murder_face Posted October 4, 2012

I got an email from a company that I never applied to, and they want some pretty personal information. I was wondering if anyone has ever heard of them. I plan to do some poking and prodding of my own, but here is the email and header that I got from them:

header:

From administration Wed Oct 3 17:42:57 2012
X-Apparently-To: m_otto714@yahoo.com via 98.136.183.40; Wed, 03 Oct 2012 17:43:06 -0700
Return-Path: <admin@office-techs.net>
Received-SPF: none (domain of office-techs.net does not designate permitted sender hosts)
cnQgb2YgYSBncm93aW5nIHRlY2ggY29tbXVuaXR5IHRoYXQgaGFzIGFjY2Vz
cyB0byBmaWVsZCBzZXJ2aWNlIG9wcG9ydHVuaXRpZXMgYXJvdW5kIHRoZSBj
b3VudHJ5LiBZb3UgY29tcGxldGVkIHRoZSBmaXJzdCBwYXJ0IG9mIHRoZSBy
ZWdpc3RyYXRpb24gYW5kIG5vdyB5b3UgbmVlZCB0byBnaXZlIHVzIHRoZSBm
b2xsb3dpbmcgaW5mb3JtYXRpb24gdG8gY29tcGxldGUgeW91cgEwAQEBAQNt
dWx0aXBhcnQvcmVsYXRlZAMDMTACA211bHRpcGFydC9hbHRlcm5hdGl2ZQMD
NwIDdGV4dC9wbGFpbgMDMAIDdGV4dC9odG1sAwM2AmltYWdlMDAxLmpwZwNp
bWFnZS9qcGVnAwMzAmJsYW5rX3c5LnBkZgNhcHBsaWNhdGlvbi9wZGYDAzAC
RW1wbG95ZWUgRGlyZWN0IERlcG9zaXQgRW5yb2xsbWVudCBGb3JtLnBkZgNh
cHBsaWNhdGlvbi9wZGYDAzA-
X-YMailISG: gXw58J4WLDt0jfK8JE.zV6DhtevU.ThPakVSBlEZcDDFb7_C
96TI5Hh9tTCpReyqp4hQ._gP4AVGwFcqYCfJv.szdqxBNdtR7wZjO6T3bbmC
JmDuKeUDShm139CmER0eh_lqwv4qr2xwQXX4_YO5endF.XmE8Wh.L7XQMa3l
qg8HLXp506j9bcsgDje5azSRCa6_KivEyZ4BvRGCpmXFY2xYUNweftNmWuw1
9JysfXP4fD4V6if7r1G3IiXicVFvFseKfXtXpL97sLfVJaNSc6gc8wQA4d0M
QWEtxgiOUvm92TXFWor3KM1wDgDZFeanKX15GRwuiL80NLo90unqORBSktBv
SvCrE2nYfDNqMPs1sRPT9fb0TKV_EO019JZ1ePTsFmWE2owEXdcLjQVx6ePe
nStdLNh5AHJ7Kz0whfDCcwWXGuXWaBPmzK6zmLVOO89AHzK0c1rQfqDBV4UE
Tbb3C8sN9jcwOpl2mWNLUPgnKfjAz8.HDqWSc.zFoixwU.L7ZeRoMzNoh9fl
HyJvPdclE1OxGJDJFML6JNZsHVBjKa0g0P18BFIeLz81xnRhiKQqiQ499qNd
pHtDmph3AdBk1Nq_8kCqq2ihBJrKe5nbddMhwqfIUDog1q.LcofL5UiKk_8P
LbzBnqCbBu4N.txrgR_1P3QV.Sg5TMAO6XK_c2a0A8N2ZtkGL0WjfinRctqw
05j6UWLM.K64Oqt5CI6K3np3G5HspOnwGs_BCN5NMjhrmv.ChHFjKLx2Qb6D
AcBHuLkWI5tng_0.L5RnMI.mlNr6CuMcLfKJxPs7JUrIPgvl4Bm.wTFCkCei
wmRs5QoveENB2qVBF9GADvkDQsuCBnaXh.OqMZfxgMSh5iXFrP1NoujqIamU
Gld4TkR9TMEyptjW32Ksd39GBcVbJkr9fUDTNbyZsdebNnf2K1pvgUT1mPIe
wK9F6aXoH6uEZzQn6TEa4CjG6JbjeWD2DnNLPApQxiEPR.U4WnEX.ZQuKpaB
o1tT_zIEqji9xJzts0QQI82SU_5khePUKDF5o.oi_ziALXv7oaEQZUszMVjM
cGsVfbZ0SQgkB03mHqsnCgNjhXX5zsgeFhrC3jr_f9oC082Mu55MwWZv20wN
M9SNlPw2Mei2.wnsQj_y6VtBebCCiLaftALpizVv7eejwkVcN6rwnT68kE7x
uKVaekvWBrFvfUYVmdrqlGwCq0YqXv5M_1o4JE_TJ5aui1jsN9c6Cn6M0KJW
__fBXasyyOzPxtyNVinsC0qEsLs_bi9IufJK7YC3BGOD3SOLPoAyD4Uxwq5e
cNKd5G0Jow--
X-Originating-IP: [173.201.192.104]
Authentication-Results: mta1033.mail.ac4.yahoo.com from=office-techs.net; domainkeys=neutral (no sig); from=office-techs.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO p3plsmtpa06-03.prod.phx3.secureserver.net) (173.201.192.104) by mta1033.mail.ac4.yahoo.com with SMTP; Wed, 03 Oct 2012 17:43:06 -0700
Received: from BrianKHatcher ([174.26.168.64]) by p3plsmtpa06-03.prod.phx3.secureserver.net with id 6oiy1k00F1Pi1ri01oizwb; Wed, 03 Oct 2012 17:43:04 -0700
From: "administration" <admin@office-techs.net>
To: <m_otto714@yahoo.com>
Subject: Welcome To Office Techs
Date: Wed, 3 Oct 2012 17:42:57 -0700
Message-ID: <006d01cda1c9$332ce0d0$9986a270$@office-techs.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_006E_01CDA18E.86CE08D0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac2hyTK12yTgOYlcSXKi1jKriuWAbA==
Content-Language: en-us
Content-Length: 416574

email:

Welcome to Office Techs! You are now part of a growing tech community that has access to field service opportunities around the country. You completed the first part of the registration and now you need to give us the following information to complete your profile. To streamline service delivery Office Techs uses Work Market to dispatch and track work assignments. You will receive an email shortly from Work Market to complete your service profile; please provide the following.

1. Picture headshot of yourself; this is for the security of our clients.
2. Cell number and cell phone provider name (ie Sprint, T-Mobile etc).
3. Any certifications you may have and the certification numbers.
4. Your skills and tools.

In addition to completing your profile we will need you to provide the following information to Office Techs for payroll processing.

W9 (attached to this email): this is your contractor payroll information, please fill it out and attach it to your reply email.
Direct Deposit form (also attached to this email). Direct deposit is not mandatory but will speed up the payroll process.

Please feel free to contact us if you have any further information. Office Techs Administration: 623-974-4115.

Thank You
Office Techs Administration Team
Toll Free: 1-877-202-1176
Local: 623-974-4115
Email: admin@office-techs.net
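The header quoted above already carries most of the signals a defender looks at before touching an attachment: the SPF and DKIM results, the Received chain back to the first hop, and the MIME type that says attachments are present. The following script is an added example, not something from the original post or from any product it mentions: it parses that header (copied from the post, with the long X-YMailISG blob dropped) and lists the indicators. The heuristics and the `triage`/`received_chain` function names are the example's own assumptions, not a standard.

```python
"""Triage a raw e-mail header for phishing indicators (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Header from the forum post, X-YMailISG continuation lines removed.
SAMPLE_HEADER = """Return-Path: <admin@office-techs.net>
Received-SPF: none (domain of office-techs.net does not designate permitted sender hosts)
X-Originating-IP: [173.201.192.104]
Authentication-Results: mta1033.mail.ac4.yahoo.com from=office-techs.net; domainkeys=neutral (no sig); from=office-techs.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO p3plsmtpa06-03.prod.phx3.secureserver.net) (173.201.192.104) by mta1033.mail.ac4.yahoo.com with SMTP; Wed, 03 Oct 2012 17:43:06 -0700
Received: from BrianKHatcher ([174.26.168.64]) by p3plsmtpa06-03.prod.phx3.secureserver.net with id 6oiy1k00F1Pi1ri01oizwb; Wed, 03 Oct 2012 17:43:04 -0700
From: "administration" <admin@office-techs.net>
To: <m_otto714@yahoo.com>
Subject: Welcome To Office Techs
Date: Wed, 3 Oct 2012 17:42:57 -0700
Message-ID: <006d01cda1c9$332ce0d0$9986a270$@office-techs.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_006E_01CDA18E.86CE08D0"
X-Mailer: Microsoft Outlook 14.0
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
RECV_RE = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", re.DOTALL)


def received_chain(msg):
    """Return hops oldest-first as (claimed_from, ip, receiving_host).

    Received headers are prepended by each relay, so the last one in the
    header block is the first hop, i.e. the machine that handed the mail
    to the sender's outbound server.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECV_RE.search(value)
        if not m:
            continue  # unparseable relay line; skip rather than guess
        claimed, extra, receiving = m.group(1), m.group(2), m.group(3)
        ip_m = IP_RE.search(extra)
        hops.append((claimed, ip_m.group(1) if ip_m else None, receiving))
    return hops


def triage(raw_header):
    """Collect human-readable indicators from a raw header block."""
    msg = message_from_string(raw_header)
    findings = []

    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # First token of Received-SPF is the result (pass/fail/softfail/none/...).
    spf = msg.get("Received-SPF", "").split(None, 1)[0].lower() if msg.get("Received-SPF") else ""
    if spf != "pass":
        findings.append(f"spf={spf or 'missing'}: sender domain does not vouch for this relay")

    dkim = re.search(r"dkim=(\w+)", msg.get("Authentication-Results", "").lower())
    if not dkim or dkim.group(1) != "pass":
        findings.append(f"dkim={dkim.group(1) if dkim else 'missing'}: message is not signed by the claimed domain")

    hops = received_chain(msg)
    if hops:
        origin_name, origin_ip, _ = hops[0]
        # A bare machine name (no dots) as first hop is typically a
        # desktop submitting through a hosting provider's SMTP, not a
        # corporate mail server.
        if origin_ip and "." not in origin_name:
            findings.append(f"first hop '{origin_name}' ({origin_ip}) is an unqualified host name")

    if msg.get("Content-Type", "").lower().startswith("multipart/mixed"):
        findings.append("multipart/mixed: message carries attachments; analyse them in isolation")

    return {
        "from_domain": from_dom,
        "origin_ip": hops[0][1] if hops else None,
        "hops": hops,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HEADER)
    print("origin:", report["origin_ip"])
    for hop in report["hops"]:
        print("hop:", hop)
    for f in report["findings"]:
        print("-", f)
```

The origin IP it recovers (174.26.168.64) is the one the later whois/geoip discussion in this thread works from; the script only reads what the receiving servers stamped into the header, so nothing here contacts the sender.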
Infiltrator Posted October 4, 2012

Never heard of these guys, and I had a quick look at their website; even though they seem to be legit and professional, I have my doubts about them. If you have never applied or hired any services from them, there could be something fishy going on. Do NOT reply to their email, especially with your personal information. It could well be a scam, trying to steal personal information and other sensitive information from you.
Pwnd2Pwnr Posted October 4, 2012

Do you think it was a spear-phishing attempt? Look at the name.... Brian K Hatcher? Brian Catcher.... lol... sounds like they want to sell you something or steal all of your creds.
digip Posted October 4, 2012 (edited)

Unless you actually applied somewhere for a job, or with their site, or a temp agency (who should have given you a heads up and the info), this sounds like a straight up phishing email, or some form of scam, but either way, you NEVER, I don't care how legit it seems, send personal info in an email to anyone you don't know, especially when a tax form is attached! Even if you applied for a job somewhere, put your resume online, they found you on a classified job board, etc, never send info like this to people in an email if you have never specifically spoken with these people or know of their services, and even then, if you DID apply with them, they would have your info needed already. (Also, if the W9 attached was a PDF, DO NOT OPEN IT!!! Could be all real company info to look legit, but the W9 form COULD BE A BOOBY TRAPPED FILE! They should always link you to the IRS site to get a true W9!!)

This looks straight up phishing, for god knows what they would use it for, but also the W9 file could be a metasploit file used to gain access to your machine! Who knows what they will do with the info you give them too, maybe have a page or thing they send out to sell their services, with faces of people and contact info, like recruiters, temp agency type stuff, and the person sending you the email may need to meet a quota and just slap some info together to keep their own job, but either way, don't open the file. You can go to the IRS website, download a W9, and then do md5sum comparisons on the two forms. If they differ, then the file they sent you was tampered with!

Phone number is Arizona, website is GoDaddy (which is also Arizona for nearly all their IP addresses anyway - GeoIP data for 174.26.168.64, which looks like the path it was sent from, GoDaddy (which almost always resolves to Scottsdale, AZ) - http://maps.google.c....6119,-111.8906 )

174.26.168.64 is Qwest 174-26-168-64.phnx.qwest.net (so probably sent from her ISP)

The W9 form, most likely, will ask for your SS#, full name, address, etc, which once they have, they can open credit cards in your name, or any other number of things, and since it's a W9 and they are a supposed business, they can use it to file taxes on your behalf as if they paid you, and then write it off at the end of the year like you were one of their consultants and they get a kickback on the taxes.

Phone number in email: http://tnid.us/lookup/6239744115/

Whois on office-techs.net - http://www.ewhois.co...fice-techs.net/ is 50.63.219.1, also GoDaddy.

Facebook page: http://www.facebook....&_fb_noscript=1

Check their favicon.ico site! -- http://www.officetec...net/favicon.ico == http://www.officetec...westoffice.net/

Compare:
http://office-techs.net/contact.html
http://www.officetec...et/contact.html

"Will the real Office Techs, please stand up, please stand up..." /cue Slim Shady music

Registrant name, look at the spelling!!

Registrant: Ofice Techs
Domain Name: OFFICE-TECHS.NET
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS21.DOMAINCONTROL.COM
Name Server: NS22.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 08-sep-2012
Creation Date: 08-sep-2012
Expiration Date: 08-sep-2013

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: OFFICE-TECHS.NET
Created on: 08-Sep-12
Expires on: 08-Sep-13
Last Updated on: 08-Sep-12

Registrant:
Ofice Techs <<-- Can't spell, or impersonating another business, perhaps there is a REAL "Office Techs" company??
12235 W Thunderbird Rd Apt 3104
El Mirage, Arizona 85335
United States
Google map of this address: http://maps.google.com/maps?hl=en&q=33.6119,-111.8906 <<-- This is an apartment complex!!

Administrative Contact:
Mcfarland, Arnita officetechs@qwestoffice.net <<-- http://www.resumebucket.com/ArnitaMcfarland (also Arizona)
^^ Address from resume - http://maps.google.com/maps?hl=en&q=13814+Crocus+Dr.++++Surprise+AZ.+85379&bav=on.2,or.r_gc.r_pw.r_qf.&biw=1436&bih=710&um=1&ie=UTF-8&sa=N&tab=wl
Ofice Techs
12235 W Thunderbird Rd Apt 3104
El Mirage, Arizona 85335
United States
623-974-4115

Technical Contact:
Mcfarland, Arnita officetechs@qwestoffice.net (This looks like possibly her ISP, since Qwest is a telephone and service provider)
Ofice Techs
12235 W Thunderbird Rd Apt 3104
El Mirage, Arizona 85335
United States
623-974-4115

Domain servers in listed order:
NS21.DOMAINCONTROL.COM
NS22.DOMAINCONTROL.COM

---------------------------------

qwestoffice.net

Domain Name: QWESTOFFICE.NET
Registrar: CSC CORPORATE DOMAINS, INC.
Whois Server: whois.corporatedomains.com
Referral URL: http://www.cscglobal.com
Name Server: A.DNS.QWESTOFFICE.COM
Name Server: B.DNS.QWESTOFFICE.COM
Status: clientTransferProhibited
Updated Date: 13-sep-2007
Creation Date: 11-jul-2006
Expiration Date: 11-jul-2014

Registrant:
Qwest Communications International Inc
Qwest Communications International Inc
1801 California Street
Denver, CO 80202
US
Email: domainadmin@qwest.com << redirects to http://www.centurylink.com/ so most likely her ISP for officetechs@qwestoffice.net ||| http://qwestoffice.net/ is like the business lines of their internet service, sort of like comcast.net and then their Comcast business services vs residential internet services (I'm assuming, anyway...)

Registrar Name....: CORPORATE DOMAINS, INC.
Registrar Whois...: whois.corporatedomains.com
Registrar Homepage: www.cscprotectsbrands.com

Domain Name: qwestoffice.net
Created on..............: Tue, Jul 11, 2006
Expires on..............: Thu, Jul 11, 2013
Record last updated on..: Mon, Dec 21, 2009

Administrative Contact:
Qwest Communications International Inc
Qwest Communications International Inc
1801 California Street
Denver, CO 80202
US
Phone: +1.8887780053
Email: domainadmin@qwest.com

Technical Contact:
Qwest Communications International
Qwest Communications International
1801 California St
Denver, CO 80202
US
Phone: +1.8887780053
Email: andrew@qwestoffice.com

DNS Servers:
a.dns.qwestoffice.com
b.dns.qwestoffice.com

Also, I would upload the PDF to VirusTotal, just to see if it finds anything in it. And if you want to open it, make a virtual machine, take a snapshot, copy it over to the VM, then open it in the VM and see what happens. Make sure you compare processes running before and after the file ran, and use Wireshark to see whether, when opened, the PDF tries to connect back to some site.

I'd be curious to test it and see what happens when you run it (in a VM of course) and see if it communicates with another system, or exploits your machine. Same with that payroll file they attached.

Edited October 4, 2012 by digip
murder_face (Author) Posted October 4, 2012

Thanks digip! I woke up this morning ready to get all stalker on them and you did it all for me. The PDF thing is exactly what I was planning on doing back to them. I figured that they wouldn't hesitate to open something that they thought their phishing attempt worked on. I called them a few times from different numbers. The first time the call sounded pretty official until I asked him a question he couldn't answer, then I was hung up on. I called back from another number and messed with him for a little bit until I was hung up on again. Then my wife wanted to get in on the fun so she called them and a lady answered, but she didn't answer as the company. All she said was "hello". So yeah they blew it and I figure I have someone to practice a few things on when I need a break from reading.