Exoticperformanceplus phishing emails? Anyone else get one?
Either way, just another spoofed email scam; eBay and PayPal get this all the time.
Tell me how and I will.
From sales@exoticperformanceplus.com Sat Sep 1 22:04:21 2007
Return-Path: <sales@exoticperformanceplus.com>
Authentication-Results: mta367.mail.mud.yahoo.com from=exoticperformanceplus.com; domainkeys=neutral (no sig)
Received: from 69.9.36.26 (EHLO crnc1.bug-software.com) (69.9.36.26)
by mta367.mail.mud.yahoo.com with SMTP; Sat, 01 Sep 2007 22:04:20 -0700
Received: (qmail 23421 invoked from network); 2 Sep 2007 05:10:27 -0000
Received: from localhost (127.0.0.1)
by localhost with SMTP; 2 Sep 2007 05:10:27 -0000
From: sales@exoticperformanceplus.com
To: bryan_near@yahoo.com
Subject: TO ALL CUSTOMERS.
Content-Length: 757
Return-Path: <sales@exoticperformanceplus.com>
Authentication-Results: mta206.mail.re3.yahoo.com from=exoticperformanceplus.com; domainkeys=neutral (no sig)
Received: from 69.9.36.26 (EHLO crnc1.bug-software.com) (69.9.36.26)
by mta206.mail.re3.yahoo.com with SMTP; Sat, 01 Sep 2007 21:09:23 -0700
Received: (qmail 7139 invoked from network); 2 Sep 2007 04:15:46 -0000
Received: from localhost (127.0.0.1)
by localhost with SMTP; 2 Sep 2007 04:15:46 -0000
From: sales@exoticperformanceplus.com
To: bryan_near@yahoo.com
Subject: For All Recent Customers.
Content-Length: 599
That was the 2nd email I received. Yahoo email put the 1st one in my inbox and the 2nd email in my spam box, not sure why, but they may be different?
INFO:
Date: Sun, 2 Sep 2007 05:03:43 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium
Received: from crnc1.bug-software.com ([69.9.36.26])
by alnrmxc21.comcast.net (alnrmxc21) with SMTP
id <20070902050342a2100mr5b0e>; Sun, 2 Sep 2007 05:03:43 +0000
X-Originating-IP: [69.9.36.26]
Received: (qmail 22293 invoked from network); 2 Sep 2007 05:10:05 -0000
Received: from localhost (127.0.0.1)
by localhost with SMTP; 2 Sep 2007 05:10:05 -0000
From: sales@exoticperformanceplus.com
To: my1989camaroiroc@comcast.net
Subject: TO ALL CUSTOMERS.
Due to a recent database error, we need to input previous customer information. We ask that you send these details listed below to our secure email, give to us by google, at NetScaped2@gmail.com THIS IS MANDATORY FOR ALL CUSTOMERS, Thanks for understanding!
Please Use Subject: VERIFICATION.
Information Needed:
Full Name:
Address:
City:
State:
Zip:
Email:
Home Phone:
Credit Card used for last purchase (this will be encrypted by google):
Expiration Date:
CVC2 Code (3 digits on back of card):
After this information is submitted to Netscaped2@gmail.com , we will reply back with an email confirming your acceptence back into the database! Thank you once again, your patience and helpfullness will NOT go unoticed!
-ExoticPerformancePlus.com-
Thanks
I originally posted this in FI as I regularly see the EPP guys in this forum helping everyone out and they are the go-to place for ProChargers, so I usually see most of their customers in here. I figured this would hit the most birds with one stone.
Last edited by BIG BAD BLACKSS; Sep 4, 2007 at 04:21 AM.
The first time it enters the internet, it does so from 69.9.36.26, which resolved to crnc1.bug-software.com. The IP range is owned by a company in New Jersey which appears to be leasing IP space. Tracing bug-software.com back through its registrar, it comes up with:
Name: Domain Admin
Company: PrivacyProtect.org
Address:
P.O. Box 65
All Postal Mails Rejected, visit Privacyprotect.org
City: Monster
State:
Country: NL
Zip: 2680 AB
Tel No: 45 36946676
Fax No:
Email: contact@PrivacyProtect.org
PrivacyProtect.org is a domain owner obfuscation service which registers domains on someone's behalf to protect their identity.
There are a few other ways to dig out the information, but it's very likely it's an overseas scammer who probably harvested email addresses from sites EPP visits. It's fairly new to see in common place but the practice basically plays on the assumption and trust people naturally give to small companies with whom they've worked directly in the past. It's easy to be distrustful of phishing emails targeting eBay and large banks since phishing emails are often random and mailed as spam. In this case, it requires a little more work on behalf of the attacker but often produces better results. It's also possible the company that processes EPP's credit card authorizations lost some data or EPP's own database was compromised. I doubt it for an attack such as this, however, since harvesting email addresses from message boards like these is easy.
If Bob were my client in this case, I would recommend verifying security on whatever storage process customer records are stored in and notifying the online payment processor of the scam attempts. They will likely have a security team who can help investigate.
Last edited by Speed; Sep 4, 2007 at 11:48 AM. Reason: can't speeel
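The header trace described in the post above, as an added example that is not part of the original thread: it picks out the one Received hop stamped by the recipient's own mail provider, reads the connecting IP and claimed host name from it, and compares them with the From domain. The function name `analyze` and the `trusted_suffixes` parameter are assumptions made for this illustration; the sample headers are the first message quoted in the thread.

```python
import re
from email import message_from_string

# Headers of the first message quoted in the thread. Continuation lines are
# re-indented here so the parser folds them back into their Received header.
RAW = """\
Return-Path: <sales@exoticperformanceplus.com>
Authentication-Results: mta367.mail.mud.yahoo.com from=exoticperformanceplus.com; domainkeys=neutral (no sig)
Received: from 69.9.36.26 (EHLO crnc1.bug-software.com) (69.9.36.26)
 by mta367.mail.mud.yahoo.com with SMTP; Sat, 01 Sep 2007 22:04:20 -0700
Received: (qmail 23421 invoked from network); 2 Sep 2007 05:10:27 -0000
Received: from localhost (127.0.0.1)
 by localhost with SMTP; 2 Sep 2007 05:10:27 -0000
From: sales@exoticperformanceplus.com
To: bryan_near@yahoo.com
Subject: TO ALL CUSTOMERS.
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
HELO_RE = re.compile(r"(?:EHLO|HELO)\s+([\w.-]+)|from\s+([A-Za-z][\w.-]*\.[A-Za-z]{2,})")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")

def analyze(raw, trusted_suffixes=(".yahoo.com", ".comcast.net")):
    """Locate the hop recorded by the recipient's provider and flag mismatches.

    trusted_suffixes (an assumption of this example) names the MTAs whose
    Received lines are believed; everything below that hop is sender-supplied.
    """
    msg = message_from_string(raw)
    from_domain = msg["From"].rsplit("@", 1)[-1].strip("<> ").lower()
    origin = None
    # Headers are prepended in transit, so scan top-down and stop at the first
    # hop written by a trusted MTA: that line records who really connected.
    for hop in msg.get_all("Received", []):
        by, ip = BY_RE.search(hop), IP_RE.search(hop)
        if by and ip and by.group(1).lower().endswith(tuple(trusted_suffixes)):
            helo = HELO_RE.search(hop)
            name = (helo.group(1) or helo.group(2)).lower() if helo else None
            origin = {"ip": ip.group(1), "claimed_host": name, "seen_by": by.group(1)}
            break
    findings = []
    if origin and origin["claimed_host"] and not origin["claimed_host"].endswith(from_domain):
        findings.append("sending host is outside the From domain")
    if "domainkeys=neutral" in msg.get("Authentication-Results", ""):
        findings.append("no DomainKeys signature")
    return {"from_domain": from_domain, "origin": origin, "findings": findings}
```

A host mismatch on its own is only a signal, since legitimate senders often relay through third-party mail hosts; it carries weight here because it coincides with an unsigned message and a request to reply to an unrelated address.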



