[Phish] Telephone phishing thread Page 3

Author

All Replies

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

reply to nwrickert
Farmers State Bank

Submitted phish #31133 is really a voice/telephone vish for phone number (888) 687-5642.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1

to forum · permalink ·

· 2008-09-09 18:08:45 ·

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

reply to nwrickert
Salin Bank

The Salin Bank phish #31431 is really a voice/telephone vish for 1-800-681-2713.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1

to forum · permalink ·

· 2008-09-24 21:28:53 ·

Lizz
Premium
join:2002-10-22
Fullerton, CA

reply to nwrickert
Re: [Phish] Telephone phishing thread

From Merchants National Bank Mon Oct 6 11:00:37 2008
Return-Path: <info@merchantsnat.com>
Authentication-Results: mta102.sbc.mail.mud.yahoo.com from=merchantsnat.com; domainkeys=neutral (no sig)
Received: from 72.242.21.146 (EHLO flpi119.prodigy.net) (207.115.20.159) by mta102.sbc.mail.mud.yahoo.com with SMTP; Mon, 06 Oct 2008 11:13:20 -0700
Received: from russellmassey.com (server.russellmassey.com [72.242.21.146]) by flpi119.prodigy.net (8.13.8 inb regex/8.13.8) with ESMTP id m96IDFL3030348 for <xxxxx@pacbell.net>; Mon, 6 Oct 2008 11:13:19 -0700
Received: from User ([68.213.58.58]) by russellmassey.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 6 Oct 2008 14:00:37 -0400
From: 
"Merchants National Bank"<info@merchantsnat.com> 
Add sender to Contacts
Subject: MNB - Fraud Alert
Date: Mon, 6 Oct 2008 13:00:37 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc: 
Message-ID: <SERVERYYclEohn9Nhkr00005660@russellmassey.com>
Content-Length: 876
Compact Headers
 
ADVISORY: Some members and non-members of Merchants National Bank have received fraudulent emails.
 
This email was NOT issued by Merchants National Bank, and should be deleted.
 
Do not follow the instructions in the email. Do not click the link.
 
For security reasons we have deactivated your debit card.
 
Please contact us at (888) 425-2294 to activate your debit card.

to forum · permalink ·

· 2008-10-06 15:41:31 ·

Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

·AT&T U-Verse

reply to nwrickert
American National Bank Of Texas:

Return-Path: <memberservice@anbtx.com>
Authentication-Results: mta230.mail.re4.yahoo.com from=anbtx.com; domainkeys=neutral (no sig)
Received: from 67.79.177.26 (EHLO wsrv1.wiringtech.local) (67.79.177.26) by mta230.mail.re4.yahoo.com with SMTP; Tue, 14 Oct 2008 04:10:11 -0700
Received: from User ([68.191.184.90]) by wsrv1.wiringtech.local with Microsoft SMTPSVC(6.0.3790.3959); Tue, 14 Oct 2008 07:04:42 -0400
Reply-To: <no-reply@anbtx.com>
From: 
"American National Bank of Texas"<memberservice@anbtx.com> 
 
Subject: Important Notification
Date: Tue, 14 Oct 2008 06:06:31 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc: 
Return-Path: memberservice@anbtx.com
Message-ID: <WSRV1zmtlefFc8gc4aR00004b9c@wsrv1.wiringtech.local>
Content-Length: 670
 
In our terms and contidions you have agreed to state that your
account must always be under your control or those you designate
at all times. We have noticed some activity related to your account that
indicates that order parties may have tried gaining access or control of your
information in your account.
 
