wantonc22
Level 7

Your Mailbox Quota Exceeded - From Gmail????

Hi everyone,

I received an email about one of my Gmail accounts. The text is shown below.  I checked my mailbox and it is very clean as I delete all my messages once I read them.  It had a word Validate in the body of the message which was a hyperlink.   The hyperlinked email address is not even a Gmail address.  I have deleted this hyperlink in this posting, so that there is no risk of someone inadvertently clicking on it.

Does anyone have any idea what this group is trying to achieve?  The Validate link leads to this email address: Address a web forgery so removed mod

My McAfee antivirus is up to date and did not see anything suspicious with this email.    I am suspicious.

Your comments or ideas would be very valued.

Thank you in advance.

ED

"From: removed mod

Sent: Saturday, September 21, 2013 4:09 AM

To: email removed for safety      mod

Subject: Your Mailbox Quota Exceeded

Dear Client,

This is to inform you that your Mailbox Quota limit has been exceeded. To continue using email,you will need to upgrade your Mailbox Quota(please note this is free). Failure to do so,you will be unable to upload additional items to your Drive or photos to Google+, and, after a period of time, incoming messages to your account will be returned to the sender. Note that we will bounce emails until you rectify quota issue.

Validate

We sincerely regret any inconvenience.

Email Team"

Message was edited by: Peacekeeper on 21/09/13 6:55:44 PM

Message was edited by: Peacekeeper on 21/09/13 6:56:28 PM
0 Kudos
6 Replies
wantonc22
Level 7

Re: Your Mailbox Quota Exceeded - From Gmail????

I have done a Google search about suriyenakliyat.com and it appears to be based in Plymouth in England with links back to Turkey.  When I attempted to just open the suriyenakliyat.com web address the browser was diverted to my McAfee software, which immediately issued its warning that this site is very suspicious.  (Warning: I have attempted to delete the hyperlink below. Please do not attempt to open it as it may have consequences for your computer.)

"http://www.siteadvisor.com/restricted.html?domain=http:%2F%2Fwww.arinak.com.tr%2Fsuriyenakliye&origi..."

My McAfee software immediately issued its warning that this site is very suspicious.  So I think I am vindicated in raising this matter here.  I will be sending an email to all my club committee not to open this email.  Just delete it.

My rule has always been that if you do not know who the email is from just delete and add the emailer to the unwanted list on the antivirus software.

Ed

Message was edited by: wantonc22 on 20/09/13 5:38:24 PM

Message was edited by: wantonc22 on 20/09/13 5:38:45 PM
0 Kudos
Peacekeeper
Level 20

Re: Your Mailbox Quota Exceeded - From Gmail????

Ignore the message, as it is trying to entice you to access dangerous sites. I tried the top site you posted and got a web forgery warning; the link above I have also removed as it appears not safe.

A search of Google gets heaps of hits on the email contents you posted, this on several email clients, so it is a spam/scam. I have asked Hayton, who is more skilled than I in web site testing, to comment as well.

0 Kudos
exbrit
Level 21

Re: Your Mailbox Quota Exceeded - From Gmail????

I won't pretend to know how your system works as I'm on the consumer side but noticed nobody had responded to you.  It isn't that hard to run out of mailbox space using Gmail (see this entry on the web: http://sidawson.com/2011/02/gmail-storage-quota-exceeded-why-this-happens.html), but what you got looks like phishing spam.

I would imagine you need to set up mail filters.

0 Kudos
wantonc22
Level 7

Re: Your Mailbox Quota Exceeded - From Gmail????

Thank you Peacemaker and ExBrit, you have both confirmed my thoughts.  This one almost got through under my guard, but luckily my habit of reading who the message is from alerted me.  Thanks again.

0 Kudos
exbrit
Level 21

Re: Your Mailbox Quota Exceeded - From Gmail????

Yes it's often hard to tell the bad ones from the good.

0 Kudos
Hayton
Level 18

Re: Your Mailbox Quota Exceeded - From Gmail????

I did a bit of checking. Usually an email like that is designed to get you to go to a website which is infected with malware of some kind. That may not be the case here.

The two URLs involved looked confusing -

http://arinak(dot)com(dot)tr  and  http://suriyenakliyat(dot)com

But http://suriyenakliyat(dot)com  redirects to http://www.arinak(dot)com(dot)tr/suriyenakliye

This page does not appear to be on the official site map.

Edit : Don't worry. Those links look clickable but they don't go anywhere.

Arinak(dot)com is the site of Arina Logistics (or Arinak Lojistik), an apparently legitimate Turkish freight-transportation company transporting goods between Europe and the Middle East - the site is big on logistics, transportation, warehousing, distribution and the supply chain.

Company details are available at http://www.nakliyeilani.com/firmalar/DAE13FC2-378C-45F8-BDF9-5132503A8B8F/arinak-lojistik

Their entire web site has been rated Yellow since at least as far back as June, but Yellow means 'Take Care', not 'Beware Of Infection'.

Sucuri, urlquery and others all say the site has no malware on it. However, the site does have a vulnerability : it is running under an outdated version of WordPress. And WordPress sites have been aggressively targeted recently by hackers for all sorts of reasons, ranging from spam to financial fraud.

What appears to have happened here is that the site has been hacked. The "suriyenakliye" page is a very big clue : "suriye" is "Syria".

I examined the page (incidentally Google Translate does a terrible job of translating Turkish) and either the page has been inserted into the site or the page content has been modified by hackers. Since the content reflects a pro-Assad take on current developments in Syria I would guess the Syrian Electronic Army have paid the site a visit and left their calling card.

Recent reports about their activities have given a few clues to why this site was chosen to be hacked :

http://www.informationweek.com/security/attacks/fbi-warns-of-syrian-electronic-army-hack/240160939

Many of those takedowns were accomplished using cheap-and-easy spear-phishing attacks, often designed to separate victims from their Google login information, which the hackers then use to seize control of Twitter feeds and send further phishing emails

http://www.bbc.co.uk/news/technology-23899140

Brian Krebs, a former Washington Post reporter, wrote that clues discovered when the SEA's own website was hacked earlier in the year pointed towards at least one member of the group being based in neighbouring country Turkey.

http://krebsonsecurity.com/2013/08/who-built-the-syrian-electronic-army/#more-22428

Brian Krebs is no longer so sure that one of the SEA hackers is in Turkey. With the fog of disinformation and dirty tricks washing around the whole Syrian arena at the moment it is not safe to assume that any action like this can be definitely attributed to this or that group or faction. Nevertheless ...

One page in that Syria section is indeed blocked by Google as a phishing page, and with good reason : http://suriyenakliyat(dot)com/newgm.html

Here is the reason why it is blocked. Someone is out to get Gmail account details and passwords ...

[Image: suriyenakliyat phishing page.JPG]

Edit -

I would guess that the email intended to send the recipient to this hacked page is part of a continuing campaign, although why the campaign is using a Turkish logistics company for the destination is anybody's guess.

Message was edited by: Hayton on 21/09/13 17:06:52 IST
0 Kudos
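
Added example, not part of the original thread and not written by any of the posters: a sketch of the check the thread arrives at by hand, flagging links in a message that borrows Google/Gmail wording but points somewhere else, and printing them with (dot) as Hayton does. The trusted-domain list, the brand words, the function names and the sample message with its placeholder addresses are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: domains a genuine notice links to; brand words from the quoted mail.
TRUSTED = ("google.com", "gmail.com")
BRAND_WORDS = ("gmail", "google+", "mailbox quota")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    """Exact or subdomain match, so google.com.other.example is rejected."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def defang(url):
    """Write the host with (dot), as in the thread, so it is not clickable."""
    netloc = urlsplit(url).netloc
    return url.replace(netloc, netloc.replace(".", "(dot)"), 1)

def suspicious_links(html_body):
    """Return (link text, defanged URL) for off-brand links in a branded mail."""
    if not any(word in html_body.lower() for word in BRAND_WORDS):
        return []
    collector = LinkCollector()
    collector.feed(html_body)
    return [(text, defang(href)) for href, text in collector.links
            if not is_trusted(urlsplit(href).hostname)]

# Constructed sample: wording from the quoted message, placeholder addresses.
SAMPLE = """<p>Your Mailbox Quota limit has been exceeded. You cannot upload to Google+.</p>
<a href="http://freight-site.example/newgm.html">Validate</a>
<a href="https://support.google.com/mail/">Help</a>
"""
```

A link with no host at all (for example a mailto: address) is also reported, since it cannot be matched against the trusted list.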