  Insimbi
join:2001-04-15 Layton, UT
| Fraudulent Earthlink Email Again
Received this today:
Dear Earthlink valued customer,
We regret to inform you, that we were unable to charge your card. This maybe due to our payment processing failure, billing system overload, invalid card number, exp date, daily limit, insufficient funds, or other reasons. We need you to re-enter valid payment and verification information.
Click here to continue payment verification process - »https://earthlink.net/payment/verification.cgi Your information will be submitted via a secure server. Earthlink keeps all of your contact and billing information confidential and private.
Anyone else still getting these? |
|
  arden625
join:2001-07-10 Haledon, NJ
| I just got that exact e-mail right now. I came here to actually make a post about it but I see you got it first.
Anyways, I didn't click the link. What I'm concerned about is maybe a virus? The e-mail got that attachment icon in my OE, but when I opened the e-mail, I didn't see any info about an attached file. -- [ Section 6 :: Urban Terror :: Clan {TRIAD} ] |
|
  skj Welcome to the far side of reality Premium,Mod join:2002-04-04 Atlanta, GA
| reply to Insimbi The link itself does resolve and you get the following: Action canceled Internet Explorer was unable to link to the Web page you requested. The page might be temporarily unavailable.
The address comes up as a "legitimate" Earthlink address when you enter it into the verify a website checker. So much for identifying fraudulent websites.
|
|
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs: | reply to Insimbi Please post the Full Message with Full Headers (minus your address or any account numbers).
type [ code ] "paste the contents here" then type [ /code ] (take out spaces between [ and ])
Regards,
Doctor Olds |
|
  fatness subtle Janitor join:2000-11-17 fishing
| reply to skj said by e-mail message source:
Status: U
Return-Path:
Received: from charterwv.net ([68.119.159.63])
    by samuel.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1alaS01JG3Nl3pv0
    for ; Sat, 15 Nov 2003 19:34:26 -0500 (EST)
Received: from ip-wv-68-119-159-063.charterwv.net (ip-wv-68-119-159-063.charterwv.net [68.119.159.63])
    by charterwv.net (8.12.8p1/8.12.8) with ESMTP id slaior19247
    for ; Sat, 15 Nov 2003 23:51:37 -0400 (EST)
Date: Sat, 15 Nov 2003 23:51:35 -0400 (EST)
From: Earthlink.net
X-Mailer: The Bat! (v1.61) Personal
Reply-To: Anna-diana_Tonia@1-base.com
X-Priority: 3 (Normal)
Message-ID:
To: XXXXX@mindspring.com
Subject: Problems with your Earthlink account.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------34062072612200"
X-ELNK-AV: 0

------------34062072612200
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: base64
If I'm reading that right, the e-mail came from ip-wv-68-119-159-063.charterwv.net, which is a Charter address in West Virginia? -- ...all the livelong day... |
|
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs:
| Correct. 
11/15/03 20:45:53 dns 68.119.159.63
nslookup 68.119.159.63
Canonical name: ip-wv-68-119-159-063.charterwv.net
Addresses: 68.119.159.63
They didn't try very hard. 
X-Mailer: The Bat! (v1.61) Personal
Reply-To: Anna-diana_Tonia@1-base.com
Did anyone get the attachment?
Regards,
Doctor Olds |
|
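The header reading done in the posts above, as an added Python example that is not part of any post. It runs two checks on the raw headers: where the recipient's own provider actually received the message from, and whether Reply-To leaves the From domain. The sample is constructed from the hosts, IP and Reply-To quoted in the thread; the From address, the ids and the `my_provider` parameter are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: hosts, IP and Reply-To are the ones quoted in the thread;
# the From address and the ids stripped from the post are placeholders.
RAW = """\
Received: from charterwv.net ([68.119.159.63])
 by samuel.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP
 id PLACEHOLDER1; Sat, 15 Nov 2003 19:34:26 -0500 (EST)
Received: from ip-wv-68-119-159-063.charterwv.net
 (ip-wv-68-119-159-063.charterwv.net [68.119.159.63])
 by charterwv.net (8.12.8p1/8.12.8) with ESMTP id PLACEHOLDER2;
 Sat, 15 Nov 2003 23:51:37 -0400 (EST)
From: "Earthlink.net" <placeholder@earthlink.net>
Reply-To: Anna-diana_Tonia@1-base.com
Subject: Problems with your Earthlink account.

"""

HOP = re.compile(r"from\s+(\S+).*?\[([\d.]+)\].*?\bby\s+(\S+)", re.S)

def org(host):
    # Naive registrable domain: last two labels (no public-suffix list).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def addr_domain(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw, my_provider="earthlink.net"):
    msg = message_from_string(raw)
    hops = [m.groups() for m in map(HOP.search, msg.get_all("Received", [])) if m]
    from_dom = addr_domain(msg["From"])
    findings = []
    # Trust only the hop stamped by the recipient's own provider. The bracketed
    # IP is what that server saw; the name before it is the sender's own claim.
    for helo, ip, by in hops:
        if org(by) == my_provider:
            if org(helo) != org(from_dom):
                findings.append(f"handed off by {helo} [{ip}], outside {from_dom}")
            break
    reply_dom = addr_domain(msg["Reply-To"])
    if reply_dom and org(reply_dom) != org(from_dom):
        findings.append(f"Reply-To {reply_dom} does not match From {from_dom}")
    return findings

if __name__ == "__main__":
    print("\n".join(analyze(RAW)))
```

Both findings are signals rather than proof: a matching handoff name can still be forged, so the reported IP is the value to look up.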
  fatness subtle Janitor join:2000-11-17 fishing | OE shows that there is an attachment with the message, but there is none that I can find. |
|
 WillieFox
join:2002-03-24 Park Ridge, IL | The hyperlink is the attachment. |
|
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs: | reply to fatness Did the Elink AV scanner clean it? I noticed your header shows this below
>>X-ELNK-AV: 0
Regards,
Doctor Olds |
|
  skj Welcome to the far side of reality Premium,Mod join:2002-04-04 Atlanta, GA
| It is supposed to let you know when it removes a virus.
From: »www.earthlink.net/myaccount/help···tivating
A note will be inserted at the top of your message indicating that it was cleaned by Virus Blocker. |
|
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs: | Thanks, but I wonder about the override feature.  |
|
  fatness subtle Janitor join:2000-11-17 fishing
| reply to Doctor Olds There's no message saying that it was cleaned. |
|
  skj Welcome to the far side of reality Premium,Mod join:2002-04-04 Atlanta, GA | reply to Insimbi It looks like all the emails have that X-ELNK-AV: 0 . I just looked at mine and all of them have that line. |
|
  Jtmo Premium join:2001-05-20 Novato, CA | reply to Insimbi I got it, sent it on to Fraud@earthlink.net -- RIP Steve Rucker |
|
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs:
| reply to Insimbi This is what an "Official credit card needs updating request" looks like. 
Status: U
Return-Path: <creditcard@earthlink.net>
Received: from blount.mail.mindspring.net ([207.69.200.226])
    by bissell.mail.mindspring.net (Earthlink Mail Service) with ESMTP id xxxxxxxxx
    for <xxxxxxxxx@mindspring.com>; Mon, 10 Feb 2003 23:27:01 -0500 (EST)
Received: from ggz-2.atl2.fw.earthlink.net ([198.185.0.140] helo=mail.mindspring.com)
    by blount.mail.mindspring.net with esmtp (Exim 3.33 #1) id xxxxxxxxx
    for xxxxxxxxx@mindspring.com; Mon, 10 Feb 2003 23:25:11 -0500
Received: (from root@localhost)
    by mail.mindspring.com (8.11.6+Sun/8.10.2) id h1B4FgL14594;
    Mon, 10 Feb 2003 23:15:42 -0500 (EST)
Date: Mon, 10 Feb 2003 23:15:42 -0500 (EST)
From: creditcard@earthlink.net
Message-Id: <20030211xxxxxxxxx.xxxxxxxxx@mail.mindspring.com>
To: xxxxxxxxx@mindspring.com
Subject: EarthLink Subscriber Alert: Credit Card Expiration
X-Hercules-ID: xxxxxxxxx@mindspring.com
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: xxxxxxxxxxxxxxxxxx
Dear EarthLink Subscriber,
Our records indicate that the MasterCard associated with your EarthLink account #xxxxxxxxx is about to expire.
To avoid any interruption to your EarthLink service, please update your credit card information as soon as the replacement card arrives in the mail, or immediately if this information is outdated.
It's quick and easy to update your billing information online. Simply visit your "My Account" web page, available 24/7:
http://myaccount.earthlink.net
If your credit card number is NOT changing, you can simply reply to this email with your new expiration date. (Please Note: Do not send your credit card number by email. Email is not secure enough for sensitive financial information.)
Thank you for your prompt attention to this matter. We value you as a subscriber and look forward to continuing to serve you.
Sincerely, The EarthLink Customer Service Team
Notice there are no Attachments or Blank Fields to fill out. Plus they tell you to Login at http://myaccount.earthlink.net
That is the only legit way. 
Regards,
Doctor Olds |
|
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs:
| reply to skj said by skj : It looks like all the emails have that X-ELNK-AV: 0 . I just looked at mine and all of them have that line.
I just checked my last few emails from today and none of mine have that. 
I also do not have the AV protection enabled. Might that be the difference?
Regards,
Doctor Olds |
|
  fatness subtle Janitor join:2000-11-17 fishing | Although I made no choice to enable it, the AV protection was enabled for my account. I just disabled it. -- ...all the livelong day... |
|
  skj Welcome to the far side of reality Premium,Mod join:2002-04-04 Atlanta, GA
| reply to Doctor Olds said by Doctor Olds : said by skj : It looks like all the emails have that X-ELNK-AV: 0 . I just looked at mine and all of them have that line.
I just checked my last few emails from today and none of mine have that. 
I also do not have the AV protection enabled. Might that be the difference?
Regards,
Doctor Olds
That is probably it, since mine is enabled.
Edit: I just disabled the AV protection and that line is no longer in the emails.
|
|
 opensecret5
join:2001-02-16 Kansas City, MO
| reply to skj Clever Scam
I got the same fraudulent email in my Earthlink box. But I'm at home where I'm using Roadrunner.
For me the link that shows in the message as »https://earthlink.net/payment/verification.cgi
resolves to a very different address:
»211.230.148.73/image/location/step1_e.htm.
Once I got that site and clicked on a button to continue, I was given the opportunity to tell them my name, address, email address, password, credit card info, social security number, ATM pin #, and Mother's maiden name.
I wanted to be helpful, so I filled it all in -- but, just to be on the safe side, I provided info for a guy I made up named Oscar Felix (in loving memory of the movie The Odd Couple).
It may be that if you go thru Earthlink, that address is blocked, which could prevent a lot of people from making a gift to some not-so-nice people in some obscure corner of the globe who will steal as much as they can. |
|
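A check for the mismatch described in the post above, where the link text names one host and the link goes to another. This is an added Python example, not part of any post. The thread never shows the message HTML, so a plain anchor is assumed, as is the `http://` scheme on the destination; both URLs are the ones quoted in the post.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed body: a plain anchor is assumed (the message HTML is not in the
# thread). Both URLs are the ones quoted in the post; "http://" is assumed.
BODY = ('<a href="http://211.230.148.73/image/location/step1_e.htm">'
        'https://earthlink.net/payment/verification.cgi</a>')

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.links = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append(("".join(self.text).strip(), self.href))
            self.href = None

def host_of(url):
    try:
        return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    except ValueError:
        return ""

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for text, href in parser.links:
        shown, real = host_of(text), host_of(href)
        if "." in shown and " " not in text and shown != real:
            findings.append(f"text shows {shown}, href goes to {real}")
        if is_ip_literal(real):
            findings.append(f"href host {real} is a bare IP address")
    return findings
```

Link text that is ordinary wording rather than a URL ("My Account") is not compared, so only anchors that display one address while pointing at another are reported.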
  skj Welcome to the far side of reality Premium,Mod join:2002-04-04 Atlanta, GA
| Looks like this one is coming out of Australia
11/16/03 08:01:59 IP block 211.230.148.73
Trying 211.230.148.73 at ARIN
Trying 211.230.148 at ARIN

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: RS2.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or »www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to »www.apnic.net/info/faq/abuse
Comment:
RegDate: 1996-07-01
Updated: 2002-09-11

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2003-11-15 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database. |
|