Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

[Phish] Scammers targeting Point Bank customers

I heard something about this tonight on CBS11 TV on their
10 O'Clock news. Pilot Point based Point Bank has been at
the center of a mass phishing attempt originating from
Eastern Europe (Romania most likely). They're also hitting
via phone as well as email.

»cbs11tv.com/consumer/sca ··· 185.html

While I haven't gotten any of these yet in any of my email
accounts, they're hammering my mom's Yahoo email, with many
of them getting into her inbox.

A sample code block from one (I have the original, unaltered
email saved - if it will submit to Phishtracker, I'll do so)

X-Apparently-To: x@yahoo.com via 66.163.178.145; Mon, 24 Dec 2007 11:59:03 -0800
X-Originating-IP:[217.221.58.234]
Return-Path:<update@pointbank.com>
Authentication-Results:mta270.mail.mud.yahoo.com from=PointBank.com; domainkeys=neutral (no sig)
Received:from 217.221.58.234 (EHLO serverw.witox.it) (217.221.58.234) by mta270.mail.mud.yahoo.com with SMTP; Mon, 24 Dec 2007 11:59:03 -0800
Received:from User ([212.241.211.169]) by serverw.witox.it with Microsoft SMTPSVC(6.0.3790.3959); Mon, 24 Dec 2007 19:08:22 +0100
From:"PointBank" <update@PointBank.com>
Subject:Update Your Account!
Date:Mon, 24 Dec 2007 19:16:29 +0100
MIME-Version:1.0
Content-Type:text/plain; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2800.1081
Bcc:
Return-Path:update@PointBank.com
Message-ID:<SERVERWzPYWYqBPd8RV00001787@serverw.witox.it>
X-OriginalArrivalTime:24 Dec 2007 18:08:22.0500 (UTC) FILETIME=[F87B7A40:01C84657]
Content-Length:499
 
Dear Customer,
 
PointBank temporarily suspended your account.
Reason: Billing failure.
We require you to complete an account update so we can unlock your
account.
 
To start the update process click the link below
 
hxxp://www.pointbank-update.com/
 
The information provided will be treated in confidence and stored in
our secure database.
If you fail to provide required information your account will be
automatically deleted from PointBank database. 
 
Copyright &copy;2007 PointBank, All Rights Reserved
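
As an added example (not part of the original post), a short Python triage of the headers quoted above that flags the mismatches visible in the sample: the relay host, the authentication result and the link host. The names `triage` and `base_domain`, and the naive two-label domain reduction, are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header subset copied from the sample in the post above; the link stays defanged as posted.
SAMPLE = """\
Return-Path:<update@pointbank.com>
Authentication-Results:mta270.mail.mud.yahoo.com from=PointBank.com; domainkeys=neutral (no sig)
Received:from 217.221.58.234 (EHLO serverw.witox.it) (217.221.58.234) by mta270.mail.mud.yahoo.com with SMTP; Mon, 24 Dec 2007 11:59:03 -0800
Received:from User ([212.241.211.169]) by serverw.witox.it with Microsoft SMTPSVC(6.0.3790.3959); Mon, 24 Dec 2007 19:08:22 +0100
From:"PointBank" <update@PointBank.com>
Subject:Update Your Account!

To start the update process click the link below
hxxp://www.pointbank-update.com/
"""

def base_domain(host):
    # Assumption: keeping the last two labels is enough for the .com/.it names here.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    """Return a list of findings for one raw message (headers plus body)."""
    msg = message_from_string(raw)
    from_dom = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    findings = []
    # The topmost Received line is written by the recipient's own MTA; lower
    # ones are supplied by earlier hops and can be forged by the sender.
    top = msg.get_all("Received", [""])[0]
    m = re.search(r"EHLO ([\w.-]+)\)", top)
    if m and base_domain(m.group(1)) != from_dom:
        findings.append(f"relay {m.group(1)} is outside From domain {from_dom}")
    # Anything other than an explicit pass means the From domain is unverified.
    auth = msg.get("Authentication-Results", "")
    if not re.search(r"\b(domainkeys|dkim|spf)=pass\b", auth):
        findings.append("no passing sender authentication result")
    # Accept both live and defanged (hxxp) links in the body.
    for host in re.findall(r"h(?:tt|xx)ps?://([\w.-]+)", msg.get_payload(), re.I):
        if base_domain(host) != from_dom:
            findings.append(f"link host {host} is not under {from_dom}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
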
 

garys_2k
Premium Member
join:2004-05-07
Farmington, MI

The real URL that the link would send you to didn't come through. Could you find that and post it?

Edit: the www.pointbank-update.com doesn't come back with a valid DNS reply for me -- was that the actual link or the one visible in the phish?

nwrickert
Mod
join:2004-09-04
Geneva, IL

Sure it did. It is "http://www.pointbank-update.com/", and the domain "pointbank-update.com" was registered Tuesday via Yahoo domains. It looks as if Yahoo has already pulled DNS for the domain.

nwrickert to Doctor Four

Yes, phishtracker should take that, provided you leave the "http" and don't change it to "hxxp".

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

I can change it back again, though there are likely to be
many more of these. She's seen as many as 6 or more a day
(counting both those in the inbox and those in Bulk Mail)
come through.

Doctor Four


Just submitted two of them to Phishtracker, the original of
the one from Monday, and another from today.

I tried the URL from today's, and the one in the link itself
is merely a redirect to the actual phish, which I also
submitted through Firefox as a web forgery. The former one
in my OP appears to be dead - OpenDNS gives me a server
failure on it.

Also, the number of these she's gotten has gone way down
since last night's newscast about the scam. There was only
the one today. I wonder if there could be someone locally
who is in on it.