Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00132.outbound.protection.outlook.com [40.107.0.132])
    by anna.lesderid.net (Postfix) with ESMTP id EEBB0DB9A6 for ; Sat, 11 Feb 2017 18:28:37 +0100 (CET)
Received: from VI1PR06MB1823.eurprd06.prod.outlook.com (10.165.237.153)
    by DB4PR06MB300.eurprd06.prod.outlook.com (10.141.233.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Sat, 11 Feb 2017 17:28:34 +0000
Received: from VI1PR06MB1823.eurprd06.prod.outlook.com ([10.165.237.153])
    by VI1PR06MB1823.eurprd06.prod.outlook.com ([10.165.237.153]) with mapi id 15.01.0888.030; Sat, 11 Feb 2017 17:28:33 +0000
From: CARLOS MARTIN PEREZ
To: Les De Ridder
CC: DS_TSOL_phishing , MADALINA MARIA MARGINEAN
Subject: RE: We have detected that fuwafuwa.moe is hosting a fraudulent website
Thread-Topic: We have detected that fuwafuwa.moe is hosting a fraudulent website
Date: Sat, 11 Feb 2017 17:28:33 +0000
Accept-Language: es-ES, en-US
Content-Language: es-ES
X-MS-Has-Attach: yes
authentication-results: spf=none (sender IP is ) smtp.mailfrom=carlos.martinperez.ext@telefonica.com;
x-originating-ip: [83.35.97.250]
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
Content-Type: multipart/related; boundary="_012_VI1PR06MB1823D91F6A4CA71F51A629A3BD470VI1PR06MB1823eurp_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: telefonica.com

Hi again,

I have investigated this issue in depth and see that it is true, the files were created using Bootstrap and jQuery, but they are also edited to be used ONLY for this phishing scam:

image001.jpg

If another website uses this CSS and JS, the website will look like the Correos website style.

Although the phisher could upload this content again in the future, if we removed this we could balk them from using this content in the future. Could you help us by removing the content this time?

Best regards

------------------------------------------------------------------
CARLOS MARTIN PEREZ
CyberThreats - Servicio Antifraude
Telefónica España
Tlf: +34 900102230 (opción 9)
Email: carlos.martinperez.ext@telefonica.com
--------------------------------------------------------------------