[Phish] Telephone phishing thread in Spam, Scam and Phishbusters

Re: SMS sent to cell phone

Wed, 16 Sep 2009 14:42:46 EDT

SYNACK : Here's an interesting followup to this after checking my online bill in more details. We have 4 lines on that account and not all numbers are adjacent. Still, all phones received the same text message literally within seconds of each other.

I called t-mobile to see if there are any security measures in place to possibly prevent such things in the future, similar to e.g. spam filters for e-mail.

I am curious if the target numbers were skimmed from the stolen t-mobile data.

Re: SMS sent to cell phone

Fri, 28 Aug 2009 13:55:55 EDT

SYNACK : phishing MMS received on cell (t-mobile):

310@tmomail.net: We found a problem in your California account. Call urgently at (888) 666-9128

(Googling that number show numerous similar messages)

Re: SMS sent to cell phone

Mon, 03 Aug 2009 01:21:25 EDT

MGD : Your number must have been one of the first batches called. It has now shown up on several of the phone number websites:

»800notes.com/Phone.aspx/1-877-245-1472

»whocallsme.com/Phone-Number.aspx/8772451472

»www.callercomplaints.com/SearchR···245-1472

MGD

Re: SMS sent to cell phone

Sun, 02 Aug 2009 23:36:49 EDT

anon : That's funny, I got the same text today. I noticed that it said receive instead of received after looking at it a couple of times. I didn't even bother calling, especially after that grammatical error. So then I googled (hah it's a verb) the 3878 text number and nothing showed up. Then I searched the message through google and found that people actually gave up their account information lol.

Re: SMS sent to cell phone

Sun, 02 Aug 2009 22:19:26 EDT

SnowyOne :

said by NightVisor :

*deadpan* Define "special". *deadpan:end*

"rare, uncommon, unique..."
in a complimentary way

Re: SMS sent to cell phone

Sun, 02 Aug 2009 21:25:37 EDT

nwrickert : Good thinking. And thanks for posting.

Re: SMS sent to cell phone

Sun, 02 Aug 2009 21:15:42 EDT

NightVisor : *deadpan* Define "special". *deadpan:end*

I wanted to see what the message hook was. I already knew it was a scam, but the number didn't show up in any search engines. Since this thread (the whole forum, actually) is regularly monitored by Google et al., might as well drop in the number and the message so if someone else searches, they'll find the info.

Re: SMS sent to cell phone

Sun, 02 Aug 2009 20:29:59 EDT

SnowyOne :

said by NightVisor :

At that point, I hung up.

Wow! You're in a special class of people.
Off the top of my head I'll say less than 1 in a half million people who receive these respond to them.
Did you call out of irritation or were you initially unsure about the message?

SMS sent to cell phone

Sun, 02 Aug 2009 17:04:22 EDT

NightVisor : From: 3736

Message:
customer.notification@visa.com / "Card Block Alert". To find out why you receive this alert call 1-877-245-1472. Thank you. /

What happens when I call that number?
"Your credit union has identified your account as having fraudulent entries and your credit card has been blocked. Please stay on the and a credit union security specialist will assist you."

*sounds of call being transfered*

"To assist you with your account, please enter your credit card number"

At that point, I hung up.

Re: [Phish] Paypal vish

Sat, 27 Jun 2009 09:15:20 EDT

SnowyOne : Here's where he was routing the calls to
sip:cacat0099@proxy01.sipphone.com

Re: [Phish] Telephone phishing thread

Wed, 24 Jun 2009 20:53:33 EDT

Rowan : My SO has a new cell phone -- TWO DAYS OLD -- and has received 6 calls today (one per hour or so). The first few were "caller unknown", but the most recent call showed up as 877-648-0958. I've called that no. from another phone and I get 'invalid number'. They've left no messages, so not sure what they're up to, but Goog sez lots of other ppls are having this recent prob with this same no.

Just thought I'd report in.

~Rowan

Re: [Phish] Paypal vish

Mon, 22 Jun 2009 21:34:40 EDT

MGD : I thought it was Italy, then I wondered how low the IQ of a Phisher would have to be in order to think that a victim would make an international call to Italy to contact PayPal support.

I guess that must be the downside of dropping out of Phishing 101.

MGD

Re: [Phish] Paypal vish

Mon, 22 Jun 2009 19:57:45 EDT

nwrickert : Yes, I assume foreign.

If I am reading it correctly, the "00" is a prefix for US callers, then the 39 is the international code for Italy.
--
AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11

Re: [Phish] Paypal vish

Mon, 22 Jun 2009 19:26:00 EDT

MGD :

said by nwrickert :

Excerpt from vish:

Restore your account .
Please Call our Card Department at 0039-069-165-7836

A foreign number perhaps ?, there are too many digits for it to be a US number

MGD

Re: [Phish] Paypal vish

Wed, 17 Jun 2009 17:43:10 EDT

nwrickert : Excerpt from vish:

Restore your account .
Please Call our Card Department at 0039-069-165-7836

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.11

F & M Bank Express Online - vish at (641) 410 2293

Tue, 06 Jan 2009 20:13:52 EDT

nwrickert :

said by vish body :
Dear F&M Bank customer,

We are hereby notifying you that we've recently suffered a phishing-Attack. Beca
use we have registered too many frauds we suspended your account. For security r
easons you must call us and provide the requested information so we can verify t
he integrity of your F&M ExpressOnline Banking account. If you fail to complete
the verification in the next 24 hours your account will be blocked.

***************************************************

Call us at: +1 (641) 410 2293 and confirm your identity.

***************************************************

Note: The call is free of charge for you!

Please comply and thanks for understanding.

\251 2009 F&M Bank

Headers:

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5

Capital One vish

Thu, 01 Jan 2009 21:19:36 EDT

nwrickert : A vish for Capital One, at +1(315-235-1392)

said by mail body :
In our terms and contidions you have agreed to state that your
account must always be under your control or those you designate
at all times. We have noticed some activity related to your account that
indicates that order parties may have tried gaining access or control of your
information in your account.

Therefore, to prevent unauthorized access to your Capital One Bank
Internet Banking account,you are limited to five failed login attempts in
a 24-hour period. You have exceeded this number of attempts.*

To reactivate your debit card , please call: +1(315-235-1392)

Copyright Capital One Bank, All Rights Reserved.

Headers:

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5

Re: [Phish] Telephone phishing thread

Tue, 16 Dec 2008 10:16:29 EDT

Doctor Four : Credit Union Access:

Dear CU Member:

This is not a promotional e-mail. Please call us immediately at (877) 898-7930 regarding recent restriction placed on your account. We're available 24/7 to take your call.

Please disregard this e-mail if you've already call us since the date this e-mail was sent.

We appreciate your prompt attention to this matter.

Thank you
CU Fraud Prevention Security Department

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Tue, 09 Dec 2008 23:03:39 EDT

Doctor Four : U.S. Bank telephone phish (there were two of these, with the same image and telephone number):

#1:

Return-Path: <rtkxxo@yahoo.com>Authentication-Results: mta569.mail.mud.yahoo.com from=; domainkeys=neutral (no sig)Received: from 68.230.240.9 (EHLO eastrmmtao103.cox.net) (68.230.240.9) by mta569.mail.mud.yahoo.com with SMTP; Tue, 09 Dec 2008 16:10:50 -0800Received: from eastrmimpo03.cox.net ([68.1.16.126]) by eastrmmtao103.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20081210001049.DUTA18445.eastrmmtao103.cox.net@eastrmimpo03.cox.net>; Tue, 9 Dec 2008 19:10:49 -0500Received: from User ([70.187.22.254]) by eastrmimpo03.cox.net with bizsmtp id pCAj1a0085Uvfce02CAkUW; Tue, 09 Dec 2008 19:10:48 -0500 a=gMMwTlpgCVsA:10 a=nDDMXIyUaCkA:10 a=oJL9TIRMo0YA:10 a=HWowFZCwAAAA:8 a=6VBaUAmcAAAA:8 a=vzUeNKtdRj-0HKc1hJIA:9Reply-To: rtkxxo@yahoo.comFrom: U.S. Bank<rtkxxo@yahoo.com> Subject: Multiple password failures ! Please call our 24-hours Security DepartmentDate: Wed, 10 Dec 2008 01:14:07 +0100MIME-Version: 1.0Content-Type: text/html; charset="Windows-1251"Content-Transfer-Encoding: 7bitMessage-Id: <20081210001049.DUTA18445.eastrmmtao103.cox.net@eastrmimpo03.cox.net>Content-Length: 173

Return-Path: <dsmxzu@yahoo.com>Authentication-Results: mta149.mail.re1.yahoo.com from=; domainkeys=neutral (no sig)Received: from 68.230.240.13 (EHLO eastrmmtai106.cox.net) (68.230.240.13) by mta149.mail.re1.yahoo.com with SMTP; Tue, 09 Dec 2008 15:16:23 -0800Received: from eastrmimpo03.cox.net ([68.1.16.126]) by eastrmmtao107.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20081209231458.FIYS4842.eastrmmtao107.cox.net@eastrmimpo03.cox.net>; Tue, 9 Dec 2008 18:14:58 -0500Received: from User ([70.188.140.60]) by eastrmimpo03.cox.net with bizsmtp id pBEt1a00K1JP2Ge02BEuhr; Tue, 09 Dec 2008 18:14:58 -0500 a=gMMwTlpgCVsA:10 a=5a7zk8gS10wA:10 a=oJL9TIRMo0YA:10 a=HWowFZCwAAAA:8 a=6VBaUAmcAAAA:8 a=vzUeNKtdRj-0HKc1hJIA:9Reply-To: dsmxzu@yahoo.comFrom: U.S. Bank<dsmxzu@yahoo.com> Subject: Multiple password failures ! Please call our 24-hours Security DepartmentDate: Wed, 10 Dec 2008 00:18:17 +0100MIME-Version: 1.0Content-Type: text/html; charset="Windows-1251"Content-Transfer-Encoding: 7bitMessage-Id: <20081209231458.FIYS4842.eastrmmtao107.cox.net@eastrmimpo03.cox.net>Content-Length: 173

The body of the email is an image only (the screenshot above). It is clickable, but appears to lead to the real U.S. Bank website.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Fri, 28 Nov 2008 04:36:53 EDT

Doctor Four : 800-523-8103 Capital One

Sent to my mother's Yahoo email. Only thing changed is the first part of the To: address

