

Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

Re: [Phish] Telephone phishing thread

Pentagon Federal Credit Union Phish

As before, the only thing changed was the name in the
X-Apparently-To header.
X-Apparently-To: x@yahoo.com via 66.163.178.140; Thu, 27 Mar 2008 19:46:30 -0700
X-YahooFilteredBulk:65.105.120.87
X-Originating-IP:[65.105.120.87]
Return-Path:<service@penfed.org>
Authentication-Results:mta506.mail.mud.yahoo.com from=penfed.org; domainkeys=neutral (no sig)
Received:from 65.105.120.87 (EHLO webmail.iconnectu.net) (65.105.120.87) by mta506.mail.mud.yahoo.com with SMTP; Thu, 27 Mar 2008 19:46:30 -0700
Received:from User [207.166.116.186] by webmail.iconnectu.net with ESMTP (SMTPD32-6.06) id AC88B3DC004A; Thu, 27 Mar 2008 21:48:40 -0500
Reply-to:<service@penfed.org>
From:"service@penfed.org" <service@penfed.org>  Add Mobile Alert
Subject:Pentagon Federal Credit Union Account Suspended
Date:Fri, 28 Mar 2008 10:40:50 -0400
MIME-Version:1.0
Content-Type:text/plain; charset="_iso-2022-jp$ESC"
Content-Transfer-Encoding:7bit
X-Priority:1
X-MSMail-Priority:High
X-Mailer:Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2800.1081
Message-Id:<200803272149182.SM02700@User>
Content-Length:284
 
Dear Pentagon Federal Credit Union Customer, 
 
   ACCOUNT SUSPENDED
 
Your account has been suspended for invalid billing information
 provided.
 
To activate your account please call the security department at
 856-431-1109
 
Thank You
 
Pentagon Federal Credit Union Security Department
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


removed
Premium,VIP
join:2002-02-08
Houston, TX
kudos:40
reply to nwrickert
VISA - local number to me in Houston. Scary.

quote:
> VISA Security Department temporary disabled your account.

> Verified by VISA will never ask you any information via e-mail. Call this number (832)772-7857 - Toll Free

> You must reactivate your account immediately, or you won't be able to use your cards again.

> Sorry for any inconvenience this may cause and thank you for your patience.

> To reactivate your account call us: 832-772-7857- Toll Free

> © 2001-2008 Visa. All Rights Reserved.

> This message was sent to Email Id :

> WPTLLOFITJBTPCIRFUNZMICCCONJSFMEEMUDLO
Headers:
X-Greylist: delayed 870 seconds by postgrey-1.23 at coral.dslreports.com; Fri, 28 Mar 2008 12:49:54 EDT
Received: from costanzosbakery.com (mail.costanzosbakery.com [72.45.146.150])
by mail.dslr.net (Postfix) with ESMTP id 4CF4D4374F
for <removed@dslr.net>; Fri, 28 Mar 2008 12:49:54 -0400 (EDT)
Received: from User ([209.132.209.130]) by costanzosbakery.com with Microsoft SMTPSVC(6.0.3790.1830);
 Fri, 28 Mar 2008 12:11:22 -0400
Reply-To: <do-not-reply@visa.com>
From: "VISA"<security@visa.com>
Subject: VISA Security Department temporary disabled your account. 
Date: Fri, 28 Mar 2008 09:11:21 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <SERVER2003HrdZ6Vzvd00006939@costanzosbakery.com>
X-OriginalArrivalTime: 28 Mar 2008 16:11:22.0725 (UTC) FILETIME=[5D9D1150:01C890EE]
To: undisclosed-recipients:;
 

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to nwrickert

[Phish] Credit Union 1 vish (ATM card)

Card Deactivation
Message from: Customer Service
Date: 04/02/2008
We detected irregular activity on your ATM/Check Card on 04/02/2008.
For your protection we have had to suspend any future authorizations
being conducted with your card.
For your security we have deactivate your card.
How to activate/re-activate your card ?
You may stop by your branch or call our Activation Center.

Activation Center: (866) 722-3235 (24 Hour Line)
Our automated system allows you to quickly activate your card.
We apologize for any inconvenience this may cause.
Copyright © 2008 Credit Union 1. All Rights Reserved.

Return-Path: <creditunion1@membersecurity.com>
Received: from delagarzafence.com (2003-sbs.delagarzafence.com [68.91.246.105])
        by mp.cs.niu.edu (8.14.2/8.14.2) with ESMTP id m32INure009129
        for <munged@cs.niu.edu>; Wed, 2 Apr 2008 13:24:01 -0500 (CDT)
Received: from User ([65.66.160.78]) by delagarzafence.com with Microsoft SMTPSVC(6.0.3790.3959);
         Wed, 2 Apr 2008 11:52:13 -0500
Reply-To: <noreply@membersecurity.com>
From: "Credit Union 1"<creditunion1@membersecurity.com>
Subject: Card Deactivation
Date: Wed, 2 Apr 2008 11:53:00 -0500
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <2003-SBS5W3xNbMrRn00000073e@delagarzafence.com>
X-OriginalArrivalTime: 02 Apr 2008 16:52:13.0280 (UTC) FILETIME=[E652D600:01C894E1]
 
<p><font face="Arial">&nbsp;&nbsp;<img src="http://boxbownow.com/a/header.gif" width="339" height="92"></font></p>
<p><font face="Arial"> </font><font face="Arial">&nbsp;  <font size="2"><strong>Card Deactivation <br />
</strong></font></font><strong><font size="2" face="Arial">&nbsp; Message from: Customer Service<br />
&nbsp; Date: 04/02/2008</font></strong></p>
<p><font face="Arial">&nbsp;<font size="2"> We detected irregular activity on your          ATM/Check Card on 04/02/2008.<br />
</font></font><font face="Arial">&nbsp;<font size="2"> </font></font><font size="2" face="Arial">For your protection we have had to suspend any future authorizations<b
r>
&nbsp; being conducted with
your         card</font><font size="2">.</font></p>
<p><font size="2" face="Arial">&nbsp; For your security we have deactivate your card.</font></p>
<p><font size="2" face="Arial">&nbsp; How to activate/re-activate your card ?</font></p>
<p><font size="2" face="Arial">&nbsp; You may stop by your branch or call our Activation Center. <br>
  <br>
&nbsp; <strong><font color="#CC0000">Activation Center:  (866) 722-3235 (24 Hour Line)</font></strong></font></p>
<p><font size="2" face="Arial">&nbsp; Our automated system allows you to quickly activate your card.<br />
&nbsp; We apologize for any inconvenience this may cause<font size="1">.</font></font></p>
<p><font size="2" face="Arial">&nbsp;&nbsp;Copyright &copy; 2008 Credit Union 1.          All Rights Reserved.</font><font face="Arial"><br />
  </font><br>
</p>
 

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

Re: [Phish] Telephone phishing thread

This one apparently from CUNA regarding the Wal-Mart data
breach seems to be quite suspicious. It had me fooled for
a minute, until I looked more closely at the headers. Nice try.

As before, the only thing changed is the name in the
X-Apparently-To: header:

X-Apparently-To: x@yahoo.com via 66.163.178.135; Sun, 06 Apr 2008 10:14:58 -0700
X-YahooFilteredBulk:217.40.42.57
X-Originating-IP:[217.40.42.57]
Return-Path:<customerservice@cona.com>
Authentication-Results:mta134.mail.re3.yahoo.com from=; domainkeys=neutral (no sig)
Received:from 217.40.42.57 (EHLO erissrv1.eris.org.uk) (217.40.42.57) by mta134.mail.re3.yahoo.com with SMTP; Sun, 06 Apr 2008 10:14:57 -0700
Received:from cona.com ([74.7.27.50]) by erissrv1.eris.org.uk with Microsoft SMTPSVC(5.0.2195.6713); Sun, 6 Apr 2008 17:36:49 +0100
From:CUNA@  Add Mobile Alert
To:nataleemorse@yahoo.com
Subject:Wal-Mart Stores, Inc. Data Breach Announcment
Date:06 Apr 2008 11:36:39 -0500
Message-ID:<20080406113639.BCE6A283E7E711F5@from.header.has.no.domain>
MIME-Version:1.0
Content-Type:text/html; charset="iso-8859-1"
Content-Transfer-Encoding:quoted-printable
Return-Path:customerservice@cona.com
X-OriginalArrivalTime:06 Apr 2008 16:36:49.0531 (UTC) FILETIME=[6960ECB0:01C89804]
Content-Length:2742
 
WAL-MART STORES, INC. DATA BREACH ANNOUNCMENT
 
April/06/2008
 
CUNA is aware of the recent data breach at Wal-Mart Stores, Inc. and is taking
proactive steps to address the situation. The Customer Security Team at CUNA
is currently gathering information regarding the data breach and will react swiftly
in the best interests of its customers, including the re-issue of compromised
cards if necessary.
 
It is important to note that CUNA has effective fraud monitoring systems in
place and is constantly reviewing our accounts for fraudulent and/or suspicious
activity. The security of your account is very important to us.
 
Moving forward, we recommend that all CUNA customers review their account
activity on an ongoing basis and report to us any suspicious activity. In addition,
it is recommended that customers activate "Enhanced Card Security" to block 
 
Please call Customer Care at 1-800-794-9672, to activate (Enhanced Card Security)
for your debit or credit card.
 
Due to the extensive news coverage of this event, there have been reports of other
scams. If you receive a phone call or email from someone claiming to be from
Visa, or MasterCard DO NOT provide them with any personal or account information
Please visit http://www.nophishing.org/ for further information regarding fraud.
 
Finally, you may continue to use your debit card. Customers who have been affected
by the data breach will be notified, and be given further instructions via postal mail. If
you have immediate questions regarding your account, please contact Customer Care
at 1-800-794-9672, option 1.
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2
reply to nwrickert
I got a Franklin. I called the number. There's a semi-realistic TRS on it that asks for the card number, PIN, expiration date.

I put in completely bogus info (like 1234567812345678 for the card number). After a brief pause, it came back with "card, PIN or expiration are not valid, please reenter." So, I made up different info. It took it, said the card is now active and valid worldwide and ended.

I called back a few more times. Sometimes I gave it identical data, others not. It took it all just the same.

It seems that it tries to make it seem legit to get someone to reenter the info to make sure they've got a live one. However, they farkled it and it doesn't catch mismatches.

This would be great rainy-day fun wasting their time and flooding them with bogus data if it wasn't a toll-free number that captures the number you're calling from regardless of caller id blocking. (Anyone near a pay phone wanna give it a go and see if they're stupid enough to not have blocked pay station callers?)

=====

Return-Path:
Received: from mail.im3.com [216.201.16.126] by mail.ultimahosts.com with SMTP;
Fri, 11 Apr 2008 16:25:02 -0400
Received: from User (unverified [72.28.171.9]) by cartman.im3.com
(Vircom SMTPRS 4.4.568.66) with ESMTP id ;
Fri, 11 Apr 2008 15:53:41 -0400
X-Modus-BlackList: bankfranklin@franklinsecurity.com=OK
X-Modus-Audit: FALSE;0;0;0
Reply-To:
From: "Franklin Bank"
Subject: Card Deactivation
Date: Fri, 11 Apr 2008 15:53:36 -0400
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Rcpt-To:
X-SmarterMail-Spam: SPF_None

Card Deactivation
Message from: Customer Service
Date: 04/10/2008
We detected irregular activity on your ATM/Check Card on 04/10/2008.
For your protection we have had to suspend any future authorizations being
conducted with your card.
For your security we have deactivate your card.
How to activate/re-activate your card ?
You may stop by your branch or call our Activation Center.

Activation Center: (866) 578-0984 (24 Hour Line)

Our automated system allows you to quickly activate your card.
We apologize for any inconvenience this may cause.
Copyright © 2006 Franklin Bank. All Rights Reserved.
--
There is no giant fur-bearing trout.


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
Another Franklin Bank one:

X-Apparently-To: x@yahoo.com via 66.163.178.135; Tue, 15 Apr 2008 09:09:54 -0700
X-YahooFilteredBulk:64.34.200.180
X-Originating-IP:[64.34.200.180]
Return-Path:<bankfranklin@franklin.com>
Authentication-Results:mta112.mail.re3.yahoo.com from=franklin.com; domainkeys=neutral (no sig)
Received:from 64.34.200.180 (EHLO web420.linux-hosting.com) (64.34.200.180) by mta112.mail.re3.yahoo.com with SMTP; Tue, 15 Apr 2008 09:09:53 -0700
Received:from User (72-28-171-009-dhcp.aik.sc.atlanticbb.net [72.28.171.9]) (authenticated bits=0) by web420.linux-hosting.com (8.13.1/8.13.1) with ESMTP id m3FFmMlk010716; Tue, 15 Apr 2008 21:18:22 +0530
Message-Id:<200804151548.m3FFmMlk010716@web420.linux-hosting.com>
Reply-to:<noreply@franklinsecurity.com>
From:"Franklin Bank" <bankfranklin@franklin.com>  Add Mobile Alert
Subject:Card Deactivation
Date:Tue, 15 Apr 2008 12:01:07 -0400
MIME-Version:1.0
Content-Type:text/plain; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Length:563
 
Card Deactivation
Message from: Customer Service
Date: 04/15/2008
 
We detected irregular activity on your ATM/Check Card on 04/15/2008.
For your protection we have had to suspend any future authorizations 
being conducted with your card.
 
For your security we have deactivate your card.
 
How to activate/re-activate your card ?
 
You may stop by your branch or call our Activation Center:
 
Activation Center: (866) 797-5640   (24 Hour Line) 
 
Our automated system allows you to quickly activate your card.
We apologize for any inconvenience this may cause.. 
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
reply to nwrickert

Lizz_Vish_Archived

X-Apparently-To: myemail@pacbell.net via 209.191.85.225; Tue, 15 Apr 2008 10:39:54 -0700
X-Originating-IP:[212.85.249.132]
Return-Path:
Authentication-Results:mta121.sbc.mail.mud.yahoo.com from=franklin.com; domainkeys=neutral (no sig)
Received:from 207.115.36.53 (EHLO nlpi024.prodigy.net) (207.115.36.53) by mta121.sbc.mail.mud.yahoo.com with SMTP; Tue, 15 Apr 2008 10:39:52 -0700
X-Header-Overseas:Mail.from.Overseas.source.212.85.249.132
X-Originating-IP:[212.85.249.132]
Received:from node-2.minx.net.uk (node-2.minx.net.uk [212.85.249.132]) by nlpi024.prodigy.net (8.13.8 inb regex/8.13.8) with ESMTP id m3FHdoDY014536 for ; Tue, 15 Apr 2008 12:39:50 -0500
Received:from [195.82.101.89] (helo=mail.QuantumFittedFurniture.co.uk) by node-2.minx.net.uk with esmtp (Exim 4.60) (envelope-from ) id 1JlpIR-0005rN-Og for myemail@pacbell.net; Tue, 15 Apr 2008 18:50:20 +0100
Received:from User ([192.168.0.250] RDNS failed) by mail.QuantumFittedFurniture.co.uk with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Apr 2008 18:29:09 +0100
Reply-to:
From:"Franklin Bank" Add to Address BookAdd to Address Book Add Mobile Alert
Subject:Card Deactivation
Date:Tue, 15 Apr 2008 13:39:36 -0400
MIME-Version:1.0
Content-Type:text/plain; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID:
X-OriginalArrivalTime:15 Apr 2008 17:29:10.0078 (UTC) FILETIME=[37021DE0:01C89F1E]
X-MINX-Orig-IP:195.82.101.89
X-Spam-Score:2.9 (++)
X-Spam-Level:++
Content-Length:563

Card Deactivation
Message from: Customer Service
Date: 04/15/2008

We detected irregular activity on your ATM/Check Card on 04/15/2008.
For your protection we have had to suspend any future authorizations
being conducted with your card.

For your security we have deactivate your card.

How to activate/re-activate your card ?

You may stop by your branch or call our Activation Center:

Activation Center: (866) 797-5640 (24 Hour Line)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

Re: [Phish] Telephone phishing thread

Yet another Franklin Bank one, trying to look legitimate by
warning recipients of phishing scams. They're not fooling me.

The phone number's likely bogus, and the IP address 72.28.171.9 is likely a botnet zombie (it certainly
isn't one of Franklin's IPs). The Corporate Office
address is real, however.

X-Apparently-To: x@yahoo.com via 66.163.178.140; Mon, 21 Apr 2008 12:15:14 -0700
X-YahooFilteredBulk:8.10.184.138
X-Originating-IP:[8.10.184.138]
Return-Path:<franklinbank@ddsadsa.com>
Authentication-Results:mta250.mail.re3.yahoo.com from=ddsadsa.com; domainkeys=neutral (no sig)
Received:from 8.10.184.138 (EHLO mail.wghco.com) (8.10.184.138) by mta250.mail.re3.yahoo.com with SMTP; Mon, 21 Apr 2008 12:15:14 -0700
Received:from User ([72.28.171.9]) by mail.wghco.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 21 Apr 2008 11:49:39 -0700
From:"Franklin Bank" <franklinbank@ddsadsa.com>  Add Mobile Alert
Subject:SECURITY ALERT!
Date:Mon, 21 Apr 2008 14:48:37 -0400
MIME-Version:1.0
Content-Type:text/html; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path:franklinbank@ddsadsa.com
Message-ID:<HENSCHEN7n0swXX1sPt00000677@mail.wghco.com>
X-OriginalArrivalTime:21 Apr 2008 18:49:39.0703 (UTC) FILETIME=[742AE870:01C8A3E0]
X-TM-AS-Product-Ver:SMEX-7.5.0.1243-5.0.1023-15864.001
X-TM-AS-Result:Yes-21.877000-4.000000-31
X-TM-AS-User-Approved-Sender:No
X-TM-AS-User-Blocked-Sender:No
Content-Length:1586
 
  Dear Franklin Bank Customer,
 
  Franklin Bank is aware of new phishing e-mails that are circulating.
  These e-mails request consumers to click a link due to a compromise of a 
  credit card account. You should not respond to this message.
 
  Due to unusual levels of fraud we have had to suspend any future authorizations
  being conducted with your Visa ATM/Check Card.
 
  For your security we have deactivate your card.
 
  How to activate/re-activate your card ?
 
  Call our Card Department: (866) 797-5643
 
 
 
  Our automated system allows you to quickly activate your card.
 
  We apologize for any inconvenience this may cause.
 
  Corporate Office
  9800 Richmond, Suite 680
  Houston, TX 77042
 
  Copyright © 2006 Franklin Bank. All Rights Reserved.
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
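
The point made in the post above, that 72.28.171.9 keeps appearing as the submitting client, can be checked mechanically over the Franklin Bank samples in this thread. This is an added example, not part of any post: the function names and sample labels are made up here, and the `Received` lines are copied from the posts in this thread with other headers trimmed and folding and spacing normalized.

```python
import ipaddress
import re
from collections import defaultdict
from email import message_from_string

# Received headers copied from messages quoted in this thread; all other
# headers are trimmed. The dictionary labels are made up for this example.
SAMPLES = {
    "franklin-04-11": """\
Received: from mail.im3.com [216.201.16.126] by mail.ultimahosts.com with SMTP;
 Fri, 11 Apr 2008 16:25:02 -0400
Received: from User (unverified [72.28.171.9]) by cartman.im3.com
 (Vircom SMTPRS 4.4.568.66) with ESMTP id ;
 Fri, 11 Apr 2008 15:53:41 -0400
""",
    "franklin-04-15-yahoo": """\
Received: from 64.34.200.180 (EHLO web420.linux-hosting.com) (64.34.200.180)
 by mta112.mail.re3.yahoo.com with SMTP; Tue, 15 Apr 2008 09:09:53 -0700
Received: from User (72-28-171-009-dhcp.aik.sc.atlanticbb.net [72.28.171.9])
 (authenticated bits=0) by web420.linux-hosting.com (8.13.1/8.13.1) with ESMTP
 id m3FFmMlk010716; Tue, 15 Apr 2008 21:18:22 +0530
""",
    "franklin-04-15-pacbell": """\
Received: from [195.82.101.89] (helo=mail.QuantumFittedFurniture.co.uk)
 by node-2.minx.net.uk with esmtp (Exim 4.60) (envelope-from )
 id 1JlpIR-0005rN-Og for myemail@pacbell.net; Tue, 15 Apr 2008 18:50:20 +0100
Received: from User ([192.168.0.250] RDNS failed) by mail.QuantumFittedFurniture.co.uk
 with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Apr 2008 18:29:09 +0100
""",
    "franklin-04-21": """\
Received: from 8.10.184.138 (EHLO mail.wghco.com) (8.10.184.138)
 by mta250.mail.re3.yahoo.com with SMTP; Mon, 21 Apr 2008 12:15:14 -0700
Received: from User ([72.28.171.9]) by mail.wghco.com
 with Microsoft SMTPSVC(6.0.3790.3959); Mon, 21 Apr 2008 11:49:39 -0700
""",
    "franklin-04-22": """\
Received: (qmail 9582 invoked by uid 509); 22 Apr 2008 11:26:37 -0600
Received: from 72-19-158-63.static.mesanetworks.net (HELO User) (72.19.158.63)
 by mx11.mesanetworks.net with SMTP; 22 Apr 2008 11:26:36 -0600
""",
}

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
HELO = re.compile(r"\((?:helo=|[EH]ELO\s+)([^\s)]+)\)", re.I)
FROM = re.compile(r"from\s+(\S+)\s*(.*?)\s+by\s", re.I)


def parse_hop(value):
    """Return (helo, ip) for one Received value, or None when it has no
    'from ... by' clause (for example qmail's '(qmail N invoked by uid N)')."""
    text = " ".join(value.split())          # undo header folding
    m = FROM.match(text)
    if not m:
        return None
    name, rest = m.groups()
    helo = HELO.search(rest)                # explicit HELO/EHLO wins over the bare name
    ip = IPV4.search(f"{name} {rest}")
    return (helo.group(1) if helo else name, ip.group(0) if ip else None)


def is_public(ip):
    """True for a routable address; False for private, reserved or malformed ones."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def origin_of(raw):
    """Walk the Received chain oldest hop first. Returns (helo, ip): the name
    the submitting client announced and the first public client address seen.
    A private first hop (client behind the relay) falls through to the next."""
    received = message_from_string(raw).get_all("Received") or []
    hops = [h for h in map(parse_hop, reversed(received)) if h]
    if not hops:
        return None
    ip = next((addr for _, addr in hops if addr and is_public(addr)), None)
    return hops[0][0], ip


def cluster_by_origin(samples):
    """Group sample labels by origin address to expose reuse across mailings."""
    clusters = defaultdict(list)
    for label, raw in samples.items():
        origin = origin_of(raw)
        if origin and origin[1]:
            clusters[origin[1]].append(label)
    return dict(clusters)


if __name__ == "__main__":
    for ip, labels in cluster_by_origin(SAMPLES).items():
        print(ip, labels)
```

A `Received` line is only as reliable as the server that wrote it, so the grouping is a lead for correlation and reporting rather than proof of who sent the message.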


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
Another Franklin Bank one, same phone number as before:

X-Apparently-To: x@yahoo.com via 66.163.178.138; Tue, 22 Apr 2008 15:07:58 -0700
X-YahooFilteredBulk:74.52.162.130
X-Originating-IP:[74.52.162.130]
Return-Path:<franklinbank@mesanetworks.net>
Authentication-Results:mta209.mail.re4.yahoo.com from=; domainkeys=neutral (no sig)
Received:from 74.52.162.130 (EHLO mx11.mesanetworks.net) (74.52.162.130) by mta209.mail.re4.yahoo.com with SMTP; Tue, 22 Apr 2008 15:07:56 -0700
Received:(qmail 9582 invoked by uid 509); 22 Apr 2008 11:26:37 -0600
Received:from 72.19.158.63 by mx11.mesanetworks.net (envelope-from <franklinbank@mesanetworks.net>, uid 508) with qmail-scanner-1.25-st-qms (clamdscan: 0.87/2133. spamassassin: 3.0.6. perlscan: 1.25-st-qms. Clear:RC:1(72.19.158.63):. Processed in 0.525889 secs); 22 Apr 2008 17:26:37 -0000
X-Antivirus-MESANETWORKS-Mail-From:franklinbank@mesanetworks.net via mx11.mesanetworks.net
X-Antivirus-MESANETWORKS:1.25-st-qms (Clear:RC:1(72.19.158.63):. Processed in 0.525889 secs Process 9540)
Received:from 72-19-158-63.static.mesanetworks.net (HELO User) (72.19.158.63) by mx11.mesanetworks.net with SMTP; 22 Apr 2008 11:26:36 -0600
Reply-to:<noreply@mesanetworks.net>
From:"Franklin Bank" <franklinbank@mesanetworks.net>  Add Mobile Alert
Subject:SECURITY ALERT!
Date:Tue, 22 Apr 2008 11:26:31 -0600
MIME-Version:1.0
Content-Type:text/html; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus-MESANETWORKS-Message-ID:<120888519710709540@mx11.mesanetworks.net>
Content-Length:1584
 
  Dear Franklin Bank Customer,
 
  Franklin Bank is aware of new phishing e-mails that are circulating.
  These e-mails request consumers to click a link due to a compromise of a 
  credit card account. You should not respond to this message.
 
  Due to unusual levels of fraud we have had to suspend any future authorizations
  being conducted with your Visa ATM/Check Card.
 
  For your security we have deactivate your card.
 
  How to activate/re-activate your card ?
 
  Call our Card Department: (866) 797-5643
 
 
 
  Our automated system allows you to quickly activate your card.
 
  We apologize for any inconvenience this may cause.
 
  Corporate Office
  9800 Richmond, Suite 680
  Houston, TX 77042
 
  Copyright © 2006 Franklin Bank. All Rights Reserved.
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

3 edits
reply to nwrickert
Amarillo National Bank vish:

X-Apparently-To: x@yahoo.com via 66.163.178.133; Thu, 24 Apr 2008 07:31:59 -0700
X-Originating-IP:[65.104.246.242]
Return-Path:<customer_service@anb.com>
Authentication-Results:mta101.mail.re3.yahoo.com from=; domainkeys=neutral (no sig)
Received:from 65.104.246.242 (EHLO mail.kwp.org) (65.104.246.242) by mta101.mail.re3.yahoo.com with SMTP; Thu, 24 Apr 2008 07:31:57 -0700
Received:from ([]) by mail.kwp.org (Merak 4.2.3) with SMTP id KPJ36965 for <x@yahoo.com>; Thu, 24 Apr 2008 09:31:56 -0500
From:Amarillo@  Add Mobile Alert ,
To:x@yahoo.com
Subject:ANB Secure Email Notification
Date:24 Apr 2008 09:29:41 -0500
Message-ID:<20080424092941.2195C1DDD96B4626@from.header.has.no.domain>
MIME-Version:1.0
Content-Type:text/html; charset="iso-8859-1"
Content-Transfer-Encoding:quoted-printable
Content-Length:1653
 

URLs for both the forged ANB and Verisign logos in the
body of the phish (posted as JPG as it is all html)

ANB: hxxp://jeannemcallister.com/logo.gif
Verisign: hxxp://jeannemcallister.com/logo-verisign.gif

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Lizz
Premium
join:2002-10-22
Fullerton, CA
reply to nwrickert
A vish AND a phish, all in one! (and with all the spamcatcher info in the header, ATT/Yahoo still left it in my inbox, not the bulk)

From Bank of America Fri May 2 06:59:39 2008
X-Apparently-To: XXX@pacbell.net via 209.191.85.223; Fri, 02 May 2008 07:01:12 -0700
X-Originating-IP: [64.97.155.27]
Return-Path:
Authentication-Results: mta136.sbc.mail.re3.yahoo.com from=alerts.bankofamerica.com; domainkeys=neutral (no sig)
Received: from 207.115.20.65 (EHLO flpi096.prodigy.net) (207.115.20.65) by mta136.sbc.mail.re3.yahoo.com with SMTP; Fri, 02 May 2008 07:01:12 -0700
X-Originating-IP: [64.97.155.27]
Received: from sc2.he.tucows.com (smtpout2027.sc2.he.tucows.com [64.97.155.27]) by flpi096.prodigy.net (8.13.8 inb regex/8.13.8) with ESMTP id m42E1Bpw001455 for ; Fri, 2 May 2008 07:01:11 -0700
Received: from sc2-out04.emaildefenseservice.com (64.97.201.174) by sc2.he.tucows.com (7.3.127) id 48188F54000E71E6; Fri, 2 May 2008 13:59:46 +0000
Message-ID: (added by postmaster@globo.com)
X-SpamScore: 96
X-Spamcatcher-Summary: 96,15,0,9ea1071f6304b62f,0631c5bc6dd70dd7,alert@alerts.bankofamerica.com,-,
X-Spamcatcher-Explanation: (33%) BODY: mail is from Bank of America but doesn't contain any Bank of America URLS;(27%) BODY: likely phishing content;(13%) X-MAILER: mail headers not consistent with User Agent "Outlook";(13%) HTML: HTML code not consistent with User Agent "Outlook";(7%) BODY: text/html email has no html tag;(7%) BODY: content type is strictly "text/html";
Received: from User (unknown [41.223.251.88]) (Authenticated sender: atm05@globo.com) by sc2-out04.emaildefenseservice.com (Postfix) with ESMTP; Fri, 2 May 2008 13:59:19 +0000 (UTC)
From: "Bank of America" Add to Address BookAdd to Address Book Add Mobile Alert
Subject: Online Banking Verification
Date: Fri, 2 May 2008 14:59:39 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Length: 2867

Dear Valued Bank of America Online Customer:

IMPORTANT: Your online account information must be confirmed and verified to ensure uninterrupted service.

To enhance the level of service you receive with Bank of America Online Services, we regularly review the online banking accounts. We have issued this warning message to inform you that we have detected a slight error in your account information. This might be due to either of the following reasons:.
bullet A recent change in your personal information ( i.e.change of address).
bullet Submiting invalid information during the initial sign up process.
bullet An inability to accurately verify your selected option of payment due to an internal error within our processors.

As a result, we require you to confirm and verify your account information By Clicking Here and completing the confirmation process.

Note
However, failure to confirm and verify your account information will result in temporarily account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.
If you have any question regarding this, please call us at 888-692-5949, 24 hours a day, seven days a week. or simply Sign In to Online Banking and click on "Help".

Thank you for banking at Bank of America. We look forward to serving your financial needs for many years to come.


Lizz
Premium
join:2002-10-22
Fullerton, CA
So you all don't think I'm nuts, the "simply sign on" is a link to a phishing site which DOES show in phishtracker.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
reply to nwrickert
Delivered-To: no.job.needed@gmail.com
Received: by 10.142.155.4 with SMTP id c4cs16970wfe;
        Wed, 14 May 2008 08:55:10 -0700 (PDT)
Received: by 10.35.28.12 with SMTP id f12mr2105619pyj.45.1210780510055;
        Wed, 14 May 2008 08:55:10 -0700 (PDT)
Return-Path: <test@telus.net>
Received: from defout.telus.net (defout.telus.net [199.185.220.240])
        by mx.google.com with ESMTP id f24si4254145pyh.26.2008.05.14.08.55.09;
        Wed, 14 May 2008 08:55:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of test@telus.net designates 199.185.220.240 as permitted sender) client-ip=199.185.220.240;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of test@telus.net designates 199.185.220.240 as permitted sender) smtp.mail=test@telus.net
Received: from priv-edtnaa16.telusplanet.net ([206.116.132.29])
          by priv-edtnes25.telusplanet.net
          (InterMail vM.7.08.02.02 201-2186-121-104-20070414) with ESMTP
          id <20080514155450.QWUB16573.priv-edtnes25.telusplanet.net@priv-edtnaa16.telusplanet.net>;
          Wed, 14 May 2008 09:54:50 -0600
Received: from User (d206-116-132-29.bchsia.telus.net [206.116.132.29])
by priv-edtnaa16.telusplanet.net (BorderWare MXtreme Infinity Mail Firewall) with SMTP
id 83448V1ULV; Wed, 14 May 2008 09:55:09 -0600 (MDT)
From: "test" <test@telus.net>
Subject: fdfdfdfdfd55
Date: Wed, 14 May 2008 08:55:10 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20080514155509.83448V1ULV@priv-edtnaa16.telusplanet.net>
To: undisclosed-recipients:;
 
Dear MasterCard customer, 
 
We regret to inform you that we have received numerous fraudulent emails which ask for personal
account information. The emails contained links to fraudulent pages that looked legit. 
 
Please remember that we will never ask for personal account information via email or web pages. 
 
Because of this we are launching a new security system to make MasterCard accounts more secure
and safe. To take advatage of our new consumer Identity Theft Protection Program we had to
deactivate access to your card account. 
 
To activate it please call us immediately at (615) 348-6681
 
Activation is free of charge and will take place as soon as you finish the activation process. 
 
? 1994-2008 MasterCard. All rights reserved.
 


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to nwrickert

EPPIcard vish 772-924-0104

Email message text:

Dear EPPICard member,

We recently reviewed your account, and suspect that your EPPICard account may
have been accessed from an unauthorized computer. This may be due to changes
in your IP address or location. Protecting the security of your account and
the EPPICard network is our primary concern. Therefor, we have temporarily
blocked your banking account.

To unlock your account call our toll free number: 772-924-0104

To protect your account please follow the instructions below:
- NEVER SHARE YOUR PASSWORD with other persons
- ALWAYS LOG OFF after using your online account
- NEVER access EPPICard`s website by clicking on a link provided in an e-mail

We apologize for any inconvenience this may cause, and appreciate your
assistance in helping us maintaining the integrity of the entire EPPICard System.

Thank you,
EPPICard Security Advisor.

Copyright 2008 EPPICard - The safe and secure way to acces your payments.


Headers:
Return-Path: <notice@eppicard.com>
Received: from NYSWEB.COM ([64.65.53.19])
        by mp.cs.niu.edu (8.14.3/8.14.3) with ESMTP id m4LFYOsj010468
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
        for <x@x>; Wed, 21 May 2008 10:34:29 -0500 (CDT)
Message-Id: <200805211534.m4LFYOsj010468@mp.cs.niu.edu>
Received: (qmail 19262 invoked from network); 21 May 2008 10:52:33 -0400
Received: from tutlani.com (HELO User) (207.210.93.11)
  by nacentertainment.com with SMTP; 21 May 2008 10:52:33 -0400
Reply-To: <do-not-reply@eppicard.com>
From: "EPPICard"<notice@eppicard.com>
To: x@x, x@x, x@x,
        x@x, x@x, x@x,
        x@x, x@x,
        x@x, x@x
Subject: Urgent Notification!
Date: Wed, 21 May 2008 10:52:33 -0400
MIME-Version: 1.0
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
 

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.14


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

1 edit
reply to nwrickert

Re: [Phish] Telephone phishing thread

AA/Citibank Vish (also submitted to Phishtracker - see below) - posted
here because there's also a telephone number.

X-Apparently-To: x@yahoo.com via 66.163.178.133; Thu, 29 May 2008 15:13:17 -0700
X-YahooFilteredBulk:71.165.227.158
X-Originating-IP:[71.165.227.158]
Return-Path:<american.airlines@aa.com>
Authentication-Results:mta361.mail.mud.yahoo.com from=aa.com; domainkeys=neutral (no sig)
Received:from 71.165.227.158 (EHLO rlmurawski.com) (71.165.227.158) by mta361.mail.mud.yahoo.com with SMTP; Thu, 29 May 2008 15:13:17 -0700
Received:from aa.com ([71.170.119.34]) by rlmurawski.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 29 May 2008 15:05:34 -0700
Reply-to:American.Airlines@aas.com
From:American.Airlines@aa.com  
To:x@yahoo.com
Subject:Citi / AAdvantage MasterCard (Alerting Service)
Date:29 May 2008 16:55:03 -0500
Message-ID:<20080529165503.DE8515CF9B566BEF@aa.com>
MIME-Version:1.0
Content-Type:text/html; charset="iso-8859-1"
Content-Transfer-Encoding:quoted-printable
Return-Path:American.Airlines@aa.com
X-OriginalArrivalTime:29 May 2008 22:05:34.0265 (UTC) FILETIME=[1E213A90:01C8C1D8]
Content-Length:2060
 

Edit: This did not successfully get parsed by Phishtracker. The
link first leads to hxxp://mail.mrfood.com/logo_servis.gif, but then
redirects to hxxp://mail.opt-al.com/www.citicards.com/cards/wv/copy.doscreenID1214.htm

(The second link has already been reported to Google as a
web forgery, and is still active as of the time of this post.)

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
A Point Bank vish that arrived today:

 Return-Path:     <info@pointbank.com>
Authentication-Results: mta156.mail.re1.yahoo.com from=pointbank.com; domainkeys=neutral (no sig)
Received: from 99.129.23.5 (EHLO web.mavcomp.com) (99.129.23.5) by mta156.mail.re1.yahoo.com with SMTP; Fri, 30 May 2008 05:51:48 -0700
Received: from User ([68.213.182.38]) by web.mavcomp.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 30 May 2008 07:51:04 -0500
From: 
"PointBank"<info@pointbank.com>  
Add sender to Contacts
Subject: Contact Us
Date: Fri, 30 May 2008 08:03:10 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc: 
Return-Path: info@pointbank.com
Message-ID: <WEBNXGjjuH9z7frxNkm00000121@web.mavcomp.com>
Content-Length: 833
 

Dear CardHolder,
Your debit card has open issues
Contact us immediately for assistance.
Toll Free Line: 1-(877)- 596-6749

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
One from WAMU:
From: "WAMU" <office@wamu.com>
 
To: undisclosed-recipients
 
 Return-Path:     <office@wamu.com>
Authentication-Results: mta289.mail.re2.yahoo.com from=wamu.com; domainkeys=neutral (no sig)
Received: from 70.158.128.6 (EHLO POP.brmemc.net) (70.158.128.6) by mta289.mail.re2.yahoo.com with SMTP; Wed, 16 Jul 2008 22:48:25 -0700
Received: from User (unverified [141.164.8.38]) by POP.brmemc.net (Vircom SMTPRS 4.5.654.13) with ESMTP id <B0187023259@POP.brmemc.net>; Wed, 16 Jul 2008 13:51:49 -0400
Reply-To: <do-not-reply@wamu.com>
From: 
"WAMU"<office@wamu.com>  
Add sender to Contacts
Subject: Urgent Notification
Date: Wed, 16 Jul 2008 12:50:52 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Content-Length: 385
 

This part of the message is invisible. I found it by
checking the page source:

"To activate your account please call urgent at 713-481-1635."

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
reply to nwrickert
Ooops. I guess I am a bit late! I just posted a thread about this in the Security Forum. Oh well. The more that hear about it, the better.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
Not a problem.

This thread is mainly for reporting specific instances. So discussing the phenomenon in a different thread is fine.

I'll add a link to your other thread:
»Criminals have now gone 'vishing'
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7

1 recommendation

reply to nwrickert

Farmers State Bank

Submitted phish #31133 is really a voice/telephone vish for phone number (888) 687-5642.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
reply to nwrickert

Salin Bank

The Salin Bank phish #31431 is really a voice/telephone vish for 1-800-681-2713.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1


Lizz
Premium
join:2002-10-22
Fullerton, CA
reply to nwrickert

Re: [Phish] Telephone phishing thread

From Merchants National Bank Mon Oct 6 11:00:37 2008
Return-Path: <info@merchantsnat.com>
Authentication-Results: mta102.sbc.mail.mud.yahoo.com from=merchantsnat.com; domainkeys=neutral (no sig)
Received: from 72.242.21.146 (EHLO flpi119.prodigy.net) (207.115.20.159) by mta102.sbc.mail.mud.yahoo.com with SMTP; Mon, 06 Oct 2008 11:13:20 -0700
Received: from russellmassey.com (server.russellmassey.com [72.242.21.146]) by flpi119.prodigy.net (8.13.8 inb regex/8.13.8) with ESMTP id m96IDFL3030348 for <xxxxx@pacbell.net>; Mon, 6 Oct 2008 11:13:19 -0700
Received: from User ([68.213.58.58]) by russellmassey.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 6 Oct 2008 14:00:37 -0400
From: 
"Merchants National Bank"<info@merchantsnat.com>  
Add sender to Contacts
Subject: MNB - Fraud Alert
Date: Mon, 6 Oct 2008 13:00:37 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc: 
Message-ID: <SERVERYYclEohn9Nhkr00005660@russellmassey.com>
Content-Length: 876
Compact Headers
 
ADVISORY: Some members and non-members of Merchants National Bank have received fraudulent emails.
 
This email was NOT issued by Merchants National Bank, and should be deleted.
 
Do not follow the instructions in the email. Do not click the link.
 
For security reasons we have deactivated your debit card.
 
Please contact us at (888) 425-2294 to activate your debit card.
 


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
American National Bank Of Texas:

 
 Return-Path:     <memberservice@anbtx.com>
Authentication-Results: mta230.mail.re4.yahoo.com from=anbtx.com; domainkeys=neutral (no sig)
Received: from 67.79.177.26 (EHLO wsrv1.wiringtech.local) (67.79.177.26) by mta230.mail.re4.yahoo.com with SMTP; Tue, 14 Oct 2008 04:10:11 -0700
Received: from User ([68.191.184.90]) by wsrv1.wiringtech.local with Microsoft SMTPSVC(6.0.3790.3959); Tue, 14 Oct 2008 07:04:42 -0400
Reply-To: <no-reply@anbtx.com>
From: 
"American National Bank of Texas"<memberservice@anbtx.com>  
 
Subject: Important Notification
Date: Tue, 14 Oct 2008 06:06:31 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc: 
Return-Path: memberservice@anbtx.com
Message-ID: <WSRV1zmtlefFc8gc4aR00004b9c@wsrv1.wiringtech.local>
Content-Length: 670
 
In our terms and contidions you have agreed to state that your
account must always be under your control or those you designate
at all times. We have noticed some activity related to your account that
indicates that order parties may have tried gaining access or control of your
information in your account.
 
Therefore, to prevent unauthorized access to your American National Bank of Texas
Internet Banking account,you are limited to five failed login attempts in
a 24-hour period. You have exceeded this number of attempts.*
 
To reactivate your debit card , please call: +1(805-617-4170)
 
Copyright © 2008  American National Bank of Texas. All rights reserved.
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
Two more from ANB Texas, with a different phone number:

  Return-Path:     <suspended@anbtx.com>
Authentication-Results: mta244.mail.re2.yahoo.com from=anbtx.com; domainkeys=neutral (no sig)
Received: from 216.126.204.132 (EHLO mail.acninc.net) (216.126.204.132) by mta244.mail.re2.yahoo.com with SMTP; Tue, 14 Oct 2008 15:02:07 -0700
Received: from User [208.69.57.85] by mail.acninc.net with ESMTP (SMTPD32-8.15) id A4F9581009C; Tue, 14 Oct 2008 14:45:45 -0600
Reply-To: <suspended@anbtx.com>
From: 
"American National Bank of Texas"<suspended@anbtx.com>  
 
Subject: Important Member Service Information !
Date: Tue, 14 Oct 2008 16:45:43 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Message-Id: <200810141445360.SM01716@User>
Content-Length: 688
 
Dear Customer,
 
In our terms and contidions you have agreed to state that your
account must always be under your control or those you designate
at all times. We have noticed some activity related to your account that
indicates that order parties may have tried gaining access or control of your
information in your account.
 
Therefore, to prevent unauthorized access to your American National Bank of Texas
Internet Banking account,you are limited to five failed login attempts in
a 24-hour period. You have exceeded this number of attempts.*
 
To reactivate your debit card , please call: +1(804-684-8586)
 
Copyright © 2008 American National Bank of Texas. All Rights Reserved.
 

Second message has the same phone number and message body,
but different headers:

 Return-Path:     <memberservice@anbtx.com>
Authentication-Results: mta119.mail.re1.yahoo.com from=anbtx.com; domainkeys=neutral (no sig)
Received: from 67.58.160.20 (HELO mail.zitomedia.net) (67.58.160.20) by mta119.mail.re1.yahoo.com with SMTP; Tue, 14 Oct 2008 15:24:52 -0700
Received: (qmail 24961 invoked from network); 14 Oct 2008 22:24:51 -0000
Received: from unknown (HELO User) (lucas@68.191.184.90) by mail.zitomedia.com with SMTP; Tue, 14 Oct 2008 18:24:51 -0400
Reply-To: <no-reply@anbtx.com>
From: 
"American National Bank of Texas"<memberservice@anbtx.com>  
 
Subject: Important Member Service Information !
Date: Tue, 14 Oct 2008 17:24:51 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Content-Length: 667
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert
One from United Heritage Credit Union:

 Return-Path:     <service@uhcu.org>
Authentication-Results: mta435.mail.mud.yahoo.com from=uhcu.org; domainkeys=neutral (no sig)
Received: from 194.116.199.143 (EHLO thb-mta-05.emailfiltering.com) (194.116.199.143) by mta435.mail.mud.yahoo.com with SMTP; Wed, 15 Oct 2008 03:34:41 -0700
Received: from host217-41-113-124.in-addr.btopenworld.com ([217.41.113.124]) by thb-mta-05.emailfiltering.com with emfmta (version 3.6.5.44.1.r-3.2.3-libc2.3.2) vanilla id 3044468324 ; Wed, 15 Oct 2008 11:34:40 +0100
Received: from User ([68.191.184.90]) by mail.bbs.eu.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 15 Oct 2008 11:33:10 +0100
Reply-To: <no-reply@uhcu.org>
From: 
"United Heritage C.U"<service@uhcu.org>  
 
Subject: Important Member Service Information !
Date: Wed, 15 Oct 2008 05:34:39 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc: 
Return-Path: service@uhcu.org
Message-ID: <BBS-SVR01R4T3XJVVfA00001c3e@mail.bbs.eu.com>
Content-Length: 735
 
Dear Member:
 
According to our clients needs United Heritage Credit Union is currently launching a new
security system that will improve the level of member service we can provide.
 
We strongly urge that all our members need to update their credit card within
the next 48 hours, so we can add them to our new database.
 
To start the update process call us now on our service number : +1(818) 824 4009
 
Sorry for any inconvenience this may cause!
 
Sincerely,
Jenny Laudadio
Marketing director, United Heritage Credit Union.
 
---------------------------------------------------------------------------------- --
Scanned by BBS MessageAngel for viruses and unwanted content.
Powered by emailsystems. Visit www.bbs.eu.com/messageangel
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
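
Added example, not part of any post in this thread: a small triage script that reads the earliest `Received` hop of each message and groups messages by the client IP that handed them to the first relay. The header lines are copied from the two American National Bank of Texas posts and the United Heritage post above; the labels (`ANB-1` and so on) and the function names are this example's own.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# From and Received lines copied from the messages quoted in this thread.
# The short labels are added for this example.
SAMPLES = {
    "ANB-1": '''From: "American National Bank of Texas"<memberservice@anbtx.com>
Received: from 67.79.177.26 (EHLO wsrv1.wiringtech.local) (67.79.177.26) by mta230.mail.re4.yahoo.com with SMTP; Tue, 14 Oct 2008 04:10:11 -0700
Received: from User ([68.191.184.90]) by wsrv1.wiringtech.local with Microsoft SMTPSVC(6.0.3790.3959); Tue, 14 Oct 2008 07:04:42 -0400''',
    "ANB-2": '''From: "American National Bank of Texas"<suspended@anbtx.com>
Received: from 216.126.204.132 (EHLO mail.acninc.net) (216.126.204.132) by mta244.mail.re2.yahoo.com with SMTP; Tue, 14 Oct 2008 15:02:07 -0700
Received: from User [208.69.57.85] by mail.acninc.net with ESMTP (SMTPD32-8.15) id A4F9581009C; Tue, 14 Oct 2008 14:45:45 -0600''',
    "ANB-3": '''From: "American National Bank of Texas"<memberservice@anbtx.com>
Received: from 67.58.160.20 (HELO mail.zitomedia.net) (67.58.160.20) by mta119.mail.re1.yahoo.com with SMTP; Tue, 14 Oct 2008 15:24:52 -0700
Received: (qmail 24961 invoked from network); 14 Oct 2008 22:24:51 -0000
Received: from unknown (HELO User) (lucas@68.191.184.90) by mail.zitomedia.com with SMTP; Tue, 14 Oct 2008 18:24:51 -0400''',
    "UHCU": '''From: "United Heritage C.U"<service@uhcu.org>
Received: from 194.116.199.143 (EHLO thb-mta-05.emailfiltering.com) (194.116.199.143) by mta435.mail.mud.yahoo.com with SMTP; Wed, 15 Oct 2008 03:34:41 -0700
Received: from host217-41-113-124.in-addr.btopenworld.com ([217.41.113.124]) by thb-mta-05.emailfiltering.com with emfmta (version 3.6.5.44.1.r-3.2.3-libc2.3.2) vanilla id 3044468324 ; Wed, 15 Oct 2008 11:34:40 +0100
Received: from User ([68.191.184.90]) by mail.bbs.eu.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 15 Oct 2008 11:33:10 +0100''',
}

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HELO = re.compile(r"\((?:HELO|EHLO) ([^)\s]+)\)")


def origin_hop(raw_headers):
    """Return (helo_name, client_ip, from_domain) for the earliest Received hop."""
    msg = message_from_string(raw_headers)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = msg.get_all("Received", [])
    if not hops:
        return None, None, domain
    # Each relay prepends its own Received line, so the last one is the oldest.
    # Hops below the first server you trust are sender-supplied and can be forged.
    sender_part = " ".join(hops[-1].split()).split(" by ", 1)[0]
    helo = HELO.search(sender_part)
    name = helo.group(1) if helo else sender_part.split()[1]
    ip = IPV4.search(sender_part)
    return name, ip.group(1) if ip else None, domain


def cluster_by_origin(samples):
    """Group (label, from_domain, helo_name) tuples by earliest-hop client IP."""
    clusters = defaultdict(list)
    for label, raw in samples.items():
        helo, ip, domain = origin_hop(raw)
        clusters[ip].append((label, domain, helo))
    return dict(clusters)


def shared_origins(samples):
    """Origin IPs seen in more than one message, with the From domains used."""
    return {ip: sorted({domain for _, domain, _ in rows})
            for ip, rows in cluster_by_origin(samples).items() if len(rows) > 1}


if __name__ == "__main__":
    for ip, rows in cluster_by_origin(SAMPLES).items():
        print(ip, [label for label, _, _ in rows])
    print("shared:", shared_origins(SAMPLES))
```
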


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to nwrickert
Resource Bank. Phone number is 815-981-4765

Return-Path: accounts@resourcebank.com
Delivery-Date: Tue, 04 Nov 2008 07:57:29 -0600
Received: from mail.nelsonmazda.com (mail.nelsonmazda.com [68.99.76.194])
        by mp.cs.niu.edu (8.14.3/8.14.3) with ESMTP id mA4DvN65018274
        for <munged@cs.niu.edu>; Tue, 4 Nov 2008 07:57:28 -0600 (CST)
Received: from User ([142.176.87.114]) by mail.nelsonmazda.com with Microsoft SMTPSVC(6.0.3790.3959);
         Tue, 4 Nov 2008 08:01:57 -0600
Reply-To: <do-not-reply@resourcebank.com>
From: "Resource Bank"<accounts@resourcebank.com>
Subject: Notice
Date: Tue, 4 Nov 2008 09:56:07 -0400
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <NAGMAILZkfzDskqC5Et000000cd@mail.nelsonmazda.com>
X-OriginalArrivalTime: 04 Nov 2008 14:01:57.0348 (UTC) FILETIME=[E6615240:01C93E85]
 
<html>
 
<head>
<meta http-equiv="Content-Language" content="en-gb">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Resource Bank</title>
</head>
 
<body>
 
<font size="2" face="Arial, Helvetica, sans-serif">
<p>&nbsp; Dear Customer, </p>
<p><b><font color="#000000">&nbsp; Resource Bank </font></b>
temporarily suspended your account.<br>
<b><font color="#000000">&nbsp;&nbsp;Reason:</font></b> Security Issues.<br>
&nbsp;&nbsp;We need you to complete an account update so we can unlock your account.<br>
&nbsp;</p>
<p>&nbsp; <b>To start the update 
process </b>
</font><b><font face="Arial, Helvetica, sans-serif" size="2">call at the 
following number : 815-981-4765</font></b></p>
<p><b><font face="Arial, Helvetica, sans-serif" size="2">&nbsp; </font></b>
<font size="2" face="Arial, Helvetica, sans-serif">
<br>
&nbsp;&nbsp;The information provided will be treated in confidence and stored in our 
secure database.<br>
&nbsp;</font></p>
<div class="copyright" align="left">
        <font size="1" color="#000000" face="Arial, Helvetica, sans-serif">&nbsp;&nbsp; Copyright <A9> Resource Bank. All Rights Reserved</font></div>
 
</body>
 
</html>
 

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.3


DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2
reply to nwrickert

877-214-0565 - Community Financial Members Federal Credit Union

The message:
ADVISORY: Some members and non-members of Community Financial Members Federal Credit Union have received fraudulent emails. This email was NOT issued by Community Financial Members Federal Credit Union, and should be deleted. Do not follow the instructions in the email. Do not click the link. For security reasons we have deactivated your debit card. Please call our toll-free hotline at (877) 214-0565 to activate your debit card.


Headers:

Return-Path: <support@cfcu.org>
Received: from dukecmfep05.coxmail.com [68.99.120.40] by mail.rueckgauer.com with SMTP;
   Tue, 18 Nov 2008 15:46:44 -0500
Received: from User ([24.248.209.212]) by dukecmmtar02.coxmail.com
          (InterMail vM.6.01.06.05 201-2131-130-106-20070212) with SMTP
          id <20081118194108.LMXS4924.dukecmmtar02.coxmail.com@User>;
          Tue, 18 Nov 2008 14:41:08 -0500
From: "Community Financial Members Federal Credit Union"<support@cfcu.org>
Subject: Contact Us!
Date: Tue, 18 Nov 2008 13:40:56 -0600
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20081118194108.LMXS4924.dukecmmtar02.coxmail.com@User>
X-Rcpt-To: <xxxx@rueckgauer.com>
X-SmarterMail-Spam: SPF_None
 

It's so touching how much they care for "members and non-members" alike, and have deactivated my debit card for me!

Frickin morons...they couldn't even send well-formed HTML!

--
There is no giant fur-bearing trout.


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

Re: [Phish] Telephone phishing thread

800-523-8103 Capital One

Sent to my mother's Yahoo email. Only thing changed is the first part of the To: address.

 
 Return-Path:     <mailout04@westnotificationsgroup.com>
Authentication-Results: mta198.mail.ac4.yahoo.com from=; domainkeys=neutral (no sig)
Received: from 208.34.106.236 (EHLO vocal-net.net) (208.34.106.236) by mta198.mail.ac4.yahoo.com with SMTP; Thu, 27 Nov 2008 23:35:42 -0800
Received: from westnotificationsgroup.com (unverified [72.54.106.166]) by ntvop4.netaccnt.net (Vircom SMTPRS 4.5.654.13) with ESMTP id <B0142103054@ntvop4.netaccnt.net> for <nataleemorse@yahoo.com>; Fri, 28 Nov 2008 02:10:33 -0500
From: 
"Capital One" <service@capitaone.com> <216.57.96.8 (HELO mailout04.westnotificationsgroup.com)>  
 
To: x@yahoo.com
Subject: Capital One Alert: Irregular Credit Card Activity
Date: 28 Nov 2008 00:13:11 -0700
Message-ID: <20081128001311.B0F742BDBB2F8318@capitaone.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Length: 3634
 
Irregular Credit Card Activity
 
Account:  Capital One® credit card
Date:  11/28/2008
 
We detected irregular activity on your Capital One® credit card on 11/28/2008. For your protection, you must verify this activity before you can continue using your card.
 
Please call us immediately at 1-800-523-8103 or collect using the number listed on the back of your card. We will review the activity on your account with you and upon verification, we will remove any restrictions placed on your account.
 
 
 
Important Information from Capital One
 
Contact Us | Privacy
 
This e-mail was sent to you and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.
 
The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances.
 
Capital One and its service providers are committed to protecting your privacy and ask you not to send sensitive account information through e-mail. If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail.
 
©2008 Capital One. Capital One is a federally registered service mark. All rights reserved. 15000 Capital One Drive, Attn: 12038-0111, Richmond, Virginia 23238. To contact us by mail, please use the following address: Capital One, PO Box 30285, Salt Lake City, Utah 84130-0285.
 
09860 023 001
 

The attached logo is the one the phisher used. They left off "what's in your wallet?", which normally is positioned beginning right below the 'One' part of the name.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)