nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

[Phish] Telephone phishing thread

I am hoping this can be made a sticky thread for reporting telephone phishing (includes vishing - voice phish as well as fax phish).

Note that ordinary phishes should be reported to »/phishtrack rather than here.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

Fax phish - 914-293-2651 (paypal)

Excerpts from phish:
Your account access will be limited if in less than 48 hours we do not receive the fax with the information asked.
# (Your case ID for this reason is PP-136-124-102.)
and
Please send us all of the following information so we can verify your identity with our records. (we require a fax in less than 48 hours)

1) Photocopy of a government-issued photo identification (identity card or passport)
2) Photocopy of your credit card (front and back side are required)

Please be informed that the photocopies must be specific and readable otherwise they will not be taken in consideration.

Please send us only one fax message that will contain all the photocopies required.

Please send us the information requested to the fax number or address below.

Faxing from US: 914-293-2651
Faxing from outside US: +1 914-293-2651
Excerpt from mail headers:

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
reply to nwrickert

Re: [Phish] Telephone phishing thread

said by nwrickert:

I am hoping this can be made a sticky thread for reporting telephone phishing (includes vishing - voice phish as well as fax phish).
Agreed.


Kibbles
Premium
join:1999-07-31
Mission Viejo, CA
reply to nwrickert
Would you get in trouble if you faxed an FBI cover sheet?
Looks like the call goes to NY...or is that forwarded somewhere else?


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
I would guess it might be a VOIP number, in which case it could be anywhere.


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41
reply to nwrickert
Hope these are useful to someone...

February 21:
quote:
Visa ATM/Check Card Deactivation
Message from: Customer Service
Date: 02/21/2008

We detected irregular activity on your Gesa ATM/Check Card on 02/20/2008.

For your protection we have had to suspend any future authorizations
being conducted with your Gesa Visa ATM/Check Card.

For your security we have deactivate your card.

How to activate/re-activate your card ?

You may stop by your branch or call our Activation Center.

Activation Center: (509) 210-4256 (24 Hour Line)

Headers:

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41
February 20:
quote:
Dear customer,

Due to recent online fraud, all cardholders are required to contact our Town North Bank, Security Departament at our total free number : 972-546-0398

Contacting this number will enable us to monitor your account closely, and suspend it as soon as we notice any fraudulent activity.

CONTACTING THIS NUMBER IS MANDATORY, OR YOUR CARD WILL BE CONSIDERED A SECURITY RISK AND IT WILL BE BLOCKED FROM ONLINE USAGE !

Please DO NOT reply to any emails asking for sensitive information, as many of our customers have been frauded for considerable ammounts of money.
If you receive any type of email please report it immediately !

Please note the total free number : +1 972-546-0398

Town North Bank Security Departamanet ,
PO Box 814810
Dallas, Texas 75381-4810

Headers:

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41


February 19:
quote:
Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 847-481-8194

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 847-481-8194

Copyright © VISA Debit Card, All Rights Reserved
Headers:

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41
February 13:
quote:
Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 805-203-4523

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 805-203-4523

Copyright © VISA Debit Card, All Rights Reserved

Headers:

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41
February 4:
quote:
Dear Empire Bank Cardholder,

We detected irregular activity on your debit/credit card on 02/03/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Empire Bank is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 929-3209 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

Member FDIC · Equal Housing Lender· © 2007 Empire Bank
Headers:

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41
January 23:
quote:
Dear Cardholder,

We detected irregular activity on your debit card on 01/22/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

To reactivate your account, you must contact us at (800) 564-9401 and fallow the instructions .

Copyright © National Credit Union Administration .

Headers:

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41
January 23:
quote:
Dear PUDCU Cardholder,

We detected irregular activity on your debit/credit card on 01/21/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Snohomish County PUD Credit Union is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 319-9621 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

© 2008 Snohomish County PUD Credit Union
Headers:

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41

January 21:
quote:
Dear Listerhill Credit Union Cardholder,

We detected irregular activity on your debit/credit card on 01/21/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Listerhill Credit Union is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 554-8147 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

Headers:

That's just about it for 2008 so far. I won't bore you guys with copies of vish emails from 2007, unless you think they'll be useful...

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41
March 11:
quote:
Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 803-825-4293

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 803-825-4293

Copyright © VISA Debit Card, All Rights Reserved
Headers:

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to nwrickert
March 12: Colonial bank
quote:
Dear Customer,

Colonial Bank temporarily suspended your account.

Reason: Fraud Attempts

To reactivate your account call the toll-free number: 1-334-246-4229

Never access Colonial Bank Web site by clicking on a link provided in an e-mail.
Colonial Bank will never solicit you to provide or update personal or financial
information. And, will never send an e-mail containing links to Web sites.

Copyright 2008 Colonial Bank . All Rights Reserved.

KYDXBXIQSQHWJJWPKRDPWGQCLXDWJFVBUYGUTF

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
Phone Phish delivered to my Mom's Yahoo email:


Only thing changed was my mom's email name. I replaced it
with the 'x'.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to nwrickert

Colonial bank (334) 830-4240

Another Colonial bank vish - different phone number
quote:
> Colonial Bank Online department temporary disabled your account.

You no longer have access to the account registered with this email address

After three unsuccessful login attempts your account was temporary disabled until further investigations.

Colonial Bank will never ask you any information via e-mail. Call this number (334) 830-4240 - Toll Free

You must reactivate your account immediately, or you won't be able to use your cards again.

> Sorry for any inconvenience this may cause and thank you for your patience.

> To reactivate your account call us: (334) 830-4240 - Toll Free

2004-2008 Colonial Bank

KFVIQCXMNBHRXJSRFIYSQJKLNMGFNRBSFENPMZ

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41
Got the same one as you did about the 334-830-4240 number. Headers:


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41
March 14:
quote:
Dear customer,

VISA Debit Card, Security Departament suspended your acccount.
Reason: Energy Breakdown

After the energy breakdown from 13/03/2008 it appears that some of our hardware is not working properly. The data of five thousands customers stored on computer backup tapes was lost.

Some restrictions applied untill you update your account.

To reactivate your account please call at : 209-683-4515 Please note our number : +1 209-683-4515

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from VISA Debit Card database.
Headers:


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

Re: [Phish] Telephone phishing thread

A Franklin Bank phone phish sent to my mom's Yahoo email:
(I submitted a regular one of these just now to Phishtracker -
it too has a phone number in it as well, probably bogus.)
As with the last one I posted, the only thing changed was
in the X-Apparently-To: field.


--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
Pentagon Federal Credit Union Phish

As before, the only thing changed was the name in the
X-Apparently-To header.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:41
reply to nwrickert
VISA - local number to me in Houston. Scary.

quote:
> VISA Security Department temporary disabled your account.

Verified by VISA will never ask you any information via e-mail. Call this number (832)772-7857 - Toll Free

You must reactivate your account immediately, or you won't be able to use your cards again.

> Sorry for any inconvenience this may cause and thank you for your patience.

> To reactivate your account call us: 832-772-7857- Toll Free

© 2001-2008 Visa. All Rights Reserved.

This message was sent to Email Id :

WPTLLOFITJBTPCIRFUNZMICCCONJSFMEEMUDLO
Headers:

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to nwrickert

[Phish] Credit Union 1 vish (ATM card)

Card Deactivation
Message from: Customer Service
Date: 04/02/2008
We detected irregular activity on your ATM/Check Card on 04/02/2008.
For your protection we have had to suspend any future authorizations
being conducted with your card.
For your security we have deactivate your card.
How to activate/re-activate your card ?
You may stop by your branch or call our Activation Center.

Activation Center: (866) 722-3235 (24 Hour Line)
Our automated system allows you to quickly activate your card.
We apologize for any inconvenience this may cause.
Copyright © 2008 Credit Union 1. All Rights Reserved.


--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

Re: [Phish] Telephone phishing thread

This one apparently from CUNA regarding the Wal-Mart data
breach seems to be quite suspicious. It had me fooled for
a minute, until I looked more closely at the headers. Nice try.

As before, the only thing changed is the name in the
X-Apparently-To: header:


--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2
reply to nwrickert
I got a Franklin. I called the number. There's a semi-realistic TRS on it that asks for the card number, PIN, expiration date.

I put in completely bogus info (like 1234567812345678 for the card number). After a brief pause, it came back with "card, PIN or expiration are not valid, please reenter." So, I made up different info. It took it, said the card is now active and valid worldwide and ended.

I called back a few more times. Sometimes I gave it identical data, others not. It took it all just the same.

It seems that it tries to make it seem legit to get someone to reenter the info to make sure they've got a live one. However, they farkled it and it doesn't catch mismatches.

This would be great rainy-day fun wasting their time and flooding them with bogus data if it wasn't a toll-free number that captures the number you're calling from regardless of caller id blocking. (Anyone near a pay phone wanna give it a go and see if they're stupid enough to not have blocked pay station callers?)

=====

Return-Path:
Received: from mail.im3.com [216.201.16.126] by mail.ultimahosts.com with SMTP;
Fri, 11 Apr 2008 16:25:02 -0400
Received: from User (unverified [72.28.171.9]) by cartman.im3.com
(Vircom SMTPRS 4.4.568.66) with ESMTP id ;
Fri, 11 Apr 2008 15:53:41 -0400
X-Modus-BlackList: bankfranklin@franklinsecurity.com=OK
X-Modus-Audit: FALSE;0;0;0
Reply-To:
From: "Franklin Bank"
Subject: Card Deactivation
Date: Fri, 11 Apr 2008 15:53:36 -0400
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Rcpt-To:
X-SmarterMail-Spam: SPF_None

Card Deactivation
Message from: Customer Service
Date: 04/10/2008
We detected irregular activity on your ATM/Check Card on 04/10/2008.
For your protection we have had to suspend any future authorizations being
conducted with your card.
For your security we have deactivate your card.
How to activate/re-activate your card ?
You may stop by your branch or call our Activation Center.

Activation Center: (866) 578-0984 (24 Hour Line)

Our automated system allows you to quickly activate your card.
We apologize for any inconvenience this may cause.
Copyright © 2006 Franklin Bank. All Rights Reserved.
--
There is no giant fur-bearing trout.


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
Another Franklin Bank one:


--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
reply to nwrickert

Lizz_Vish_Archived

X-Apparently-To: myemail@pacbell.net via 209.191.85.225; Tue, 15 Apr 2008 10:39:54 -0700
X-Originating-IP:[212.85.249.132]
Return-Path:
Authentication-Results:mta121.sbc.mail.mud.yahoo.com from=franklin.com; domainkeys=neutral (no sig)
Received:from 207.115.36.53 (EHLO nlpi024.prodigy.net) (207.115.36.53) by mta121.sbc.mail.mud.yahoo.com with SMTP; Tue, 15 Apr 2008 10:39:52 -0700
X-Header-Overseas:Mail.from.Overseas.source.212.85.249.132
X-Originating-IP:[212.85.249.132]
Received:from node-2.minx.net.uk (node-2.minx.net.uk [212.85.249.132]) by nlpi024.prodigy.net (8.13.8 inb regex/8.13.8) with ESMTP id m3FHdoDY014536 for ; Tue, 15 Apr 2008 12:39:50 -0500
Received:from [195.82.101.89] (helo=mail.QuantumFittedFurniture.co.uk) by node-2.minx.net.uk with esmtp (Exim 4.60) (envelope-from ) id 1JlpIR-0005rN-Og for myemail@pacbell.net; Tue, 15 Apr 2008 18:50:20 +0100
Received:from User ([192.168.0.250] RDNS failed) by mail.QuantumFittedFurniture.co.uk with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Apr 2008 18:29:09 +0100
Reply-to:
From:"Franklin Bank"
Subject:Card Deactivation
Date:Tue, 15 Apr 2008 13:39:36 -0400
MIME-Version:1.0
Content-Type:text/plain; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID:
X-OriginalArrivalTime:15 Apr 2008 17:29:10.0078 (UTC) FILETIME=[37021DE0:01C89F1E]
X-MINX-Orig-IP:195.82.101.89
X-Spam-Score:2.9 (++)
X-Spam-Level:++
Content-Length:563

Card Deactivation
Message from: Customer Service
Date: 04/15/2008

We detected irregular activity on your ATM/Check Card on 04/15/2008.
For your protection we have had to suspend any future authorizations
being conducted with your card.

For your security we have deactivate your card.

How to activate/re-activate your card ?

You may stop by your branch or call our Activation Center:

Activation Center: (866) 797-5640 (24 Hour Line)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

Re: [Phish] Telephone phishing thread

Yet another Franklin Bank one, trying to look legitimate by
warning recipients of phishing scams. They're not fooling me.

The phone number's likely bogus, and the IP address 72.28.171.9 is likely a botnet zombie (it certainly
isn't one of Franklin's IPs). The Corporate Office
address is real, however.


--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
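
The header check Doctor Four describes above (is the sending IP one of the bank's?), as an added example in Python that is not part of any post in this thread. It walks the Received chain oldest-first, skips private addresses, and reports the first public IP plus three simple warning signs; the sample From address, the receiving host name and the function names are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: hop layout and relay IPs follow the 15 Apr 2008 header dump
# in this thread; the From address and "mx.recipient.example" are placeholders.
SAMPLE = """\
Received: from node-2.minx.net.uk (node-2.minx.net.uk [212.85.249.132])
\tby mx.recipient.example with ESMTP; Tue, 15 Apr 2008 12:39:50 -0500
Received: from [195.82.101.89] (helo=mail.QuantumFittedFurniture.co.uk)
\tby node-2.minx.net.uk with esmtp (Exim 4.60); Tue, 15 Apr 2008 18:50:20 +0100
Received: from User ([192.168.0.250] RDNS failed)
\tby mail.QuantumFittedFurniture.co.uk with Microsoft SMTPSVC(6.0.3790.3959);
\tTue, 15 Apr 2008 18:29:09 +0100
From: "Franklin Bank" <service@franklin-bank.example>
Subject: Card Deactivation
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_public(ip):
    """True only for globally routable addresses; malformed input is not public."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def parse_hops(raw):
    """Return the Received chain oldest-first (headers are prepended in transit)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        sender, _, receiver = re.sub(r"\s+", " ", value).partition(" by ")
        words = sender.split()
        ip = IP_RE.search(sender)
        hops.append({
            "helo": words[1] if len(words) > 1 else "",
            "ip": ip.group(1) if ip else None,
            "by": receiver.split(" ")[0].rstrip(";"),
            "unverified": bool(re.search(r"unverified|RDNS failed", sender, re.I)),
        })
    return hops


def assess(raw):
    """Summarise where a message entered the public mail path and what looks off."""
    hops = parse_hops(raw)
    sender_addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    from_domain = sender_addr.rpartition("@")[2].lower()
    # Private hops (192.168.x.x etc.) identify nothing; take the first public one.
    origin = next((h["ip"] for h in hops if h["ip"] and is_public(h["ip"])), None)
    names = {h["by"].lower() for h in hops} | {h["helo"].lower() for h in hops}
    in_path = any(n == from_domain or n.endswith("." + from_domain) for n in names)
    findings = []
    if hops and hops[0]["helo"].lower() == "user":
        findings.append("generic-helo")  # client named itself "User"
    if any(h["unverified"] for h in hops):
        findings.append("unverified-hop")
    # Weak signal on its own: legitimate senders also use third-party relays.
    if from_domain and not in_path:
        findings.append("from-domain-not-in-path")
    return {"from_domain": from_domain, "origin_ip": origin, "findings": findings}
```

Only the Received line written by your own mail server can be trusted; every line below it is supplied by the sending side and can be forged, so treat the result as a lead to verify rather than as attribution.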


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
Another Franklin Bank one, same phone number as before:


--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

reply to nwrickert
Amarillo National Bank vish:


URLs for both the forged ANB and Verisign logos in the
body of the phish (posted as JPG as it is all html)

ANB: hxxp://jeannemcallister.com/logo.gif
Verisign: hxxp://jeannemcallister.com/logo-verisign.gif

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)