Return-Path: <mailout04@westnotificationsgroup.com>Authentication-Results: mta198.mail.ac4.yahoo.com from=; domainkeys=neutral (no sig)Received: from 208.34.106.236 (EHLO vocal-net.net) (208.34.106.236) by mta198.mail.ac4.yahoo.com with SMTP; Thu, 27 Nov 2008 23:35:42 -0800Received: from westnotificationsgroup.com (unverified [72.54.106.166]) by ntvop4.netaccnt.net (Vircom SMTPRS 4.5.654.13) with ESMTP id <B0142103054@ntvop4.netaccnt.net> for <nataleemorse@yahoo.com>; Fri, 28 Nov 2008 02:10:33 -0500From: "Capital One" <service@capitaone.com> <216.57.96.8 (HELO mailout04.westnotificationsgroup.com)> To: x@yahoo.comSubject: Capital One Alert: Irregular Credit Card ActivityDate: 28 Nov 2008 00:13:11 -0700Message-ID: <20081128001311.B0F742BDBB2F8318@capitaone.com>MIME-Version: 1.0Content-Type: text/html; charset="iso-8859-1"Content-Transfer-Encoding: quoted-printableContent-Length: 3634 Irregular Credit Card Activity Account: Capital One® credit cardDate: 11/28/2008 We detected irregular activity on your Capital One® credit card on 11/28/2008. For your protection, you must verify this activity before you can continue using your card. Please call us immediately at 1-800-523-8103 or collect using the number listed on the back of your card. We will review the activity on your account with you and upon verification, we will remove any restrictions placed on your account. Important Information from Capital One Contact Us | Privacy This e-mail was sent to you and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted. The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances. Capital One and its service providers are committed to protecting your privacy and ask you not to send sensitive account information through e-mail. If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail. ©2008 Capital One. Capital One is a federally registered service mark. All rights reserved. 15000 Capital One Drive, Attn: 12038-0111, Richmond, Virginia 23238. To contact us by mail, please use the following address: Capital One, PO Box 30285, Salt Lake City, Utah 84130-0285. 09860 023 001

The attached logo is the one the phisher used. They left off "what's in your wallet?", which normally is positioned beginning right below the 'One' part of the name.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

877-214-0565 - Community Financial Members Federal Credit Union

Wed, 19 Nov 2008 07:03:47 EDT

DC DSL : The message:

ADVISORY: Some members and non-members of Community Financial Members Federal Credit Union have received fraudulent emails. This email was NOT issued by Community Financial Members Federal Credit Union, and should be deleted. Do not follow the instructions in the email. Do not click the link. For security reasons we have deactivated your debit card. Please call our toll-free hotline at (877) 214-0565 to activate your debit card.

Headers:

It's so touching how much they care for "members and non-members" alike, and have deactivated my debit card for me!

Frickin morons...they couldn't even send well-formed HTML!

--
There is no giant fur-bearing trout.

Re: [Phish] Telephone phishing thread

Tue, 04 Nov 2008 13:55:27 EDT

nwrickert : Resource bank. Phone number is 815-981-4765

Return-Path: accounts@resourcebank.comDelivery-Date: Tue, 04 Nov 2008 07:57:29 -0600Received: from mail.nelsonmazda.com (mail.nelsonmazda.com [68.99.76.194]) by mp.cs.niu.edu (8.14.3/8.14.3) with ESMTP id mA4DvN65018274 for <munged@cs.niu.edu>; Tue, 4 Nov 2008 07:57:28 -0600 (CST)Received: from User ([142.176.87.114]) by mail.nelsonmazda.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 4 Nov 2008 08:01:57 -0600Reply-To: <do-not-reply@resourcebank.com>From: "Resource Bank"<accounts@resourcebank.com>Subject: NoticeDate: Tue, 4 Nov 2008 09:56:07 -0400MIME-Version: 1.0Content-Type: text/html; charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 1X-MSMail-Priority: HighX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Bcc:Message-ID: <NAGMAILZkfzDskqC5Et000000cd@mail.nelsonmazda.com>X-OriginalArrivalTime: 04 Nov 2008 14:01:57.0348 (UTC) FILETIME=[E6615240:01C93E85] <html> <head><meta http-equiv="Content-Language" content="en-gb"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>Resource Bank</title></head> <body>   Dear Customer,   Resource Bank temporarily suspended your account.   Reason: Security Issues.   We need you to complete an account update so we can unlock your account.    To start the update process call at the following number : 815-981-4765    The information provided will be treated in confidence and stored in our secure database.  <div class="copyright" align="left">    Copyright <A9> Resource Bank. All Rights Reserved</div> </body> </html>

--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.3

Re: [Phish] Telephone phishing thread

Wed, 15 Oct 2008 07:12:24 EDT

Doctor Four : One from Uniter Heritage Credit Union:

Return-Path: <service@uhcu.org>Authentication-Results: mta435.mail.mud.yahoo.com from=uhcu.org; domainkeys=neutral (no sig)Received: from 194.116.199.143 (EHLO thb-mta-05.emailfiltering.com) (194.116.199.143) by mta435.mail.mud.yahoo.com with SMTP; Wed, 15 Oct 2008 03:34:41 -0700Received: from host217-41-113-124.in-addr.btopenworld.com ([217.41.113.124]) by thb-mta-05.emailfiltering.com with emfmta (version 3.6.5.44.1.r-3.2.3-libc2.3.2) vanilla id 3044468324 ; Wed, 15 Oct 2008 11:34:40 +0100Received: from User ([68.191.184.90]) by mail.bbs.eu.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 15 Oct 2008 11:33:10 +0100Reply-To: <no-reply@uhcu.org>From: "United Heritage C.U"<service@uhcu.org> Subject: Important Member Service Information !Date: Wed, 15 Oct 2008 05:34:39 -0500MIME-Version: 1.0Content-Type: text/plain; charset="Windows-1251"Content-Transfer-Encoding: 7bitBcc: Return-Path: service@uhcu.orgMessage-ID: <BBS-SVR01R4T3XJVVfA00001c3e@mail.bbs.eu.com>Content-Length: 735 Dear Member: According to our clients needs United Heritage Credit Union is currently launching a newsecurity system that will improve the level of member service we can provide. We strongly urge that all our members need to update their credit card withinthe next 48 hours, so we can add them to our new database. To start the update process call us now on our service number : +1(818) 824 4009 Sorry for any inconvenience this may cause! Sincerely,Jenny LaudadioMarketing director, United Heritage Credit Union. ---------------------------------------------------------------------------------- --Scanned by BBS MessageAngel for viruses and unwanted content.Powered by emailsystems. Visit www.bbs.eu.com/messageangel

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Tue, 14 Oct 2008 21:07:26 EDT

Doctor Four : Two more from ANB Texas, with a different phone number:

Return-Path: <suspended@anbtx.com>Authentication-Results: mta244.mail.re2.yahoo.com from=anbtx.com; domainkeys=neutral (no sig)Received: from 216.126.204.132 (EHLO mail.acninc.net) (216.126.204.132) by mta244.mail.re2.yahoo.com with SMTP; Tue, 14 Oct 2008 15:02:07 -0700Received: from User [208.69.57.85] by mail.acninc.net with ESMTP (SMTPD32-8.15) id A4F9581009C; Tue, 14 Oct 2008 14:45:45 -0600Reply-To: <suspended@anbtx.com>From: "American National Bank of Texas"<suspended@anbtx.com> Subject: Important Member Service Information !Date: Tue, 14 Oct 2008 16:45:43 -0400MIME-Version: 1.0Content-Type: text/plain; charset="Windows-1251"Content-Transfer-Encoding: 7bitMessage-Id: <200810141445360.SM01716@User>Content-Length: 688 Dear Customer, In our terms and contidions you have agreed to state that youraccount must always be under your control or those you designateat all times. We have noticed some activity related to your account thatindicates that order parties may have tried gaining access or control of yourinformation in your account. Therefore, to prevent unauthorized access to your American National Bank of TexasInternet Banking account,you are limited to five failed login attempts ina 24-hour period. You have exceeded this number of attempts.* To reactivate your debit card , please call: +1(804-684-8586) Copyright © 2008 American National Bank of Texas. All Rights Reserved.

Second message has the same phone number and message body,
but different headers:

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Tue, 14 Oct 2008 17:31:47 EDT

Doctor Four : American National Bank Of Texas:

Return-Path: <memberservice@anbtx.com>Authentication-Results: mta230.mail.re4.yahoo.com from=anbtx.com; domainkeys=neutral (no sig)Received: from 67.79.177.26 (EHLO wsrv1.wiringtech.local) (67.79.177.26) by mta230.mail.re4.yahoo.com with SMTP; Tue, 14 Oct 2008 04:10:11 -0700Received: from User ([68.191.184.90]) by wsrv1.wiringtech.local with Microsoft SMTPSVC(6.0.3790.3959); Tue, 14 Oct 2008 07:04:42 -0400Reply-To: <no-reply@anbtx.com>From: "American National Bank of Texas"<memberservice@anbtx.com> Subject: Important NotificationDate: Tue, 14 Oct 2008 06:06:31 -0500MIME-Version: 1.0Content-Type: text/plain; charset="Windows-1251"Content-Transfer-Encoding: 7bitBcc: Return-Path: memberservice@anbtx.comMessage-ID: <WSRV1zmtlefFc8gc4aR00004b9c@wsrv1.wiringtech.local>Content-Length: 670 In our terms and contidions you have agreed to state that youraccount must always be under your control or those you designateat all times. We have noticed some activity related to your account thatindicates that order parties may have tried gaining access or control of yourinformation in your account. Therefore, to prevent unauthorized access to your American National Bank of TexasInternet Banking account,you are limited to five failed login attempts ina 24-hour period. You have exceeded this number of attempts.* To reactivate your debit card , please call: +1(805-617-4170) Copyright © 2008 American National Bank of Texas. All rights reserved.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Mon, 06 Oct 2008 15:41:31 EDT

Lizz :

From Merchants National Bank Mon Oct 6 11:00:37 2008Return-Path: <info@merchantsnat.com>Authentication-Results: mta102.sbc.mail.mud.yahoo.com from=merchantsnat.com; domainkeys=neutral (no sig)Received: from 72.242.21.146 (EHLO flpi119.prodigy.net) (207.115.20.159) by mta102.sbc.mail.mud.yahoo.com with SMTP; Mon, 06 Oct 2008 11:13:20 -0700Received: from russellmassey.com (server.russellmassey.com [72.242.21.146]) by flpi119.prodigy.net (8.13.8 inb regex/8.13.8) with ESMTP id m96IDFL3030348 for <xxxxx@pacbell.net>; Mon, 6 Oct 2008 11:13:19 -0700Received: from User ([68.213.58.58]) by russellmassey.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 6 Oct 2008 14:00:37 -0400From: "Merchants National Bank"<info@merchantsnat.com> Add sender to ContactsSubject: MNB - Fraud AlertDate: Mon, 6 Oct 2008 13:00:37 -0500MIME-Version: 1.0Content-Type: text/html; charset="Windows-1251"Content-Transfer-Encoding: 7bitBcc: Message-ID: <SERVERYYclEohn9Nhkr00005660@russellmassey.com>Content-Length: 876Compact Headers ADVISORY: Some members and non-members of Merchants National Bank have received fraudulent emails. This email was NOT issued by Merchants National Bank, and should be deleted. Do not follow the instructions in the email. Do not click the link. For security reasons we have deactivated your debit card. Please contact us at (888) 425-2294 to activate your debit card.

Salin Bank

Wed, 24 Sep 2008 21:28:53 EDT

nwrickert : The Salin Bank phish #31431 is really a voice/telephone vish for 1-800-681-2713.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1

Farmers State Bank

Tue, 09 Sep 2008 18:08:45 EDT

nwrickert : Submitted phish #31133 is really a voice/telephone vish for phone number (888) 687-5642.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1

Re: [Phish] Telephone phishing thread

Sat, 16 Aug 2008 18:31:16 EDT

nwrickert : Not a problem.

This thread is mainly for reporting specific instances. So discussing the phenomenon in a different thread is fine.

