Fraudulent email: Suppression de votre nom de domaine chez OVH.

Not_Oles (Hosting Provider, Content Writer)

Today I received a fraudulent email purporting to be from OVH and asking me to click a link to renew a domain registered with OVH.

The email really fooled me for a moment! I even got upset that OVH would send me an email requesting that I renew my domain name when it still was many months before expiration. Moreover, it bothered me that OVH would ask for substantially more funds than the price originally quoted for renewal. Sorry, OVH! You didn't do anything wrong!

It was only after I double-checked both whois and the OVH Cloud Control Panel that I realized the email was fishy. Whois showed what I expected. The OVH Cloud Control Panel had a warning about fraudulent emails.

A quick check of the email's link requested to be clicked showed that the link did not point to OVH. A quick check of the email's headers revealed complete nonsense, such as:

Return-Path: noreply@icann.com
[ . . . ]
Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=85.215.95.85

But, wow! I almost clicked the link in the email!

Here is OVH's page on email fraud.

Old guy! Happy customer of OVH. Tom, not Oles! :-)
Purveyor of fast-as-metal LXC VPSes
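
The checks described in the post above (SPF result, Return-Path, and where the link points), as an added Python example that is not part of the original post. Only the Return-Path and Received-SPF lines come from the post; the From line, the link, the flag names and the trusted-domain set are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: only Return-Path and Received-SPF are copied from the post;
# the From, Subject and link are placeholders invented for this example.
SAMPLE = """\
Return-Path: noreply@icann.com
Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=85.215.95.85
From: OVH <support@ovh.example>
Subject: Domain renewal
Content-Type: text/plain

Renew now: http://renewal.example.net/?cmd=PLACEHOLDER
"""

def domain_of(addr):
    """Lower-cased domain part of an address header value, or ''."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def host_in(host, trusted):
    """True if host equals a trusted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def triage(raw, trusted_domains):
    """Return red flags for a message that claims to come from trusted_domains."""
    msg = message_from_string(raw)
    flags = []
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    if spf in ("fail", "softfail"):
        flags.append("spf-" + spf)
    rp, frm = domain_of(msg.get("Return-Path", "")), domain_of(msg.get("From", ""))
    if rp and frm and rp != frm:
        flags.append(f"return-path-mismatch:{rp}!={frm}")
    if frm and not host_in(frm, trusted_domains):
        flags.append(f"from-not-trusted:{frm}")
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", body if isinstance(body, str) else ""):
        host = (urlsplit(url).hostname or "").lower()
        if not host_in(host, trusted_domains):
            flags.append(f"link-off-domain:{host}")
    return flags

if __name__ == "__main__":
    # The trusted set is an assumption; list the domains your provider really uses.
    for flag in triage(SAMPLE, {"ovh.com"}):
        print(flag)
```

The link check compares only the host in the URL with the trusted set and never fetches it, so nothing is sent to the sender's server.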

Comments

  • Aren't you curious where the link leads? 😋
    To find out how well structured the phishing page is and whether there is any malware attached?
    Just remembered this video. @Not_Oles Have you watched this?

    Thanked by (3)bikegremlin Ouji MaxKVM

    You have been invited to experience the Waking Up app for free. The app is unlocked for one month. Enjoy.
    https://share.wakingup.com/1cb1d7 (extra signature line removed)

  • Not_Oles (Hosting Provider, Content Writer)

    @Iroshan464

    Yeah, that's a great video! :)

    If you are interested, the link from the email is http://stkil1.cycle-lagrave.com?cmd=$COMMAND where $COMMAND is a ten character string consisting of upper and lowercase letters and Arabic numerals.

    Hope you have fun if you check it out! And please do let us know what you find.


  • Redirects to ovh.com 🤔

    Thanked by (3)Not_Oles Ouji Unixfy


  • Maybe you need a valid $COMMAND value to see the phishing page, and it redirects to ovh if you don't supply it.

    Thanked by (1)Not_Oles
  • Not_Oles (Hosting Provider, Content Writer)

    @bugrakoc said:
    Maybe you need a valid $COMMAND value to see the phishing page, and it redirects to ovh if you don't supply it.

    That's what I was thinking too. The question remaining in my mind was whether there was only one or a small number of valid values (perhaps for different OVH services or payment amounts or currencies) or whether the value they gave me was tracking.


  • @Not_Oles My bet is on tracking.

    Thanked by (1)Not_Oles