Therefore, to prevent unauthorized access to your American National Bank of Texas
Internet Banking account,you are limited to five failed login attempts in
a 24-hour period. You have exceeded this number of attempts.*
 
To reactivate your debit card , please call: +1(805-617-4170)
 
Copyright © 2008 American National Bank of Texas. All rights reserved.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

to forum · permalink ·

· 2008-10-14 17:31:47 ·

Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

·AT&T U-Verse

reply to nwrickert
Two more from ANB Texas, with a different phone number:

Return-Path: <suspended@anbtx.com>
Authentication-Results: mta244.mail.re2.yahoo.com from=anbtx.com; domainkeys=neutral (no sig)
Received: from 216.126.204.132 (EHLO mail.acninc.net) (216.126.204.132) by mta244.mail.re2.yahoo.com with SMTP; Tue, 14 Oct 2008 15:02:07 -0700
Received: from User [208.69.57.85] by mail.acninc.net with ESMTP (SMTPD32-8.15) id A4F9581009C; Tue, 14 Oct 2008 14:45:45 -0600
Reply-To: <suspended@anbtx.com>
From: 
"American National Bank of Texas"<suspended@anbtx.com> 
 
Subject: Important Member Service Information !
Date: Tue, 14 Oct 2008 16:45:43 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Message-Id: <200810141445360.SM01716@User>
Content-Length: 688
 
Dear Customer,
 
In our terms and contidions you have agreed to state that your
account must always be under your control or those you designate
at all times. We have noticed some activity related to your account that
indicates that order parties may have tried gaining access or control of your
information in your account.
 
Therefore, to prevent unauthorized access to your American National Bank of Texas
Internet Banking account,you are limited to five failed login attempts in
a 24-hour period. You have exceeded this number of attempts.*
 
To reactivate your debit card , please call: +1(804-684-8586)
 
Copyright © 2008 American National Bank of Texas. All Rights Reserved.

Second message has the same phone number and message body,
but different headers:

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

to forum · permalink ·

· 2008-10-14 21:07:26 ·

Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

·AT&T U-Verse

reply to nwrickert
One from Uniter Heritage Credit Union:

Return-Path: <service@uhcu.org>
Authentication-Results: mta435.mail.mud.yahoo.com from=uhcu.org; domainkeys=neutral (no sig)
Received: from 194.116.199.143 (EHLO thb-mta-05.emailfiltering.com) (194.116.199.143) by mta435.mail.mud.yahoo.com with SMTP; Wed, 15 Oct 2008 03:34:41 -0700
Received: from host217-41-113-124.in-addr.btopenworld.com ([217.41.113.124]) by thb-mta-05.emailfiltering.com with emfmta (version 3.6.5.44.1.r-3.2.3-libc2.3.2) vanilla id 3044468324 ; Wed, 15 Oct 2008 11:34:40 +0100
Received: from User ([68.191.184.90]) by mail.bbs.eu.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 15 Oct 2008 11:33:10 +0100
Reply-To: <no-reply@uhcu.org>
From: 
"United Heritage C.U"<service@uhcu.org> 
 
Subject: Important Member Service Information !
Date: Wed, 15 Oct 2008 05:34:39 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc: 
Return-Path: service@uhcu.org
Message-ID: <BBS-SVR01R4T3XJVVfA00001c3e@mail.bbs.eu.com>
Content-Length: 735
 
Dear Member:
 
According to our clients needs United Heritage Credit Union is currently launching a new
security system that will improve the level of member service we can provide.
 
We strongly urge that all our members need to update their credit card within
the next 48 hours, so we can add them to our new database.
 
To start the update process call us now on our service number : +1(818) 824 4009
 
Sorry for any inconvenience this may cause!
 
Sincerely,
Jenny Laudadio
Marketing director, United Heritage Credit Union.
 
---------------------------------------------------------------------------------- --
Scanned by BBS MessageAngel for viruses and unwanted content.
Powered by emailsystems. Visit www.bbs.eu.com/messageangel