I'll add a link to your other thread:
»Criminals have now gone 'vishing'
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1

Re: [Phish] Telephone phishing thread

Sat, 16 Aug 2008 15:53:51 EDT

jaykaykay : Ooops. I guess I am a bit late! I just posted a thread about this in the Security Forum. :( Oh well. The more that hear about it, the better.

Re: [Phish] Telephone phishing thread

Thu, 17 Jul 2008 17:48:02 EDT

Doctor Four : One from WAMU:

This part of the message is invisible. I found it by
checking the page source:

"To activate your account please call urgent at 713-481-1635."

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Fri, 30 May 2008 19:31:55 EDT

Doctor Four : A Point Bank vish that arrived today:

Dear CardHolder,
Your debit card has open issues
Contact us immediately for assistance.
Toll Free Line: 1-(877)- 596-6749

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Thu, 29 May 2008 18:33:38 EDT

Doctor Four : AA/Citibank Vish (~~also submitted to Phishtracker~~ - see below) - posted
here because there's also a telephone number.

Edit: This did not successfully get parsed by Phishtracker. The
link first leads to hxxp://mail.mrfood.com/logo_servis.gif, but then
redirects to hxxp://mail.opt-al.com/www.citicards.com/cards/wv/copy.doscreenID1214.htm

(The second link has already been reported to Google as a
web forgery, and is still active as of the time of this post.)

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

EPPIcard vish 772-924-0104

Wed, 21 May 2008 12:07:33 EDT

nwrickert : Email message text:


Dear EPPICard member,
 
We recently reviewed your account, and suspect that your EPPICard account may
have been accessed from an unauthorized computer. This may be due to changes
in your IP address or location. Protecting the security of your account and 
the EPPICard network is our primary concern. Therefor, we have temporarily
blocked your banking account.
 
To unlock your account call our toll free number: 772-924-0104
 
To protect your account please follow the instructions below:
    - NEVER SHARE YOUR PASSWORD with other persons
    - ALWAYS LOG OFF after using your online account
    - NEVER access EPPICard`s website by clicking on a link provided in an e-mail
 
We apologize for any inconvenience this may cause, and appreciate your
assistance in helping us maintaining the integrity of the entire EPPICard System.
 
Thank you,
EPPICard Security Advisor.
 
Copyright 2008 EPPICard - The safe and secure way to acces your payments.

Headers:

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.14

Re: [Phish] Telephone phishing thread

Wed, 14 May 2008 18:07:01 EDT

SnowyOne :

Delivered-To: no.job.needed@gmail.comReceived: by 10.142.155.4 with SMTP id c4cs16970wfe; Wed, 14 May 2008 08:55:10 -0700 (PDT)Received: by 10.35.28.12 with SMTP id f12mr2105619pyj.45.1210780510055; Wed, 14 May 2008 08:55:10 -0700 (PDT)Return-Path: <test@telus.net>Received: from defout.telus.net (defout.telus.net [199.185.220.240]) by mx.google.com with ESMTP id f24si4254145pyh.26.2008.05.14.08.55.09; Wed, 14 May 2008 08:55:09 -0700 (PDT)Received-SPF: pass (google.com: domain of test@telus.net designates 199.185.220.240 as permitted sender) client-ip=199.185.220.240;Authentication-Results: mx.google.com; spf=pass (google.com: domain of test@telus.net designates 199.185.220.240 as permitted sender) smtp.mail=test@telus.netReceived: from priv-edtnaa16.telusplanet.net ([206.116.132.29]) by priv-edtnes25.telusplanet.net (InterMail vM.7.08.02.02 201-2186-121-104-20070414) with ESMTP id <20080514155450.QWUB16573.priv-edtnes25.telusplanet.net@priv-edtnaa16.telusplanet.net>; Wed, 14 May 2008 09:54:50 -0600Received: from User (d206-116-132-29.bchsia.telus.net [206.116.132.29])by priv-edtnaa16.telusplanet.net (BorderWare MXtreme Infinity Mail Firewall) with SMTPid 83448V1ULV; Wed, 14 May 2008 09:55:09 -0600 (MDT)From: "test" <test@telus.net>Subject: fdfdfdfdfd55Date: Wed, 14 May 2008 08:55:10 -0700MIME-Version: 1.0Content-Type: text/plain;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Message-Id: <20080514155509.83448V1ULV@priv-edtnaa16.telusplanet.net>To: undisclosed-recipients:; Dear MasterCard customer, We regret to inform you that we have received numerous fraudulent emails which ask for personalaccount information. The emails contained links to fraudulent pages that looked legit. Please remember that we will never ask for personal account information via email or web pages. Because of this we are launching a new security system to make MasterCard accounts more secureand safe. To take advatage of our new consumer Identity Theft Protection Program we had todeactivate access to your card account. To activate it please call us immediately at (615) 348-6681 Activation is free of charge and will take place as soon as you finish the activation process. ? 1994-2008 MasterCard. All rights reserved.

Re: [Phish] Telephone phishing thread

Fri, 02 May 2008 12:46:00 EDT

Lizz : So you all don't think I'm nuts, the "simply sign on" is a link to a phishing site which DOES show in phishtracker.

Re: [Phish] Telephone phishing thread

Fri, 02 May 2008 12:40:30 EDT

Lizz : A vish AND a phish, all in one! (and with all the spamcatcher info in the header, ATT/Yahoo still left it in my inbox, not the bulk :mad:)

From Bank of America Fri May 2 06:59:39 2008
X-Apparently-To: XXX@pacbell.net via 209.191.85.223; Fri, 02 May 2008 07:01:12 -0700
X-Originating-IP: [64.97.155.27]
Return-Path:
Authentication-Results: mta136.sbc.mail.re3.yahoo.com from=alerts.bankofamerica.com; domainkeys=neutral (no sig)
Received: from 207.115.20.65 (EHLO flpi096.prodigy.net) (207.115.20.65) by mta136.sbc.mail.re3.yahoo.com with SMTP; Fri, 02 May 2008 07:01:12 -0700
X-Originating-IP: [64.97.155.27]
Received: from sc2.he.tucows.com (smtpout2027.sc2.he.tucows.com [64.97.155.27]) by flpi096.prodigy.net (8.13.8 inb regex/8.13.8) with ESMTP id m42E1Bpw001455 for ; Fri, 2 May 2008 07:01:11 -0700
Received: from sc2-out04.emaildefenseservice.com (64.97.201.174) by sc2.he.tucows.com (7.3.127) id 48188F54000E71E6; Fri, 2 May 2008 13:59:46 +0000
Message-ID: (added by postmaster@globo.com)
X-SpamScore: 96
X-Spamcatcher-Summary: 96,15,0,9ea1071f6304b62f,0631c5bc6dd70dd7,alert@alerts.bankofamerica.com,-,
X-Spamcatcher-Explanation: (33%) BODY: mail is from Bank of America but doesn't contain any Bank of America URLS;(27%) BODY: likely phishing content;(13%) X-MAILER: mail headers not consistent with User Agent "Outlook";(13%) HTML: HTML code not consistent with User Agent "Outlook";(7%) BODY: text/html email has no html tag;(7%) BODY: content type is strictly "text/html";
Received: from User (unknown [41.223.251.88]) (Authenticated sender: atm05@globo.com) by sc2-out04.emaildefenseservice.com (Postfix) with ESMTP; Fri, 2 May 2008 13:59:19 +0000 (UTC)
From: "Bank of America" Add to Address BookAdd to Address Book Add Mobile Alert
Subject: Online Banking Verification
Date: Fri, 2 May 2008 14:59:39 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Length: 2867

Dear Valued Bank of America Online Customer:

IMPORTANT: Your online account information must be confirmed and verified to ensure uninterrupted service.

To enhance the level of service you receive with Bank of America Online Services, we regularly review the online banking accounts. We have issued this warning message to inform you that we have detected a slight error in your account information. This might be due to either of the following reasons:.
bullet A recent change in your personal information ( i.e.change of address).
bullet Submiting invalid information during the initial sign up process.
bullet An inability to accurately verify your selected option of payment due to an internal error within our processors.

As a result, we require you to confirm and verify your account information By Clicking Here and completing the confirmation process.

Note
However, failure to confirm and verify your account information will result in temporarily account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.
If you have any question regarding this, please call us at 888-692-5949, 24 hours a day, seven days a week. or simply Sign In to Online Banking and click on "Help".

Thank you for banking at Bank of America. We look forward to serving your financial needs for many years to come.

Re: [Phish] Telephone phishing thread

Thu, 24 Apr 2008 17:56:42 EDT

Doctor Four : Amarillo National Bank vish:

URLs for both the forged ANB and Verisign logos in the
body of the phish (posted as JPG as it is all html)

ANB: hxxp://jeannemcallister.com/logo.gif
Verisign: hxxp://jeannemcallister.com/logo-verisign.gif

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Wed, 23 Apr 2008 17:36:22 EDT

Doctor Four : Another Franklin Bank one, same phone number as before:

X-Apparently-To: x@yahoo.com via 66.163.178.138; Tue, 22 Apr 2008 15:07:58 -0700X-YahooFilteredBulk:74.52.162.130X-Originating-IP:[74.52.162.130]Return-Path:<franklinbank@mesanetworks.net>Authentication-Results:mta209.mail.re4.yahoo.com from=; domainkeys=neutral (no sig)Received:from 74.52.162.130 (EHLO mx11.mesanetworks.net) (74.52.162.130) by mta209.mail.re4.yahoo.com with SMTP; Tue, 22 Apr 2008 15:07:56 -0700Received:(qmail 9582 invoked by uid 509); 22 Apr 2008 11:26:37 -0600Received:from 72.19.158.63 by mx11.mesanetworks.net (envelope-from <franklinbank@mesanetworks.net>, uid 508) with qmail-scanner-1.25-st-qms (clamdscan: 0.87/2133. spamassassin: 3.0.6. perlscan: 1.25-st-qms. Clear:RC:1(72.19.158.63):. Processed in 0.525889 secs); 22 Apr 2008 17:26:37 -0000X-Antivirus-MESANETWORKS-Mail-From:franklinbank@mesanetworks.net via mx11.mesanetworks.netX-Antivirus-MESANETWORKS:1.25-st-qms (Clear:RC:1(72.19.158.63):. Processed in 0.525889 secs Process 9540)Received:from 72-19-158-63.static.mesanetworks.net (HELO User) (72.19.158.63) by mx11.mesanetworks.net with SMTP; 22 Apr 2008 11:26:36 -0600Reply-to:<noreply@mesanetworks.net>From:"Franklin Bank" <franklinbank@mesanetworks.net> Add Mobile AlertSubject:SECURITY ALERT!Date:Tue, 22 Apr 2008 11:26:31 -0600MIME-Version:1.0Content-Type:text/html; charset="Windows-1251"Content-Transfer-Encoding:7bitX-Priority:3X-MSMail-Priority:NormalX-Mailer:Microsoft Outlook Express 6.00.2600.0000X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000X-Antivirus-MESANETWORKS-Message-ID:<120888519710709540@mx11.mesanetworks.net>Content-Length:1584 Dear Franklin Bank Customer, Franklin Bank is aware of new phishing e-mails that are circulating. These e-mails request consumers to click a link due to a compromise of a credit card account. You should not respond to this message. Due to unusual levels of fraud we have had to suspend any future authorizations being conducted with your Visa ATM/Check Card. For your security we have deactivate your card. How to activate/re-activate your card ? Call our Card Department: (866) 797-5643 Our automated system allows you to quickly activate your card. We apologize for any inconvenience this may cause. Corporate Office 9800 Richmond, Suite 680 Houston, TX 77042 Copyright © 2006 Franklin Bank. All Rights Reserved.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Mon, 21 Apr 2008 17:15:16 EDT

Doctor Four : Yet another Franklin Bank one, trying to look legitimate by
warning recipients of phishing scams. They're not fooling me.

