

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7

1 recommendation

reply to nwrickert

Farmers State Bank

Submitted phish #31133 is really a voice/telephone vish for phone number (888) 687-5642.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
reply to nwrickert

Salin Bank

The Salin Bank phish #31431 is really a voice/telephone vish for 1-800-681-2713.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1



Lizz
Premium
join:2002-10-22
Fullerton, CA
reply to nwrickert

Re: [Phish] Telephone phishing thread

From Merchants National Bank Mon Oct 6 11:00:37 2008
Return-Path: <info@merchantsnat.com>
Authentication-Results: mta102.sbc.mail.mud.yahoo.com from=merchantsnat.com; domainkeys=neutral (no sig)
Received: from 72.242.21.146 (EHLO flpi119.prodigy.net) (207.115.20.159) by mta102.sbc.mail.mud.yahoo.com with SMTP; Mon, 06 Oct 2008 11:13:20 -0700
Received: from russellmassey.com (server.russellmassey.com [72.242.21.146]) by flpi119.prodigy.net (8.13.8 inb regex/8.13.8) with ESMTP id m96IDFL3030348 for <xxxxx@pacbell.net>; Mon, 6 Oct 2008 11:13:19 -0700
Received: from User ([68.213.58.58]) by russellmassey.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 6 Oct 2008 14:00:37 -0400
From: 
"Merchants National Bank"<info@merchantsnat.com>  
Subject: MNB - Fraud Alert
Date: Mon, 6 Oct 2008 13:00:37 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc: 
Message-ID: <SERVERYYclEohn9Nhkr00005660@russellmassey.com>
Content-Length: 876
 
ADVISORY: Some members and non-members of Merchants National Bank have received fraudulent emails.
 
This email was NOT issued by Merchants National Bank, and should be deleted.
 
Do not follow the instructions in the email. Do not click the link.
 
For security reasons we have deactivated your debit card.
 
Please contact us at (888) 425-2294 to activate your debit card.
 


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

American National Bank Of Texas:

 
 Return-Path:     <memberservice@anbtx.com>
Authentication-Results: mta230.mail.re4.yahoo.com from=anbtx.com; domainkeys=neutral (no sig)
Received: from 67.79.177.26 (EHLO wsrv1.wiringtech.local) (67.79.177.26) by mta230.mail.re4.yahoo.com with SMTP; Tue, 14 Oct 2008 04:10:11 -0700
Received: from User ([68.191.184.90]) by wsrv1.wiringtech.local with Microsoft SMTPSVC(6.0.3790.3959); Tue, 14 Oct 2008 07:04:42 -0400
Reply-To: <no-reply@anbtx.com>
From: 
"American National Bank of Texas"<memberservice@anbtx.com>  
 
Subject: Important Notification
Date: Tue, 14 Oct 2008 06:06:31 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc: 
Return-Path: memberservice@anbtx.com
Message-ID: <WSRV1zmtlefFc8gc4aR00004b9c@wsrv1.wiringtech.local>
Content-Length: 670
 
In our terms and contidions you have agreed to state that your
account must always be under your control or those you designate
at all times. We have noticed some activity related to your account that
indicates that order parties may have tried gaining access or control of your
information in your account.
 
Therefore, to prevent unauthorized access to your American National Bank of Texas
Internet Banking account,you are limited to five failed login attempts in
a 24-hour period. You have exceeded this number of attempts.*
 
To reactivate your debit card , please call: +1(805-617-4170)
 
Copyright © 2008  American National Bank of Texas. All rights reserved.
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

Two more from ANB Texas, with a different phone number:

  Return-Path:     <suspended@anbtx.com>
Authentication-Results: mta244.mail.re2.yahoo.com from=anbtx.com; domainkeys=neutral (no sig)
Received: from 216.126.204.132 (EHLO mail.acninc.net) (216.126.204.132) by mta244.mail.re2.yahoo.com with SMTP; Tue, 14 Oct 2008 15:02:07 -0700
Received: from User [208.69.57.85] by mail.acninc.net with ESMTP (SMTPD32-8.15) id A4F9581009C; Tue, 14 Oct 2008 14:45:45 -0600
Reply-To: <suspended@anbtx.com>
From: 
"American National Bank of Texas"<suspended@anbtx.com>  
 
Subject: Important Member Service Information !
Date: Tue, 14 Oct 2008 16:45:43 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Message-Id: <200810141445360.SM01716@User>
Content-Length: 688
 
Dear Customer,
 
In our terms and contidions you have agreed to state that your
account must always be under your control or those you designate
at all times. We have noticed some activity related to your account that
indicates that order parties may have tried gaining access or control of your
information in your account.
 
Therefore, to prevent unauthorized access to your American National Bank of Texas
Internet Banking account,you are limited to five failed login attempts in
a 24-hour period. You have exceeded this number of attempts.*
 
To reactivate your debit card , please call: +1(804-684-8586)
 
Copyright © 2008 American National Bank of Texas. All Rights Reserved.
 

Second message has the same phone number and message body,
but different headers:

 Return-Path:     <memberservice@anbtx.com>
Authentication-Results: mta119.mail.re1.yahoo.com from=anbtx.com; domainkeys=neutral (no sig)
Received: from 67.58.160.20 (HELO mail.zitomedia.net) (67.58.160.20) by mta119.mail.re1.yahoo.com with SMTP; Tue, 14 Oct 2008 15:24:52 -0700
Received: (qmail 24961 invoked from network); 14 Oct 2008 22:24:51 -0000
Received: from unknown (HELO User) (lucas@68.191.184.90) by mail.zitomedia.com with SMTP; Tue, 14 Oct 2008 18:24:51 -0400
Reply-To: <no-reply@anbtx.com>
From: 
"American National Bank of Texas"<memberservice@anbtx.com>  
 
Subject: Important Member Service Information !
Date: Tue, 14 Oct 2008 17:24:51 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Content-Length: 667
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

One from United Heritage Credit Union:

 Return-Path:     <service@uhcu.org>
Authentication-Results: mta435.mail.mud.yahoo.com from=uhcu.org; domainkeys=neutral (no sig)
Received: from 194.116.199.143 (EHLO thb-mta-05.emailfiltering.com) (194.116.199.143) by mta435.mail.mud.yahoo.com with SMTP; Wed, 15 Oct 2008 03:34:41 -0700
Received: from host217-41-113-124.in-addr.btopenworld.com ([217.41.113.124]) by thb-mta-05.emailfiltering.com with emfmta (version 3.6.5.44.1.r-3.2.3-libc2.3.2) vanilla id 3044468324 ; Wed, 15 Oct 2008 11:34:40 +0100
Received: from User ([68.191.184.90]) by mail.bbs.eu.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 15 Oct 2008 11:33:10 +0100
Reply-To: <no-reply@uhcu.org>
From: 
"United Heritage C.U"<service@uhcu.org>  
 
Subject: Important Member Service Information !
Date: Wed, 15 Oct 2008 05:34:39 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc: 
Return-Path: service@uhcu.org
Message-ID: <BBS-SVR01R4T3XJVVfA00001c3e@mail.bbs.eu.com>
Content-Length: 735
 
Dear Member:
 
According to our clients needs United Heritage Credit Union is currently launching a new
security system that will improve the level of member service we can provide.
 
We strongly urge that all our members need to update their credit card within
the next 48 hours, so we can add them to our new database.
 
To start the update process call us now on our service number : +1(818) 824 4009
 
Sorry for any inconvenience this may cause!
 
Sincerely,
Jenny Laudadio
Marketing director, United Heritage Credit Union.
 
---------------------------------------------------------------------------------- --
Scanned by BBS MessageAngel for viruses and unwanted content.
Powered by emailsystems. Visit www.bbs.eu.com/messageangel
 

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
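Several samples in this thread share a submitting hop of the form `Received: from User ([...])`, and one submitting address recurs behind different spoofed institutions and relays. The following is an added example, not code from any poster, that extracts that hop and the callback number from each message and groups by submitting IP; the messages, host names, addresses (documentation ranges) and phone numbers in it are constructed.

```python
import re
from collections import defaultdict
from email import message_from_string

# Submitting hop where the client announced itself as "User". Covers the
# three layouts seen in the thread's samples:
#   from User ([ip]) by ...   from User [ip] by ...
#   from unknown (HELO User) (name@ip) by ...
ORIGIN_RE = re.compile(
    r"from\s+(?:User\b|\S+\s+\(HELO\s+User\))\s*"
    r"\(?\[?(?:[^\s@\])]+@)?(\d{1,3}(?:\.\d{1,3}){3})"
)
# North American callback number, with or without +1 and parentheses.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)

# Constructed samples modelled on the header layouts posted in the thread.
MSG_A = """\
Return-Path: <memberservice@bank-a.example>
Received: from 198.51.100.26 (EHLO relay1.example.net) (198.51.100.26) by mx.example.org with SMTP; Tue, 14 Oct 2008 04:10:11 -0700
Received: from User ([192.0.2.90]) by relay1.example.net with Microsoft SMTPSVC(6.0.3790.3959); Tue, 14 Oct 2008 07:04:42 -0400
From: "Bank A"<memberservice@bank-a.example>
Subject: Important Notification

To reactivate your debit card , please call: +1(202-555-0101)
"""
MSG_B = """\
Return-Path: <service@cu-b.example>
Received: from 198.51.100.20 (HELO mail.relay2.example.net) (198.51.100.20) by mx.example.org with SMTP; Tue, 14 Oct 2008 15:24:52 -0700
Received: (qmail 24961 invoked from network); 14 Oct 2008 22:24:51 -0000
Received: from unknown (HELO User) (lucas@192.0.2.90) by mail.relay2.example.net with SMTP; Tue, 14 Oct 2008 18:24:51 -0400
From: "Credit Union B"<service@cu-b.example>
Subject: Important Member Service Information !

To start the update process call us now on our service number : (202) 555-0102
"""
MSG_C = """\
Return-Path: <suspended@bank-a.example>
Received: from 198.51.100.132 (EHLO mail.relay3.example.net) (198.51.100.132) by mx.example.org with SMTP; Tue, 14 Oct 2008 15:02:07 -0700
Received: from User [203.0.113.85] by mail.relay3.example.net with ESMTP (SMTPD32-8.15) id A4F9581009C; Tue, 14 Oct 2008 14:45:45 -0600
From: "Bank A"<suspended@bank-a.example>
Subject: Important Member Service Information !

To reactivate your debit card , please call: 1-202-555-0103
"""


def analyze(raw):
    """Return submitting IP, spoofed From domain and callback number."""
    msg = message_from_string(raw)
    origin = ""
    # Each relay prepends its hop, so the submitting client is bottom-most.
    # Hops below your own MTA's are written by the relay, not by you, so
    # treat the result as a lead to pivot on rather than as proof.
    for hop in reversed(msg.get_all("Received", [])):
        match = ORIGIN_RE.search(hop)
        if match:
            origin = match.group(1)
            break
    domain = re.search(r"@([\w.-]+)", msg.get("From", ""))
    body = msg.get_payload()
    phone = PHONE_RE.search(body if isinstance(body, str) else "")
    return {
        "origin_ip": origin,
        "from_domain": domain.group(1).lower() if domain else "",
        "callback": "-".join(phone.groups()) if phone else "",
    }


def shared_origins(raw_messages):
    """Map each submitting IP seen behind more than one spoofed domain
    to the sorted (domain, callback) pairs it was seen with."""
    seen = defaultdict(set)
    for raw in raw_messages:
        result = analyze(raw)
        if result["origin_ip"]:
            seen[result["origin_ip"]].add(
                (result["from_domain"], result["callback"]))
    return {ip: sorted(pairs) for ip, pairs in seen.items()
            if len({dom for dom, _ in pairs}) > 1}


if __name__ == "__main__":
    for ip, pairs in shared_origins([MSG_A, MSG_B, MSG_C]).items():
        print(ip, pairs)
```
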


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to nwrickert

Resource bank. Phone number is 815-981-4765

Return-Path: accounts@resourcebank.com
Delivery-Date: Tue, 04 Nov 2008 07:57:29 -0600
Received: from mail.nelsonmazda.com (mail.nelsonmazda.com [68.99.76.194])
        by mp.cs.niu.edu (8.14.3/8.14.3) with ESMTP id mA4DvN65018274
        for <munged@cs.niu.edu>; Tue, 4 Nov 2008 07:57:28 -0600 (CST)
Received: from User ([142.176.87.114]) by mail.nelsonmazda.com with Microsoft SMTPSVC(6.0.3790.3959);
         Tue, 4 Nov 2008 08:01:57 -0600
Reply-To: <do-not-reply@resourcebank.com>
From: "Resource Bank"<accounts@resourcebank.com>
Subject: Notice
Date: Tue, 4 Nov 2008 09:56:07 -0400
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <NAGMAILZkfzDskqC5Et000000cd@mail.nelsonmazda.com>
X-OriginalArrivalTime: 04 Nov 2008 14:01:57.0348 (UTC) FILETIME=[E6615240:01C93E85]
 
<html>
 
<head>
<meta http-equiv="Content-Language" content="en-gb">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Resource Bank</title>
</head>
 
<body>
 
<font size="2" face="Arial, Helvetica, sans-serif">
<p>&nbsp; Dear Customer, </p>
<p><b><font color="#000000">&nbsp; Resource Bank </font></b>
temporarily suspended your account.<br>
<b><font color="#000000">&nbsp;&nbsp;Reason:</font></b> Security Issues.<br>
&nbsp;&nbsp;We need you to complete an account update so we can unlock your account.<br>
&nbsp;</p>
<p>&nbsp; <b>To start the update 
process </b>
</font><b><font face="Arial, Helvetica, sans-serif" size="2">call at the 
following number : 815-981-4765</font></b></p>
<p><b><font face="Arial, Helvetica, sans-serif" size="2">&nbsp; </font></b>
<font size="2" face="Arial, Helvetica, sans-serif">
<br>
&nbsp;&nbsp;The information provided will be treated in confidence and stored in our 
secure database.<br>
&nbsp;</font></p>
<div class="copyright" align="left">
        <font size="1" color="#000000" face="Arial, Helvetica, sans-serif">&nbsp;&nbsp; Copyright © Resource Bank. All Rights Reserved</font></div>
 
</body>
 
</html>
 

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.3


DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2
reply to nwrickert

877-214-0565 - Community Financial Members Federal Credit Union

The message:

ADVISORY: Some members and non-members of Community Financial Members Federal Credit Union have received fraudulent emails. This email was NOT issued by Community Financial Members Federal Credit Union, and should be deleted. Do not follow the instructions in the email. Do not click the link. For security reasons we have deactivated your debit card. Please call our toll-free hotline at (877) 214-0565 to activate your debit card.


Headers:

Return-Path: <support@cfcu.org>
Received: from dukecmfep05.coxmail.com [68.99.120.40] by mail.rueckgauer.com with SMTP;
   Tue, 18 Nov 2008 15:46:44 -0500
Received: from User ([24.248.209.212]) by dukecmmtar02.coxmail.com
          (InterMail vM.6.01.06.05 201-2131-130-106-20070212) with SMTP
          id <20081118194108.LMXS4924.dukecmmtar02.coxmail.com@User>;
          Tue, 18 Nov 2008 14:41:08 -0500
From: "Community Financial Members Federal Credit Union"<support@cfcu.org>
Subject: Contact Us!
Date: Tue, 18 Nov 2008 13:40:56 -0600
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20081118194108.LMXS4924.dukecmmtar02.coxmail.com@User>
X-Rcpt-To: <xxxx@rueckgauer.com>
X-SmarterMail-Spam: SPF_None
 

It's so touching how much they care for "members and non-members" alike, and have deactivated my debit card for me!

Frickin morons...they couldn't even send well-formed HTML!

--
There is no giant fur-bearing trout.


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

Re: [Phish] Telephone phishing thread

800-523-8103 Capital One

Sent to my mother's Yahoo email. Only thing changed is the first part of the To: address

 
 Return-Path:     <mailout04@westnotificationsgroup.com>
Authentication-Results: mta198.mail.ac4.yahoo.com from=; domainkeys=neutral (no sig)
Received: from 208.34.106.236 (EHLO vocal-net.net) (208.34.106.236) by mta198.mail.ac4.yahoo.com with SMTP; Thu, 27 Nov 2008 23:35:42 -0800
Received: from westnotificationsgroup.com (unverified [72.54.106.166]) by ntvop4.netaccnt.net (Vircom SMTPRS 4.5.654.13) with ESMTP id <B0142103054@ntvop4.netaccnt.net> for <nataleemorse@yahoo.com>; Fri, 28 Nov 2008 02:10:33 -0500
From: 
"Capital One" <service@capitaone.com> <216.57.96.8 (HELO mailout04.westnotificationsgroup.com)>  
 
To: x@yahoo.com
Subject: Capital One Alert: Irregular Credit Card Activity
Date: 28 Nov 2008 00:13:11 -0700
Message-ID: <20081128001311.B0F742BDBB2F8318@capitaone.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Length: 3634
 
Irregular Credit Card Activity
 
Account:  Capital One® credit card
Date:  11/28/2008
 
We detected irregular activity on your Capital One® credit card on 11/28/2008. For your protection, you must verify this activity before you can continue using your card.
 
Please call us immediately at 1-800-523-8103 or collect using the number listed on the back of your card. We will review the activity on your account with you and upon verification, we will remove any restrictions placed on your account.
 
 
 
Important Information from Capital One
 
Contact Us | Privacy
 
This e-mail was sent to you and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.
 
The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances.
 
Capital One and its service providers are committed to protecting your privacy and ask you not to send sensitive account information through e-mail. If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail.
 
©2008 Capital One. Capital One is a federally registered service mark. All rights reserved. 15000 Capital One Drive, Attn: 12038-0111, Richmond, Virginia 23238. To contact us by mail, please use the following address: Capital One, PO Box 30285, Salt Lake City, Utah 84130-0285.
 
09860 023 001
 

The attached logo is the one the phisher used. They left off "what's in your wallet?", which normally is positioned beginning right below the 'One' part of the name.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

1 recommendation

reply to nwrickert

U.S. Bank telephone phish (there were two of these, with the same image and telephone number):

#1:
  Return-Path:     <rtkxxo@yahoo.com>
Authentication-Results: mta569.mail.mud.yahoo.com from=; domainkeys=neutral (no sig)
Received: from 68.230.240.9 (EHLO eastrmmtao103.cox.net) (68.230.240.9) by mta569.mail.mud.yahoo.com with SMTP; Tue, 09 Dec 2008 16:10:50 -0800
Received: from eastrmimpo03.cox.net ([68.1.16.126]) by eastrmmtao103.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20081210001049.DUTA18445.eastrmmtao103.cox.net@eastrmimpo03.cox.net>; Tue, 9 Dec 2008 19:10:49 -0500
Received: from User ([70.187.22.254]) by eastrmimpo03.cox.net with bizsmtp id pCAj1a0085Uvfce02CAkUW; Tue, 09 Dec 2008 19:10:48 -0500 a=gMMwTlpgCVsA:10 a=nDDMXIyUaCkA:10 a=oJL9TIRMo0YA:10 a=HWowFZCwAAAA:8 a=6VBaUAmcAAAA:8 a=vzUeNKtdRj-0HKc1hJIA:9
Reply-To: rtkxxo@yahoo.com
From: 
U.S. Bank<rtkxxo@yahoo.com>  
Subject: Multiple password failures ! Please call our 24-hours Security Department
Date: Wed, 10 Dec 2008 01:14:07 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Message-Id: <20081210001049.DUTA18445.eastrmmtao103.cox.net@eastrmimpo03.cox.net>
Content-Length: 173
 

#2
 Return-Path:     <dsmxzu@yahoo.com>
Authentication-Results: mta149.mail.re1.yahoo.com from=; domainkeys=neutral (no sig)
Received: from 68.230.240.13 (EHLO eastrmmtai106.cox.net) (68.230.240.13) by mta149.mail.re1.yahoo.com with SMTP; Tue, 09 Dec 2008 15:16:23 -0800
Received: from eastrmimpo03.cox.net ([68.1.16.126]) by eastrmmtao107.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20081209231458.FIYS4842.eastrmmtao107.cox.net@eastrmimpo03.cox.net>; Tue, 9 Dec 2008 18:14:58 -0500
Received: from User ([70.188.140.60]) by eastrmimpo03.cox.net with bizsmtp id pBEt1a00K1JP2Ge02BEuhr; Tue, 09 Dec 2008 18:14:58 -0500 a=gMMwTlpgCVsA:10 a=5a7zk8gS10wA:10 a=oJL9TIRMo0YA:10 a=HWowFZCwAAAA:8 a=6VBaUAmcAAAA:8 a=vzUeNKtdRj-0HKc1hJIA:9
Reply-To: dsmxzu@yahoo.com
From: 
U.S. Bank<dsmxzu@yahoo.com>  
Subject: Multiple password failures ! Please call our 24-hours Security Department
Date: Wed, 10 Dec 2008 00:18:17 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Message-Id: <20081209231458.FIYS4842.eastrmmtao107.cox.net@eastrmimpo03.cox.net>
Content-Length: 173
 

The body of the email is an image only (the screenshot above). It is clickable, but appears to lead to the real U.S. Bank website.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to nwrickert

Credit Union Access:

 Return-Path:     <card@creditunionaccess.com>
Authentication-Results: mta170.mail.re4.yahoo.com from=; domainkeys=neutral (no sig)
Received: from 68.99.120.49 (EHLO dukecmmtar02.coxmail.com) (68.99.120.49) by mta170.mail.re4.yahoo.com with SMTP; Mon, 15 Dec 2008 21:15:46 -0800
Received: from creditunionaccess.com ([98.191.101.166]) by dukecmmtar02.coxmail.com (InterMail vM.6.01.06.05 201-2131-130-106-20070212) with ESMTP id <20081216051546.XOJQ18528.dukecmmtar02.coxmail.com@creditunionaccess.com> for <x@yahoo.com>; Tue, 16 Dec 2008 00:15:46 -0500
Reply-To: card@creditunionaccess.com
From: 
"Credit Union Access" <card@creditunionaccess.com> <card@creditunionaccess.com>  
To: x@yahoo.com
Subject: Account Status Alert
Date: 15 Dec 2008 22:15:45 -0700
Message-ID: <20081215221545.860840C6428CA82A@creditunionaccess.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Length: 788
 

Dear CU Member:

This is not a promotional e-mail. Please call us immediately at (877) 898-7930 regarding recent restriction placed on your account. We're available 24/7 to take your call.

Please disregard this e-mail if you've already call us since the date this e-mail was sent.

We appreciate your prompt attention to this matter.

Thank you
CU Fraud Prevention Security Department

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to nwrickert

Capital One vish

A vish for Capital One, at +1(315-235-1392)

said by mail body :
In our terms and contidions you have agreed to state that your
account must always be under your control or those you designate
at all times. We have noticed some activity related to your account that
indicates that order parties may have tried gaining access or control of your
information in your account.

Therefore, to prevent unauthorized access to your Capital One Bank
Internet Banking account,you are limited to five failed login attempts in
a 24-hour period. You have exceeded this number of attempts.*

To reactivate your debit card , please call: +1(315-235-1392)

Copyright Capital One Bank, All Rights Reserved.
Headers:
Return-Path: <service@capitalone.com>
Received: from southeasterngeothermal.com (mail.southeasterngeothermal.com [208.103.1.222])
        by mp.cs.niu.edu (8.14.3/8.14.3) with ESMTP id n022CGfj008721
        for <*munged*>; Thu, 1 Jan 2009 20:12:22 -0600 (CST)
Received: from User ([207.181.121.72]) by southeasterngeothermal.com with Microsoft SMTPSVC(6.0.3790.3959);
         Sun, 14 Dec 2008 10:08:29 -0500
Reply-To: <no-reply@capitalone.com>
From: "Capital One Services, Inc."<service@capitalone.com>
Subject: Important Member Service Information
Date: Sun, 14 Dec 2008 10:09:12 -0500
MIME-Version: 1.0
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <SOUTHEASTERNchAHrey000006c0@southeasterngeothermal.com>
X-OriginalArrivalTime: 14 Dec 2008 15:08:29.0486 (UTC) FILETIME=[D2673CE0:01C95DFD]
 

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to nwrickert

F & M Bank Express Online - vish at (641) 410 2293

said by vish body :
Dear F&M Bank customer,

We are hereby notifying you that we've recently suffered a phishing-Attack. Because we have registered too many frauds we suspended your account. For security reasons you must call us and provide the requested information so we can verify the integrity of your F&M ExpressOnline Banking account. If you fail to complete the verification in the next 24 hours your account will be blocked.

***************************************************

Call us at: +1 (641) 410 2293 and confirm your identity.

***************************************************

Note: The call is free of charge for you!

Please comply and thanks for understanding.

© 2009 F&M Bank

Headers:
Return-Path: <billing@myfmbank.com>
Received: from mail.tekonet.de (mail.tekonet.de [194.39.185.4])
        by mp.cs.niu.edu (8.14.3/8.14.3) with ESMTP id n070egAR027175
        for <munged@cs.niu.edu>; Tue, 6 Jan 2009 18:40:51 -0600 (CST)
Received: by mail.tekonet.de with MERCUR Mailserver (v5.00.19 MTA1LTI1NjQtNjQxNA==)
        for <munged@cs.niu.edu>; Tue, 6 Jan 2009 22:28:57 +0100
From: "F&M Bank"<billing@myfmbank.com>
Subject: [URGENT NOTICE] We've recently suffered a phishing-Attack
Date: Tue, 6 Jan 2009 16:56:25 -0500
MIME-Version: 1.0
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
To: <munged@cs.niu.edu>
Message-Id: <0901062228579700@mail.tekonet.de>
 

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to nwrickert

Re: [Phish] Paypal vish

Excerpt from vish:

Restore your account .
Please Call our Card Department at 0039-069-165-7836

Received: from mail.bccnews.us (mail.bccnews.us [208.70.72.115])
        by mp.cs.niu.edu (8.14.3/8.14.3) with ESMTP id n5HGYf0e029439
        for <munged@cs.niu.edu>; Wed, 17 Jun 2009 11:34:46 -0500 (CDT)
Received: from User [207.178.222.51] by mail.bccnews.us with ESMTP
  (SMTPD32-7.07) id A04A3D70040; Wed, 17 Jun 2009 07:40:10 -0700
From: "PayPal"<contact@ppas.com>
Subject: Notice.
Date: Wed, 17 Jun 2009 07:35:48 -0700
 

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.11

MGD
Premium,MVM
join:2002-07-31
kudos:9

said by nwrickert:

Excerpt from vish:

Restore your account .
Please Call our Card Department at 0039-069-165-7836

A foreign number perhaps? There are too many digits for it to be a US number.

MGD


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7

Yes, I assume foreign.

If I am reading it correctly, the "00" is a prefix for US callers, then the 39 is the international code for Italy.
--
AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11


MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

I thought it was Italy, then I wondered how low the IQ of a Phisher would have to be in order to think that a victim would make an international call to Italy to contact PayPal support.

I guess that must be the downside of dropping out of Phishing 101.

MGD


Rowan
Premium
join:2008-10-16
Longview, TX
reply to nwrickert

Re: [Phish] Telephone phishing thread

My SO has a new cell phone -- TWO DAYS OLD -- and has received 6 calls today (one per hour or so). The first few were "caller unknown", but the most recent call showed up as 877-648-0958. I've called that no. from another phone and I get 'invalid number'. They've left no messages, so not sure what they're up to, but Goog sez lots of other ppls are having this recent prob with this same no.

Just thought I'd report in.

~Rowan



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
reply to MGD

Re: [Phish] Paypal vish

Here's where he was routing the calls to
sip:cacat0099@proxy01.sipphone.com


NightVisor
Premium
join:2001-02-28
Rialto, CA

1 recommendation

reply to nwrickert

SMS sent to cell phone

From: 3736

Message:
customer.notification@visa.com / "Card Block Alert". To find out why you receive this alert call 1-877-245-1472. Thank you. /

What happens when I call that number?
"Your credit union has identified your account as having fraudulent entries and your credit card has been blocked. Please stay on the and a credit union security specialist will assist you."

*sounds of call being transferred*

"To assist you with your account, please enter your credit card number"

At that point, I hung up.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by NightVisor:

At that point, I hung up.
Wow! You're in a special class of people.
Off the top of my head I'll say less than 1 in a half million people who receive these respond to them.
Did you call out of irritation or were you initially unsure about the message?

NightVisor
Premium
join:2001-02-28
Rialto, CA

*deadpan* Define "special". *deadpan:end*

I wanted to see what the message hook was. I already knew it was a scam, but the number didn't show up in any search engines. Since this thread (the whole forum, actually) is regularly monitored by Google et al., might as well drop in the number and the message so if someone else searches, they'll find the info.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7

Good thinking. And thanks for posting.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to NightVisor

said by NightVisor:

*deadpan* Define "special". *deadpan:end*

"rare, uncommon, unique..."
in a complimentary way


Avelos

@qwest.net
reply to NightVisor

That's funny, I got the same text today. I noticed that it said receive instead of received after looking at it a couple of times. I didn't even bother calling, especially after that grammatical error. So then I googled (hah it's a verb) the 3878 text number and nothing showed up. Then I searched the message through google and found that people actually gave up their account information lol.


MGD
Premium,MVM
join:2002-07-31
kudos:9
reply to NightVisor

Your number must have been one of the first batches called. It has now shown up on several of the phone number websites:

»800notes.com/Phone.aspx/1-877-245-1472

»whocallsme.com/Phone-Number.aspx/8772451472

»www.callercomplaints.com/SearchR···245-1472

MGD



SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA

1 recommendation

reply to MGD

Re: SMS sent to cell phone

phishing MMS received on cell (t-mobile):

310@tmomail.net: We found a problem in your California account. Call urgently at (888) 666-9128

(Googling that number shows numerous similar messages)



SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA

Here's an interesting followup to this after checking my online bill in more detail. We have 4 lines on that account and not all numbers are adjacent. Still, all phones received the same text message literally within seconds of each other.

I called t-mobile to see if there are any security measures in place to possibly prevent such things in the future, similar to e.g. spam filters for e-mail.

I am curious if the target numbers were skimmed from the stolen t-mobile data.