Monday 31 March 2008

PayPal | PayPal account information needs to be updated

Here's a new PayPal email that threatens to close your account pretty soon (2 days' notice) unless you update certain details. PayPal state they would never ask for this via email, plus they always use your name in the email and don't email "undisclosed-recipients:".

The destination URL is actually http://stolnick-8marta-8b-r1-c1-45.ekb.unitline.ru/www.paypal.com/managament/cgi/, making it the second Phishing email to be posted in these pages within 48 hours using the unitline.ru domain.

Here's the email - already forwarded to PayPal for them to investigate.

Dear valued PayPal member,

It has come to our attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.

However, failure to update your records will result in account suspension. Please update your records on or before April 02, 2008.

Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal.


To update your PayPal records click on the following link:
http://www.paypal.com/cgi-bin/webscr?cmd=_login-run


Thank you,
PayPal Customer Center.

Accounts Management As outlined in our User Agreement, PayPal will periodically send you information about site changes and enhancements.

Google Adwords | Please Update Your Billing Information

Here's one that got through the net first time I received it. I believed it, deleted the email (permanently) then went onto the Google site to follow its instructions. Only then did I realise that the email address it had been sent to wasn't associated with a Google AdWords account that I maintain...

At first I thought I was mistaken until I received the email about. Assuming I was wrong and maybe I had used that email address for a Google Adsense account in the past I was about to try to login again, until I noticed that the target URL was http://adwrods.google.select.asolf3.cn/select/index.html

asolf3.cn makes several appearances in Google Phishing search results. But it got past me the first time, and nearly this time, because I was using a shortcut on my desktop to sign on, rather than the link in the email.

Here's the content - it's dangerous! I can't find an address to report this to Google, so I've sent them a contact form and am awaiting a response.

This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
--------------------------------------------------------------------------------------

Dear GoogleAdwords Customer,

In order to update your billing information, please sign in to your AdWords account at https://adwords.google.com, and update your billing information. Your account will be reactivated as soon as you have entered your payment details. Your ads will show immediately if you decide to pay for clicks via credit or debit card. If you decide to pay by direct debit, we may need to receive your signed debit authorization before your ads start running, depending on your location. If you choose bank transfer, your ads will show as soon as we receive your first payment. (Payment options vary by location.)

Thank you for choosing AdWords. We look forward to providing you with the most effective advertising available.

----------------------------------------------------------------------------------------
The Google AdWords Team

Sunday 30 March 2008

Halifax customer service: online banking notification!

First we had the NOF, now we've got the HOF. The HOF looks just like the NOF phishing email, just with the bank's name changed to 'Halifax'.

This time around the target URL is http://halifax.co.uk.sistemlog6.ms/_mem_bin/onlineform.asp?source=[removed] - sistemlog6.ms being a site that appears in a few Phishing results on Google.

The email is at least addressed in the To: section just to my email address and displays the name part (before the URL) to try to make it more convincing, but 'Dear Halifax bank customer' is not how a bank would address a customer.

As always, no bank would send an email like this. It is purely an attempt to empty your account of funds and maybe even steal your identity. Don't click the link. If you are worried about accidentally clicking these links, use a phishing safe browser such as Firefox (free download from the button on the right).

Here's the content of the email.

Dear Halifax bank customer,

We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.

One of these security measures is HOF (Halifax Online Form) to help us to keep your personal and banking data up to date.

You should complete HOF on a regular basis.

Please complete HOF using the link below:

Halifax Online Form

Halifax Automated Mail Service. Please do not respond to this mail.


ref cmr

Saturday 29 March 2008

Halifax | IMPORTANT SECURITY ALERT

This one has taken the time to put a Halifax banner across the top of the email - along with a picture of the guy from their adverts. There's also some waffle down the bottom about needing Flash 5 to access the site. This has been taken from the bank's own website, but it's over a year out of date. Must be a phishing template from some time ago...

The email tries to make out that the recipient's Halifax Bank Account has been subject to some attempted breach of security, and that these actions are to reinstate access to the account. This sort of email would never be sent. If a bank had reason to suspend access to an internet account system they would do so, then post the new security details via Royal Mail (been there, had it happen). So don't fall for this trick.

In this case the target URL is http://stolnick-8marta-8b-r1-c1-45.ekb.unitline.ru/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/ - but I've no idea what unitline.ru is nor whether it is just an innocent website that's been hijacked for this purpose. Looks like that might be the case.

Anyway, leave the link and delete the email.

IMPORTANT SECURITY ALERT

--------------------------------------------------------------------------------

Please note that our system recently noted that your attemption of signing on to your account was failed while some errors occured during the processing update of your online account you are having with our bank..

We sincerely here by to notify you that you should kindly follow below link to update your online account for your security safety ensured by our financial insititution.


https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxouk

Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account.

We apologize for any inconvenience.

If you choose to ignore our request, your account may leads to be temporarily suspended

Thursday 27 March 2008

Nationwide | Important Notice!

Here's a neat looking email, that was determined to get through as it was simultaneously sent to three possible email addresses within my domain, 1 being real. They even know my name, which could be worked out from the email, but the email was also sent to links@, using my name.

The target URL for the link is actually http://www.nationwide.co.uk.login.account.kmpa0up8vuocae0huto.31c5f18a7f.com/NationWide/secure/login/index.html?id=[id removed]. 31c5f18a7f.com is the subject of many Google search results about phishing sites.

Here's the email:

Dear keith@[url removed],

Nationwide is proud to announce about their new updated secure system. We updated our new SSL servers to give our customers a better, fast and secure online banking service.

Due to the recent update of the servers, you are requested to please update your account info at the following link.

- Update Access Now!

*Important*
Please provide these information correctly and completely, failing to comply may result temporary suspension of your online banking.

Ruben M. Ortiz
Security Advisor
Nationwide

Thursday 20 March 2008

Ebay | eBay New Unpaid Item Message - Respond Now !!

This one came through twice in quick succession, probably via different email accounts. Sent to 'undisclosed-recipients' and the target URL is http://www.forum-ebay.9hz.com. 9hz.com is a free website forwarding service, so it is hiding the actual destination of the phishing site.

Here's the content:

Dear member,


eBay member Tixcity has left you a message regarding item #220055788880

View the dispute thread to respond.


Regards,

eBay Inc.



Copyright © 1995-2007 eBay Inc. All Rights Reserved.Designated trademarks and brands are the property of their respective owners.Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.



eBay official time - Page last updated: Mar-19-03 11:57:05 PDT

Halifax | Unauthorised Use Of Your Halifax Online Account

This is, I think, the first time that the Halifax has appeared as a target on these pages.

This one, sent a couple of days ago (delayed posting due to my holiday!!!) tries to panic the recipient into believing they have to immediately check that no-one has been able to get at their cash.

It's sent to 'Dear Customer' and 'undisclosed-recipients' - what sort of warning email would really be sent like that?

The actual destination URL is http://68-185-94-70.dhcp.scrm.ca.charter.com/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/

charter.com seem to be a respectable site, who themselves have been the targets of phishing emails from what their site says. I presume they will quickly close down these extra pages - if not already done so. I'm guessing though that someone has hacked their site and posted these pages without the site owner's knowledge.

Here's the content of the email:

Dear Customer

Halifax PLC. has been receiving complaints from our customers for unauthorised use of the Halifax Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.


Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .


However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
Halifax PLC.

Sunday 16 March 2008

Abbey National | Online Banking - You Have 1 Unread Message

It's been a little quiet recently - no posts for a few days. Not the usual weekend rush - maybe the phishers are waiting to take advantage of the coming long weekend. But the Abbey National 'You Have 1 Unread Message' has reared its head for the first time since January.

Looks to be exactly the same as then - look at the image on the link above if you want to view a graphical copy. This time the destination url is http://www.abbeynationalsecurity.com/myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon_action/secure.php - a very convincing URL and found in many other phishing search results.

Don't touch the links - just ignore the email. Here's the content:

Dear Valued Customer,

You have a new message waiting in your Inbox Folder.

Click here to read.


Best Regards.

The Abbey National plc Security Department Team.

* Please do not reply to this email as your reply will not be received.

Wednesday 12 March 2008

Nationwide | Account Ownership® Verification

Here's one aimed at the Nationwide - I don't see many aimed at them arriving here. This time it doesn't have a "Sing On" - unlike the last one!

The target URL is http://www.security-mesure.co.uk/. This URL doesn't appear in Google and it appears to have been only registered yesterday. The owner's address is in Paris through a registrar and host in Australia. Quite a mixed bag for a .co.uk URL.

There is a very clever spelling mistake in the URL as well - presumably intentional that there is no 'a' in measure. At a quick glance it makes it look genuine.

Here's the email. A copy has already been sent to the Nationwide for them to get the site removed, but don't click the link.

Dear Customer,

Nationwide Internet Banking, is here by announcing the New Security Upgrade.
We've upgraded our new SSL servers to serve our customers for
a better and secure banking service, against any fraudulent activities. Due to
this recent upgrade, you are requested to update your account information by
following the reference below.

Reference*

http://www.security-mesure.co.uk/

Regards
Customers Service

Nationwide Building Society


ref q:jn

Tuesday 11 March 2008

Ebay | You've received a question about eBay item: Lelli Kelly shoes, hardly worn, fab condition - size 22 (270215856798)

Here's another Phishing email targeting Ebay using the fake member messages emails.

This one uses different destination URLs, I haven't checked (don't click a suspected phishing link, it could harm your computer, to prevent this, make sure you use a phishing protected browser such as Firefox - link up top right) but I suspect each link will take you to realistic pages to try to catch the slightly weary.

The URL is basically http://www.gosunshine.com/swing/index.htm. gosunshine.com does seem perfectly normal in the search results, so it's possible the site has been hacked.

I've sent the email to Ebay, here's the content:

Hello, I want to make sure that PayPal is ok to pay for my item. I am waiting for your answer as soon as possible.

Thank you.
Jim.

- emjim09 Respond to this question

If you use My Messages to respond, your email address will not be shared.


Item and user details
Item Title: Lelli Kelly shoes, hardly worn, fab condition - size 22
Item Number: 270215856798
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=270215856798
End Date: 10-Mar-08 00:27:15 GMT
From User: emjim09 ( 164 )
100% Positive
since 31-Aug-04 in United Kingdom


ref q:jn

Monday 10 March 2008

Emma Stokes | New work for you

There was a warning on the radio today from the local trading standards about email offers such as this. Apparently they are starting a big push to make sure that locals aren't falling for the scams.

Anyway, here's another 'easy money' / 'make me rich quick' scam. $3,000 per month for just a couple of hours' work - not very likely. And why through a free email account to an email address that only ever receives spam...

Don't trust it - you will get hurt. Here's the content:

Hello,
International company is hunting on energy people looking for a fast career development with high salary.

Work in International company will give you a chance to improve your qualification as administrative and
sales support specialist.

We are looking for gregarious specialists who can show good post-sale professional qualities. Selected
candidates will be responsible for technical items marketing, payment collections and work with clients.

To be selected one will have to demonstrate the following qualities:

- Knowledge of basic accounting, with data entry skills as well as sales approving is a major plus
Microsoft Office command is absolutely required
- Minimum one year in support department/administrative capacities
- Be able to perform secretarial duties
- Students accepted
- No criminal records (your background will be verified)

We offer:
- Flexible program: two hours/week at your choice, mainly checking your e-mail
- Work at home: checking e-mail
- Part time - no need to leave your current job - if you already work.

Salary is $1,800-3,000USD monthly.

Sound interesting???? Don't delay - apply now!

e-mail: emma.stokes@live.com

Saturday 8 March 2008

Natwest | Instructions For Client!

It's the old friend the NOF again! Been rather quiet on the Phishing front the past few days, so good to have one to post! Maybe I should monitor which email addresses are being hit by this one and see if it's always the same ones or different ones!

This time around the link actually points to http://natwest.com.8marnad.info/NOF/startupdate.aspx?refererident=[removed]&cookieid=[removed]. 8marnad.info only appears in one other Google result, and that's a citibank phishing report from 5 hours ago.

This one has been addressed to 'links' - the start of the email address used, so it's been sent to individual addresses, not bulk through the 'undisclosed recipients' method.

Here's the email, a copy is on its way to the NatWest:

Dear NatWest Bank customer,

We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.

One of these security measures is NOF (NatWest Online Form) to help us to keep your personal and banking data up to date.

You should complete NOF on a regular basis.

Please complete NOF using the link below:

http://natwest.com/NOF/startupdate.aspx?refererident=[removed]&cookieid=[removed].

NatWest Automated Mail Service. Please do not respond to this mail.


ref: cmr

Wednesday 5 March 2008

Ebay | message from member

Here's what is intentionally an upsetting and offensive email, probably designed to upset the recipient and leave them off guard, so that they press the link in the email.

It's realistic looking, but sent from 'member' and to 'undisclosed-recipients' - instead of the recipient by name. It avoids any introduction, so there's no 'dear member', or more realistically 'dear [username]'.

The target URL is http://lluxxuss.de/img/news/cancel.php - the same site as one from last week, so maybe the security has been breached again.

Here's the content, the email is on its way to EBay!

Question from jackjack14
Item: (7713864284)

jackjack14 is a potential buyer.

Hi there, when did you send me a message and what is it about? BTW, I don't like your tone. Please dont do that to me. I can report you as well, remember?

Original message:
Why dont you answer to my emails!!! If you dont Respond Now I will contact ebay safeharbor and report you ! Lett me know, I am not a fool ! Thank you ! !

Item Details

Item number: 7713864284
End date: 05-Mar-08 13:17:42 BST

View item description:
https://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewIem&item=7713864284&sspagename=ADME:B:AAQ:UK:1

Thank you for using eBay
www.ebay.co.uk/

Tuesday 4 March 2008

Reporting Phishing

Usually when I forward a phishing email to the address concerned, I just use any of my available email addresses. It's very unusual for me to use my main email address - if at all - as that is then picked up over several machines.

But today, when I sent the Ebay Suspension Notice to them, the email was returned with a warning that they only accept emails to that address from Ebay account holders.

Never had this before. Now it could be that I forwarded the email as an attachment instead of just hitting forward, as I know my hosts do delete some phishing reports - helpful. But it looks like Ebay might be having to protect their Phishing reporting email.

At least they confirm receipt and send a confirmation that they have checked & processed the email (the second email is already through for the Ebay Suspension Notice) - many others do nothing, leaving me wondering if the email ever arrived.

Ebay | Suspension Notice

If there was an award for the most unimaginative phishing email, this one would surely win it!

A total lack of convincing graphics; sent to 'undisclosed-recipients'; no reference to the recipient by name and driving my phishing protection software mad - and me I'm getting that many warnings! (if you haven't got any get the Firefox browser - free download from Google top right of the screen).

The destination url is http://lluxxuss.de/img/news/cancel.php - not even trying to hide it by burying Ebay somewhere in the line! The url lluxxuss.de does appear to be an innocent site though. As I've previously mentioned (and there's been more since...) a lot of Phishing targeting Ebay seems to be coming from Germany and using the cancel.php page.

The email has been forwarded to Ebay, here's the content:

Suspension Notice

Your eBay userid has been unactivated

You have been unactivated from eBay because of recent fraudulent activities on your accounts.

To reactivate your userid. Click Here.

Thank You.

Monday 3 March 2008

NatWest | NatWest Bank: details confirmation

The NOF is back - it's been all of 4 days since we last saw this 'old friend'.

This time the target URL is http://online.natwest.co.uk.defelopour4.es/NOF/startupdate.aspx?refererident=[removed]&cookieid=[removed] - a simple attempt to convince the unwary that it's the real site by the use of subdomains under defelopour4.es. defelopour4.es appears in many phishing reports on Google, so it's not its first time...

Here's the content of the email, it's been passed to the NatWest already.

Dear NatWest Bank customer,

We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.

One of these security measures is NOF (NatWest Online Form) to help us to keep your personal and banking data up to date.

You should complete NOF on a regular basis.

Please complete NOF using the link below:

NatWest Online Form

NatWest Automated Mail Service. Please do not respond to this mail.
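
The subdomain and path tricks noted in these posts can be checked mechanically. The following is an added example, not part of the original blog: it reduces a link's host to its registrable domain and flags a brand name buried in the subdomain or path, or a displayed URL that differs from the real target. `BRAND_DOMAINS` and `MULTI_LABEL_SUFFIXES` are short hand-built lists assumed for illustration (a real filter would use the full Public Suffix List); the sample URLs are the ones quoted in the posts, with query strings omitted.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for these samples.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Assumption: brand domains taken from the names impersonated in the posts.
BRAND_DOMAINS = {
    "paypal.com", "natwest.com", "natwest.co.uk", "nwolb.com",
    "halifax.co.uk", "halifax-online.co.uk", "nationwide.co.uk",
    "abbeynational.co.uk",
}
BRANDS_LONGEST_FIRST = sorted(BRAND_DOMAINS, key=lambda b: (-len(b), b))


def registrable_domain(host):
    """Return the part of the host that someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_in_host(host, reg):
    """Brand domain used as subdomain labels under a different registrable domain."""
    dotted = "." + host + "."
    for brand in BRANDS_LONGEST_FIRST:
        if brand != reg and "." + brand + "." in dotted:
            return brand
    return None


def brand_in_path(path, reg):
    """Brand domain used as a directory name on somebody else's server."""
    for segment in path.lower().split("/"):
        for brand in BRANDS_LONGEST_FIRST:
            if brand != reg and (segment == brand or segment.endswith("." + brand)):
                return brand
    return None


def displayed_domain(display_text):
    """Registrable domain of the link text, if the text is itself written as a URL."""
    text = display_text.strip()
    if not text.lower().startswith(("http://", "https://")):
        return None
    return registrable_domain(urlsplit(text).hostname or "")


def classify_link(href, display_text=""):
    """Compare where a link really goes with what it claims to be."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    brand = brand_in_host(host, reg)
    if brand:
        findings.append("brand-in-subdomain:" + brand)
    brand = brand_in_path(parts.path, reg)
    if brand:
        findings.append("brand-in-path:" + brand)
    shown = displayed_domain(display_text)
    if shown and shown != reg:
        findings.append("display-mismatch:" + shown)
    return {"registrable": reg, "findings": findings}


# (real target, text shown in the email) pairs as described in the posts.
SAMPLES = [
    ("http://stolnick-8marta-8b-r1-c1-45.ekb.unitline.ru/www.paypal.com/managament/cgi/",
     "http://www.paypal.com/cgi-bin/webscr?cmd=_login-run"),
    ("http://online.natwest.co.uk.defelopour4.es/NOF/startupdate.aspx",
     "NatWest Online Form"),
    ("http://www.abbeynationalsecurity.com/myonlineaccounts2.abbeynational.co.uk/"
     "CentralLogonWeb/Logon_action/secure.php", "Click here to read."),
]

if __name__ == "__main__":
    for href, shown in SAMPLES:
        result = classify_link(href, shown)
        print(result["registrable"], result["findings"])
```
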

Major Reeves | Better job for you

This is another one that's identical to the Trevor Varner email, just using a different email address as the sender and this time it's got a subject.

This one arrived at a different email address to the earlier email.

Trevor Varner | EMPLOYMENT OPPORTUNITIES

Here's one that I'll flag as potentially phishing / fraud, although it can't be proven.

But how many respectable companies send unsolicited job offers via spam lists? No doubt it will be money laundering, parcel forwarding or other equally illegal activities.

My advice is to just delete the email. If it was genuine, the reply email address would be at the company concerned, not a gmail address.

Here's the content, probably best viewed in the image version

Sales manager
The most popular position. No investments needed, free-time work.
Work at home
Turn your free-time into additional income
Free trainings
Travel compensations
Positions available: 17
Region: United Kngdom
Earnings: 2200-3500 GBP
Test period: ONE MONTH
Occupation: part-time (2-4 hours per day)

Job description:

manage online sales
answer project related e-mails/calls



Project executive
Best for part-time work. You only have to 'invest' your time and work to gather results.
Make decisions
Manage your free-time
Free trainings
Social-oriented job
Positions available: 22
Region: United Kngdom
Earnings: 1300-2800 GBP
Test period: ONE MONTH
Occupation: part-time (2-4 hours per day)

Job description:

answer project related e-mails/calls
manage project related tasks


Application form
To start the application process please fill in the form below and send it back to our email: MurphyConsServices@gmail.com

First Name:
Last Name:
City:
Tel:
E-mail:

Additional information about yourself :

HSBC | You are requested to update your account information

Quite a simple email this, working on the premise that the bank is supposed to have upgraded software so now needs a reminder of your details...

It's totally text, so no need for an image really. It is sent to 'undisclosed recipients' and uses a generic welcome - not a specific welcome (by name) that a bank really would use.

The target URL is http://www.ssachat.com/profiles/system/cache/images/hsbc/submit.php?cmd=login, which although not the sort of site I would visit myself (!!), it doesn't look connected to Phishing, so it's likely to be an unwitting victim itself.

A copy has been sent to phishing@hsbc.com. Here's the content:

Dear Sir/Madam,

HSBC Bank Plc is hereby announcing the New Security Upgrade. We've upgraded our new SSL servers to serve our customers for a better and secure banking service,against any fraudulent activities.

Due to this recent upgrade, you are requested to update your account information by clicking the link below.

https://Securityalert.HSBC.co.uk/1/2/

HSBC Bank Plc
Security Advisor
HSBC Bank PLC.

Sunday 2 March 2008

Ebay | Listing confirmed. Sell another item now!

It's the Ebay listing confirmed again!

This time the target URL is http://lvps80-86-92-154.webperoni.de/include/template/templates_c/ws/eBayISAPI_dllSignIn_co_partnerId_2/, again an apparently innocent site, this time possibly web hosting? Why so many are coming from Germany beats me - someone there has obviously bought a spam list and is determined to get their way!

Same text as previously and the email has been sent to Ebay:

Your item has been successfully listed on eBay. It may take some time for the item to appear on eBay search results. Here are the listing details:



CARVER MARINER 28 FLYBRIIDGE
Starting price: $4,000.00
View item | Go to My eBay | Revise item

Details for item number: 190133141838
Listing URL: http://cm.ebay.co.uk/cm/ck/1065-29296-2357-0?uid=375549804&site=0&ver=LCA080805&item=190133141838&lk=URL
Start date: Feb 29, 2008 04:33:52 PDT
End date: Mar 06, 2008 04:33:52 PDT
Quantity: 1
Duration: 7 days
Listing fees: $179.75 (Insertion fee: $40.00; Featured gallery: $99.95; Pro Pack: $29.95; Photo: $2.85; Listing icon: $2.00; Listing Designer: $5.00)
Listing format: Auction

Saturday 1 March 2008

Natwest | Your account access has been restricted

The NatWest are becoming regularly featured as victims in these pages, and this particular variant was last reported in November. Amusingly, the phisher involved has left the same copyright date on!

This time the target URL is http://wvps212-241-211-79.vps.webfusion.co.uk/nwolb.com/default.aspxrefererident=[removed]8&cookieid=[removed]&noscr=true/secure.php, who are probably not yet aware of what they are being used for. As with the recent Natwest emails, it uses the double referrer id / cookie id in the tracking.

It's also sent to 1 email at a time and is quite prolific - I've already received it through 4 different email addresses. It's already been sent to the NatWest for them to deal with.

Here's the content:

• Automated Security Notice

• As part of our security measures, We believe that, in everything else, you deserve the best in banking too. Therefore protective measures is been applied to satisfy our striving costumer needs. Our technical service department is currently upgrading our SSL servers to enhance adequate banking security, to give our costumers a better, fast and secure online banking service. We noticed several unsuccessful login attempts and therefore have decided to temporarily restrict your online access. To regain access to your online banking Please click on • Online Banking Logon to continue the verification process. • (Failure to verify your Online Access service changes will lead to account disconnection)


Thank you.
Online Banking Security Team
NatWest Internet Banking.
(c)2007 All Rights Reserved

Ebay | Listing confirmed. Sell another item now!

Yesterday's Ebay listing confirmed phishing email is doing the rounds again, but with a different target URL. Amusingly, this variation arrived quite quickly after the reply to my report of the phishing email arrived from Ebay...

This time the target URL is http://lluxxuss.de/img/news/cancel.php, again an apparently innocent site, but like Thursday's Ebay Phishing email, using the cancel.php link. So could all be connected.

Same text as yesterday, and the email has been sent to Ebay:

Your item has been successfully listed on eBay. It may take some time for the item to appear on eBay search results. Here are the listing details:



CARVER MARINER 28 FLYBRIIDGE
Starting price: $4,000.00
View item | Go to My eBay | Revise item

Details for item number: 190133141838
Listing URL: http://cm.ebay.co.uk/cm/ck/1065-29296-2357-0?uid=375549804&site=0&ver=LCA080805&item=190133141838&lk=URL
Start date: Feb 29, 2008 04:33:52 PDT
End date: Mar 06, 2008 04:33:52 PDT
Quantity: 1
Duration: 7 days
Listing fees: $179.75 (Insertion fee: $40.00; Featured gallery: $99.95; Pro Pack: $29.95; Photo: $2.85; Listing icon: $2.00; Listing Designer: $5.00)
Listing format: Auction