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

to forum · permalink ·

· 2008-10-15 07:12:24 ·

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

·AT&T U-Verse

·AT&T Midwest

reply to nwrickert
Resource bank. Phone number is 815-981-4765

Return-Path: accounts@resourcebank.com
Delivery-Date: Tue, 04 Nov 2008 07:57:29 -0600
Received: from mail.nelsonmazda.com (mail.nelsonmazda.com [68.99.76.194])
 by mp.cs.niu.edu (8.14.3/8.14.3) with ESMTP id mA4DvN65018274
 for <munged@cs.niu.edu>; Tue, 4 Nov 2008 07:57:28 -0600 (CST)
Received: from User ([142.176.87.114]) by mail.nelsonmazda.com with Microsoft SMTPSVC(6.0.3790.3959);
 Tue, 4 Nov 2008 08:01:57 -0600
Reply-To: <do-not-reply@resourcebank.com>
From: "Resource Bank"<accounts@resourcebank.com>
Subject: Notice
Date: Tue, 4 Nov 2008 09:56:07 -0400
MIME-Version: 1.0
Content-Type: text/html;
 charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <NAGMAILZkfzDskqC5Et000000cd@mail.nelsonmazda.com>
X-OriginalArrivalTime: 04 Nov 2008 14:01:57.0348 (UTC) FILETIME=[E6615240:01C93E85]
 
<html>
 
<head>
<meta http-equiv="Content-Language" content="en-gb">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Resource Bank</title>
</head>
 
<body>
 

&nbsp; Dear Customer, 
&nbsp; Resource Bank 
temporarily suspended your account. 
&nbsp;&nbsp;Reason: Security Issues. 
&nbsp;&nbsp;We need you to complete an account update so we can unlock your account. 
&nbsp;
&nbsp; To start the update 
process 
call at the 
following number : 815-981-4765
&nbsp; 

 
&nbsp;&nbsp;The information provided will be treated in confidence and stored in our 
secure database. 
&nbsp;
<div class="copyright" align="left">
 &nbsp;&nbsp; Copyright <A9> Resource Bank. All Rights Reserved</div>
 
</body>
 
</html>

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.3

to forum · permalink ·

· 2008-11-04 13:55:27 ·

DC DSL
Stays crunchy even in milk
Premium
join:2000-07-30
Washington, DC

·Covad Communications

·Verizon Online DSL

reply to nwrickert
877-214-0565 - Community Financial Members Federal Credit Union

The message:

ADVISORY: Some members and non-members of Community Financial Members Federal Credit Union have received fraudulent emails. This email was NOT issued by Community Financial Members Federal Credit Union, and should be deleted. Do not follow the instructions in the email. Do not click the link. For security reasons we have deactivated your debit card. Please call our toll-free hotline at (877) 214-0565 to activate your debit card.

Headers:

It's so touching how much they care for "members and non-members" alike, and have deactivated my debit card for me!

Frickin morons...they couldn't even send well-formed HTML!

--
There is no giant fur-bearing trout.

to forum · permalink ·

· 2008-11-19 07:03:47 ·

Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

·AT&T U-Verse

reply to nwrickert
Re: [Phish] Telephone phishing thread

800-523-8103 Capital One

Sent to my mother's Yahoo email. Only thing changed is the first part of the To: address

Return-Path: <mailout04@westnotificationsgroup.com>
Authentication-Results: mta198.mail.ac4.yahoo.com from=; domainkeys=neutral (no sig)
Received: from 208.34.106.236 (EHLO vocal-net.net) (208.34.106.236) by mta198.mail.ac4.yahoo.com with SMTP; Thu, 27 Nov 2008 23:35:42 -0800
Received: from westnotificationsgroup.com (unverified [72.54.106.166]) by ntvop4.netaccnt.net (Vircom SMTPRS 4.5.654.13) with ESMTP id <B0142103054@ntvop4.netaccnt.net> for <nataleemorse@yahoo.com>; Fri, 28 Nov 2008 02:10:33 -0500
From: 
"Capital One" <service@capitaone.com> <216.57.96.8 (HELO mailout04.westnotificationsgroup.com)> 
 
To: x@yahoo.com
Subject: Capital One Alert: Irregular Credit Card Activity
Date: 28 Nov 2008 00:13:11 -0700
Message-ID: <20081128001311.B0F742BDBB2F8318@capitaone.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Length: 3634
 
Irregular Credit Card Activity
 
Account: Capital One® credit card
Date: 11/28/2008
 
We detected irregular activity on your Capital One® credit card on 11/28/2008. For your protection, you must verify this activity before you can continue using your card.
 
Please call us immediately at 1-800-523-8103 or collect using the number listed on the back of your card. We will review the activity on your account with you and upon verification, we will remove any restrictions placed on your account.
 
