It’s been a while since something this blatant came down the wire:
Sorry for the delays towards making the payment, Please see attachment for proof of payment by verifying your email and password through the attached outlook duc transfer page to access the POP. Kindly confirm payment. Thanks CFO Sharon Williams
The “transfer page,” cleverly named “Wire Receipt.htm,” is some Base64-encoded garbage that I am not about to look at.
Weird aspects of this mailing:
- Sender is identified as “Sharon Smith,” not “Williams,” though the email address given is sharonw at stantrade.com.
- This line appears in the header:
X-Source-Args: /usr/bin/php /home/tcfofcha/public_html/mc.php
Is it possible that these folks have been hijacked?