The phone number's likely bogus, and the IP address 72.28.171.9 is likely a botnet zombie (it certainly
isn't one of Franklin's IPs). The Corporate Office
address is real, however.

X-Apparently-To: x@yahoo.com via 66.163.178.140; Mon, 21 Apr 2008 12:15:14 -0700X-YahooFilteredBulk:8.10.184.138X-Originating-IP:[8.10.184.138]Return-Path:<franklinbank@ddsadsa.com>Authentication-Results:mta250.mail.re3.yahoo.com from=ddsadsa.com; domainkeys=neutral (no sig)Received:from 8.10.184.138 (EHLO mail.wghco.com) (8.10.184.138) by mta250.mail.re3.yahoo.com with SMTP; Mon, 21 Apr 2008 12:15:14 -0700Received:from User ([72.28.171.9]) by mail.wghco.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 21 Apr 2008 11:49:39 -0700From:"Franklin Bank" <franklinbank@ddsadsa.com> Add Mobile AlertSubject:SECURITY ALERT!Date:Mon, 21 Apr 2008 14:48:37 -0400MIME-Version:1.0Content-Type:text/html; charset="Windows-1251"Content-Transfer-Encoding:7bitX-Priority:3X-MSMail-Priority:NormalX-Mailer:Microsoft Outlook Express 6.00.2600.0000X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000Bcc:Return-Path:franklinbank@ddsadsa.comMessage-ID:<HENSCHEN7n0swXX1sPt00000677@mail.wghco.com>X-OriginalArrivalTime:21 Apr 2008 18:49:39.0703 (UTC) FILETIME=[742AE870:01C8A3E0]X-TM-AS-Product-Ver:SMEX-7.5.0.1243-5.0.1023-15864.001X-TM-AS-Result:Yes-21.877000-4.000000-31X-TM-AS-User-Approved-Sender:NoX-TM-AS-User-Blocked-Sender:NoContent-Length:1586 Dear Franklin Bank Customer, Franklin Bank is aware of new phishing e-mails that are circulating. These e-mails request consumers to click a link due to a compromise of a credit card account. You should not respond to this message. Due to unusual levels of fraud we have had to suspend any future authorizations being conducted with your Visa ATM/Check Card. For your security we have deactivate your card. How to activate/re-activate your card ? Call our Card Department: (866) 797-5643 Our automated system allows you to quickly activate your card. We apologize for any inconvenience this may cause. Corporate Office 9800 Richmond, Suite 680 Houston, TX 77042 Copyright © 2006 Franklin Bank. All Rights Reserved.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Lizz_Vish_Archived

Wed, 16 Apr 2008 19:38:51 EDT

SnowyOne : X-Apparently-To: myemail@pacbell.net via 209.191.85.225; Tue, 15 Apr 2008 10:39:54 -0700
X-Originating-IP:[212.85.249.132]
Return-Path:
Authentication-Results:mta121.sbc.mail.mud.yahoo.com from=franklin.com; domainkeys=neutral (no sig)
Received:from 207.115.36.53 (EHLO nlpi024.prodigy.net) (207.115.36.53) by mta121.sbc.mail.mud.yahoo.com with SMTP; Tue, 15 Apr 2008 10:39:52 -0700
X-Header-Overseas:Mail.from.Overseas.source.212.85.249.132
X-Originating-IP:[212.85.249.132]
Received:from node-2.minx.net.uk (node-2.minx.net.uk [212.85.249.132]) by nlpi024.prodigy.net (8.13.8 inb regex/8.13.8) with ESMTP id m3FHdoDY014536 for ; Tue, 15 Apr 2008 12:39:50 -0500
Received:from [195.82.101.89] (helo=mail.QuantumFittedFurniture.co.uk) by node-2.minx.net.uk with esmtp (Exim 4.60) (envelope-from ) id 1JlpIR-0005rN-Og for myemail@pacbell.net; Tue, 15 Apr 2008 18:50:20 +0100
Received:from User ([192.168.0.250] RDNS failed) by mail.QuantumFittedFurniture.co.uk with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Apr 2008 18:29:09 +0100
Reply-to:
From:"Franklin Bank" Add to Address BookAdd to Address Book Add Mobile Alert
Subject:Card Deactivation
Date:Tue, 15 Apr 2008 13:39:36 -0400
MIME-Version:1.0
Content-Type:text/plain; charset="Windows-1251"
Content-Transfer-Encoding:7bit
X-Priority:3
X-MSMail-Priority:Normal
X-Mailer:Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID:
X-OriginalArrivalTime:15 Apr 2008 17:29:10.0078 (UTC) FILETIME=[37021DE0:01C89F1E]
X-MINX-Orig-IP:195.82.101.89
X-Spam-Score:2.9 (++)
X-Spam-Level:++
Content-Length:563

Card Deactivation
Message from: Customer Service
Date: 04/15/2008

We detected irregular activity on your ATM/Check Card on 04/15/2008.
For your protection we have had to suspend any future authorizations
being conducted with your card.

For your security we have deactivate your card.

How to activate/re-activate your card ?

You may stop by your branch or call our Activation Center:

Activation Center: (866) 797-5640 (24 Hour Line)

Re: [Phish] Telephone phishing thread

Tue, 15 Apr 2008 21:12:05 EDT

Doctor Four : Another Franklin Bank one:

X-Apparently-To: x@yahoo.com via 66.163.178.135; Tue, 15 Apr 2008 09:09:54 -0700X-YahooFilteredBulk:64.34.200.180X-Originating-IP:[64.34.200.180]Return-Path:<bankfranklin@franklin.com>Authentication-Results:mta112.mail.re3.yahoo.com from=franklin.com; domainkeys=neutral (no sig)Received:from 64.34.200.180 (EHLO web420.linux-hosting.com) (64.34.200.180) by mta112.mail.re3.yahoo.com with SMTP; Tue, 15 Apr 2008 09:09:53 -0700Received:from User (72-28-171-009-dhcp.aik.sc.atlanticbb.net [72.28.171.9]) (authenticated bits=0) by web420.linux-hosting.com (8.13.1/8.13.1) with ESMTP id m3FFmMlk010716; Tue, 15 Apr 2008 21:18:22 +0530Message-Id:<200804151548.m3FFmMlk010716@web420.linux-hosting.com>Reply-to:<noreply@franklinsecurity.com>From:"Franklin Bank" <bankfranklin@franklin.com> Add Mobile AlertSubject:Card DeactivationDate:Tue, 15 Apr 2008 12:01:07 -0400MIME-Version:1.0Content-Type:text/plain; charset="Windows-1251"Content-Transfer-Encoding:7bitX-Priority:3X-MSMail-Priority:NormalX-Mailer:Microsoft Outlook Express 6.00.2600.0000X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000Content-Length:563 Card DeactivationMessage from: Customer ServiceDate: 04/15/2008 We detected irregular activity on your ATM/Check Card on 04/15/2008.For your protection we have had to suspend any future authorizations being conducted with your card. For your security we have deactivate your card. How to activate/re-activate your card ? You may stop by your branch or call our Activation Center: Activation Center: (866) 797-5640 (24 Hour Line) Our automated system allows you to quickly activate your card.We apologize for any inconvenience this may cause..

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Fri, 11 Apr 2008 23:16:45 EDT

DC DSL : I got a Franklin. I called the number. There's a semi-realistic TRS on it that asks for the card number, PIN, expiration date.

I put in completely bogus info (like 1234567812345678 for the card number). After a brief pause, it came back with "card, PIN or expiration are not valid, please reenter." So, I made up different info. It took it, said the card is now active and valid worldwide and ended.

I called back a few more times. Sometimes I gave it identical data, others not. It took it all just the same.

It seems that it tries to make it seem legit to get someone to reenter the info to make sure they've got a live one. However, they farkled it and it doesn't catch mismatches.

This would be great rainy-day fun wasting their time and flooding them with bogus data if it wasn't a toll-free number that captures the number you're calling from regardless of caller id blocking. (Anyone near a pay phone wanna give it a go and see if they're stupid enough to not have blocked pay station callers?)

=====

Return-Path:
Received: from mail.im3.com [216.201.16.126] by mail.ultimahosts.com with SMTP;
Fri, 11 Apr 2008 16:25:02 -0400
Received: from User (unverified [72.28.171.9]) by cartman.im3.com
(Vircom SMTPRS 4.4.568.66) with ESMTP id ;
Fri, 11 Apr 2008 15:53:41 -0400
X-Modus-BlackList: bankfranklin@franklinsecurity.com=OK
X-Modus-Audit: FALSE;0;0;0
Reply-To:
From: "Franklin Bank"
Subject: Card Deactivation
Date: Fri, 11 Apr 2008 15:53:36 -0400
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Rcpt-To:
X-SmarterMail-Spam: SPF_None

Card Deactivation
Message from: Customer Service
Date: 04/10/2008
We detected irregular activity on your ATM/Check Card on 04/10/2008.
For your protection we have had to suspend any future authorizations being
conducted with your card.
For your security we have deactivate your card.
How to activate/re-activate your card ?
You may stop by your branch or call our Activation Center.

Activation Center: (866) 578-0984 (24 Hour Line)

Our automated system allows you to quickly activate your card.
We apologize for any inconvenience this may cause.
Copyright © 2006 Franklin Bank. All Rights Reserved.
--
There is no giant fur-bearing trout.

Re: [Phish] Telephone phishing thread

Sun, 06 Apr 2008 17:49:16 EDT

Doctor Four : This one apparently from CUNA regarding the Wal-Mart data
breach seems to be quite suspicious. It had me fooled for
a minute, until I looked more closely at the headers. Nice try.

