
Posted

I got an email from a company that I never applied to, and they want some pretty personal information. I was wondering if anyone has ever heard of them. I plan to do some poking and prodding of my own, but here is the email and header that I got from them:

header:

From administration Wed Oct 3 17:42:57 2012

X-Apparently-To: m_otto714@yahoo.com via 98.136.183.40; Wed, 03 Oct 2012 17:43:06 -0700

Return-Path: <admin@office-techs.net>

Received-SPF: none (domain of office-techs.net does not designate permitted sender hosts)

cnQgb2YgYSBncm93aW5nIHRlY2ggY29tbXVuaXR5IHRoYXQgaGFzIGFjY2Vz

cyB0byBmaWVsZCBzZXJ2aWNlIG9wcG9ydHVuaXRpZXMgYXJvdW5kIHRoZSBj

b3VudHJ5LiBZb3UgY29tcGxldGVkIHRoZSBmaXJzdCBwYXJ0IG9mIHRoZSBy

ZWdpc3RyYXRpb24gYW5kIG5vdyB5b3UgbmVlZCB0byBnaXZlIHVzIHRoZSBm

b2xsb3dpbmcgaW5mb3JtYXRpb24gdG8gY29tcGxldGUgeW91cgEwAQEBAQNt

dWx0aXBhcnQvcmVsYXRlZAMDMTACA211bHRpcGFydC9hbHRlcm5hdGl2ZQMD

NwIDdGV4dC9wbGFpbgMDMAIDdGV4dC9odG1sAwM2AmltYWdlMDAxLmpwZwNp

bWFnZS9qcGVnAwMzAmJsYW5rX3c5LnBkZgNhcHBsaWNhdGlvbi9wZGYDAzAC

RW1wbG95ZWUgRGlyZWN0IERlcG9zaXQgRW5yb2xsbWVudCBGb3JtLnBkZgNh

cHBsaWNhdGlvbi9wZGYDAzA-

X-YMailISG: gXw58J4WLDt0jfK8JE.zV6DhtevU.ThPakVSBlEZcDDFb7_C

96TI5Hh9tTCpReyqp4hQ._gP4AVGwFcqYCfJv.szdqxBNdtR7wZjO6T3bbmC

JmDuKeUDShm139CmER0eh_lqwv4qr2xwQXX4_YO5endF.XmE8Wh.L7XQMa3l

qg8HLXp506j9bcsgDje5azSRCa6_KivEyZ4BvRGCpmXFY2xYUNweftNmWuw1

9JysfXP4fD4V6if7r1G3IiXicVFvFseKfXtXpL97sLfVJaNSc6gc8wQA4d0M

QWEtxgiOUvm92TXFWor3KM1wDgDZFeanKX15GRwuiL80NLo90unqORBSktBv

SvCrE2nYfDNqMPs1sRPT9fb0TKV_EO019JZ1ePTsFmWE2owEXdcLjQVx6ePe

nStdLNh5AHJ7Kz0whfDCcwWXGuXWaBPmzK6zmLVOO89AHzK0c1rQfqDBV4UE

Tbb3C8sN9jcwOpl2mWNLUPgnKfjAz8.HDqWSc.zFoixwU.L7ZeRoMzNoh9fl

HyJvPdclE1OxGJDJFML6JNZsHVBjKa0g0P18BFIeLz81xnRhiKQqiQ499qNd

pHtDmph3AdBk1Nq_8kCqq2ihBJrKe5nbddMhwqfIUDog1q.LcofL5UiKk_8P

LbzBnqCbBu4N.txrgR_1P3QV.Sg5TMAO6XK_c2a0A8N2ZtkGL0WjfinRctqw

05j6UWLM.K64Oqt5CI6K3np3G5HspOnwGs_BCN5NMjhrmv.ChHFjKLx2Qb6D

AcBHuLkWI5tng_0.L5RnMI.mlNr6CuMcLfKJxPs7JUrIPgvl4Bm.wTFCkCei

wmRs5QoveENB2qVBF9GADvkDQsuCBnaXh.OqMZfxgMSh5iXFrP1NoujqIamU

Gld4TkR9TMEyptjW32Ksd39GBcVbJkr9fUDTNbyZsdebNnf2K1pvgUT1mPIe

wK9F6aXoH6uEZzQn6TEa4CjG6JbjeWD2DnNLPApQxiEPR.U4WnEX.ZQuKpaB

o1tT_zIEqji9xJzts0QQI82SU_5khePUKDF5o.oi_ziALXv7oaEQZUszMVjM

cGsVfbZ0SQgkB03mHqsnCgNjhXX5zsgeFhrC3jr_f9oC082Mu55MwWZv20wN

M9SNlPw2Mei2.wnsQj_y6VtBebCCiLaftALpizVv7eejwkVcN6rwnT68kE7x

uKVaekvWBrFvfUYVmdrqlGwCq0YqXv5M_1o4JE_TJ5aui1jsN9c6Cn6M0KJW

__fBXasyyOzPxtyNVinsC0qEsLs_bi9IufJK7YC3BGOD3SOLPoAyD4Uxwq5e

cNKd5G0Jow--

X-Originating-IP: [173.201.192.104]

Authentication-Results: mta1033.mail.ac4.yahoo.com from=office-techs.net; domainkeys=neutral (no sig); from=office-techs.net; dkim=neutral (no sig)

Received: from 127.0.0.1 (EHLO p3plsmtpa06-03.prod.phx3.secureserver.net) (173.201.192.104)

by mta1033.mail.ac4.yahoo.com with SMTP; Wed, 03 Oct 2012 17:43:06 -0700

Received: from BrianKHatcher ([174.26.168.64])

by p3plsmtpa06-03.prod.phx3.secureserver.net with

id 6oiy1k00F1Pi1ri01oizwb; Wed, 03 Oct 2012 17:43:04 -0700

From: "administration" <admin@office-techs.net>

To: <m_otto714@yahoo.com>

Subject: Welcome To Office Techs

Date: Wed, 3 Oct 2012 17:42:57 -0700

Message-ID: <006d01cda1c9$332ce0d0$9986a270$@office-techs.net>

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_006E_01CDA18E.86CE08D0"

X-Mailer: Microsoft Outlook 14.0

Thread-Index: Ac2hyTK12yTgOYlcSXKi1jKriuWAbA==

Content-Language: en-us

Content-Length: 416574

email:

Welcome to Office Techs! You are now part of a growing tech community that has access to field service opportunities around the country.

You completed the first part of the registration and now you need to give us the following information to complete your profile. To stream line service delivery Office Techs uses

Work market to dispatch and track work assignments. You will receive an email shortly from Work Market to complete your service profile please provide the following.

1. Picture headshot of yourself this is for the security of our clients .

2. Cell number and cell phone provider name (ie sprint, tmobile etc).

3. Any certifications you may have and the certification numbers .

4. Your skills and tools .

In addition to completing your profile we will need you to provide the following information to office techs for payroll processing.

W9( attached to this email) this is your contractor payroll information please fill it out and attach it to your reply email.

Direct Deposit form (also attached to this email). Direct deposit is not mandatory but will speed up the payroll process.

Please Feel free to contact us if you have any further information Office Techs Administration: 623-974-4115 .

Thank You

Office Techs Administration Team

Toll Free: 1-877-202-1176

Local : 623-974-4115

Email: admin@office-techs.net
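The header above already carries most of what the later replies dig out by hand: the SPF and DKIM results, the relay the mail came through, and the first hop it was handed off from. The script below is an added example, not code from the original post or from any party discussed in the thread. It parses a pasted header, extracts those indicators, and scores the sender's domain age against the whois creation date quoted later in the thread. The abridged header it parses is constructed from the one above, and the 90-day "young domain" threshold is an assumed value.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: an abridged copy of the header pasted above, with the
# continuation lines indented the way an MTA folds them. Not a live message.
SAMPLE_HEADER = """\
Return-Path: <admin@office-techs.net>
Received-SPF: none (domain of office-techs.net does not designate permitted sender hosts)
X-Originating-IP: [173.201.192.104]
Authentication-Results: mta1033.mail.ac4.yahoo.com from=office-techs.net; domainkeys=neutral (no sig); from=office-techs.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO p3plsmtpa06-03.prod.phx3.secureserver.net) (173.201.192.104)
 by mta1033.mail.ac4.yahoo.com with SMTP; Wed, 03 Oct 2012 17:43:06 -0700
Received: from BrianKHatcher ([174.26.168.64])
 by p3plsmtpa06-03.prod.phx3.secureserver.net with
 id 6oiy1k00F1Pi1ri01oizwb; Wed, 03 Oct 2012 17:43:04 -0700
From: "administration" <admin@office-techs.net>
To: <m_otto714@yahoo.com>
Subject: Welcome To Office Techs
Date: Wed, 3 Oct 2012 17:42:57 -0700
X-Mailer: Microsoft Outlook 14.0

"""
# Creation date from the whois record quoted later in the thread.
WHOIS_CREATED = "08-sep-2012"

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _is_public(ip):
    a, b = (int(x) for x in ip.split(".")[:2])
    return not (a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168))


def hops_oldest_first(msg):
    """Each MTA prepends its Received line, so reversing the list gives the
    path the message actually travelled, origin first."""
    return list(reversed(msg.get_all("Received") or []))


def origin_ip(msg):
    """First public IPv4 in the earliest hop: the host that handed the mail to
    the first relay. Lines below the first trusted relay can be forged by the
    sender, so treat this as a lead, not proof."""
    for hop in hops_oldest_first(msg):
        for ip in IPV4.findall(hop):
            if _is_public(ip):
                return ip
    return None


def last_relay(msg):
    """Hostname the final relay announced (EHLO) to the recipient's MTA."""
    hops = msg.get_all("Received") or []
    m = re.search(r"EHLO ([\w.-]+)", hops[0]) if hops else None
    return m.group(1).lower() if m else None


def auth_results(msg):
    spf = (msg.get("Received-SPF") or "absent").split()[0].lower()
    ar = msg.get("Authentication-Results") or ""

    def field(key):
        m = re.search(key + r"=(\w+)", ar)
        return m.group(1).lower() if m else "absent"

    return {"spf": spf, "dkim": field("dkim"), "domainkeys": field("domainkeys")}


def domain_age_days(msg, whois_created):
    """Days between the registrar's creation date ('dd-mon-yyyy') and the Date header."""
    sent = parsedate_to_datetime(msg["Date"]).date()
    created = datetime.strptime(whois_created, "%d-%b-%Y").date()
    return (sent - created).days


def triage(raw, whois_created=None, young_domain_days=90):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = auth_results(msg)
    relay = last_relay(msg)
    findings = []
    if auth["spf"] != "pass":
        findings.append(f"SPF={auth['spf']}: the sending relay is not verified as authorised for {from_dom}")
    if auth["dkim"] != "pass":
        findings.append(f"DKIM={auth['dkim']}: nothing cryptographically ties the message to {from_dom}")
    if relay and from_dom and not (relay == from_dom or relay.endswith("." + from_dom)):
        findings.append(f"final relay {relay} is not a host under {from_dom} (third-party relay)")
    if whois_created:
        age = domain_age_days(msg, whois_created)
        if age < young_domain_days:
            findings.append(f"sender domain was registered only {age} days before this mail was sent")
    return {
        "from_domain": from_dom,
        "auth": auth,
        "last_relay": relay,
        "relay_ip": (msg.get("X-Originating-IP") or "").strip("[] "),
        "origin_ip": origin_ip(msg),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADER, WHOIS_CREATED).items():
        print(f"{key}: {value}")
```

The relay IP (X-Originating-IP) and the origin IP (earliest Received hop) are reported separately because they answer different questions: the former is the provider's outbound server, the latter is the machine that submitted the message to it.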

Posted

Never heard of these guys. I had a quick look at their website, and even though they seem legit and professional, I have my doubts about them. If you have never applied to or hired any services from them, there could be something fishy going on.

Do NOT reply to their email, especially with your personal information. It could well be a scam trying to steal personal and other sensitive information from you.

Posted

Do you think it was a spear-phishing attempt? Look at the name.... Brian K Hatcher? Brian Catcher.... lol... sounds like they want to sell you something or steal all of your creds.

Posted (edited)

Unless you actually applied somewhere for a job, or with their site, or with a temp agency (who should have given you a heads up and the info), this sounds like a straight-up phishing email or some form of scam. Either way, you NEVER, I don't care how legit it seems, send personal info in an email to anyone you don't know, especially when a tax form is attached!

Even if you applied for a job somewhere, put your resume online, they found you on a classified job board, etc., never send info like this to people in an email if you have never specifically spoken with them or know of their services, and even then, if you DID apply with them, they would already have the info they need. (Also, if the W9 attached was a PDF, DO NOT OPEN IT!!! It could be all real company info to look legit, but the W9 form COULD BE A BOOBY-TRAPPED FILE! They should always link you to the IRS site to get a true W9!!)

This looks like straight-up phishing, for god knows what they would use it for, but also the W9 file could be a metasploit file used to gain access to your machine! Who knows what they will do with the info you give them too; maybe they have a page or something they send out to sell their services, with faces of people and contact info, like recruiters, temp agency type stuff, and the person sending you the email may need to meet a quota and just slap some info together to keep their own job. But either way, don't open the file. You can go to the IRS website, download a W9, and then do md5sum comparisons on the two forms. If they differ, then the file they sent you was tampered with!

Phone number is Arizona, website is godaddy (which is also Arizona for nearly all their IP addresses anyway - GeoIP data for 174.26.168.64, which looks like the path it was sent from, godaddy (which almost always resolves to Scottsdale, AZ) - http://maps.google.c....6119,-111.8906 )

174.26.168.64 is Qwest, 174-26-168-64.phnx.qwest.net (so probably sent from her ISP)

The W9 form, most likely, will ask for your SS#, full name, address, etc., which once they have, they can open credit cards in your name, or any number of other things, and since it's a W9 and they are a supposed business, they can use it to file taxes on your behalf as if they paid you, and then write it off at the end of the year like you were one of their consultants and they get a kickback on the taxes.

Phone number in email:

http://tnid.us/lookup/6239744115/

Whois on office-techs.net - http://www.ewhois.co...fice-techs.net/ is 50.63.219.1, also godaddy.

Facebook page: http://www.facebook....&_fb_noscript=1

Check their favicon.ico site! -- http://www.officetec...net/favicon.ico == http://www.officetec...westoffice.net/

Compare:

"Will the real Office Techs, please stand up, please stand up..." /cue slim shady music

Registrant name, look at the spelling!!

Registrant:

Ofice Techs

Domain Name: OFFICE-TECHS.NET
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS21.DOMAINCONTROL.COM
Name Server: NS22.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 08-sep-2012
Creation Date: 08-sep-2012
Expiration Date: 08-sep-2013



Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: OFFICE-TECHS.NET
Created on: 08-Sep-12
Expires on: 08-Sep-13
Last Updated on: 08-Sep-12

Registrant:
Ofice Techs <<-- Can't spell, or impersonating another business, perhaps there is a REAL "Office Techs" company??
12235 W Thunderbird Rd Apt 3104
El Mirage, Arizona 85335
United States
Google map of this address: http://maps.google.com/maps?hl=en&q=33.6119,-111.8906 <<-- This is an apartment complex!!

Administrative Contact:
Mcfarland, Arnita officetechs@qwestoffice.net <<-- http://www.resumebucket.com/ArnitaMcfarland (also Arizona)
^^ Address from resume - http://maps.google.com/maps?hl=en&q=13814+Crocus+Dr.++++Surprise+AZ.+85379&bav=on.2,or.r_gc.r_pw.r_qf.&biw=1436&bih=710&um=1&ie=UTF-8&sa=N&tab=wl
Ofice Techs
12235 W Thunderbird Rd Apt 3104
El Mirage, Arizona 85335
United States
623-974-4115

Technical Contact:
Mcfarland, Arnita officetechs@qwestoffice.net ( This looks like possibly her ISP, since qwest is a telephone and service provider )
Ofice Techs
12235 W Thunderbird Rd Apt 3104
El Mirage, Arizona 85335
United States
623-974-4115

Domain servers in listed order:
NS21.DOMAINCONTROL.COM
NS22.DOMAINCONTROL.COM

---------------------------------
qwestoffice.net

Domain Name: QWESTOFFICE.NET
Registrar: CSC CORPORATE DOMAINS, INC.
Whois Server: whois.corporatedomains.com
Referral URL: http://www.cscglobal.com
Name Server: A.DNS.QWESTOFFICE.COM
Name Server: B.DNS.QWESTOFFICE.COM
Status: clientTransferProhibited
Updated Date: 13-sep-2007
Creation Date: 11-jul-2006
Expiration Date: 11-jul-2014


Registrant:
Qwest Communications International Inc
Qwest Communications International Inc
1801 California Street
Denver, CO 80202
US
Email: domainadmin@qwest.com << redirects to http://www.centurylink.com/ so most likely her ISP for officetechs@qwestoffice.net ||| http://qwestoffice.net/ is like the business lines of their internet service, sort of like comcast.net and then their Comcast business services vs residential internet services (I'm assuming, anyway...)

Registrar Name....: CORPORATE DOMAINS, INC.
Registrar Whois...: whois.corporatedomains.com
Registrar Homepage: www.cscprotectsbrands.com

Domain Name: qwestoffice.net

Created on..............: Tue, Jul 11, 2006
Expires on..............: Thu, Jul 11, 2013
Record last updated on..: Mon, Dec 21, 2009

Administrative Contact:
Qwest Communications International Inc
Qwest Communications International Inc
1801 California Street
Denver, CO 80202
US
Phone: +1.8887780053
Email: domainadmin@qwest.com

Technical Contact:
Qwest Communications International
Qwest Communications International
1801 California St
Denver, CO 80202
US
Phone: +1.8887780053
Email: andrew@qwestoffice.com

DNS Servers:

a.dns.qwestoffice.com
b.dns.qwestoffice.com

Also, I would upload the PDF to Virus Total, just to see if it finds anything in it. And if you want to open it, make a virtual machine, take a snapshot, copy it over to the VM, then open it in the VM and see what happens. Make sure you compare processes running before and after the file ran, and use Wireshark to see whether, when opened, the PDF tries to connect back to some site. I'd be curious to test it and see what happens when you run it (in a VM of course) and see if it communicates with another system or exploits your machine. Same with that payroll file they attached.

Edited by digip
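Before the VM run described above, a static look at the attachment costs nothing and is safe on any machine. The script below is an added example, not code from the post or from any party in the thread: it hashes a PDF for a VirusTotal lookup or an md5sum/sha256sum comparison against the IRS copy, and counts the name objects that give a PDF active behaviour (/OpenAction, /JavaScript, /Launch, embedded files), looking inside Flate-compressed streams and through #xx hex-escaped names, where such keywords are routinely hidden. The two PDFs it inspects are constructed samples, and the list of risky names is this example's own choice.

```python
import hashlib
import re
import zlib

# PDF name objects that give a document active behaviour. A plain tax form
# needs none of them; an unsolicited attachment that carries them belongs in
# a sandbox, not under a double-click. (List chosen for this example.)
RISKY_NAMES = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/XFA"]
NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"  # a name ends at whitespace or a delimiter
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data):
    """Undo #xx hex escapes so that /Open#41ction is seen as /OpenAction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Yield the plaintext of every Flate-compressed stream; skip anything else."""
    for m in STREAM.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def scan_pdf(data):
    """Static triage: file hashes plus a count of risky names found in the raw
    file and inside its compressed streams."""
    hits = {}
    for piece in [data, *inflate_streams(data)]:
        text = normalize_names(piece)
        for name in RISKY_NAMES:
            n = len(re.findall(re.escape(name) + NAME_END, text))
            if n:
                hits[name.decode()] = hits.get(name.decode(), 0) + n
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "header": data[:8].decode("latin-1"),
        "hits": hits,
    }


def same_file(a, b):
    """True only if the bytes are identical, which is all a hash comparison proves."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


# Constructed samples, not real attachments: a bare one-page PDF, and the same
# file with a hex-escaped OpenAction pointing at a JavaScript action that is
# hidden inside a Flate-compressed stream.
_SKELETON = (b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n")
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              + _SKELETON + b"trailer << /Root 1 0 R >>\n%%EOF\n")
_js = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")
SUSPICIOUS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
                  + _SKELETON
                  + b"4 0 obj << /Length " + str(len(_js)).encode() + b" /Filter /FlateDecode >>\nstream\n"
                  + _js + b"\nendstream\nendobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        r = scan_pdf(pdf)
        print(label, r["sha256"][:16], r["hits"] or "no active content found")
    print("identical bytes:", same_file(BENIGN_PDF, SUSPICIOUS_PDF))
```

A matching hash proves the two files are byte-identical; a mismatch only says they differ, which a filled-in, re-saved or different-revision form also does. The keyword count and the sandbox run are the deciding evidence, with the hash serving as the lookup key for VirusTotal.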
Posted

Thanks digip! I woke up this morning ready to get all stalker on them and you did it all for me. The PDF thing is exactly what I was planning on doing back to them. I figured that they wouldn't hesitate to open something that they thought their phishing attempt worked on. I called them a few times from different numbers. The first time the call sounded pretty official until I asked him a question he couldn't answer, then I was hung up on. I called back from another number and messed with him for a little bit until I was hung up on again. Then my wife wanted to get in on the fun so she called them and a lady answered, but she didn't answer as the company. All she said was "hello". So yeah, they blew it, and I figure I have someone to practice a few things on when I need a break from reading.
