Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40119.outbound.protection.outlook.com [40.107.4.119]) by anna.lesderid.net (Postfix) with ESMTP id CA70CDB9FF for ; Fri, 10 Feb 2017 18:21:40 +0100 (CET)
Received: from DB4PR06MB298.eurprd06.prod.outlook.com (10.141.233.143) by DB4PR06MB298.eurprd06.prod.outlook.com (10.141.233.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Fri, 10 Feb 2017 17:21:37 +0000
Received: from DB4PR06MB298.eurprd06.prod.outlook.com ([fe80::61a7:f513:d2af:d50b]) by DB4PR06MB298.eurprd06.prod.outlook.com ([fe80::61a7:f513:d2af:d50b%15]) with mapi id 15.01.0888.029; Fri, 10 Feb 2017 17:21:35 +0000
From: MADALINA MARIA MARGINEAN
To: "les@fuwafuwa.moe"
CC: DS_TSOL_phishing
Subject: RE: We have detected that fuwafuwa.moe is hosting a fraudulent website
Thread-Topic: RE: We have detected that fuwafuwa.moe is hosting a fraudulent website
Thread-Index: AdKDwAqPoIDdjrSCSB27zMC/P7kLXw==
Date: Fri, 10 Feb 2017 17:21:35 +0000
Message-ID:
Accept-Language: en-US
Content-Language: es-ES
X-MS-Has-Attach: yes
authentication-results: spf=none (sender IP is ) smtp.mailfrom=madalinamaria.marginean.ext@telefonica.com;
x-originating-ip: [81.40.110.204]
x-ms-office365-filtering-correlation-id: 534d784b-8503-42b0-2b2b-08d451d9441a
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/mixed; boundary="_011_DB4PR06MB298B4BA591B10D953CB2F7EC9440DB4PR06MB298eurprd_"
MIME-Version: 1.0
X-OriginatorOrg: telefonica.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2017 17:21:35.7350 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB4PR06MB298

Dear Les,

These files aren't a phishing scam themselves, but they are being used as part of a phishing scam against the state post office of Spain (Correos y Telegrafos), as my colleague referred to in previous emails and as you can check in the source code of the deleted phishing scam that was previously hosted on your servers:

hxxps://a.lainfile.pw/8E/detalle_app-sidioma=es_es.htm?//ss/Satellite/site/pagina-localizador_envios/busqueda-sidioma=es_ES

[cid:image001.jpg@01D283C7.7B2D69B0]

These files are a copy of the JS/CSS of the original Correos website with the name changed so that it cannot be compared, but if you check the content you can see that it has references to the Correos website and paths of the original server:

hxxps://p.fuwafuwa.moe/wgzddk.js

[cid:image002.jpg@01D283C7.7B2D69B0]

You can also compare the original files on the Correos website with the ones that have been uploaded to your server and see that this is a copy with the same configuration:

[cid:image003.jpg@01D283C7.7B2D69B0] [cid:image004.jpg@01D283C7.7B2D69B0]

And the same MD5:

[cid:image005.jpg@01D283C7.7B2D69B0]
[cid:image006.jpg@01D283C7.7B2D69B0]

You can check this yourself using any program or website that compares the MD5 checksums of files.

All this evidence is enough for us to state that these files have been downloaded from the Correos website, had their filenames modified to avoid detection, and been uploaded to a different server so they persist if the phishing site goes down and can be used in future attacks. This is not the first time we have seen this tactic, and this is the reason we request that you delete these files.

So please check this information; don't hesitate to request more information or detail from us if you think this evidence is not enough, and take the actions you consider appropriate against these fraudulent files in order to avoid their being used in future attacks.

Regards.

-----------------------------------------------------------
CyberThreats - Anti-Fraud Service
Telefónica España
Phone: +34 900102230 (option 9)
Email: phishing@telefonica.com
servicio.antifraude@telefonica.com
-----------------------------------------------------------
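The verification the report describes (the uploaded file has the same MD5 as the original asset, and a renamed copy still carries references to the original site's paths) as an added Python example. This is illustrative code written for this page, not Telefónica's or the hosting provider's tooling. The hostname `original-site.example`, the sample file contents and the verdict labels are constructed; the path `/ss/Satellite/site/pagina-localizador_envios` is taken from the report. It goes one step beyond the report by comparing SHA-256 alongside MD5, since MD5 collisions are practical and a takedown decision should not rest on MD5 alone, and by giving a separate "derived" verdict for a copy that was edited after download but still points back at the original server.

```python
"""Triage helper for an abuse report that claims a hosted file is a renamed
copy of a legitimate site's JS/CSS asset.

Added example for this page, not code from Telefonica or the hosting
provider. All sample file contents and the hostname original-site.example
are constructed; the /ss/Satellite/... path comes from the report itself.
"""
import hashlib
import re
from typing import Dict, Iterable, List


def file_digests(data: bytes) -> Dict[str, str]:
    """MD5 as the report uses it, plus SHA-256: MD5 collisions are practical,
    so agreement on both digests makes a far stronger claim than MD5 alone."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def find_origin_references(data: bytes, origin_hosts: Iterable[str]) -> List[str]:
    """Collect host+path fragments pointing at the original site. A renamed
    copy usually keeps these, which is the second indicator the report relies on."""
    text = data.decode("utf-8", errors="replace")
    hits = set()
    for host in origin_hosts:
        # the host followed by the rest of the URL/path, up to a quote, space or paren
        for match in re.finditer(re.escape(host) + r"[^\s'\"()]*", text):
            hits.add(match.group(0))
    return sorted(hits)


def classify_copy(original: bytes, suspect: bytes,
                  origin_hosts: Iterable[str]) -> Dict[str, object]:
    """Three-way verdict: 'identical' (byte-for-byte, both digests agree),
    'derived' (differs but still references the original site), 'unrelated'."""
    orig_d = file_digests(original)
    susp_d = file_digests(suspect)
    refs = find_origin_references(suspect, origin_hosts)
    if orig_d["sha256"] == susp_d["sha256"] and orig_d["md5"] == susp_d["md5"]:
        verdict = "identical"
    elif refs:
        verdict = "derived"
    else:
        verdict = "unrelated"
    return {
        "verdict": verdict,
        "md5_match": orig_d["md5"] == susp_d["md5"],
        "sha256_match": orig_d["sha256"] == susp_d["sha256"],
        "origin_references": refs,
    }


# --- constructed sample inputs (not real Correos or fuwafuwa.moe content) ---
ORIGIN_HOSTS = ["original-site.example"]

# Stand-in for the legitimate site's tracking script.
ORIGINAL_JS = (
    b"var TRACK_URL = \"https://original-site.example"
    b"/ss/Satellite/site/pagina-localizador_envios\";\n"
    b"function track(id) { return TRACK_URL + '?code=' + id; }\n"
)

# Same bytes uploaded elsewhere under a random filename: hashes still match.
RENAMED_COPY = ORIGINAL_JS

# Lightly edited copy: hashes differ, but the origin path is still inside.
MODIFIED_COPY = ORIGINAL_JS + b"// edited by uploader\n"

# Unrelated script that merely shares the language.
UNRELATED_JS = b"function track(id) { return '/local/track?code=' + id; }\n"


if __name__ == "__main__":
    for label, suspect in [("renamed", RENAMED_COPY),
                           ("modified", MODIFIED_COPY),
                           ("unrelated", UNRELATED_JS)]:
        result = classify_copy(ORIGINAL_JS, suspect, ORIGIN_HOSTS)
        print(f"{label:9s} -> {result['verdict']:9s} "
              f"md5_match={result['md5_match']} refs={result['origin_references']}")
```

In practice the two inputs would be the asset fetched from the legitimate site and the file fetched from the reported host; a verdict of "identical" reproduces exactly the MD5 comparison the report asks the recipient to perform, while "derived" flags the case where a comparison by hash alone would miss the relationship.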