
nwrickert
Mod
join:2004-09-04
Geneva, IL

[Phish] Telephone phishing thread

I am hoping this can be made a sticky thread for reporting telephone phishing (includes vishing - voice phish as well as fax phish).

Note that ordinary phishes should be reported to »/phishtrack rather than here.

nwrickert

Mod

Fax phish - 914-293-2651 (paypal)

Excerpts from phish:
Your account access will be limited if in less than 48 hours we do not receive the fax with the information asked.
# (Your case ID for this reason is PP-136-124-102.)
and
Please send us all of the following information so we can verify your identity with our records. (we require a fax in less than 48 hours)

1) Photocopy of a government-issued photo identification (identity card or passport)
2) Photocopy of your credit card (front and back side are required)

Please be informed that the photocopies must be specific and readable otherwise they will not be taken in consideration.

Please send us only one fax message that will contain all the photocopies required.

Please send us the information requested to the fax number or address below.

Faxing from US: 914-293-2651
Faxing from outside US: +1 914-293-2651
Excerpt from mail headers:
Received: from hs16.order-vault.net (ftp.hs16.order-vault.net [65.18.148.238])
        by mp.cs.niu.edu (8.14.2/8.14.2) with ESMTP id m1PKWmoK022961
        (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT);
        Mon, 25 Feb 2008 14:32:51 -0600 (CST)
Received: from User ([74.8.99.49])
        (authenticated (0 bits))
        by hs16.order-vault.net (8.11.6/8.11.6) with ESMTP id m1PKVwS20195;
        Mon, 25 Feb 2008 15:31:58 -0500
 

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy to nwrickert

Re: [Phish] Telephone phishing thread

said by nwrickert:

I am hoping this can be made a sticky thread for reporting telephone phishing (includes vishing - voice phish as well as fax phish).

Agreed.

Kibbles
Premium Member
join:1999-07-31
Mission Viejo, CA

Kibbles to nwrickert

Would you get in trouble if you faxed an FBI cover sheet?
Looks like the call goes to NY...or is that forwarded somewhere else?

nwrickert
Mod
join:2004-09-04
Geneva, IL


I would guess it might be a VOIP number, in which case it could be anywhere.

removed
Premium Member
join:2002-02-08
Houston, TX

removed to nwrickert

Hope these are useful to someone...

February 21:
quote:
Visa ATM/Check Card Deactivation
Message from: Customer Service
Date: 02/21/2008

We detected irregular activity on your Gesa ATM/Check Card on 02/20/2008.

For your protection we have had to suspend any future authorizations
being conducted with your Gesa Visa ATM/Check Card.

For your security we have deactivate your card.

How to activate/re-activate your card ?

You may stop by your branch or call our Activation Center.

Activation Center: (509) 210-4256 (24 Hour Line)

Headers:
Return-path: <gesa@accountsecurity.com>
Envelope-to: gumu@removed.us
Delivery-date: Thu, 21 Feb 2008 14:33:59 -0500
Received: from mail.netafrique.com ([63.219.177.34]:3983 helo=MC100814)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <gesa@accountsecurity.com>)
id 1JSHB5-0000Hc-0J
for gumu@removed.us; Thu, 21 Feb 2008 14:33:58 -0500
Received: from 66-52-78-214.jklmail.com [66.52.78.214] by MC100814 with SMTP;
   Thu, 21 Feb 2008 14:34:28 -0500
Reply-To: <noreply@gesa.com>
From: "Gesa Credit Union"<gesa@accountsecurity.com>
Subject: SECURITY ALERT!
Date: Thu, 21 Feb 2008 11:30:32 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="koi8-u"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam-Subject: ***SPAM*** SECURITY ALERT!
X-Spam-Status: Yes, score=10.6
X-Spam-Score: 106
X-Spam-Bar: ++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Visa ATM/Check Card Deactivation Message from: Customer Service
Date: 02/21/2008 We detected irregular activity on your Gesa ATM/Check Card
on 02/20/2008. For your protection we have had to suspend any future authorizations
being conducted with your Gesa Visa ATM/Check Card. [...] 
Content analysis details:   (10.6 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
0.0 MISSING_MID            Missing Message-Id: header
2.1 SUBJ_ALL_CAPS          Subject is all capitals
1.3 MISSING_HEADERS        Missing To: header
1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
[score: 0.7967]
0.0 HTML_MESSAGE           BODY: HTML included in message
1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
1.5 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 
removed

Premium Member

February 20:
quote:
Dear customer,

Due to recent online fraud, all cardholders are required to contact our Town North Bank, Security Departament at our total free number : 972-546-0398

Contacting this number will enable us to monitor your account closely, and suspend it as soon as we notice any fraudulent activity.

CONTACTING THIS NUMBER IS MANDATORY, OR YOUR CARD WILL BE CONSIDERED A SECURITY RISK AND IT WILL BE BLOCKED FROM ONLINE USAGE !

Please DO NOT reply to any emails asking for sensitive information, as many of our customers have been frauded for considerable ammounts of money.
If you receive any type of email please report it immediately !

Please note the total free number : +1 972-546-0398

Town North Bank Security Departamanet ,
PO Box 814810
Dallas, Texas 75381-4810

Headers:
Return-path: <security@townnorthbank.com>
Envelope-to: gumu@removed.us
Delivery-date: Wed, 20 Feb 2008 07:44:37 -0500
Received: from host74.host74-server.com ([66.49.248.230]:46981)
by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.68)
(envelope-from <security@townnorthbank.com>)
id 1JRoJN-0002Qe-Ew
for gumu@removed.us; Wed, 20 Feb 2008 07:44:37 -0500
Received: from User (ev1s-209-62-3-50.ev1servers.net [209.62.3.50] (may be forged))
(authenticated bits=0)
by host74.host74-server.com (8.12.11/8.12.11) with ESMTP id m1KCiNY4010269;
Wed, 20 Feb 2008 07:44:24 -0500
Message-Id: <200802201244.m1KCiNY4010269@host74.host74-server.com>
From: "Town North Bank"<security@townnorthbank.com>
Subject: Urgent Notification
Date: Wed, 20 Feb 2008 06:44:22 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam-Subject: ***SPAM*** Urgent Notification
X-Spam-Status: Yes, score=11.0
X-Spam-Score: 110
X-Spam-Bar: +++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear customer, Due to recent online fraud, all cardholders
are required to contact our Town North Bank, Security Departament at our
total free number : 972-546-0398 Contacting this number will enable us to
monitor your account closely, and suspend it as soon as we notice any fraudulent
activity. [...] 
Content analysis details:   (11.0 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
2.8 TVD_PH_SUBJ_URGENT     TVD_PH_SUBJ_URGENT
1.3 MISSING_HEADERS        Missing To: header
3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
[score: 0.9726]
0.8 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 
removed

Premium Member

February 19:
quote:
Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 847-481-8194

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 847-481-8194

Copyright © VISA Debit Card, All Rights Reserved
Headers:
Return-path: <debit@visa.com>
Envelope-to: gumu@removed.us
Delivery-date: Tue, 19 Feb 2008 12:32:34 -0500
Received: from host101.host101-server.com ([66.49.199.16]:56250)
by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.68)
(envelope-from <debit@visa.com>)
id 1JRWKV-0001Me-9y
for gumu@removed.us; Tue, 19 Feb 2008 12:32:34 -0500
Received: from User (playa-capital74.ucn.net [63.110.44.74] (may be forged))
(authenticated bits=0)
by host101.host101-server.com (8.12.10/8.12.10) with ESMTP id m1JHWAmb003323;
Tue, 19 Feb 2008 12:32:12 -0500
Message-Id: <200802191732.m1JHWAmb003323@host101.host101-server.com>
From: "VISA Debit Card"<debit@visa.com>
Subject: Urgent Notification
Date: Tue, 19 Feb 2008 09:36:34 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by host101.host101-server.com id m1JHWAmb003323
X-Spam-Subject: ***SPAM*** Urgent Notification
X-Spam-Status: Yes, score=10.0
X-Spam-Score: 100
X-Spam-Bar: ++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear Customer, VISA Debit Card , Security Departament temporarily
suspended your account. Reason: Fraud Atempts We require you to complete
an account update so we can unlock your account. [...] 
Content analysis details:   (10.0 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
2.8 TVD_PH_SUBJ_URGENT     TVD_PH_SUBJ_URGENT
1.3 MISSING_HEADERS        Missing To: header
2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
[score: 0.9225]
0.8 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 
removed

Premium Member

February 13:
quote:
Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 805-203-4523

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 805-203-4523

Copyright © VISA Debit Card, All Rights Reserved

Headers:
Return-path: <debit@visa.com>
Envelope-to: gumu@removed.us
Delivery-date: Wed, 13 Feb 2008 11:42:35 -0500
Received: from host50-server.com ([66.49.136.205]:42309 helo=host50.host50-server.com)
by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.68)
(envelope-from <debit@visa.com>)
id 1JPKgp-0007YL-VN
for gumu@removed.us; Wed, 13 Feb 2008 11:42:35 -0500
Received: from User (host-209-174-182-70.champaignschools.org [209.174.182.70] (may be forged))
(authenticated bits=0)
by host50.host50-server.com (8.12.10/8.12.10) with ESMTP id m1DGl9M4002562;
Wed, 13 Feb 2008 11:47:09 -0500
Message-Id: <200802131647.m1DGl9M4002562@host50.host50-server.com>
Reply-To: <debit@visa.com>
From: "VISA Debit Cards"<debit@visa.com>
Subject: Urgent Notification
Date: Wed, 13 Feb 2008 10:45:05 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by host50.host50-server.com id m1DGl9M4002562
X-Spam-Subject: ***SPAM*** Urgent Notification
X-Spam-Status: Yes, score=11.0
X-Spam-Score: 110
X-Spam-Bar: +++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear Customer, VISA Debit Card , Security Departament temporarily
suspended your account. Reason: Fraud Atempts We require you to complete
an account update so we can unlock your account. [...] 
Content analysis details:   (11.0 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
2.8 TVD_PH_SUBJ_URGENT     TVD_PH_SUBJ_URGENT
1.3 MISSING_HEADERS        Missing To: header
3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
[score: 0.9858]
0.8 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 
removed

Premium Member

February 4:
quote:
Dear Empire Bank Cardholder,

We detected irregular activity on your debit/credit card on 02/03/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Empire Bank is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 929-3209 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

Member FDIC · Equal Housing Lender· © 2007 Empire Bank
Headers:
Return-path: <gribble.dale+caf_=gumu=removed.us@gmail.com>
Envelope-to: gumu@removed.us
Delivery-date: Mon, 04 Feb 2008 10:49:54 -0500
Received: from ug-out-1314.google.com ([66.249.92.168]:31498)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <gribble.dale+caf_=gumu=removed.us@gmail.com>)
id 1JM3Zu-0001UP-Ow
for gumu@removed.us; Mon, 04 Feb 2008 10:49:54 -0500
Received: by ug-out-1314.google.com with SMTP id q2so17805uge.50
        for <gumu@removed.us>; Mon, 04 Feb 2008 07:49:49 -0800 (PST)
Received: by 10.78.162.4 with SMTP id k4mr12433546hue.66.1202140188297;
        Mon, 04 Feb 2008 07:49:48 -0800 (PST)
X-Forwarded-To: gumu@removed.us
X-Forwarded-For: gribble.dale@gmail.com gumu@removed.us
Delivered-To: gribble.dale@gmail.com
Received: by 10.78.156.16 with SMTP id d16cs104683hue;
        Mon, 4 Feb 2008 07:49:46 -0800 (PST)
Received: by 10.78.137.7 with SMTP id k7mr12431855hud.68.1202140185490;
        Mon, 04 Feb 2008 07:49:45 -0800 (PST)
Received: from centralfloridafair.com (cfsvr1.centralfloridafair.com [64.90.0.1])
        by mx.google.com with ESMTP id p25si1948067hub.29.2008.02.04.07.49.44;
        Mon, 04 Feb 2008 07:49:45 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning info@empirebank.com does not designate 64.90.0.1 as permitted sender) client-ip=64.90.0.1;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning info@empirebank.com does not designate 64.90.0.1 as permitted sender) smtp.mail=info@empirebank.com
Received: from User ([64.62.123.42]) by centralfloridafair.com with Microsoft SMTPSVC(6.0.3790.3959);
 Mon, 4 Feb 2008 10:43:42 -0500
From: "Empire Bank"<info@empirebank.com>
Subject: Irregular Check Card Activity
Date: Mon, 4 Feb 2008 07:48:39 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <CFSVR14Ogddu5qE8DzH0000178c@centralfloridafair.com>
X-OriginalArrivalTime: 04 Feb 2008 15:43:42.0656 (UTC) FILETIME=[B83DE400:01C86744]
X-Spam-Subject: ***SPAM*** Irregular Check Card Activity
X-Spam-Status: Yes, score=11.9
X-Spam-Score: 119
X-Spam-Bar: +++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear Empire Bank Cardholder, We detected irregular activity
on your debit/credit card on 02/03/2008. For your security, your online banking
profile has been locked due to inactivity or because of too many failed login
attempts. [...] 
Content analysis details:   (11.9 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
-0.0 SPF_PASS               SPF: sender matches SPF record
1.3 MISSING_HEADERS        Missing To: header
2.5 HTML_IMAGE_ONLY_12     BODY: HTML: images with 800-1200 bytes of words
0.0 HTML_MESSAGE           BODY: HTML included in message
1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 
removed

Premium Member

January 23:
quote:
Dear Cardholder,

We detected irregular activity on your debit card on 01/22/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

To reactivate your account, you must contact us at (800) 564-9401 and fallow the instructions .

Copyright © National Credit Union Administration .

Headers:
Return-path: <support@ncua.gov>
Envelope-to: gumu@removed.us
Delivery-date: Wed, 23 Jan 2008 23:57:11 -0500
Received: from adsl-75-41-76-14.dsl.chcgil.sbcglobal.net ([75.41.76.14]:6758 helo=emailserver.nmct.net)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <support@ncua.gov>)
id 1JHu9D-0005z9-7J
for gumu@removed.us; Wed, 23 Jan 2008 23:57:11 -0500
Received: from User ([24.65.64.219]) by emailserver.nmct.net with Microsoft SMTPSVC(5.0.2195.6713);
 Wed, 23 Jan 2008 22:50:56 -0600
From: "National Credit Union Administration"<support@ncua.gov>
Subject: Irregular Check Card Activity
Date: Wed, 23 Jan 2008 21:51:18 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <EMAILSERVER66lRCR5Y00000609@emailserver.nmct.net>
X-OriginalArrivalTime: 24 Jan 2008 04:50:56.0625 (UTC) FILETIME=[B4EC9610:01C85E44]
X-Spam-Subject: ***SPAM*** Irregular Check Card Activity
X-Spam-Status: Yes, score=14.9
X-Spam-Score: 149
X-Spam-Bar: ++++++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear Cardholder, We detected irregular activity on your debit
card on 01/22/2008. For your security, your online banking profile has been
locked due to inactivity or because of too many failed login attempts. [...]
Content analysis details:   (14.9 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?24.65.64.219>]
0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
1.3 MISSING_HEADERS        Missing To: header
0.0 HTML_MESSAGE           BODY: HTML included in message
1.8 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
dynamic-looking rDNS
0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 
removed

Premium Member

January 23:
quote:
Dear PUDCU Cardholder,

We detected irregular activity on your debit/credit card on 01/21/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Snohomish County PUD Credit Union is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 319-9621 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

© 2008 Snohomish County PUD Credit Union
Headers:
Return-path: <account@pudcu.com>
Envelope-to: gumu@removed.us
Delivery-date: Wed, 23 Jan 2008 11:17:32 -0500
Received: from [76.12.61.28] (port=4637 helo=ds134642-1)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <account@pudcu.com>)
id 1JHiI4-0006LC-EV
for gumu@removed.us; Wed, 23 Jan 2008 11:17:32 -0500
Received: from s0106003065fb8258.fm.shawcable.net [24.65.64.219] by ds134642-1 with SMTP;
   Wed, 23 Jan 2008 23:16:04 -0500
From: "PUDCU"<account@pudcu.com>
Subject: Irregular Activity
Date: Wed, 23 Jan 2008 09:15:27 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam-Subject: ***SPAM*** Irregular Activity
X-Spam-Status: Yes, score=15.7
X-Spam-Score: 157
X-Spam-Bar: +++++++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear PUDCU Cardholder, We detected irregular activity on your
debit/credit card on 01/21/2008. For your security, your online banking profile
has been locked due to inactivity or because of too many failed login attempts.
[...] 
Content analysis details:   (15.7 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
0.0 MISSING_MID            Missing Message-Id: header
0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?24.65.64.219>]
0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
1.3 MISSING_HEADERS        Missing To: header
2.5 HTML_IMAGE_ONLY_12     BODY: HTML: images with 800-1200 bytes of words
0.0 HTML_MESSAGE           BODY: HTML included in message
1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 
removed

Premium Member

January 21:
quote:
Dear Listerhill Credit Union Cardholder,

We detected irregular activity on your debit/credit card on 01/21/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Listerhill Credit Union is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 554-8147 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

Headers:
Return-path: <callus@listerhill.com>
Envelope-to: removed@laredo.root--servers.net
Delivery-date: Mon, 21 Jan 2008 11:10:17 -0500
Received: from removed by laredo.root--servers.net with local-bsmtp (Exim 4.68)
(envelope-from <callus@listerhill.com>)
id 1JGzDx-0004sI-91
for removed@laredo.root--servers.net; Mon, 21 Jan 2008 11:10:17 -0500
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
laredo.root--servers.net
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.7 required=4.5 tests=AWL,BAYES_95,
FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,HTML_IMAGE_ONLY_16,
HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,INVALID_TZ_EST,MIME_HTML_ONLY,
MISSING_HEADERS,MISSING_MID,RCVD_NUMERIC_HELO,RDNS_NONE autolearn=spam
version=3.2.3
X-Spam-Report: 
*  0.0 MISSING_MID Missing Message-Id: header
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  2.7 INVALID_TZ_EST Invalid date in header (wrong EST timezone)
*  2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
*  1.3 MISSING_HEADERS Missing To: header
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
*      [score: 0.9517]
*  1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  1.5 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words
*  0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
*  0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
*  0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
*  3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
* -1.7 AWL AWL: From: address is in the auto white-list
Received: from [75.144.105.41] (port=3039 helo=mail)
by laredo.root--servers.net with smtp (Exim 4.68)
(envelope-from <callus@listerhill.com>)
id 1JGzDx-0004sC-4R
for gumu@removed.us; Mon, 21 Jan 2008 11:10:13 -0500
X-DN-AuthenticatedSender: WJNMJ6Y49E9A33NMKKNEHR39FEECX49W-7N7XuX6kOrPPID+RQx8MCC0DUOpXVR+x6PY47D02NwesRKSVkkrKacEUZe6cnhv/---
Received: from 24.65.64.219 ([24.65.64.219])
          by mail (DeskNow) with SMTP ID 180;
          Mon, 21 Jan 2008 10:15:03 -0600 (EST)
From: "Listerhill Credit Union"<callus@listerhill.com>
Subject: *****SPAM***** Irregular Check Card Activity
Date: Mon, 21 Jan 2008 09:10:11 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Spam-Prev-Subject: Irregular Check Card Activity
Message-Id: <E1JGzDx-0004sI-91@laredo.root--servers.net>
 

That's just about it for 2008 so far. I won't bore you guys with copies of vish emails from 2007, unless you think they'll be useful...

removed

Premium Member

March 11:
quote:
Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 803-825-4293

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 803-825-4293

Copyright © VISA Debit Card, All Rights Reserved
Headers:
Return-path: <debit@visa.com>
Envelope-to: gumu@removed.us
Delivery-date: Tue, 11 Mar 2008 10:39:18 -0400
Received: from mail.altayyargroup.com ([212.100.194.83]:38490)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <debit@visa.com>)
id 1JZ5dJ-0001w6-Sf
for gumu@removed.us; Tue, 11 Mar 2008 10:39:18 -0400
Received: from User ([10.65.28.1]) by mail.altayyargroup.com with Microsoft SMTPSVC(6.0.3790.3959);
 Tue, 11 Mar 2008 17:41:43 +0300
Reply-To: <debit@visa.com>
From: "VISA Debit Card"<debit@visa.com>
CC: gump13@hotmail.com,gumpond@netscape.com,gumshoe@uscyber.com,gumu@removed.us,gunadanu@hotmail.com
Subject: Urgent Notification!
Date: Tue, 11 Mar 2008 15.51.35 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <MAILfMS9stbDEa7fzCL00004a24@mail.altayyargroup.com>
X-OriginalArrivalTime: 11 Mar 2008 14:41:44.0380 (UTC) FILETIME=[06D8FFC0:01C88386]
X-Spam-Subject: ***SPAM*** Urgent Notification!
X-Spam-Status: Yes, score=13.4
X-Spam-Score: 134
X-Spam-Bar: +++++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear Customer, VISA Debit Card , Security Departament temporarily
suspended your account. Reason: Fraud Atempts We require you to complete
an account update so we can unlock your account. [...] 
Content analysis details:   (13.4 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
1.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
2.8 TVD_PH_SUBJ_URGENT     TVD_PH_SUBJ_URGENT
1.0 DATE_IN_PAST_12_24     Date: is 12 to 24 hours before Received: date
2.9 SUSPICIOUS_RECIPS      Similar addresses in recipient list
1.3 MISSING_HEADERS        Missing To: header
1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
[score: 0.6898]
0.0 FM_IS_IT_OUR_ACCOUNT   Is it our account?
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

March 12: Colonial bank
quote:
Dear Customer,

Colonial Bank temporarily suspended your account.

Reason: Fraud Attempts

To reactivate your account call the toll-free number: 1-334-246-4229

Never access Colonial Bank Web site by clicking on a link provided in an e-mail.
Colonial Bank will never solicit you to provide or update personal or financial
information. And, will never send an e-mail containing links to Web sites.

Copyright 2008 Colonial Bank . All Rights Reserved.

KYDXBXIQSQHWJJWPKRDPWGQCLXDWJFVBUYGUTF
Return-Path: <online@colonialbank.com>
Received: from neptune.webfusion.co.uk (neptune.webfusion.co.uk [212.67.202.9])
        by mp.cs.niu.edu (8.14.2/8.14.2) with ESMTP id m2CDKBmL001529
        (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT)
        for <munged@cs.niu.edu>; Wed, 12 Mar 2008 08:20:17 -0500 (CDT)
Message-Id: <200803121320.m2CDKBmL001529@mp.cs.niu.edu>
Received: from adsl-67-37-18-250.dsl.bcvloh.ameritech.net ([67.37.18.250] helo=User)
        by neptune.webfusion.co.uk with esmtpa (Exim 4.54)
        id 1JZQsM-0007eZ-Ce; Wed, 12 Mar 2008 13:20:10 +0000
Reply-To: <do-not-reply@colonialbank.com>
From: "Colonial Bank"<online@colonialbank.com>
Subject: Colonial Bank temporarily suspended your account.
Date: Wed, 12 Mar 2008 09:20:12 -0400
MIME-Version: 1.0
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
 

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

Doctor Four to nwrickert

Premium Member

to nwrickert
Phone Phish delivered to my Mom's Yahoo email:

 
X-Apparently-To: x@yahoo.com via 66.163.178.133; Wed, 12 Mar 2008 13:34:09 -0700
X-YahooFilteredBulk:64.40.243.82
X-Originating-IP:[64.40.243.82]
Return-Path:<netspend@netspendsecurity.com>
Authentication-Results:mta358.mail.mud.yahoo.com from=netspendsecurity.com; domainkeys=neutral (no sig)
Received:from 64.40.243.82 (EHLO mail.travinfo1.net) (64.40.243.82) by mta358.mail.mud.yahoo.com with SMTP; Wed, 12 Mar 2008 13:34:08 -0700
Received:from User ([65.101.57.222]) by mail.travinfo1.net (Merak 7.6.4) with ASMTP id VOV40501; Wed, 12 Mar 2008 14:49:50 -0500
Reply-to:<noreply@netspend.com>
From:"NetSpend" <netspend@netspendsecurity.com>
Subject:SECURITY ALERT!
Date:Wed, 12 Mar 2008 12:49:49 -0700
MIME-Version:1.0
Content-Type:text/html; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Length:2383
 
  Card Deactivation
  Message from: Customer Service
  Date: 03/12/2008
 
  We detected irregular activity on your NetSpend® Card on 03/11/2008.
 
  For your protection we have had to suspend any future authorizations
  being conducted with your NetSpend® Card.
 
  For your security we have deactivate your card.
 
  How to activate/re-activate your card ?
 
  You may stop by your branch or call our Activation Center.
 
  Activation Center: (888) 721-9034 (24 Hour Line)
 
  Our automated system allows you to quickly activate your card.
 
  We apologize for any inconvenience this may cause.
 
 
NetSpend Corporation 
Card Department 
PO Box 2136
Austin, TX 78768-2136  
 

Only thing changed was my mom's email name. I replaced it
with the 'x'.

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

Colonial bank (334) 830-4240

Another Colonial bank vish - different phone number
quote:
> Colonial Bank Online department temporary disabled your account.

You no longer have access to the account registered with this email address

After three unsuccessful login attempts your account was temporary disabled until further investigations.

Colonial Bank will never ask you any information via e-mail. Call this number (334) 830-4240 - Toll Free

You must reactivate your account immediately, or you won't be able to use your cards again.

> Sorry for any inconvenience this may cause and thank you for your patience.

> To reactivate your account call us: (334) 830-4240 - Toll Free

2004-2008 Colonial Bank

KFVIQCXMNBHRXJSRFIYSQJKLNMGFNRBSFENPMZ
Return-Path: <update@colonialbank.com>
Received: from EXTRANET.COMUNICACION (extranet.tecfa.com [62.93.180.61])
        by mp.cs.niu.edu (8.14.2/8.14.2) with ESMTP id m2DIbLDr024400
        for <munged@cs.niu.edu>; Thu, 13 Mar 2008 13:37:26 -0500 (CDT)
Received: from User ([67.37.18.250]) by EXTRANET.COMUNICACION with Microsoft SMTPSVC(5.0.2195.6713);
         Thu, 13 Mar 2008 19:47:44 +0100
Reply-To: <update@colonialcolonial.com>
From: "Colonial Bank"<update@colonialbank.com>
Subject: Colonial Bank Online department temporary disabled your account. 
Date: Thu, 13 Mar 2008 14:37:20 -0400
MIME-Version: 1.0
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <EXTRANETEEmYDKFJ2I10000216a@EXTRANET.COMUNICACION>
X-OriginalArrivalTime: 13 Mar 2008 18:47:44.0828 (UTC) FILETIME=[B9961FC0:01C8853A]
 

removed
Premium Member
join:2002-02-08
Houston, TX

removed

Premium Member

Got the same one as you did about the 334-830-4240 number. Headers:
Return-path: <colonial@colonialbank.com>
Envelope-to: gumu@removed.us
Delivery-date: Thu, 13 Mar 2008 14:45:01 -0400
Received: from ptb-relay02.plus.net ([212.159.14.213]:39583)
by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.68)
(envelope-from <colonial@colonialbank.com>)
id 1JZsQC-0000MG-Ly
for gumu@removed.us; Thu, 13 Mar 2008 14:45:00 -0400
Received: from [213.162.106.173] (helo=nicholasashley.com)
 by ptb-relay02.plus.net with esmtp (Exim) id 1JZsQ7-0005RM-TY
for gumu@removed.us; Thu, 13 Mar 2008 18:44:52 +0000
Received: from User ([86.157.156.37]) by nicholasashley.com with Microsoft SMTPSVC(6.0.3790.1830);
 Thu, 13 Mar 2008 18:44:50 +0000
Reply-To: <colonial@colonialbank.com>
From: "Colonial Bank"<colonial@colonialbank.com>
Subject: NOTICE ID:                                             DIITNVWFWE
Date: Thu, 13 Mar 2008 18:46:49 -0000
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <SERVER-1odYE4KveYKW000065e5@nicholasashley.com>
X-OriginalArrivalTime: 13 Mar 2008 18:44:50.0810 (UTC) FILETIME=[51DD15A0:01C8853A]
X-TM-AS-Product-Ver: SMEX-7.2.0.1122-5.0.1023-15786.000
X-TM-AS-Result: No--2.268900-5.000000-31
X-Plusnet-Relay: 708a69074e485b1aed8d28228d722ef2
X-Spam-Subject: ***SPAM*** NOTICE ID:                                             DIITNVWFWE
X-Spam-Status: Yes, score=11.2
X-Spam-Score: 112
X-Spam-Bar: +++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  > Colonial Bank Online department temporary disabled your
account. You no longer have access to the account registered with this email
address After three unsuccessful login attempts your account was temporary
disabled until further investigations. [...] 
Content analysis details:   (11.2 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
[score: 0.9907]
1.5 DNS_FROM_RFC_BOGUSMX   RBL: Envelope sender in bogusmx.rfc-ignorant.org
2.1 SUBJ_ALL_CAPS          Subject is all capitals
1.3 MISSING_HEADERS        Missing To: header
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
-0.2 AWL                    AWL: From: address is in the auto white-list
X-Spam-Flag: YES
 
removed

removed

Premium Member

March 14:
quote:
Dear customer,

VISA Debit Card, Security Departament suspended your acccount.
Reason: Energy Breakdown

After the energy breakdown from 13/03/2008 it appears that some of our hardware is not working properly. The data of five thousands customers stored on computer backup tapes was lost.

Some restrictions applied untill you update your account.

To reactivate your account please call at : 209-683-4515 Please note our number : +1 209-683-4515

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from VISA Debit Card database.
Headers:
Return-path: <debit@visa.com>
Envelope-to: gumu@removed.us
Delivery-date: Fri, 14 Mar 2008 08:05:16 -0400
Received: from mail.privatehealthnews.com ([63.84.188.168]:1802)
by laredo.root--servers.net with esmtp (Exim 4.68)
(envelope-from <debit@visa.com>)
id 1Ja8eu-0005A1-PS
for gumu@removed.us; Fri, 14 Mar 2008 08:05:16 -0400
Received: from User [63.246.1.148] by mail.privatehealthnews.com with ESMTP
  (SMTPD-9.20) id A9F40238; Fri, 14 Mar 2008 08:05:08 -0400
From: "VISA Debit Card"<debit@visa.com>
Subject: Urgent Notification
Date: Fri, 14 Mar 2008 12:00:35 -0000
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <200803140805858.SM02840@User>
X-Spam-Subject: ***SPAM*** Urgent Notification
X-Spam-Status: Yes, score=11.5
X-Spam-Score: 115
X-Spam-Bar: +++++++++++
X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Dear customer, VISA Debit Card, Security Departament suspended
your acccount. Reason: Energy Breakdown After the energy breakdown from 13/03/2008
it appears that some of our hardware is not working properly. The data of
five thousands customers stored on computer backup tapes was lost. [...] 
Content analysis details:   (11.5 points, 4.5 required)
pts rule name              description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
2.8 TVD_PH_SUBJ_URGENT     TVD_PH_SUBJ_URGENT
1.3 MISSING_HEADERS        Missing To: header
0.8 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X-Spam-Flag: YES
 

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

Doctor Four to nwrickert

Premium Member

to nwrickert

Re: [Phish] Telephone phishing thread

A Franklin Bank phone phish sent to my mom's Yahoo email:
(I submitted a regular one of these just now to Phishtracker -
it too has a phone number in it as well, probably bogus.)
As with the last one I posted, the only thing changed was
in the X-Apparently-To: field.

X-Apparently-To: x@yahoo.com via 66.163.178.140; Fri, 21 Mar 2008 12:47:59 -0700
X-YahooFilteredBulk:65.97.182.163
X-Originating-IP:[65.97.182.163]
Return-Path:<not-reply@bankfranklin.com>
Authentication-Results:mta110.mail.re2.yahoo.com from=bankfranklin.com; domainkeys=neutral (no sig)
Received:from 65.97.182.163 (EHLO mail.1010xl.com) (65.97.182.163) by mta110.mail.re2.yahoo.com with SMTP; Fri, 21 Mar 2008 12:47:59 -0700
Received:from User ([208.69.59.178]) by mail.1010xl.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 21 Mar 2008 14:33:03 -0400
Reply-to:<not-reply@bankfranklin.com>
From:"Franklin Bank" <not-reply@bankfranklin.com> 
Subject:Account Suspended.
Date:Fri, 21 Mar 2008 13:34:15 -0500
MIME-Version:1.0
Content-Type:text/plain; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:1
X-MSMail-Priority:High
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path:not-reply@bankfranklin.com
Message-ID:<SBRSBS2oHzGkzMcvsq900002c75@mail.1010xl.com>
X-OriginalArrivalTime:21 Mar 2008 18:33:04.0328 (UTC) FILETIME=[00127C80:01C88B82]
X-TM-AS-Product-Ver:SMEX-7.5.0.1166-5.0.1023-15788.002
X-TM-AS-Result:No--8.198000-5.000000-31
X-TM-AS-User-Approved-Sender:No
X-TM-AS-User-Blocked-Sender:No
Content-Length:361
 
Message from Franklin Bank Customer Service
Account Suspended.
Date: 3/21/2008
 
All Franklin Bank accounts were recently updated with a new security
 enhancement. 
 
Your account has been temporary suspended.
 
To activate your account please call the security department at
 972-704-2837
 
Thank you for banking with Franklin Bank.
Copyright © 2008 Franklin Bank.
 
Doctor Four

Doctor Four to nwrickert

Premium Member

to nwrickert
Pentagon Federal Credit Union Phish

As before, the only thing changed was the name in the
X-Apparently-To header.
X-Apparently-To: x@yahoo.com via 66.163.178.140; Thu, 27 Mar 2008 19:46:30 -0700
X-YahooFilteredBulk:65.105.120.87
X-Originating-IP:[65.105.120.87]
Return-Path:<service@penfed.org>
Authentication-Results:mta506.mail.mud.yahoo.com from=penfed.org; domainkeys=neutral (no sig)
Received:from 65.105.120.87 (EHLO webmail.iconnectu.net) (65.105.120.87) by mta506.mail.mud.yahoo.com with SMTP; Thu, 27 Mar 2008 19:46:30 -0700
Received:from User [207.166.116.186] by webmail.iconnectu.net with ESMTP (SMTPD32-6.06) id AC88B3DC004A; Thu, 27 Mar 2008 21:48:40 -0500
Reply-to:<service@penfed.org>
From:"service@penfed.org" <service@penfed.org>
Subject:Pentagon Federal Credit Union Account Suspended
Date:Fri, 28 Mar 2008 10:40:50 -0400
MIME-Version:1.0
Content-Type:text/plain; charset="_iso-2022-jp$ESC"
Content-Transfer-Encoding:7bit
X-Priority:1
X-MSMail-Priority:High
X-Mailer:Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2800.1081
Message-Id:<200803272149182.SM02700@User>
Content-Length:284
 
Dear Pentagon Federal Credit Union Customer, 
 
   ACCOUNT SUSPENDED
 
Your account has been suspended for invalid billing information
 provided.
 
To activate your account please call the security department at
 856-431-1109
 
Thank You
 
Pentagon Federal Credit Union Security Department
 

removed
Premium Member
join:2002-02-08
Houston, TX

removed to nwrickert

Premium Member

to nwrickert
VISA - local number to me in Houston. Scary.
quote:
> VISA Security Department temporary disabled your account.

Verified by VISA will never ask you any information via e-mail. Call this number (832)772-7857 - Toll Free

You must reactivate your account immediately, or you won't be able to use your cards again.

> Sorry for any inconvenience this may cause and thank you for your patience.

> To reactivate your account call us: 832-772-7857- Toll Free

© 2001-2008 Visa. All Rights Reserved.

This message was sent to Email Id :

WPTLLOFITJBTPCIRFUNZMICCCONJSFMEEMUDLO
Headers:
X-Greylist: delayed 870 seconds by postgrey-1.23 at coral.dslreports.com; Fri, 28 Mar 2008 12:49:54 EDT
Received: from costanzosbakery.com (mail.costanzosbakery.com [72.45.146.150])
by mail.dslr.net (Postfix) with ESMTP id 4CF4D4374F
for <removed@dslr.net>; Fri, 28 Mar 2008 12:49:54 -0400 (EDT)
Received: from User ([209.132.209.130]) by costanzosbakery.com with Microsoft SMTPSVC(6.0.3790.1830);
 Fri, 28 Mar 2008 12:11:22 -0400
Reply-To: <do-not-reply@visa.com>
From: "VISA"<security@visa.com>
Subject: VISA Security Department temporary disabled your account. 
Date: Fri, 28 Mar 2008 09:11:21 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <SERVER2003HrdZ6Vzvd00006939@costanzosbakery.com>
X-OriginalArrivalTime: 28 Mar 2008 16:11:22.0725 (UTC) FILETIME=[5D9D1150:01C890EE]
To: undisclosed-recipients:;
 

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

[Phish] Credit Union 1 vish (ATM card)

Card Deactivation
Message from: Customer Service
Date: 04/02/2008
We detected irregular activity on your ATM/Check Card on 04/02/2008.
For your protection we have had to suspend any future authorizations
being conducted with your card.
For your security we have deactivate your card.
How to activate/re-activate your card ?
You may stop by your branch or call our Activation Center.

Activation Center: (866) 722-3235 (24 Hour Line)
Our automated system allows you to quickly activate your card.
We apologize for any inconvenience this may cause.
Copyright © 2008 Credit Union 1. All Rights Reserved.

Return-Path: <creditunion1@membersecurity.com>
Received: from delagarzafence.com (2003-sbs.delagarzafence.com [68.91.246.105])
        by mp.cs.niu.edu (8.14.2/8.14.2) with ESMTP id m32INure009129
        for <munged@cs.niu.edu>; Wed, 2 Apr 2008 13:24:01 -0500 (CDT)
Received: from User ([65.66.160.78]) by delagarzafence.com with Microsoft SMTPSVC(6.0.3790.3959);
         Wed, 2 Apr 2008 11:52:13 -0500
Reply-To: <noreply@membersecurity.com>
From: "Credit Union 1"<creditunion1@membersecurity.com>
Subject: Card Deactivation
Date: Wed, 2 Apr 2008 11:53:00 -0500
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <2003-SBS5W3xNbMrRn00000073e@delagarzafence.com>
X-OriginalArrivalTime: 02 Apr 2008 16:52:13.0280 (UTC) FILETIME=[E652D600:01C894E1]
 
<p><font face="Arial">&nbsp;&nbsp;<img src="http://boxbownow.com/a/header.gif" width="339" height="92"></font></p>
<p><font face="Arial"> </font><font face="Arial">&nbsp;  <font size="2"><strong>Card Deactivation <br />
</strong></font></font><strong><font size="2" face="Arial">&nbsp; Message from: Customer Service<br />
&nbsp; Date: 04/02/2008</font></strong></p>
<p><font face="Arial">&nbsp;<font size="2"> We detected irregular activity on your          ATM/Check Card on 04/02/2008.<br />
</font></font><font face="Arial">&nbsp;<font size="2"> </font></font><font size="2" face="Arial">For your protection we have had to suspend any future authorizations<b
r>
&nbsp; being conducted with
your         card</font><font size="2">.</font></p>
<p><font size="2" face="Arial">&nbsp; For your security we have deactivate your card.</font></p>
<p><font size="2" face="Arial">&nbsp; How to activate/re-activate your card ?</font></p>
<p><font size="2" face="Arial">&nbsp; You may stop by your branch or call our Activation Center. <br>
  <br>
&nbsp; <strong><font color="#CC0000">Activation Center:  (866) 722-3235 (24 Hour Line)</font></strong></font></p>
<p><font size="2" face="Arial">&nbsp; Our automated system allows you to quickly activate your card.<br />
&nbsp; We apologize for any inconvenience this may cause<font size="1">.</font></font></p>
<p><font size="2" face="Arial">&nbsp;&nbsp;Copyright &copy; 2008 Credit Union 1.          All Rights Reserved.</font><font face="Arial"><br />
  </font><br>
</p>
 

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

Doctor Four to nwrickert

Premium Member

to nwrickert

Re: [Phish] Telephone phishing thread

This one apparently from CUNA regarding the Wal-Mart data
breach seems to be quite suspicious. It had me fooled for
a minute, until I looked more closely at the headers. Nice try.

As before, the only thing changed is the name in the
X-Apparently-To: header:

X-Apparently-To: x@yahoo.com via 66.163.178.135; Sun, 06 Apr 2008 10:14:58 -0700
X-YahooFilteredBulk:217.40.42.57
X-Originating-IP:[217.40.42.57]
Return-Path:<customerservice@cona.com>
Authentication-Results:mta134.mail.re3.yahoo.com from=; domainkeys=neutral (no sig)
Received:from 217.40.42.57 (EHLO erissrv1.eris.org.uk) (217.40.42.57) by mta134.mail.re3.yahoo.com with SMTP; Sun, 06 Apr 2008 10:14:57 -0700
Received:from cona.com ([74.7.27.50]) by erissrv1.eris.org.uk with Microsoft SMTPSVC(5.0.2195.6713); Sun, 6 Apr 2008 17:36:49 +0100
From:CUNA@
To:nataleemorse@yahoo.com
Subject:Wal-Mart Stores, Inc. Data Breach Announcment
Date:06 Apr 2008 11:36:39 -0500
Message-ID:<20080406113639.BCE6A283E7E711F5@from.header.has.no.domain>
MIME-Version:1.0
Content-Type:text/html; charset="iso-8859-1"
Content-Transfer-Encoding:quoted-printable
Return-Path:customerservice@cona.com
X-OriginalArrivalTime:06 Apr 2008 16:36:49.0531 (UTC) FILETIME=[6960ECB0:01C89804]
Content-Length:2742
 
WAL-MART STORES, INC. DATA BREACH ANNOUNCMENT
 
April/06/2008
 
CUNA is aware of the recent data breach at Wal-Mart Stores, Inc. and is taking
proactive steps to address the situation. The Customer Security Team at CUNA
is currently gathering information regarding the data breach and will react swiftly
in the best interests of its customers, including the re-issue of compromised
cards if necessary.
 
It is important to note that CUNA has effective fraud monitoring systems in
place and is constantly reviewing our accounts for fraudulent and/or suspicious
activity. The security of your account is very important to us.
 
Moving forward, we recommend that all CUNA customers review their account
activity on an ongoing basis and report to us any suspicious activity. In addition,
it is recommended that customers activate "Enhanced Card Security" to block 
 
Please call Customer Care at 1-800-794-9672, to activate (Enhanced Card Security)
for your debit or credit card.
 
Due to the extensive news coverage of this event, there have been reports of other
scams. If you receive a phone call or email from someone claiming to be from
Visa, or MasterCard DO NOT provide them with any personal or account information
Please visit http://www.nophishing.org/ for further information regarding fraud.
 
Finally, you may continue to use your debit card. Customers who have been affected
by the data breach will be notified, and be given further instructions via postal mail. If
you have immediate questions regarding your account, please contact Customer Care
at 1-800-794-9672, option 1.
 

DC DSL
There's a reason I'm Command.
Premium Member
join:2000-07-30
Washington, DC
Actiontec GT784WN

DC DSL to nwrickert

Premium Member

to nwrickert
I got a Franklin. I called the number. There's a semi-realistic TRS on it that asks for the card number, PIN, expiration date.

I put in completely bogus info (like 1234567812345678 for the card number). After a brief pause, it came back with "card, PIN or expiration are not valid, please reenter." So, I made up different info. It took it, said the card is now active and valid worldwide and ended.

I called back a few more times. Sometimes I gave it identical data, others not. It took it all just the same.

It seems that it tries to make it seem legit to get someone to reenter the info to make sure they've got a live one. However, they farkled it and it doesn't catch mismatches.

This would be great rainy-day fun wasting their time and flooding them with bogus data if it wasn't a toll-free number that captures the number you're calling from regardless of caller id blocking. (Anyone near a pay phone wanna give it a go and see if they're stupid enough to not have blocked pay station callers?)

=====

Return-Path:
Received: from mail.im3.com [216.201.16.126] by mail.ultimahosts.com with SMTP;
Fri, 11 Apr 2008 16:25:02 -0400
Received: from User (unverified [72.28.171.9]) by cartman.im3.com
(Vircom SMTPRS 4.4.568.66) with ESMTP id ;
Fri, 11 Apr 2008 15:53:41 -0400
X-Modus-BlackList: bankfranklin@franklinsecurity.com=OK
X-Modus-Audit: FALSE;0;0;0
Reply-To:
From: "Franklin Bank"
Subject: Card Deactivation
Date: Fri, 11 Apr 2008 15:53:36 -0400
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Rcpt-To:
X-SmarterMail-Spam: SPF_None

Card Deactivation
Message from: Customer Service
Date: 04/10/2008
We detected irregular activity on your ATM/Check Card on 04/10/2008.
For your protection we have had to suspend any future authorizations being
conducted with your card.
For your security we have deactivate your card.
How to activate/re-activate your card ?
You may stop by your branch or call our Activation Center.

Activation Center: (866) 578-0984 (24 Hour Line)

Our automated system allows you to quickly activate your card.
We apologize for any inconvenience this may cause.
Copyright © 2006 Franklin Bank. All Rights Reserved.

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

Doctor Four to nwrickert

Premium Member

to nwrickert
Another Franklin Bank one:

X-Apparently-To: x@yahoo.com via 66.163.178.135; Tue, 15 Apr 2008 09:09:54 -0700
X-YahooFilteredBulk:64.34.200.180
X-Originating-IP:[64.34.200.180]
Return-Path:<bankfranklin@franklin.com>
Authentication-Results:mta112.mail.re3.yahoo.com from=franklin.com; domainkeys=neutral (no sig)
Received:from 64.34.200.180 (EHLO web420.linux-hosting.com) (64.34.200.180) by mta112.mail.re3.yahoo.com with SMTP; Tue, 15 Apr 2008 09:09:53 -0700
Received:from User (72-28-171-009-dhcp.aik.sc.atlanticbb.net [72.28.171.9]) (authenticated bits=0) by web420.linux-hosting.com (8.13.1/8.13.1) with ESMTP id m3FFmMlk010716; Tue, 15 Apr 2008 21:18:22 +0530
Message-Id:<200804151548.m3FFmMlk010716@web420.linux-hosting.com>
Reply-to:<noreply@franklinsecurity.com>
From:"Franklin Bank" <bankfranklin@franklin.com>
Subject:Card Deactivation
Date:Tue, 15 Apr 2008 12:01:07 -0400
MIME-Version:1.0
Content-Type:text/plain; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Length:563
 
Card Deactivation
Message from: Customer Service
Date: 04/15/2008
 
We detected irregular activity on your ATM/Check Card on 04/15/2008.
For your protection we have had to suspend any future authorizations 
being conducted with your card.
 
For your security we have deactivate your card.
 
How to activate/re-activate your card ?
 
You may stop by your branch or call our Activation Center:
 
Activation Center: (866) 797-5640   (24 Hour Line) 
 
Our automated system allows you to quickly activate your card.
We apologize for any inconvenience this may cause.. 
 

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy to nwrickert

Premium Member

to nwrickert

Lizz_Vish_Archived

X-Apparently-To: myemail@pacbell.net via 209.191.85.225; Tue, 15 Apr 2008 10:39:54 -0700
X-Originating-IP:[212.85.249.132]
Return-Path:
Authentication-Results:mta121.sbc.mail.mud.yahoo.com from=franklin.com; domainkeys=neutral (no sig)
Received:from 207.115.36.53 (EHLO nlpi024.prodigy.net) (207.115.36.53) by mta121.sbc.mail.mud.yahoo.com with SMTP; Tue, 15 Apr 2008 10:39:52 -0700
X-Header-Overseas:Mail.from.Overseas.source.212.85.249.132
X-Originating-IP:[212.85.249.132]
Received:from node-2.minx.net.uk (node-2.minx.net.uk [212.85.249.132]) by nlpi024.prodigy.net (8.13.8 inb regex/8.13.8) with ESMTP id m3FHdoDY014536 for ; Tue, 15 Apr 2008 12:39:50 -0500
Received:from [195.82.101.89] (helo=mail.QuantumFittedFurniture.co.uk) by node-2.minx.net.uk with esmtp (Exim 4.60) (envelope-from ) id 1JlpIR-0005rN-Og for myemail@pacbell.net; Tue, 15 Apr 2008 18:50:20 +0100
Received:from User ([192.168.0.250] RDNS failed) by mail.QuantumFittedFurniture.co.uk with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Apr 2008 18:29:09 +0100
Reply-to:
From:"Franklin Bank"
Subject:Card Deactivation
Date:Tue, 15 Apr 2008 13:39:36 -0400
MIME-Version:1.0
Content-Type:text/plain; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID:
X-OriginalArrivalTime:15 Apr 2008 17:29:10.0078 (UTC) FILETIME=[37021DE0:01C89F1E]
X-MINX-Orig-IP:195.82.101.89
X-Spam-Score:2.9 (++)
X-Spam-Level:++
Content-Length:563

Card Deactivation
Message from: Customer Service
Date: 04/15/2008

We detected irregular activity on your ATM/Check Card on 04/15/2008.
For your protection we have had to suspend any future authorizations
being conducted with your card.

For your security we have deactivate your card.

How to activate/re-activate your card ?

You may stop by your branch or call our Activation Center:

Activation Center: (866) 797-5640 (24 Hour Line)

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

Doctor Four to nwrickert

Premium Member

to nwrickert

Re: [Phish] Telephone phishing thread

Yet another Franklin Bank one, trying to look legitimate by
warning recipients of phishing scams. They're not fooling me.

The phone number's likely bogus, and the IP address 72.28.171.9 is likely a botnet zombie (it certainly
isn't one of Franklin's IPs). The Corporate Office
address is real, however.

X-Apparently-To: x@yahoo.com via 66.163.178.140; Mon, 21 Apr 2008 12:15:14 -0700
X-YahooFilteredBulk:8.10.184.138
X-Originating-IP:[8.10.184.138]
Return-Path:<franklinbank@ddsadsa.com>
Authentication-Results:mta250.mail.re3.yahoo.com from=ddsadsa.com; domainkeys=neutral (no sig)
Received:from 8.10.184.138 (EHLO mail.wghco.com) (8.10.184.138) by mta250.mail.re3.yahoo.com with SMTP; Mon, 21 Apr 2008 12:15:14 -0700
Received:from User ([72.28.171.9]) by mail.wghco.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 21 Apr 2008 11:49:39 -0700
From:"Franklin Bank" <franklinbank@ddsadsa.com>
Subject:SECURITY ALERT!
Date:Mon, 21 Apr 2008 14:48:37 -0400
MIME-Version:1.0
Content-Type:text/html; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path:franklinbank@ddsadsa.com
Message-ID:<HENSCHEN7n0swXX1sPt00000677@mail.wghco.com>
X-OriginalArrivalTime:21 Apr 2008 18:49:39.0703 (UTC) FILETIME=[742AE870:01C8A3E0]
X-TM-AS-Product-Ver:SMEX-7.5.0.1243-5.0.1023-15864.001
X-TM-AS-Result:Yes-21.877000-4.000000-31
X-TM-AS-User-Approved-Sender:No
X-TM-AS-User-Blocked-Sender:No
Content-Length:1586
 
  Dear Franklin Bank Customer,
 
  Franklin Bank is aware of new phishing e-mails that are circulating.
  These e-mails request consumers to click a link due to a compromise of a 
  credit card account. You should not respond to this message.
 
  Due to unusual levels of fraud we have had to suspend any future authorizations
  being conducted with your Visa ATM/Check Card.
 
  For your security we have deactivate your card.
 
  How to activate/re-activate your card ?
 
  Call our Card Department: (866) 797-5643
 
 
 
  Our automated system allows you to quickly activate your card.
 
  We apologize for any inconvenience this may cause.
 
  Corporate Office
  9800 Richmond, Suite 680
  Houston, TX 77042
 
  Copyright © 2006 Franklin Bank. All Rights Reserved.
 
Doctor Four

Doctor Four to nwrickert

Premium Member

to nwrickert
Another Franklin Bank one, same phone number as before:

X-Apparently-To: x@yahoo.com via 66.163.178.138; Tue, 22 Apr 2008 15:07:58 -0700
X-YahooFilteredBulk:74.52.162.130
X-Originating-IP:[74.52.162.130]
Return-Path:<franklinbank@mesanetworks.net>
Authentication-Results:mta209.mail.re4.yahoo.com from=; domainkeys=neutral (no sig)
Received:from 74.52.162.130 (EHLO mx11.mesanetworks.net) (74.52.162.130) by mta209.mail.re4.yahoo.com with SMTP; Tue, 22 Apr 2008 15:07:56 -0700
Received:(qmail 9582 invoked by uid 509); 22 Apr 2008 11:26:37 -0600
Received:from 72.19.158.63 by mx11.mesanetworks.net (envelope-from <franklinbank@mesanetworks.net>, uid 508) with qmail-scanner-1.25-st-qms (clamdscan: 0.87/2133. spamassassin: 3.0.6. perlscan: 1.25-st-qms. Clear:RC:1(72.19.158.63):. Processed in 0.525889 secs); 22 Apr 2008 17:26:37 -0000
X-Antivirus-MESANETWORKS-Mail-From:franklinbank@mesanetworks.net via mx11.mesanetworks.net
X-Antivirus-MESANETWORKS:1.25-st-qms (Clear:RC:1(72.19.158.63):. Processed in 0.525889 secs Process 9540)
Received:from 72-19-158-63.static.mesanetworks.net (HELO User) (72.19.158.63) by mx11.mesanetworks.net with SMTP; 22 Apr 2008 11:26:36 -0600
Reply-to:<noreply@mesanetworks.net>
From:"Franklin Bank" <franklinbank@mesanetworks.net>
Subject:SECURITY ALERT!
Date:Tue, 22 Apr 2008 11:26:31 -0600
MIME-Version:1.0
Content-Type:text/html; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus-MESANETWORKS-Message-ID:<120888519710709540@mx11.mesanetworks.net>
Content-Length:1584
 
  Dear Franklin Bank Customer,
 
  Franklin Bank is aware of new phishing e-mails that are circulating.
  These e-mails request consumers to click a link due to a compromise of a 
  credit card account. You should not respond to this message.
 
  Due to unusual levels of fraud we have had to suspend any future authorizations
  being conducted with your Visa ATM/Check Card.
 
  For your security we have deactivate your card.
 
  How to activate/re-activate your card ?
 
  Call our Card Department: (866) 797-5643
 
 
 
  Our automated system allows you to quickly activate your card.
 
  We apologize for any inconvenience this may cause.
 
  Corporate Office
  9800 Richmond, Suite 680
  Houston, TX 77042
 
  Copyright © 2006 Franklin Bank. All Rights Reserved.
 
Doctor Four

3 edits

Doctor Four to nwrickert

Premium Member

to nwrickert
Amarillo National Bank vish:

X-Apparently-To: x@yahoo.com via 66.163.178.133; Thu, 24 Apr 2008 07:31:59 -0700
X-Originating-IP:[65.104.246.242]
Return-Path:<customer_service@anb.com>
Authentication-Results:mta101.mail.re3.yahoo.com from=; domainkeys=neutral (no sig)
Received:from 65.104.246.242 (EHLO mail.kwp.org) (65.104.246.242) by mta101.mail.re3.yahoo.com with SMTP; Thu, 24 Apr 2008 07:31:57 -0700
Received:from ([]) by mail.kwp.org (Merak 4.2.3) with SMTP id KPJ36965 for <x@yahoo.com>; Thu, 24 Apr 2008 09:31:56 -0500
From:Amarillo@ ,
To:x@yahoo.com
Subject:ANB Secure Email Notification
Date:24 Apr 2008 09:29:41 -0500
Message-ID:<20080424092941.2195C1DDD96B4626@from.header.has.no.domain>
MIME-Version:1.0
Content-Type:text/html; charset="iso-8859-1"
Content-Transfer-Encoding:quoted-printable
Content-Length:1653
 

URLs for both the forged ANB and Verisign logos in the
body of the phish (posted as JPG as it is all html)

ANB: hxxp://jeannemcallister.com/logo.gif
Verisign: hxxp://jeannemcallister.com/logo-verisign.gif
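
The reports above share a few header traits: a From domain that is not the bank's, an earliest Received hop whose HELO is the literal "User", and `domainkeys=neutral (no sig)`. The following is an added triage sketch, not part of any post in this thread; the function name, the brand-domain set and the sample message (reserved example domains, documentation IPs, a fictional phone number) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample shaped like the headers quoted in this thread.
SAMPLE = """\
Return-Path:<alerts@relay.example>
Authentication-Results:mx.recipient.example from=relay.example; domainkeys=neutral (no sig)
Received:from 198.51.100.7 (EHLO mail.relay.example) (198.51.100.7) by mx.recipient.example with SMTP; Mon, 21 Apr 2008 12:15:14 -0700
Received:from User ([203.0.113.9]) by mail.relay.example with Microsoft SMTPSVC(6.0.3790.3959); Mon, 21 Apr 2008 11:49:39 -0700
From:"Example Bank" <alerts@relay.example>
Subject:SECURITY ALERT!
X-Mailer:Microsoft Outlook Express 6.00.2600.0000

Call our Card Department: (800) 555-0199
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HELO_RE = re.compile(r"^from\s+(\S+)", re.I)
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[ -]\d{3}-\d{4}\b")

def triage(raw, brand_domains):
    """Pull out what a reader checks by hand in a vishing mail."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    # Received headers are prepended, so the bottom-most one is the earliest hop.
    first_hop = hops[-1].strip() if hops else ""
    ip = IP_RE.search(first_hop)
    helo = HELO_RE.match(first_hop)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    on_brand = any(from_domain == d or from_domain.endswith("." + d)
                   for d in brand_domains)
    flags = []
    if not on_brand:
        flags.append("from-domain-not-brand")
    if helo and helo.group(1).lower() == "user":
        flags.append("helo-is-User")
    if "domainkeys=neutral" in msg.get("Authentication-Results", ""):
        flags.append("unsigned")
    body = "" if msg.is_multipart() else msg.get_payload()
    return {
        "origin_ip": ip.group(0) if ip else None,
        "helo": helo.group(1) if helo else None,
        "from_domain": from_domain,
        "phones": PHONE_RE.findall(body),  # callback numbers to report
        "flags": flags,
    }

if __name__ == "__main__":
    print(triage(SAMPLE, {"bank.example"}))
```

Only the Received line added by your own mail server is trustworthy; every hop below it is supplied by the sending side, so treat the extracted origin IP as a lead for an abuse report rather than proof.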