As before, the only thing changed is the name in the X-
Apparently-To: header:

X-Apparently-To: x@yahoo.com via 66.163.178.135; Sun, 06 Apr 2008 10:14:58 -0700X-YahooFilteredBulk:217.40.42.57X-Originating-IP:[217.40.42.57]Return-Path:<customerservice@cona.com>Authentication-Results:mta134.mail.re3.yahoo.com from=; domainkeys=neutral (no sig)Received:from 217.40.42.57 (EHLO erissrv1.eris.org.uk) (217.40.42.57) by mta134.mail.re3.yahoo.com with SMTP; Sun, 06 Apr 2008 10:14:57 -0700Received:from cona.com ([74.7.27.50]) by erissrv1.eris.org.uk with Microsoft SMTPSVC(5.0.2195.6713); Sun, 6 Apr 2008 17:36:49 +0100From:CUNA@ Add Mobile AlertTo:nataleemorse@yahoo.comSubject:Wal-Mart Stores, Inc. Data Breach AnnouncmentDate:06 Apr 2008 11:36:39 -0500Message-ID:<20080406113639.BCE6A283E7E711F5@from.header.has.no.domain>MIME-Version:1.0Content-Type:text/html; charset="iso-8859-1"Content-Transfer-Encoding:quoted-printableReturn-Path:customerservice@cona.comX-OriginalArrivalTime:06 Apr 2008 16:36:49.0531 (UTC) FILETIME=[6960ECB0:01C89804]Content-Length:2742 WAL-MART STORES, INC. DATA BREACH ANNOUNCMENT April/06/2008 CUNA is aware of the recent data breach at Wal-Mart Stores, Inc. and is takingproactive steps to address the situation. The Customer Security Team at CUNAis currently gathering information regarding the data breach and will react swiftlyin the best interests of its customers, including the re-issue of compromisedcards if necessary. It is important to note that CUNA has effective fraud monitoring systems inplace and is constantly reviewing our accounts for fraudulent and/or suspiciousactivity. The security of your account is very important to us. Moving forward, we recommend that all CUNA customers review their accountactivity on an ongoing basis and report to us any suspicious activity. In addition,it is recommended that customers activate "Enhanced Card Security" to block Please call Customer Care at 1-800-794-9672, to activate (Enhanced Card Security)for your debit or credit card. Due to the extensive news coverage of this event, there have been reports of otherscams. If you receive a phone call or email from someone claiming to be fromVisa, or MasterCard DO NOT provide them with any personal or account informationPlease visit http://www.nophishing.org/ for further information regarding fraud. Finally, you may continue to use your debit card. Customers who have been affectedby the data breach will be notified, and be given further instructions via postal mail. Ifyou have immediate questions regarding your account, please contact Customer Careat 1-800-794-9672, option 1.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

[Phish] Credit Union 1 vish (ATM card)

Wed, 02 Apr 2008 15:09:16 EDT

nwrickert : Card Deactivation
Message from: Customer Service
Date: 04/02/2008
We detected irregular activity on your ATM/Check Card on 04/02/2008.
For your protection we have had to suspend any future authorizations
being conducted with your card.
For your security we have deactivate your card.
How to activate/re-activate your card ?
You may stop by your branch or call our Activation Center.

Activation Center: (866) 722-3235 (24 Hour Line)
Our automated system allows you to quickly activate your card.
We apologize for any inconvenience this may cause.
Copyright © 2008 Credit Union 1. All Rights Reserved.

Return-Path: <creditunion1@membersecurity.com>Received: from delagarzafence.com (2003-sbs.delagarzafence.com [68.91.246.105]) by mp.cs.niu.edu (8.14.2/8.14.2) with ESMTP id m32INure009129 for <munged@cs.niu.edu>; Wed, 2 Apr 2008 13:24:01 -0500 (CDT)Received: from User ([65.66.160.78]) by delagarzafence.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 Apr 2008 11:52:13 -0500Reply-To: <noreply@membersecurity.com>From: "Credit Union 1"<creditunion1@membersecurity.com>Subject: Card DeactivationDate: Wed, 2 Apr 2008 11:53:00 -0500MIME-Version: 1.0Content-Type: text/html; charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Bcc:Message-ID: <2003-SBS5W3xNbMrRn00000073e@delagarzafence.com>X-OriginalArrivalTime: 02 Apr 2008 16:52:13.0280 (UTC) FILETIME=[E652D600:01C894E1]      Card Deactivation   Message from: Customer Service   Date: 04/02/2008  We detected irregular activity on your ATM/Check Card on 04/02/2008.   For your protection we have had to suspend any future authorizations   being conducted withyour card.  For your security we have deactivate your card.  How to activate/re-activate your card ?  You may stop by your branch or call our Activation Center.   Activation Center: (866) 722-3235 (24 Hour Line)  Our automated system allows you to quickly activate your card.   We apologize for any inconvenience this may cause.  Copyright © 2008 Credit Union 1. All Rights Reserved.

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13

Re: [Phish] Telephone phishing thread

Fri, 28 Mar 2008 20:09:29 EDT

removed : VISA - local number to me in Houston. Scary.

quote:
> VISA Security Department temporary disabled your account.

Verified by VISA will never ask you any information via e-mail. Call this number (832)772-7857 - Toll Free

You must reactivate your account immediately, or you won't be able to use your cards again.

> Sorry for any inconvenience this may cause and thank you for your patience.

> To reactivate your account call us: 832-772-7857- Toll Free

© 2001-2008 Visa. All Rights Reserved.

This message was sent to Email Id :

WPTLLOFITJBTPCIRFUNZMICCCONJSFMEEMUDLO

Headers:

X-Greylist: delayed 870 seconds by postgrey-1.23 at coral.dslreports.com; Fri, 28 Mar 2008 12:49:54 EDTReceived: from costanzosbakery.com (mail.costanzosbakery.com [72.45.146.150])by mail.dslr.net (Postfix) with ESMTP id 4CF4D4374Ffor <removed@dslr.net>; Fri, 28 Mar 2008 12:49:54 -0400 (EDT)Received: from User ([209.132.209.130]) by costanzosbakery.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 28 Mar 2008 12:11:22 -0400Reply-To: <do-not-reply@visa.com>From: "VISA"<security@visa.com>Subject: VISA Security Department temporary disabled your account. Date: Fri, 28 Mar 2008 09:11:21 -0700MIME-Version: 1.0Content-Type: text/plain;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 1X-MSMail-Priority: HighX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Message-ID: <SERVER2003HrdZ6Vzvd00006939@costanzosbakery.com>X-OriginalArrivalTime: 28 Mar 2008 16:11:22.0725 (UTC) FILETIME=[5D9D1150:01C890EE]To: undisclosed-recipients:;

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net

Re: [Phish] Telephone phishing thread

Thu, 27 Mar 2008 23:14:50 EDT

Doctor Four : Pentagon Federal Credit Union Phish

As before, the only thing changed was the name in the
X-Apparently-To header.

X-Apparently-To: x@yahoo.com via 66.163.178.140; Thu, 27 Mar 2008 19:46:30 -0700X-YahooFilteredBulk:65.105.120.87X-Originating-IP:[65.105.120.87]Return-Path:<service@penfed.org>Authentication-Results:mta506.mail.mud.yahoo.com from=penfed.org; domainkeys=neutral (no sig)Received:from 65.105.120.87 (EHLO webmail.iconnectu.net) (65.105.120.87) by mta506.mail.mud.yahoo.com with SMTP; Thu, 27 Mar 2008 19:46:30 -0700Received:from User [207.166.116.186] by webmail.iconnectu.net with ESMTP (SMTPD32-6.06) id AC88B3DC004A; Thu, 27 Mar 2008 21:48:40 -0500Reply-to:<service@penfed.org>From:"service@penfed.org" <service@penfed.org> Add Mobile AlertSubject:Pentagon Federal Credit Union Account SuspendedDate:Fri, 28 Mar 2008 10:40:50 -0400MIME-Version:1.0Content-Type:text/plain; charset="_iso-2022-jp$ESC"Content-Transfer-Encoding:7bitX-Priority:1X-MSMail-Priority:HighX-Mailer:Microsoft Outlook Express 6.00.2800.1081X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2800.1081Message-Id:<200803272149182.SM02700@User>Content-Length:284 Dear Pentagon Federal Credit Union Customer, ACCOUNT SUSPENDED Your account has been suspended for invalid billing information provided. To activate your account please call the security department at 856-431-1109 Thank You Pentagon Federal Credit Union Security Department

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Fri, 21 Mar 2008 21:00:03 EDT

Doctor Four : A Franklin Bank phone phish sent to my mom's Yahoo email:
(I submitted a regular one of these just now to Phishtracker -
it too has a phone number in it as well, probably bogus.)
As with the last one I posted, the only thing changed was
in the X-Apparently-To: field.

X-Apparently-To: x@yahoo.com via 66.163.178.140; Fri, 21 Mar 2008 12:47:59 -0700X-YahooFilteredBulk:65.97.182.163X-Originating-IP:[65.97.182.163]Return-Path:<not-reply@bankfranklin.com>Authentication-Results:mta110.mail.re2.yahoo.com from=bankfranklin.com; domainkeys=neutral (no sig)Received:from 65.97.182.163 (EHLO mail.1010xl.com) (65.97.182.163) by mta110.mail.re2.yahoo.com with SMTP; Fri, 21 Mar 2008 12:47:59 -0700Received:from User ([208.69.59.178]) by mail.1010xl.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 21 Mar 2008 14:33:03 -0400Reply-to:<not-reply@bankfranklin.com>From:"Franklin Bank" <not-reply@bankfranklin.com> Subject:Account Suspended.Date:Fri, 21 Mar 2008 13:34:15 -0500MIME-Version:1.0Content-Type:text/plain; charset="Windows-1251"Content-Transfer-Encoding:7bitX-Priority:1X-MSMail-Priority:HighX-Mailer:Microsoft Outlook Express 6.00.2600.0000X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000Bcc:Return-Path:not-reply@bankfranklin.comMessage-ID:<SBRSBS2oHzGkzMcvsq900002c75@mail.1010xl.com>X-OriginalArrivalTime:21 Mar 2008 18:33:04.0328 (UTC) FILETIME=[00127C80:01C88B82]X-TM-AS-Product-Ver:SMEX-7.5.0.1166-5.0.1023-15788.002X-TM-AS-Result:No--8.198000-5.000000-31X-TM-AS-User-Approved-Sender:NoX-TM-AS-User-Blocked-Sender:NoContent-Length:361 Message from Franklin Bank Customer ServiceAccount Suspended.Date: 3/21/2008 All Franklin Bank accounts were recently updated with a new security enhancement. Your account has been temporary suspended. To activate your account please call the security department at 972-704-2837 Thank you for banking with Franklin Bank.Copyright © 2008 Franklin Bank.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: Colonial bank (334) 830-4240

Fri, 14 Mar 2008 11:17:09 EDT

removed : March 14:

quote:
Dear customer,

VISA Debit Card, Security Departament suspended your acccount.
Reason: Energy Breakdown

After the energy breakdown from 13/03/2008 it appears that some of our hardware is not working properly. The data of five thousands customers stored on computer backup tapes was lost.

Some restrictions applied untill you update your account.

To reactivate your account please call at : 209-683-4515 Please note our number : +1 209-683-4515

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from VISA Debit Card database.

