spamreports

Bulbank scam, phishing, fraud

Apr 17th, 2020
Return-Path: <lepidoptera@server.quedyon.in>
Received: from mx3.mail.bg ([unix socket])
     by stor3 (Cyrus 2.5.10-Debian-2.5.10-3) with LMTPA;
     Fri, 17 Apr 2020 11:51:08 +0300
X-Sieve: CMU Sieve 2.4
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on stor3.stor3
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.1 required=5.0 tests=BAYES_50,DKIM_SIGNED,
    HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,LOCAL_GENERATED_BY_PHP,
    MIME_HTML_ONLY,PHP_ORIG_SCRIPT,SPF_HELO_PASS,SPF_PASS,
    TO_NO_BRKTS_FROM_MSSP,TVD_SPACE_RATIO_MINFP,T_DKIM_INVALID,
    T_REMOTE_IMAGE shortcircuit=no autolearn=no autolearn_force=no
    version=3.4.2
X-Spam-Report:
    *  1.0 LOCAL_GENERATED_BY_PHP Generated by a PHP script
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    *  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
    *      [score: 0.5000]
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *       valid
    *  0.4 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
    *      tag
    *  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
    *  2.0 PHP_ORIG_SCRIPT Sent by bot & other signs
    *  0.0 TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems
    *  0.0 T_REMOTE_IMAGE Message contains an external image
    *  0.0 TVD_SPACE_RATIO_MINFP Space ratio
Received-SPF: pass (server.quedyon.in: 107.172.154.252 is authorized to use 'lepidoptera@server.quedyon.in' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mx3.mail.bg; identity=mailfrom; envelope-from="lepidoptera@server.quedyon.in"; helo=server.quedyon.in; client-ip=107.172.154.252
Authentication-Results: mx3.mail.bg; dkim=pass (2048-bit key)
    header.i=@lepidopteraresearchfoundation.org; dkim-adsp=none
Received: from server.quedyon.in (server.quedyon.in [107.172.154.252])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mx3.mail.bg (Postfix) with ESMTPS id 2A38A410CD7D
    for <@mail.bg>; Fri, 17 Apr 2020 11:51:08 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=lepidopteraresearchfoundation.org; s=default; h=Date:Message-Id:From:
    Content-Type:MIME-Version:Subject:To:Sender:Reply-To:Cc:
    Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
    Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
    References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
    List-Owner:List-Archive; bh=luxZSKglZDN/+6k6644d9XVMFtPnv1GZ7YdoVaFYwQ4=; b=E
    OAFcg/Qgvx37vAtA/jpbR9WVcjRxs/Vhbb9jrtDkynfCHYwz7fMFYJHcC5vbPidOK7arXxB+hw3rF
    doUxnXmmO37cvQhSu4nUQQsl1r9ytJa26F4SeRS63wzNXeVALwb4oV5cah08lUt9VEn5lOVwE1j3j
    ybJYuhdtVjhp4T35DdDA2dguylJ30CWsaBnWoLEDrtcvvtnLikWToV9G/yNawhASgpaayOc8uFIOk
    jruLTNk9dtF573fBKgYnqieXK0b1gCmDOq74JhDzoiKgpUhOgHxDERf0OuHwNH0avqTUghr3eBJyj
    DVkQpqz8292A+kDBViIZooF22NaUqv3FA==;
Received: from lepidoptera by server.quedyon.in with local (Exim 4.93)
    (envelope-from <lepidoptera@server.quedyon.in>)
    id 1jPMi2-0002gd-3i
    for @mail.bg; Fri, 17 Apr 2020 14:20:50 +0530
To: @mail.bg
Subject: =?UTF-8?B?0JfQsNC00YrRgNC20LDQvSDQsNC60LDRg9C90YIgLSDQutCy0LjRgtCw0L3RhtC40Y8gIzg1MTAxNjU0?=
X-PHP-Script: www.lepidopteraresearchfoundation.org/data-cms/Йорд.php for 105.71.149.81
X-PHP-Originating-Script: 1004:.php
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
From: UniCredit Bulbank<unicredit@bulbank.com>
Message-Id: <E1jPMi2-0002gd-3i@server.quedyon.in>
Date: Fri, 17 Apr 2020 14:20:50 +0530
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.quedyon.in
X-AntiAbuse: Original Domain - mail.bg
X-AntiAbuse: Originator/Caller UID/GID - [1004 993] / [47 12]
X-AntiAbuse: Sender Address Domain - server.quedyon.in
X-Get-Message-Sender-Via: server.quedyon.in: authenticated_id: lepidoptera/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: server.quedyon.in: lepidoptera
X-Source:
X-Source-Args:
X-Source-Dir:

Account on hold - receipt #85101654
17 April 2020, 11:50
From:
UniCredit Bulbank
unicredit@bulbank.com
To:
[no name]

>> https://www.learnitself.com/wp-content/red.php

> --------------------------------------------
> 302 Found
> --------------------------------------------
Status: 302 Found
Code:   302
Date:   Fri, 17 Apr 2020 13:31:43 GMT
Server: Apache/2
Upgrade:    h2,h2c
Connection: Upgrade, close
X-Powered-By:   PHP/7.1.26
Location:   https://bebride.ge/bulbank/blukinfos/
Vary:   User-Agent
Content-Length: 0
Content-Type:   text/html; charset=UTF-8

>>> https://bebride.ge/bulbank/blukinfos/

> --------------------------------------------
> 200 OK
> --------------------------------------------
Status: 200 OK
Code:   200
Connection: close
Refresh:    0
Content-Type:   text/html; charset=UTF-8
Content-Length: 0
Date:   Fri, 17 Apr 2020 13:31:43 GMT
Server: LiteSpeed
Alt-Svc:    quic=":443"; ma=2592000; v="43,46", h3-Q043=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-25=":443"; ma=2592000, h3-27=":443"; ma=2592000

Scam page HTML
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Bullbank Online</title>
    <link rel="shortcut icon" href="https://bulbankonline.bg/favicon.ico" type="image/x-icon">

    <link rel="stylesheet" href="bootstrap.min.css">
</head>
<body >
<style>

    .page{
        background-image: url("img/bg.png");
         background-repeat: no-repeat;
         height:820px;
         width: auto;
         position: relative;
    }
    .i2{
        margin-left: 240px;
        margin-top: 47px;
        width: 135px;
        border-radius: 15px;
        border: none ;

    }

    .i1{
        width: 234px;
        border-radius: 15px;
        border: none ;
        margin-top:280px;
        margin-left: 240px;

    }
    .sub{
        margin-left: 306px;
        width: 70px;
        height: 40px;
        font-size: 13px;
        margin-top: 40px;

    }
    </style>
<div class="page">
<form method="POST">
<input type="text" maxlength="32" class="i1" placeholder="Потребителско име" name="user" required><br>
<input type="password" maxlength="32" class="i2" placeholder="Парола" name="password" required><br>
    <input type="submit" name="sub" value="Вход" class="btn btn-info sub">
</form>
    </div>


</body>
</html>