gsm8
join:2004-09-29
Renton, WA
 ·Comcast
1 edit | irs refund
I got this which is funny because I got my refund allready  :
Internal Revenue Service
reply-toaccess@irs.guv,
to
dateTue, May 13, 2008 at 1:16 PM
subjectUnited States Department of the Treasury.
Tax Notification
Internal Revenue Service (IRS)
United States Department of the Treasury
After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.
Please submit the tax refund request and allow us
6-9 days in order to process it.
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.
To access the form for your tax refund, click here hxxp://212.0.147.105/tax.html.
Regards,
Internal Revenue Service
Document Reference: (92054568 |
|
voogru
join:2001-07-22
| 212.0.147.105 = [ ]
(Asked whois.afrinic.net:43 about 212.0.147.105)
inetnum: 212.0.147.96 - 212.0.147.111
netname: MAZAR-INT
descr: Mazar Int Co.LTD
country: SD
admin-c: AEEA1-AFRINIC
tech-c: MAA2-AFRINIC
tech-c: MAA3-AFRINIC
status: ASSIGNED PA
mnt-lower: MNT-HIBA
mnt-by: SUDATEL-MNT
source: AFRINIC Filtered
parent: 212.0.128.0 - 212.0.159.255
person: Abd Elrahim Elshekh Ahmed
address: Sudan - Khartoum
phone: 249 183 783315
e-mail: a_daboura@hotmail.com
fax-no: 249 183 770366
nic-hdl: AEEA1-AFRINIC
source: AFRINIC Filtered
person: Mohammed Ahmed Abbas
address: Sudan - Khartoum
phone: 249 9226 52660
e-mail: Eng.abbas41@gmail.com
fax-no: 249 183 770366
nic-hdl: MAA2-AFRINIC
source: AFRINIC Filtered
person: Marwa Abdelhameed Ahmed
address: Sudan - Khartoum
phone: 249 9122 92048
e-mail: marwa_16@hotmail.com
fax-no: 249 183 770366
nic-hdl: MAA3-AFRINIC
source: AFRINIC Filtered |
|
Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
clubs:
| reply to gsm8
Bad Phish.  |
|
ptrowski
Got Helix?
Premium
join:2005-03-14
Putnam, CT
clubs: | I had one sent to me that went to squidworx.com that looked decent. |
|
Kibbles
Premium
join:1999-07-31
Mission Viejo, CA
| reply to Doctor Olds
Wow...it actually asks for the PIN ?
I wonder how many have actually filled the form?
--
»www.angryrenter.com/ |
|
SmokChsr
Who let the magic smoke out?
Premium
join:2006-03-17
Saint Augustine, FL | reply to gsm8
I just received one of these and is wanted to go to..
»www.autotutto.com/www.irs.gov/index.htm |
|
Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
clubs:
|
Another bad phish.  |
|
Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
 ·AT&T U-Verse
1 edit | reply to gsm8
My mom got one of these in her Yahoo email that Phishtracker
could not decode because the URL was obfuscated into hex:
Tax Notification
Internal Revenue Service (IRS)
United States Department of the Treasury
After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.
Please submit the tax refund request and allow us
6-9 days in order to process it.
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.
To access the form for your tax refund, click here.
Regards,
Internal Revenue Service
Document Reference: (92054568).
The link leads to: hxxp://0xd327a4dc/usage.html, which
converts to 211.39.164.220 (ignoring the 0x at the
beginning). The original URL leads to a spammy search
page at searchportal.information.com (which appears to be
in the MVPS hosts file).
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
|
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL | The link leads to: hxxp://0xd327a4dc/usage.html That seems to be the same as phish #28259
It appears to have been taken down.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.14 |
|
ropeguru
Premium
join:2001-01-25
Bridgeport, WV
clubs:
 ·VOIPo
1 edit | reply to gsm8
Looks like they have moved servers??
hxxp://nol2.nol.com.my/sorinel/.secure/.service/.form/refund.php
Which redirects to:
hxxp://www.belleitaliatours.com/main/components/com_jce/secure/online_form/www.irs.gov/0,,id=96596,00.html
Got this one this morning.
Headers for email. Serverpronto is my email server.
Received: from mail.saccocarpet.com (static-71-249-214-220.nycmny.east.verizon.net [71.249.214.220])
by sp2919c.serverpronto.com (8.13.8/8.13.8) with ESMTP id m57D7pGO008575
for ; Sat, 7 Jun 2008 09:07:52 -0400
Received: from User ([75.91.72.59]) by mail.saccocarpet.com with Microsoft SMTPSVC(6.0.3790.3959); |
|
Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
clubs:
4 edits | Main Page:
Inputs Page 1:
Inputs Page 2:
This one (1) above is currently up and so far has not been reported enough like the other two (2) previous addresses which triggers in Firefox to show the Phish Warning Overlay.
Did you read the notes there? LOL
said by scammers :
Note:
▪ For security reasons, we will record your ip-address and date.
▪ Deliberate wrong inputs are criminally pursued and indicted.
I double-dog dare them to try to indicted me. LOL The Fools. Off to enter "wrong inputs" now. 
UPDATE: Looks like they are MIA LOL
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time? |
|