Headers:

Return-path: <debit@visa.com>Envelope-to: gumu@removed.usDelivery-date: Fri, 14 Mar 2008 08:05:16 -0400Received: from mail.privatehealthnews.com ([63.84.188.168]:1802)by laredo.root--servers.net with esmtp (Exim 4.68)(envelope-from <debit@visa.com>)id 1Ja8eu-0005A1-PSfor gumu@removed.us; Fri, 14 Mar 2008 08:05:16 -0400Received: from User [63.246.1.148] by mail.privatehealthnews.com with ESMTP (SMTPD-9.20) id A9F40238; Fri, 14 Mar 2008 08:05:08 -0400From: "VISA Debit Card"<debit@visa.com>Subject: Urgent NotificationDate: Fri, 14 Mar 2008 12:00:35 -0000MIME-Version: 1.0Content-Type: text/plain;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 1X-MSMail-Priority: HighX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Message-Id: <200803140805858.SM02840@User>X-Spam-Subject: ***SPAM*** Urgent NotificationX-Spam-Status: Yes, score=11.5X-Spam-Score: 115X-Spam-Bar: +++++++++++X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: Dear customer, VISA Debit Card, Security Departament suspendedyour acccount. Reason: Energy Breakdown After the energy breakdown from 13/03/2008it appears that some of our hardware is not working properly. The data offive thousands customers stored on computer backup tapes was lost. [...] Content analysis details: (11.5 points, 4.5 required)pts rule name description---- ---------------------- --------------------------------------------------3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%[score: 1.0000]2.8 TVD_PH_SUBJ_URGENT TVD_PH_SUBJ_URGENT1.3 MISSING_HEADERS Missing To: header0.8 MSOE_MID_WRONG_CASE MSOE_MID_WRONG_CASE3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS OutlookX-Spam-Flag: YES

Re: Colonial bank (334) 830-4240

Thu, 13 Mar 2008 17:46:25 EDT

removed : Got the same one as you did about the 334-830-4240 number. Headers:

Return-path: <colonial@colonialbank.com>Envelope-to: gumu@removed.usDelivery-date: Thu, 13 Mar 2008 14:45:01 -0400Received: from ptb-relay02.plus.net ([212.159.14.213]:39583)by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)(Exim 4.68)(envelope-from <colonial@colonialbank.com>)id 1JZsQC-0000MG-Lyfor gumu@removed.us; Thu, 13 Mar 2008 14:45:00 -0400Received: from [213.162.106.173] (helo=nicholasashley.com) by ptb-relay02.plus.net with esmtp (Exim) id 1JZsQ7-0005RM-TYfor gumu@removed.us; Thu, 13 Mar 2008 18:44:52 +0000Received: from User ([86.157.156.37]) by nicholasashley.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 13 Mar 2008 18:44:50 +0000Reply-To: <colonial@colonialbank.com>From: "Colonial Bank"<colonial@colonialbank.com>Subject: NOTICE ID: DIITNVWFWEDate: Thu, 13 Mar 2008 18:46:49 -0000MIME-Version: 1.0Content-Type: text/plain;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Bcc:Message-ID: <SERVER-1odYE4KveYKW000065e5@nicholasashley.com>X-OriginalArrivalTime: 13 Mar 2008 18:44:50.0810 (UTC) FILETIME=[51DD15A0:01C8853A]X-TM-AS-Product-Ver: SMEX-7.2.0.1122-5.0.1023-15786.000X-TM-AS-Result: No--2.268900-5.000000-31X-Plusnet-Relay: 708a69074e485b1aed8d28228d722ef2X-Spam-Subject: ***SPAM*** NOTICE ID: DIITNVWFWEX-Spam-Status: Yes, score=11.2X-Spam-Score: 112X-Spam-Bar: +++++++++++X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: > Colonial Bank Online department temporary disabled youraccount. You no longer have access to the account registered with this emailaddress After three unsuccessful login attempts your account was temporarydisabled until further investigations. [...] Content analysis details: (11.2 points, 4.5 required)pts rule name description---- ---------------------- --------------------------------------------------3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%[score: 0.9907]1.5 DNS_FROM_RFC_BOGUSMX RBL: Envelope sender in bogusmx.rfc-ignorant.org2.1 SUBJ_ALL_CAPS Subject is all capitals1.3 MISSING_HEADERS Missing To: header3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook-0.2 AWL AWL: From: address is in the auto white-listX-Spam-Flag: YES

Colonial bank (334) 830-4240

Thu, 13 Mar 2008 15:02:58 EDT

nwrickert : Another Colonial bank vish - different phone number

quote:
> Colonial Bank Online department temporary disabled your account.

You no longer have access to the account registered with this email address

After three unsuccessful login attempts your account was temporary disabled until further investigations.

Colonial Bank will never ask you any information via e-mail. Call this number (334) 830-4240 - Toll Free

You must reactivate your account immediately, or you won't be able to use your cards again.

> Sorry for any inconvenience this may cause and thank you for your patience.

> To reactivate your account call us: (334) 830-4240 - Toll Free

2004-2008 Colonial Bank

KFVIQCXMNBHRXJSRFIYSQJKLNMGFNRBSFENPMZ

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12

Re: [Phish] Telephone phishing thread

Wed, 12 Mar 2008 23:02:25 EDT

Doctor Four : Phone Phish delivered to my Mom's Yahoo email:

X-Apparently-To: x@yahoo.com via 66.163.178.133; Wed, 12 Mar 2008 13:34:09 -0700X-YahooFilteredBulk:64.40.243.82X-Originating-IP:[64.40.243.82]Return-Path:<netspend@netspendsecurity.com>Authentication-Results:mta358.mail.mud.yahoo.com from=netspendsecurity.com; domainkeys=neutral (no sig)Received:from 64.40.243.82 (EHLO mail.travinfo1.net) (64.40.243.82) by mta358.mail.mud.yahoo.com with SMTP; Wed, 12 Mar 2008 13:34:08 -0700Received:from User ([65.101.57.222]) by mail.travinfo1.net (Merak 7.6.4) with ASMTP id VOV40501; Wed, 12 Mar 2008 14:49:50 -0500Reply-to:<noreply@netspend.com>From:"NetSpend" <netspend@netspendsecurity.com> Add Mobile AlertSubject:SECURITY ALERT!Date:Wed, 12 Mar 2008 12:49:49 -0700MIME-Version:1.0Content-Type:text/html; charset="Windows-1251"Content-Transfer-Encoding:7bitX-Priority:3X-MSMail-Priority:NormalX-Mailer:Microsoft Outlook Express 6.00.2600.0000X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2600.0000Content-Length:2383 Card Deactivation Message from: Customer Service Date: 03/12/2008 We detected irregular activity on your NetSpend® Card on 03/11/2008. For your protection we have had to suspend any future authorizations being conducted with your NetSpend® Card. For your security we have deactivate your card. How to activate/re-activate your card ? You may stop by your branch or call our Activation Center. Activation Center: (888) 721-9034 (24 Hour Line) Our automated system allows you to quickly activate your card. We apologize for any inconvenience this may cause. NetSpend Corporation Card Department PO Box 2136Austin, TX 78768-2136

Only thing changed was my mom's email name. I replaced it
with the 'x'.

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: [Phish] Telephone phishing thread

Wed, 12 Mar 2008 10:01:53 EDT

nwrickert : March 12: Colonial bank

quote:
Dear Customer,

Colonial Bank temporarily suspended your account.

Reason: Fraud Attempts

To reactivate your account call the toll-free number: 1-334-246-4229

Never access Colonial Bank Web site by clicking on a link provided in an e-mail.
Colonial Bank will never solicit you to provide or update personal or financial
information. And, will never send an e-mail containing links to Web sites.

Copyright 2008 Colonial Bank . All Rights Reserved.

KYDXBXIQSQHWJJWPKRDPWGQCLXDWJFVBUYGUTF

Return-Path: <online@colonialbank.com>Received: from neptune.webfusion.co.uk (neptune.webfusion.co.uk [212.67.202.9]) by mp.cs.niu.edu (8.14.2/8.14.2) with ESMTP id m2CDKBmL001529 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for <munged@cs.niu.edu>; Wed, 12 Mar 2008 08:20:17 -0500 (CDT)Message-Id: <200803121320.m2CDKBmL001529@mp.cs.niu.edu>Received: from adsl-67-37-18-250.dsl.bcvloh.ameritech.net ([67.37.18.250] helo=User) by neptune.webfusion.co.uk with esmtpa (Exim 4.54) id 1JZQsM-0007eZ-Ce; Wed, 12 Mar 2008 13:20:10 +0000Reply-To: <do-not-reply@colonialbank.com>From: "Colonial Bank"<online@colonialbank.com>Subject: Colonial Bank temporarily suspended your account.Date: Wed, 12 Mar 2008 09:20:12 -0400MIME-Version: 1.0Content-Type: text/plain; charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 1X-MSMail-Priority: HighX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12

Re: [Phish] Telephone phishing thread

Tue, 11 Mar 2008 13:11:00 EDT

removed : March 11:

quote:
Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 803-825-4293

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 803-825-4293

Copyright © VISA Debit Card, All Rights Reserved

Headers:

Return-path: <debit@visa.com>Envelope-to: gumu@removed.usDelivery-date: Tue, 11 Mar 2008 10:39:18 -0400Received: from mail.altayyargroup.com ([212.100.194.83]:38490)by laredo.root--servers.net with esmtp (Exim 4.68)(envelope-from <debit@visa.com>)id 1JZ5dJ-0001w6-Sffor gumu@removed.us; Tue, 11 Mar 2008 10:39:18 -0400Received: from User ([10.65.28.1]) by mail.altayyargroup.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 11 Mar 2008 17:41:43 +0300Reply-To: <debit@visa.com>From: "VISA Debit Card"<debit@visa.com>CC: gump13@hotmail.com,gumpond@netscape.com,gumshoe@uscyber.com,gumu@removed.us,gunadanu@hotmail.comSubject: Urgent Notification!Date: Tue, 11 Mar 2008 15.51.35 +0100MIME-Version: 1.0Content-Type: text/plain;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Message-ID: <MAILfMS9stbDEa7fzCL00004a24@mail.altayyargroup.com>X-OriginalArrivalTime: 11 Mar 2008 14:41:44.0380 (UTC) FILETIME=[06D8FFC0:01C88386]X-Spam-Subject: ***SPAM*** Urgent Notification!X-Spam-Status: Yes, score=13.4X-Spam-Score: 134X-Spam-Bar: +++++++++++++X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: Dear Customer, VISA Debit Card , Security Departament temporarilysuspended your account. Reason: Fraud Atempts We require you to completean account update so we can unlock your account. [...] Content analysis details: (13.4 points, 4.5 required)pts rule name description---- ---------------------- --------------------------------------------------1.2 INVALID_DATE Invalid Date: header (not RFC 2822)2.8 TVD_PH_SUBJ_URGENT TVD_PH_SUBJ_URGENT1.0 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date2.9 SUSPICIOUS_RECIPS Similar addresses in recipient list1.3 MISSING_HEADERS Missing To: header1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%[score: 0.6898]0.0 FM_IS_IT_OUR_ACCOUNT Is it our account?3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS OutlookX-Spam-Flag: YES

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net

Re: [Phish] Telephone phishing thread

Sat, 01 Mar 2008 03:34:14 EDT

removed : January 21:

quote:
Dear Listerhill Credit Union Cardholder,

We detected irregular activity on your debit/credit card on 01/21/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Listerhill Credit Union is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 554-8147 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

Headers:

