New Scam: TV LICENSING INFO: SET UP YOUR DIRECT DEBIT

If the all-capitals title wasn’t a dead giveaway, the email headers would have been another good hint that this email is not quite legit, as I don’t have a TV License for Paraguay (.py domains).

Sender: info@back.com.py

WHOIS Says: Invalid domain name…

We are unable to perform a lookup for back.com.py. It appears to be an invalid or unsupported domain extension.

(This means that the email was sent with the intention of not working when you hit reply 🙂 )

Headers:

Received: from CO1NAM04HT187.eop-NAM04.prod.protection.outlook.com (2603:10a6:208:3e::33) by AM0PR09MB2692.eurprd09.prod.outlook.com with HTTPS via AM0PR02CA0020.EURPRD02.PROD.OUTLOOK.COM; Tue, 29 Oct 2019 07:53:17 +0000
Received: from CO1NAM04FT027.eop-NAM04.prod.protection.outlook.com (10.152.90.59) by CO1NAM04HT187.eop-NAM04.prod.protection.outlook.com (10.152.91.4) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2387.20; Tue, 29 Oct 2019 07:53:14 +0000
Authentication-Results: spf=pass (sender IP is 144.208.64.39) smtp.mailfrom=back.com.py; hotmail.com; dkim=pass (signature was verified) header.d=back.com.py;hotmail.com; dmarc=bestguesspass action=none header.from=back.com.py;
Received-SPF: Pass (protection.outlook.com: domain of back.com.py designates 144.208.64.39 as permitted sender) receiver=protection.outlook.com; client-ip=144.208.64.39; helo=vps21212.inmotionhosting.com;
Received: from vps21212.inmotionhosting.com (144.208.64.39) by CO1NAM04FT027.mail.protection.outlook.com (10.152.90.164) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.20 via Frontend Transport; Tue, 29 Oct 2019 07:53:14 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:ABC17D4F5C001701A9707D546E104CC5532F4390A269DC0457D4CF596000FD39;UpperCasedChecksum:D30588B47C4D2BE77E084353A00C1DEE051AC930265811B38DA60A2D55372169;SizeAsReceived:1990;Count:19
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=back.com.py ; s=default; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID :Subject:From:To:Date:Sender:Reply-To:Cc:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=f+sI4t38JdErr8RZbJ0I0/bqUYaPBcdjykFB0J2FQlU=; b=gG7sEPXMqJynFH8Ox3UHZiKOwC uZl5y25FNmn6dqb2EanK2CxY4aeqSsIhzrFdg4ySLj+TxAsmlDi1h0dB5mlXD9N+nvsAvlmkZqsB7 e5MUsdDg7iqHBS5cmqn661YdldDkEt8em72trdH2iVUlnZRo3X8ytVkyiTX7cgErndTf1r/UyQ8Us vxMLf2OpxCIN8r/TTbuQXfL8BdTIWF4pde8YDkJEYTJdQ+EocHIb64WGdQVwTOOConBHdq9oExk0T rgGmrHINkGILR7yDeZBaUJxmLJ0QAjzbsRVaBeZadeAFhqQQi4Cjtx4y6uEqS75mgl/GfsRI2qhVl qWyD87Lg==;
Received: from vps55575626.123-vps.co.uk ([37.122.210.43]:42620 helo=localhost.localdomain) by vps21212.inmotionhosting.com with esmtpa (Exim 4.92) (envelope-from ) id 1iPMJV-0002Gv-NA; Tue, 29 Oct 2019 03:53:14 -0400
Date: Tue, 29 Oct 2019 07:53:12 +0000
From: =?UTF-8?B?VFYgTElDRU5TSU5HIElORk8=?=
Subject: =?UTF-8?B?U0VUIFVQIFlPVVIgTkVXIERJUkVDVCBERUJJVA==?=
Message-ID:
X-Mailer: PHPMailer 5.2.2-rc2
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=utf-8
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps21212.inmotionhosting.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - back.com.py
X-Get-Message-Sender-Via: vps21212.inmotionhosting.com: authenticated_id: info@back.com.py
X-Authenticated-Sender: vps21212.inmotionhosting.com: info@back.com.py
X-IncomingHeaderCount: 19
Return-Path: info@back.com.py
X-MS-Exchange-Organization-ExpirationStartTime: 29 Oct 2019 07:53:14.7461 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 0c7bea12-200e-48ac-6a31-08d75c450da2
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: EFV:NLI;
X-MS-Exchange-Organization-AuthSource: CO1NAM04FT027.eop-NAM04.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-UserLastLogonTime: 10/29/2019 7:03:15 AM
X-MS-Office365-Filtering-Correlation-Id: 0c7bea12-200e-48ac-6a31-08d75c450da2
X-MS-TrafficTypeDiagnostic: CO1NAM04HT187:
X-MS-Exchange-PUrlCount: 1
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 144.208.64.39
X-SID-PRA: INFO@BACK.COM.PY
X-SID-Result: PASS
X-MS-Exchange-Organization-PCL: 2
X-Microsoft-Antispam: BCL:0;
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Oct 2019 07:53:14.6310 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0c7bea12-200e-48ac-6a31-08d75c450da2
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1NAM04HT187
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.5344697
X-MS-Exchange-Processed-By-BccFoldering: 15.20.2387.009
X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000261)(5061607266)(5061608174)(4900115)(8390131)(8377080)(8386120)(8403011)(4920090)(6515079)(4950130)(4990090);
X-Message-Info: 5vMbyqxGkdcNG1AWTY3wj/m0T3TIuhYfQa/3M7ezHvA2gpuTBc3GARuSYmj/P+aemnHUIxAz+0OvBcMHXtHJQrj5DUca9uz1iBg1LEW9zweryUvEydAtk/tue+kd+CKgpPGMKli/5ffoQdPeywM774Bjv9cYmV3qSEPksk9W6VeFEumSiA4lBYLH83WqIBMzIFX896oKaTuVQq0IsHMnYA==
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0z
MIME-Version: 1.0
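The headers above can be triaged programmatically. This added example (not part of the original post) decodes the display name and subject, lists which domain SPF/DKIM actually vouch for, and pulls the originating hop from the bottom of the Received chain. The abridged header sample, the restored From address and the `brand_domain` value `tvlicensing.co.uk` are assumptions supplied for the example.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: an abridged subset of the headers quoted on this page. The
# From address is an assumption (the page's copy lost it), taken from its Sender line.
RAW = """\
Authentication-Results: spf=pass (sender IP is 144.208.64.39) smtp.mailfrom=back.com.py; hotmail.com; dkim=pass (signature was verified) header.d=back.com.py;hotmail.com; dmarc=bestguesspass action=none header.from=back.com.py;
Received: from vps21212.inmotionhosting.com (144.208.64.39) by CO1NAM04FT027.mail.protection.outlook.com (10.152.90.164) with Microsoft SMTP Server id 15.20.2387.20; Tue, 29 Oct 2019 07:53:14 +0000
Received: from vps55575626.123-vps.co.uk ([37.122.210.43]:42620 helo=localhost.localdomain) by vps21212.inmotionhosting.com with esmtpa (Exim 4.92) id 1iPMJV-0002Gv-NA; Tue, 29 Oct 2019 03:53:14 -0400
From: =?UTF-8?B?VFYgTElDRU5TSU5HIElORk8=?= <info@back.com.py>
Subject: =?UTF-8?B?U0VUIFVQIFlPVVIgTkVXIERJUkVDVCBERUJJVA==?=
X-Mailer: PHPMailer 5.2.2-rc2

"""

def decode(value):
    """Decode RFC 2047 encoded-words such as =?UTF-8?B?...?=."""
    return str(make_header(decode_header(value)))

def triage(raw, brand_domain):
    """Summarise who really sent a message. brand_domain is the analyst's
    expectation for the claimed brand (an assumption, not read from the headers)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    from_domain = addr.rpartition("@")[2].lower()
    auth = msg["Authentication-Results"]
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    vouched = set(re.findall(r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", auth))
    # Each relay prepends its Received header, so the last one is the origin hop.
    origin = msg.get_all("Received")[-1]
    hop = re.search(r"from (\S+) \(\[?([\d.]+)\]?.*?helo=([^\s)]+)", origin)
    aligned = from_domain == brand_domain or from_domain.endswith("." + brand_domain)
    return {
        "display_name": decode(name),
        "subject": decode(msg["Subject"]),
        "from_domain": from_domain,
        "verdicts": verdicts,
        "vouched_domains": vouched,
        "origin_host": hop.group(1), "origin_ip": hop.group(2), "origin_helo": hop.group(3),
        "mailer": msg["X-Mailer"],
        # A pass only proves the mail came from vouched_domains, not from the brand.
        "brand_mismatch": not aligned,
    }

if __name__ == "__main__":
    for key, value in triage(RAW, "tvlicensing.co.uk").items():
        print(f"{key}: {value}")
```

The result shows why `spf=pass` and `dkim=pass` are not a sign of legitimacy here: both vouch for `back.com.py`, the account the mail was submitted through, while the brand appears only in the free-text display name.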

The Email

We'll send you emails from now on
Dear

WE’RE SORRY TO LET YOU KNOW THAT THE TV LICENSE COULD NOT BE AUTOMATICALLY RENEWED.

SOMETHING’S GONE WRONG WITH YOUR PAYMENTS.

AS WE COULDN’T TAKE THE LATEST PAYMENT FROM YOUR BANK ACCOUNT, THIS AMOUNT WILL ALSO NEED TO BE PAID WHEN YOU SET UP YOUR NEW DIRECT DEBIT.

REMEMBER, IF YOU DON’T KEEP UP WITH YOUR PAYMENTS, WE MAY BE FORCED TO CANCEL YOUR LICENSE OR PASS YOUR DETAILS TO A DEBT COLLECTION AGENCY.
TO CHANGE YOUR PAYMENT METHOD, HAVE A LOOK AT ALL YOUR OPTIONS.
SO, ALL YOU NEED TO DO IS MAKE SURE THERE’S ENOUGH MONEY IN YOUR ACCOUNT.
OR , IF YOU PREFER TO PAY THE MISSED AMOUNT NOW, YOU CAN SIGN IN ONLINE AND PAY USING YOUR DEBIT OR CREDIT CARD.
WHILE YOU’RE SIGNED IN, PLEASE MAKE SURE WE HAVE YOUR CORRECT BANK DETAILS.

 Go to your account 
If you manage your account online, you will be able to:
 Book an engineer and manage your appointments
Join Rewards  Continue to your account 
Add Rewards to your online account and get little extras for being with us
Get exciting giveaways, such as free energy with Loyalty Days.

The link goes to https://helypaints.com/rr, which appears to be registered by a US company, but when clicked it goes to Google 🙂 so it was probably already marked as a spam domain.


Domain Name: HELYPAINTS.COM
Registry Domain ID: 1821338719_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2019-07-15T06:34:08Z
Creation Date: 2013-08-12T13:42:35Z
Registrar Registration Expiration Date: 2021-08-12T13:42:35Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Domain Admin
Registrant Organization: Privacy Protect, LLC (PrivacyProtect.org)
Registrant Street: 10 Corporate Drive   
Registrant City: Burlington
Registrant State/Province: MA
Registrant Postal Code: 01803
Registrant Country: US
Registrant Phone: +1.8022274003
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: email@privacyprotect.org
Registry Admin ID: Not Available From Registry
Admin Name: Domain Admin
Admin Organization: Privacy Protect, LLC (PrivacyProtect.org)
Admin Street: 10 Corporate Drive   
Admin City: Burlington
Admin State/Province: MA
Admin Postal Code: 01803
Admin Country: US
Admin Phone: +1.8022274003
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: email@privacyprotect.org
Registry Tech ID: Not Available From Registry
Tech Name: Domain Admin
Tech Organization: Privacy Protect, LLC (PrivacyProtect.org)
Tech Street: 10 Corporate Drive   
Tech City: Burlington
Tech State/Province: MA
Tech Postal Code: 01803
Tech Country: US
Tech Phone: +1.8022274003
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: email@privacyprotect.org
Name Server: dns1.hostingceria.com
Name Server: dns2.hostingceria.com
Name Server: dns3.hostingceria.com
Name Server: dns4.hostingceria.com
DNSSEC: Unsigned
Registrar Abuse Contact Email: email@publicdomainregistry.com
Registrar Abuse Contact Phone: +1.2013775952

Be safe out there. Don’t click on any links, and make sure you don’t give out any bank details to anyone without confirming their identity.