 
 
Important Information from Capital One
 
Contact Us | Privacy
 
This e-mail was sent to you and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.
 
The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances.
 
Capital One and its service providers are committed to protecting your privacy and ask you not to send sensitive account information through e-mail. If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail.
 
©2008 Capital One. Capital One is a federally registered service mark. All rights reserved. 15000 Capital One Drive, Attn: 12038-0111, Richmond, Virginia 23238. To contact us by mail, please use the following address: Capital One, PO Box 30285, Salt Lake City, Utah 84130-0285.
 
09860 023 001

The attached logo is the one the phisher used. They left off "what's in your wallet?", which normally is positioned beginning right below the 'One' part of the name.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

to forum · permalink ·

· 2008-11-28 04:36:53 ·

Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

·AT&T U-Verse

reply to nwrickert

U.S. Bank telephone phish (there were two of these, with the same image and telephone number):

#1:

Return-Path: <rtkxxo@yahoo.com>
Authentication-Results: mta569.mail.mud.yahoo.com from=; domainkeys=neutral (no sig)
Received: from 68.230.240.9 (EHLO eastrmmtao103.cox.net) (68.230.240.9) by mta569.mail.mud.yahoo.com with SMTP; Tue, 09 Dec 2008 16:10:50 -0800
Received: from eastrmimpo03.cox.net ([68.1.16.126]) by eastrmmtao103.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20081210001049.DUTA18445.eastrmmtao103.cox.net@eastrmimpo03.cox.net>; Tue, 9 Dec 2008 19:10:49 -0500
Received: from User ([70.187.22.254]) by eastrmimpo03.cox.net with bizsmtp id pCAj1a0085Uvfce02CAkUW; Tue, 09 Dec 2008 19:10:48 -0500 a=gMMwTlpgCVsA:10 a=nDDMXIyUaCkA:10 a=oJL9TIRMo0YA:10 a=HWowFZCwAAAA:8 a=6VBaUAmcAAAA:8 a=vzUeNKtdRj-0HKc1hJIA:9
Reply-To: rtkxxo@yahoo.com
From: 
U.S. Bank<rtkxxo@yahoo.com> 
Subject: Multiple password failures ! Please call our 24-hours Security Department
Date: Wed, 10 Dec 2008 01:14:07 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Message-Id: <20081210001049.DUTA18445.eastrmmtao103.cox.net@eastrmimpo03.cox.net>
Content-Length: 173

Return-Path: <dsmxzu@yahoo.com>
Authentication-Results: mta149.mail.re1.yahoo.com from=; domainkeys=neutral (no sig)
Received: from 68.230.240.13 (EHLO eastrmmtai106.cox.net) (68.230.240.13) by mta149.mail.re1.yahoo.com with SMTP; Tue, 09 Dec 2008 15:16:23 -0800
Received: from eastrmimpo03.cox.net ([68.1.16.126]) by eastrmmtao107.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20081209231458.FIYS4842.eastrmmtao107.cox.net@eastrmimpo03.cox.net>; Tue, 9 Dec 2008 18:14:58 -0500
Received: from User ([70.188.140.60]) by eastrmimpo03.cox.net with bizsmtp id pBEt1a00K1JP2Ge02BEuhr; Tue, 09 Dec 2008 18:14:58 -0500 a=gMMwTlpgCVsA:10 a=5a7zk8gS10wA:10 a=oJL9TIRMo0YA:10 a=HWowFZCwAAAA:8 a=6VBaUAmcAAAA:8 a=vzUeNKtdRj-0HKc1hJIA:9
Reply-To: dsmxzu@yahoo.com
From: 
U.S. Bank<dsmxzu@yahoo.com> 
Subject: Multiple password failures ! Please call our 24-hours Security Department
Date: Wed, 10 Dec 2008 00:18:17 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Message-Id: <20081209231458.FIYS4842.eastrmmtao107.cox.net@eastrmimpo03.cox.net>
Content-Length: 173

The body of the email is an image only (the screenshot above). It is clickable, but appears to lead to the real U.S. Bank website.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

to forum · permalink ·

· 2008-12-09 23:03:39 ·

Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

·AT&T U-Verse

reply to nwrickert
Credit Union Access:

Dear CU Member:

This is not a promotional e-mail. Please call us immediately at (877) 898-7930 regarding recent restriction placed on your account. We're available 24/7 to take your call.