Return-path: <callus@listerhill.com>Envelope-to: removed@laredo.root--servers.netDelivery-date: Mon, 21 Jan 2008 11:10:17 -0500Received: from removed by laredo.root--servers.net with local-bsmtp (Exim 4.68)(envelope-from <callus@listerhill.com>)id 1JGzDx-0004sI-91for removed@laredo.root--servers.net; Mon, 21 Jan 2008 11:10:17 -0500X-Spam-Flag: YESX-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) onlaredo.root--servers.netX-Spam-Level: *************X-Spam-Status: Yes, score=13.7 required=4.5 tests=AWL,BAYES_95,FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,HTML_IMAGE_ONLY_16,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,INVALID_TZ_EST,MIME_HTML_ONLY,MISSING_HEADERS,MISSING_MID,RCVD_NUMERIC_HELO,RDNS_NONE autolearn=spamversion=3.2.3X-Spam-Report: * 0.0 MISSING_MID Missing Message-Id: header* 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS* 2.7 INVALID_TZ_EST Invalid date in header (wrong EST timezone)* 2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO* 1.3 MISSING_HEADERS Missing To: header* 0.0 HTML_MESSAGE BODY: HTML included in message* 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%* [score: 0.9517]* 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts* 1.5 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words* 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag* 0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format* 0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only* 3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook* -1.7 AWL AWL: From: address is in the auto white-listReceived: from [75.144.105.41] (port=3039 helo=mail)by laredo.root--servers.net with smtp (Exim 4.68)(envelope-from <callus@listerhill.com>)id 1JGzDx-0004sC-4Rfor gumu@removed.us; Mon, 21 Jan 2008 11:10:13 -0500X-DN-AuthenticatedSender: WJNMJ6Y49E9A33NMKKNEHR39FEECX49W-7N7XuX6kOrPPID+RQx8MCC0DUOpXVR+x6PY47D02NwesRKSVkkrKacEUZe6cnhv/---Received: from 24.65.64.219 ([24.65.64.219]) by mail (DeskNow) with SMTP ID 180; Mon, 21 Jan 2008 10:15:03 -0600 (EST)From: "Listerhill Credit Union"<callus@listerhill.com>Subject: *****SPAM***** Irregular Check Card ActivityDate: Mon, 21 Jan 2008 09:10:11 -0700MIME-Version: 1.0Content-Type: text/html;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 1X-MSMail-Priority: HighX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000X-Spam-Prev-Subject: Irregular Check Card ActivityMessage-Id: <E1JGzDx-0004sI-91@laredo.root--servers.net>

That's just about it for 2008 so far. I won't bore you guys with copies of vish emails from 2007, unless you think they'll be useful...

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net

Re: [Phish] Telephone phishing thread

Sat, 01 Mar 2008 03:33:17 EDT

removed : January 23:

quote:
Dear PUDCU Cardholder,

We detected irregular activity on your debit/credit card on 01/21/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Snohomish County PUD Credit Union is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 319-9621 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

© 2008 Snohomish County PUD Credit Union

Headers:

Return-path: <account@pudcu.com>Envelope-to: gumu@removed.usDelivery-date: Wed, 23 Jan 2008 11:17:32 -0500Received: from [76.12.61.28] (port=4637 helo=ds134642-1)by laredo.root--servers.net with esmtp (Exim 4.68)(envelope-from <account@pudcu.com>)id 1JHiI4-0006LC-EVfor gumu@removed.us; Wed, 23 Jan 2008 11:17:32 -0500Received: from s0106003065fb8258.fm.shawcable.net [24.65.64.219] by ds134642-1 with SMTP; Wed, 23 Jan 2008 23:16:04 -0500From: "PUDCU"<account@pudcu.com>Subject: Irregular ActivityDate: Wed, 23 Jan 2008 09:15:27 -0700MIME-Version: 1.0Content-Type: text/html;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000X-Spam-Subject: ***SPAM*** Irregular ActivityX-Spam-Status: Yes, score=15.7X-Spam-Score: 157X-Spam-Bar: +++++++++++++++X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: Dear PUDCU Cardholder, We detected irregular activity on yourdebit/credit card on 01/21/2008. For your security, your online banking profilehas been locked due to inactivity or because of too many failed login attempts.[...] Content analysis details: (15.7 points, 4.5 required)pts rule name description---- ---------------------- --------------------------------------------------3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%[score: 1.0000]0.0 MISSING_MID Missing Message-Id: header0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net[Blocked - see <http://www.spamcop.net/bl.shtml?24.65.64.219>]0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)1.3 MISSING_HEADERS Missing To: header2.5 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words0.0 HTML_MESSAGE BODY: HTML included in message1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS OutlookX-Spam-Flag: YES

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net

Re: [Phish] Telephone phishing thread

Sat, 01 Mar 2008 03:31:57 EDT

removed : January 23:

quote:
Dear Cardholder,

We detected irregular activity on your debit card on 01/22/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

To reactivate your account, you must contact us at (800) 564-9401 and fallow the instructions .

Copyright © National Credit Union Administration .

Headers:

Return-path: <support@ncua.gov>Envelope-to: gumu@removed.usDelivery-date: Wed, 23 Jan 2008 23:57:11 -0500Received: from adsl-75-41-76-14.dsl.chcgil.sbcglobal.net ([75.41.76.14]:6758 helo=emailserver.nmct.net)by laredo.root--servers.net with esmtp (Exim 4.68)(envelope-from <support@ncua.gov>)id 1JHu9D-0005z9-7Jfor gumu@removed.us; Wed, 23 Jan 2008 23:57:11 -0500Received: from User ([24.65.64.219]) by emailserver.nmct.net with Microsoft SMTPSVC(5.0.2195.6713); Wed, 23 Jan 2008 22:50:56 -0600From: "National Credit Union Administration"<support@ncua.gov>Subject: Irregular Check Card ActivityDate: Wed, 23 Jan 2008 21:51:18 -0700MIME-Version: 1.0Content-Type: text/html;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 1X-MSMail-Priority: HighX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Bcc:Message-ID: <EMAILSERVER66lRCR5Y00000609@emailserver.nmct.net>X-OriginalArrivalTime: 24 Jan 2008 04:50:56.0625 (UTC) FILETIME=[B4EC9610:01C85E44]X-Spam-Subject: ***SPAM*** Irregular Check Card ActivityX-Spam-Status: Yes, score=14.9X-Spam-Score: 149X-Spam-Bar: ++++++++++++++X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: Dear Cardholder, We detected irregular activity on your debitcard on 01/22/2008. For your security, your online banking profile has beenlocked due to inactivity or because of too many failed login attempts. [...]Content analysis details: (14.9 points, 4.5 required)pts rule name description---- ---------------------- --------------------------------------------------3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%[score: 1.0000]3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net[Blocked - see <http://www.spamcop.net/bl.shtml?24.65.64.219>]0.6 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)1.3 MISSING_HEADERS Missing To: header0.0 HTML_MESSAGE BODY: HTML included in message1.8 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format0.1 RDNS_DYNAMIC Delivered to trusted network by host withdynamic-looking rDNS0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS OutlookX-Spam-Flag: YES

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net

Re: [Phish] Telephone phishing thread

Sat, 01 Mar 2008 03:29:31 EDT

removed : February 4:

quote:
Dear Empire Bank Cardholder,

We detected irregular activity on your debit/credit card on 02/03/2008.
For your security, your online banking profile has been locked due to inactivity or because
of too many failed login attempts.

Empire Bank is serious about safeguarding your personal information online.

Unlocking your profile will take approximately one minute to complete .

To reactivate your debit/credit card :

Immediately call 1-(800) 929-3209 Monday-Friday during office hours.

or after hours and on weekends to reactivate your debit/credit card.

Member FDIC · Equal Housing Lender· © 2007 Empire Bank

Headers:

Return-path: <gribble.dale+caf_=gumu=removed.us@gmail.com>Envelope-to: gumu@removed.usDelivery-date: Mon, 04 Feb 2008 10:49:54 -0500Received: from ug-out-1314.google.com ([66.249.92.168]:31498)by laredo.root--servers.net with esmtp (Exim 4.68)(envelope-from <gribble.dale+caf_=gumu=removed.us@gmail.com>)id 1JM3Zu-0001UP-Owfor gumu@removed.us; Mon, 04 Feb 2008 10:49:54 -0500Received: by ug-out-1314.google.com with SMTP id q2so17805uge.50 for <gumu@removed.us>; Mon, 04 Feb 2008 07:49:49 -0800 (PST)Received: by 10.78.162.4 with SMTP id k4mr12433546hue.66.1202140188297; Mon, 04 Feb 2008 07:49:48 -0800 (PST)X-Forwarded-To: gumu@removed.usX-Forwarded-For: gribble.dale@gmail.com gumu@removed.usDelivered-To: gribble.dale@gmail.comReceived: by 10.78.156.16 with SMTP id d16cs104683hue; Mon, 4 Feb 2008 07:49:46 -0800 (PST)Received: by 10.78.137.7 with SMTP id k7mr12431855hud.68.1202140185490; Mon, 04 Feb 2008 07:49:45 -0800 (PST)Received: from centralfloridafair.com (cfsvr1.centralfloridafair.com [64.90.0.1]) by mx.google.com with ESMTP id p25si1948067hub.29.2008.02.04.07.49.44; Mon, 04 Feb 2008 07:49:45 -0800 (PST)Received-SPF: softfail (google.com: domain of transitioning info@empirebank.com does not designate 64.90.0.1 as permitted sender) client-ip=64.90.0.1;Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning info@empirebank.com does not designate 64.90.0.1 as permitted sender) smtp.mail=info@empirebank.comReceived: from User ([64.62.123.42]) by centralfloridafair.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 4 Feb 2008 10:43:42 -0500From: "Empire Bank"<info@empirebank.com>Subject: Irregular Check Card ActivityDate: Mon, 4 Feb 2008 07:48:39 -0800MIME-Version: 1.0Content-Type: text/html;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Bcc:Message-ID: <CFSVR14Ogddu5qE8DzH0000178c@centralfloridafair.com>X-OriginalArrivalTime: 04 Feb 2008 15:43:42.0656 (UTC) FILETIME=[B83DE400:01C86744]X-Spam-Subject: ***SPAM*** Irregular Check Card ActivityX-Spam-Status: Yes, score=11.9X-Spam-Score: 119X-Spam-Bar: +++++++++++X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: Dear Empire Bank Cardholder, We detected irregular activityon your debit/credit card on 02/03/2008. For your security, your online bankingprofile has been locked due to inactivity or because of too many failed loginattempts. [...] Content analysis details: (11.9 points, 4.5 required)pts rule name description---- ---------------------- --------------------------------------------------3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%[score: 1.0000]-0.0 SPF_PASS SPF: sender matches SPF record1.3 MISSING_HEADERS Missing To: header2.5 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words0.0 HTML_MESSAGE BODY: HTML included in message1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS OutlookX-Spam-Flag: YES

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net

Re: [Phish] Telephone phishing thread

Sat, 01 Mar 2008 03:27:02 EDT

removed : February 13:

quote:
Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 805-203-4523

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 805-203-4523

Copyright © VISA Debit Card, All Rights Reserved

Headers:

Return-path: <debit@visa.com>Envelope-to: gumu@removed.usDelivery-date: Wed, 13 Feb 2008 11:42:35 -0500Received: from host50-server.com ([66.49.136.205]:42309 helo=host50.host50-server.com)by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)(Exim 4.68)(envelope-from <debit@visa.com>)id 1JPKgp-0007YL-VNfor gumu@removed.us; Wed, 13 Feb 2008 11:42:35 -0500Received: from User (host-209-174-182-70.champaignschools.org [209.174.182.70] (may be forged))(authenticated bits=0)by host50.host50-server.com (8.12.10/8.12.10) with ESMTP id m1DGl9M4002562;Wed, 13 Feb 2008 11:47:09 -0500Message-Id: <200802131647.m1DGl9M4002562@host50.host50-server.com>Reply-To: <debit@visa.com>From: "VISA Debit Cards"<debit@visa.com>Subject: Urgent NotificationDate: Wed, 13 Feb 2008 10:45:05 -0600MIME-Version: 1.0Content-Type: text/plain;charset="Windows-1251"X-Priority: 1X-MSMail-Priority: HighX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Content-Transfer-Encoding: quoted-printableX-MIME-Autoconverted: from 8bit to quoted-printable by host50.host50-server.com id m1DGl9M4002562X-Spam-Subject: ***SPAM*** Urgent NotificationX-Spam-Status: Yes, score=11.0X-Spam-Score: 110X-Spam-Bar: +++++++++++X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: Dear Customer, VISA Debit Card , Security Departament temporarilysuspended your account. Reason: Fraud Atempts We require you to completean account update so we can unlock your account. [...] Content analysis details: (11.0 points, 4.5 required)pts rule name description---- ---------------------- --------------------------------------------------2.8 TVD_PH_SUBJ_URGENT TVD_PH_SUBJ_URGENT1.3 MISSING_HEADERS Missing To: header3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%[score: 0.9858]0.8 MSOE_MID_WRONG_CASE MSOE_MID_WRONG_CASE3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS OutlookX-Spam-Flag: YES

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net

Re: [Phish] Telephone phishing thread

Sat, 01 Mar 2008 03:25:25 EDT

removed : February 19:

quote:
Dear Customer,

VISA Debit Card , Security Departament temporarily suspended your account.
Reason: Fraud Atempts

We require you to complete an account update so we can unlock your account.

