ALERT! Sophisticated Phishing Attempt using OF formatting

Hi everybody -- hope you're all doing very well.
So, just got hit with what seems like a fairly sophisticated phishing attempt (to me, at least).
This went to my Inbox and not Junk:

When you click on the View Conversation link you get prompted to sign in with your user name & password (even if you are already signed in on other tabs). But the URL is not OF but rather something with a forulmts DOT com domain (where you can actually see the templates for this attack if you visit there). Your browser will still prompt you to autofill if you have your login info saved in there despite that discrepancy for some reason.

You will also note that the conversation starter is a real member here but if you click his username link on the email you're redirected to a different member, but actually to the correct Omega Forums site this time. Also, this conversation from the phishing email alert will not exist in your Inbox on the real site.

Finally, if you trace the origin of the email, it comes up as being sent via a "do not reply" from rolexforums DOT com of all things!

Anyway, just a heads up and if you happened to use that dubious link-thru to log in, change your password ASAP.
Be safe out there & all the best,
Tom
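
The two mismatches described in the post above (a "View Conversation" link that leaves the forum's domain, and a sender on an unrelated domain) can be checked mechanically. This is an added example, not part of the original post; `forum.example` is a placeholder for the forum's real domain, which the thread does not give, and the sample e-mail is constructed from the description.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder for the forum's real domain (not given in the thread).
LEGIT_DOMAIN = "forum.example"

# Constructed sample notification, modelled on the description in the post.
SAMPLE_EMAIL = """\
From: Forum <do-not-reply@rolexforums.com>
To: member@mail.example
Subject: New conversation started with you
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p><a href="https://forum.example/members/someone.123/">someone</a> started a
conversation with you.</p>
<p><a href="https://forulmts.com/conversations/456/">View Conversation</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def on_domain(host, domain=LEGIT_DOMAIN):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit(raw_email):
    """Return (sender_ok, off_site_links) for a notification e-mail."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    off_site = [u for u in collector.links if not on_domain(urlsplit(u).hostname)]
    return on_domain(sender_domain), off_site
```

A failed sender check is a useful signal, but a passing one proves nothing on its own because the From header can be forged; the off-site link list is the stronger indicator.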
 
Direct to trash already surprising and empty PM, and no email in the forum, bastards 😀)))))
 
whois forulmts.com
Domain Name: FORULMTS.COM
Registry Domain ID: 2507605932_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2021-09-17T16:37:06Z
Creation Date: 2020-03-26T14:23:58Z
Registry Expiry Date: 2022-03-26T14:23:58Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS10.VEEBLEHOSTING.COM
Name Server: NS9.VEEBLEHOSTING.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2021-11-16T07:48:46Z <<<

Domain Name: forulmts.com
Registry Domain ID: 2507605932_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2021-11-11T07:00:00Z
Creation Date: 2020-03-26T07:00:00Z
Registrar Registration Expiration Date: 2022-03-26T07:00:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4805240066
Reseller: QHOSTER.COM
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Phillip Frishe
Registrant Organization:
Registrant Street: 55 old military rd
Registrant City: NY
Registrant State/Province: NY
Registrant Postal Code: 10023
Registrant Country: US
Registrant Phone: +1.8177698271
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Phillip Frishe
Admin Organization:
Admin Street: 55 old military rd
Admin City: NY
Admin State/Province: NY
Admin Postal Code: 10023
Admin Country: US
Admin Phone: +1.8177698271
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Phillip Frishe
Tech Organization:
Tech Street: 55 old military rd
Tech City: NY
Tech State/Province: NY
Tech Postal Code: 10023
Tech Country: US
Tech Phone: +1.8177698271
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS9.VEEBLEHOSTING.COM
Name Server: NS10.VEEBLEHOSTING.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2021-11-16T07:00:00Z <<<

The registration details may be complete lies of course, but perhaps there are some leads to the perps here.
 
These days one has to be very careful with anything you get in any email or message. The classic Nigerian prince goofy emails are easy to spot, but the more sophisticated attempts to get your data can be tricky. Stay vigilant.
 
I haven't heard from him for a while. Do you know how he is doing?
Apparently he and his father made up. Really glad I could help him out like that, he did give me $5m for my troubles, so that was nice. Did he not write you back?