48 +0100 (CET)
Received: from DB4PR06MB298.eurprd06.prod.outlook.com (10.141.233.143)
 by DB4PR06MB300.eurprd06.prod.outlook.com (10.141.233.149)
 with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384)
 id 15.1.888.16; Tue, 7 Feb 2017 18:12:44 +0000
Received: from DB4PR06MB298.eurprd06.prod.outlook.com ([fe80::61a7:f513:d2af:d50b])
 by DB4PR06MB298.eurprd06.prod.outlook.com ([fe80::61a7:f513:d2af:d50b%15])
 with mapi id 15.01.0888.022; Tue, 7 Feb 2017 18:12:43 +0000
From: MADALINA MARIA MARGINEAN
To: "abuse@fuwafuwa.moe"
CC: DS_TSOL_phishing
Subject: We have detected that fuwafuwa.moe is hosting a fraudulent website
Thread-Topic: We have detected that fuwafuwa.moe is hosting a fraudulent website
Thread-Index: AdKBbXj5DH/5oMJPRDCOSwuktEss6Q==
Date: Tue, 7 Feb 2017 18:12:43 +0000
Message-ID:
Accept-Language: en-US
Content-Language: es-ES
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=madalinamaria.marginean.ext@telefonica.com;
x-originating-ip: [81.40.110.204]
x-ms-office365-filtering-correlation-id: ee6abab7-c929-402a-cfa3-08d44f84e982
x-ms-office365-filtering-ht: Tenant
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/mixed; boundary="_004_DB4PR06MB29879D5887C12D7E25C18FCC9430DB4PR06MB298eurprd_"
MIME-Version: 1.0
X-OriginatorOrg: telefonica.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Feb 2017 18:12:43.5762 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB4PR06MB300

--_004_DB4PR06MB29879D5887C12D7E25C18FCC9430DB4PR06MB298eurprd_
Content-Type: multipart/alternative; boundary="_000_DB4PR06MB29879D5887C12D7E25C18FCC9430DB4PR06MB298eurprd_"

--_000_DB4PR06MB29879D5887C12D7E25C18FCC9430DB4PR06MB298eurprd_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

To the attention of fuwafuwa.moe webmaster,

Telefonica España is managing the fraudulent actions against Sociedad Estatal de Correos y Telegrafos and all related with Phishing incidents against this company.

We have detected that your website (https://fuwafuwa.moe/) is hosting a fraudulent website that offers java script (js) and css files used in a Phishing scam against Sociedad Estatal de Correos y Telegrafos from the next URL(s):

The attacker has used its own servers to upload the files with intent to use them to defraud in case the phishing is turned off. We need your help in order to prevent them to be used for that purpose. Could you please delete those files?

I attach the evidence that we have found. It is the source of the compromised page, where you can see the call to your website.

The phishing is located at the following URLs:

hxxps://a.lainfile.pw/8E/detalle_app-sidioma=es_es.htm?//ss/Satellite/site/pagina-localizador_envios/busqueda-sidioma=es_ES
hxxps://a.lainfile.pw/7L/1.html

This fraudulent content represents a misuse of the intellectual property of Sociedad Estatal de Correos y Telegrafos, as well as to obtain personal information of their customers in order to get fraudulent access into their bank accounts, use their credit cards, etc... We need your collaboration for stopping this fraud, getting offline these fraudulent files.

We keep waiting for your feedback against this incident. If you need further information please contact our SOC 24/7 at +34 900 102 230 (option 9)

Best regards.

-----------------------------------------------------------
CyberThreats - Anti-Fraud Service
Telefónica España
Phone: +34 900102230 (option 9)
Email: phishing@telefonica.com
servicio.antifraude@telefonica.com
-----------------------------------------------------------

--_000_DB4PR06MB29879D5887C12D7E25C18FCC9430DB4PR06MB298eurprd_