Please disregard this e-mail if you've already call us since the date this e-mail was sent.

We appreciate your prompt attention to this matter.

Thank you
CU Fraud Prevention Security Department

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

to forum · permalink ·

· 2008-12-16 10:16:29 ·

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

·AT&T U-Verse

·AT&T Midwest

reply to nwrickert
Capital One vish

A vish for Capital One, at +1(315-235-1392)

said by mail body :
In our terms and contidions you have agreed to state that your
account must always be under your control or those you designate
at all times. We have noticed some activity related to your account that
indicates that order parties may have tried gaining access or control of your
information in your account.

Therefore, to prevent unauthorized access to your Capital One Bank
Internet Banking account,you are limited to five failed login attempts in
a 24-hour period. You have exceeded this number of attempts.*

To reactivate your debit card , please call: +1(315-235-1392)

Copyright Capital One Bank, All Rights Reserved.

Headers:

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5

to forum · permalink ·

· 2009-01-01 21:19:36 ·

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

·AT&T U-Verse

·AT&T Midwest

reply to nwrickert
F & M Bank Express Online - vish at (641) 410 2293

said by vish body :
Dear F&M Bank customer,

We are hereby notifying you that we've recently suffered a phishing-Attack. Beca
use we have registered too many frauds we suspended your account. For security r
easons you must call us and provide the requested information so we can verify t
he integrity of your F&M ExpressOnline Banking account. If you fail to complete
the verification in the next 24 hours your account will be blocked.

***************************************************

Call us at: +1 (641) 410 2293 and confirm your identity.

***************************************************

Note: The call is free of charge for you!

Please comply and thanks for understanding.

\251 2009 F&M Bank

Headers:

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5

to forum · permalink ·

· 2009-01-06 20:13:52 ·

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

·AT&T U-Verse

·AT&T Midwest

reply to nwrickert
Re: [Phish] Paypal vish

Excerpt from vish:

Restore your account .
Please Call our Card Department at 0039-069-165-7836

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.11

to forum · permalink ·

· 2009-06-17 17:43:10 ·

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

said by nwrickert

:

Excerpt from vish:

Restore your account .
Please Call our Card Department at 0039-069-165-7836

A foreign number perhaps ?, there are too many digits for it to be a US number

MGD

to forum · permalink ·

· 2009-06-22 19:26:00 ·

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

Yes, I assume foreign.

If I am reading it correctly, the "00" is a prefix for US callers, then the 39 is the international code for Italy.
--
AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11

to forum · permalink ·

· 2009-06-22 19:57:45 ·

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

I thought it was Italy, then I wondered how low the IQ of a Phisher would have to be in order to think that a victim would make an international call to Italy to contact PayPal support.

I guess that must be the downside of dropping out of Phishing 101.

MGD

to forum · permalink ·

· 2009-06-22 21:34:40 ·

Rowan
Premium
join:2008-10-16
Longview, TX

reply to nwrickert
Re: [Phish] Telephone phishing thread

My SO has a new cell phone -- TWO DAYS OLD -- and has received 6 calls today (one per hour or so). The first few were "caller unknown", but the most recent call showed up as 877-648-0958. I've called that no. from another phone and I get 'invalid number'. They've left no messages, so not sure what they're up to, but Goog sez lots of other ppls are having this recent prob with this same no.

Just thought I'd report in.

~Rowan

to forum · permalink ·

· 2009-06-24 20:53:33 ·

SnowyOne
Premium
join:2003-04-05
Kailua, HI

reply to MGD
Re: [Phish] Paypal vish

Here's where he was routing the calls to
sip:cacat0099@proxy01.sipphone.com

to forum · permalink ·

· 2009-06-27 09:15:20 ·


Tuesday, 24-Nov 12:09:13	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF