i've noticed all (the ones i'm getting atm) are the work of the same dude (group). they can be identified because they all run from a folder called "rock". often there are multiple scams running from the same compromised host, in the same way a group that used port 4901 used to do a year ago.
they're all running on presumably a preconfigured Apache/2.0.46 (CentOS) Server. why it mentions CentOS i don't know cos the hosts are, the ones i've checked, all Windows boxes.
the mails tend to be grouped, i.e. in Nov it was all Barclays, then Halifax and Lloyds TSB, and now they're all NatWest. why i need to receive like 5 a day for the same bank for days I don't know. it's not like they're much different, possibly trying to avoid spam filters, but anyone that gets more than a few a day is bound to get suspicious one would think.
examples:- for each bank the email is always identical.
example subject lines, as you can also see there's hidden spam junk on each of the messages
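A way to triage a mailbox for the pattern this post describes, as an added example that is not part of the original post: it pulls links out of message bodies, keeps those served from a "rock" folder, and groups them by host so that hosts carrying more than one scam stand out. The sample bodies, hosts, ports and everything after `/rock/` are constructed, and treating "rock" as the first folder of the path is an assumption made to avoid matching unrelated pages.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample bodies: hosts, ports and paths below /rock/ are invented.
SAMPLE_BODIES = [
    "Dear customer, confirm your details: http://198.51.100.7/rock/n/login.htm",
    "NatWest security update http://198.51.100.7/rock/n/login.htm?id=2",
    "Barclays notice <a href='http://198.51.100.7/rock/b/index.htm'>click</a>",
    "Halifax alert http://203.0.113.20:8080/Rock/h/start.htm",
    "Newsletter http://www.example.org/music/rock/bands.html",
    "Invoice attached, see http://www.example.com/billing",
]

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
MARKER = "rock"  # folder name reported in the post


def rock_urls(body):
    """Yield (host, port, kit_dir) for links whose first path folder is MARKER."""
    for raw in URL_RE.findall(body):
        parts = urlsplit(raw)
        segs = [s for s in parts.path.split("/") if s]
        # Assumption: the folder sits at the top of the path, so a page such as
        # /music/rock/bands.html on an unrelated site is not flagged.
        if segs and segs[0].lower() == MARKER:
            kit = segs[1] if len(segs) > 2 else ""  # sub-folder under /rock/
            default = 443 if parts.scheme == "https" else 80
            yield parts.hostname, parts.port or default, kit


def summarise(bodies):
    """Group hits as {(host, port): {"hits": count, "kits": set of sub-folders}}."""
    hosts = defaultdict(lambda: {"hits": 0, "kits": set()})
    for body in bodies:
        for host, port, kit in rock_urls(body):
            hosts[(host, port)]["hits"] += 1
            hosts[(host, port)]["kits"].add(kit)
    return dict(hosts)


def multi_scam_hosts(summary):
    """Hosts serving more than one distinct folder under /rock/."""
    return sorted(k for k, v in summary.items() if len(v["kits"]) > 1)


if __name__ == "__main__":
    for (host, port), info in summarise(SAMPLE_BODIES).items():
        print(host, port, info["hits"], sorted(info["kits"]))
```

The per-host grouping also records the port, which makes a non-standard port shared by several hosts easy to spot.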