To start the update process please call at total free number : 847-481-8194

The information provided will be treated in confidence and stored in our secure database.
If you fail to provide information about your account you'll discover that your account has been automatically deleted from our database.

Please note the total free number : +1 847-481-8194

Copyright © VISA Debit Card, All Rights Reserved

Headers:

Return-path: <debit@visa.com>Envelope-to: gumu@removed.usDelivery-date: Tue, 19 Feb 2008 12:32:34 -0500Received: from host101.host101-server.com ([66.49.199.16]:56250)by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)(Exim 4.68)(envelope-from <debit@visa.com>)id 1JRWKV-0001Me-9yfor gumu@removed.us; Tue, 19 Feb 2008 12:32:34 -0500Received: from User (playa-capital74.ucn.net [63.110.44.74] (may be forged))(authenticated bits=0)by host101.host101-server.com (8.12.10/8.12.10) with ESMTP id m1JHWAmb003323;Tue, 19 Feb 2008 12:32:12 -0500Message-Id: <200802191732.m1JHWAmb003323@host101.host101-server.com>From: "VISA Debit Card"<debit@visa.com>Subject: Urgent NotificationDate: Tue, 19 Feb 2008 09:36:34 -0800MIME-Version: 1.0Content-Type: text/plain;charset="Windows-1251"X-Priority: 1X-MSMail-Priority: HighX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Content-Transfer-Encoding: quoted-printableX-MIME-Autoconverted: from 8bit to quoted-printable by host101.host101-server.com id m1JHWAmb003323X-Spam-Subject: ***SPAM*** Urgent NotificationX-Spam-Status: Yes, score=10.0X-Spam-Score: 100X-Spam-Bar: ++++++++++X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: Dear Customer, VISA Debit Card , Security Departament temporarilysuspended your account. Reason: Fraud Atempts We require you to completean account update so we can unlock your account. [...] Content analysis details: (10.0 points, 4.5 required)pts rule name description---- ---------------------- --------------------------------------------------2.8 TVD_PH_SUBJ_URGENT TVD_PH_SUBJ_URGENT1.3 MISSING_HEADERS Missing To: header2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%[score: 0.9225]0.8 MSOE_MID_WRONG_CASE MSOE_MID_WRONG_CASE3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS OutlookX-Spam-Flag: YES

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net

Re: [Phish] Telephone phishing thread

Sat, 01 Mar 2008 03:24:32 EDT

removed : February 20:

quote:
Dear customer,

Due to recent online fraud, all cardholders are required to contact our Town North Bank, Security Departament at our total free number : 972-546-0398

Contacting this number will enable us to monitor your account closely, and suspend it as soon as we notice any fraudulent activity.

CONTACTING THIS NUMBER IS MANDATORY, OR YOUR CARD WILL BE CONSIDERED A SECURITY RISK AND IT WILL BE BLOCKED FROM ONLINE USAGE !

Please DO NOT reply to any emails asking for sensitive information, as many of our customers have been frauded for considerable ammounts of money.
If you receive any type of email please report it immediately !

Please note the total free number : +1 972-546-0398

Town North Bank Security Departamanet ,
PO Box 814810
Dallas, Texas 75381-4810

Headers:

Return-path: <security@townnorthbank.com>Envelope-to: gumu@removed.usDelivery-date: Wed, 20 Feb 2008 07:44:37 -0500Received: from host74.host74-server.com ([66.49.248.230]:46981)by laredo.root--servers.net with esmtps (TLSv1:AES256-SHA:256)(Exim 4.68)(envelope-from <security@townnorthbank.com>)id 1JRoJN-0002Qe-Ewfor gumu@removed.us; Wed, 20 Feb 2008 07:44:37 -0500Received: from User (ev1s-209-62-3-50.ev1servers.net [209.62.3.50] (may be forged))(authenticated bits=0)by host74.host74-server.com (8.12.11/8.12.11) with ESMTP id m1KCiNY4010269;Wed, 20 Feb 2008 07:44:24 -0500Message-Id: <200802201244.m1KCiNY4010269@host74.host74-server.com>From: "Town North Bank"<security@townnorthbank.com>Subject: Urgent NotificationDate: Wed, 20 Feb 2008 06:44:22 -0600MIME-Version: 1.0Content-Type: text/plain;charset="Windows-1251"Content-Transfer-Encoding: 7bitX-Priority: 1X-MSMail-Priority: HighX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000X-Spam-Subject: ***SPAM*** Urgent NotificationX-Spam-Status: Yes, score=11.0X-Spam-Score: 110X-Spam-Bar: +++++++++++X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: Dear customer, Due to recent online fraud, all cardholdersare required to contact our Town North Bank, Security Departament at ourtotal free number : 972-546-0398 Contacting this number will enable us tomonitor your account closely, and suspend it as soon as we notice any fraudulentactivity. [...] Content analysis details: (11.0 points, 4.5 required)pts rule name description---- ---------------------- --------------------------------------------------2.8 TVD_PH_SUBJ_URGENT TVD_PH_SUBJ_URGENT1.3 MISSING_HEADERS Missing To: header3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%[score: 0.9726]0.8 MSOE_MID_WRONG_CASE MSOE_MID_WRONG_CASE3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS OutlookX-Spam-Flag: YES

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net

Re: [Phish] Telephone phishing thread

Sat, 01 Mar 2008 03:23:20 EDT

removed : Hope these are useful to someone...

February 21:

quote:
Visa ATM/Check Card Deactivation
Message from: Customer Service
Date: 02/21/2008

We detected irregular activity on your Gesa ATM/Check Card on 02/20/2008.

For your protection we have had to suspend any future authorizations
being conducted with your Gesa Visa ATM/Check Card.

For your security we have deactivate your card.

How to activate/re-activate your card ?

You may stop by your branch or call our Activation Center.

Activation Center: (509) 210-4256 (24 Hour Line)

Headers:

Return-path: <gesa@accountsecurity.com>Envelope-to: gumu@removed.usDelivery-date: Thu, 21 Feb 2008 14:33:59 -0500Received: from mail.netafrique.com ([63.219.177.34]:3983 helo=MC100814)by laredo.root--servers.net with esmtp (Exim 4.68)(envelope-from <gesa@accountsecurity.com>)id 1JSHB5-0000Hc-0Jfor gumu@removed.us; Thu, 21 Feb 2008 14:33:58 -0500Received: from 66-52-78-214.jklmail.com [66.52.78.214] by MC100814 with SMTP; Thu, 21 Feb 2008 14:34:28 -0500Reply-To: <noreply@gesa.com>From: "Gesa Credit Union"<gesa@accountsecurity.com>Subject: SECURITY ALERT!Date: Thu, 21 Feb 2008 11:30:32 -0800MIME-Version: 1.0Content-Type: text/html;charset="koi8-u"Content-Transfer-Encoding: 7bitX-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000X-Spam-Subject: ***SPAM*** SECURITY ALERT!X-Spam-Status: Yes, score=10.6X-Spam-Score: 106X-Spam-Bar: ++++++++++X-Spam-Report: Spam detection software, running on the system "laredo.root--servers.net", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or labelsimilar future email. If you have any questions, seethe administrator of that system for details.Content preview: Visa ATM/Check Card Deactivation Message from: Customer ServiceDate: 02/21/2008 We detected irregular activity on your Gesa ATM/Check Cardon 02/20/2008. For your protection we have had to suspend any future authorizationsbeing conducted with your Gesa Visa ATM/Check Card. [...] Content analysis details: (10.6 points, 4.5 required)pts rule name description---- ---------------------- --------------------------------------------------0.0 MISSING_MID Missing Message-Id: header2.1 SUBJ_ALL_CAPS Subject is all capitals1.3 MISSING_HEADERS Missing To: header1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%[score: 0.7967]0.0 HTML_MESSAGE BODY: HTML included in message1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts1.5 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS OutlookX-Spam-Flag: YES

--
irc.removed.us - #dslr | DSLR Phishtracker | Email: removed@dslr.net

Re: [Phish] Telephone phishing thread

Mon, 25 Feb 2008 20:16:23 EDT

nwrickert : I would guess it might be a VOIP number, in which case it could be anywhere.

Re: [Phish] Telephone phishing thread

Mon, 25 Feb 2008 20:14:46 EDT

Kibbles : Would you get in trouble if you fax'd a FBI cover sheet?
Looks like the call goes to NY...or is that forwarded somewhere else?

Re: [Phish] Telephone phishing thread

Mon, 25 Feb 2008 18:13:56 EDT

SnowyOne :

said by nwrickert :

I am hoping this can be made a sticky thread for reporting telephone phishing (includes vishing - voice phish as well as fax phish).

Agreed.

Fax phish - 914-293-2651 (paypal)

Mon, 25 Feb 2008 16:46:22 EDT

nwrickert : Excerpts from phish:

Your account access will be limited if in less than 48 hours we do not receive the fax with the information asked.
# (Your case ID for this reason is PP-136-124-102.)

and

Please send us all of the following information so we can verify your identity with our records. (we require a fax in less than 48 hours)

1) Photocopy of a government-issued photo identification (identity card or passport)
2) Photocopy of your credit card (front and back side are required)

Please be informed that the photocopies must be specific and readable otherwise they will not be taken in consideration.

Please send us only one fax message that will contain all the photocopies required.

Please send us the information requested to the fax number or address below.

Faxing from US: 914-293-2651
Faxing from outside US: +1 914-293-2651

Excerpt from mail headers:

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12

[Phish] Telephone phishing thread

Mon, 25 Feb 2008 16:42:07 EDT

nwrickert : I am hoping this can be made a sticky thread for reporting telephone phishing (includes vishing - voice phish as well as fax phish).

Note that ordinary phishes should be reported to »/phishtrack rather than here.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12