Tuesday 29 April 2008

Google | Please Update Your Billing Information.

The Google Adwords targeted email is doing the rounds again, this time using a different mailing list. This time it's with a supposed threat of an unprocessed payment and suspension of adverts - but I know it's sent to an email address that doesn't use Adwords...

The destination URL is cleverly hidden as http://www.adwords.google.com.p0s9k.cn/select/Login. Don't click the link, it will only cause you trouble.

-----------------------------------------------------------------------------------
Dear Google AdWords Customer,

We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.

Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.

----------------------------------------------------------------------------------
Google-Adwords Team


ref l-tlw

Online Award Claim!!!!!!!!!!!!!

Give me plenty of exclamation marks in the subject of the email and I will believe it!!!!!

It's the old scam - a lottery you have never heard about let alone won has suddenly contacted you out of the blue to say you have won a life changing amount. It's never a believable £10 is it? And with the amount of people winning this amount, it must be a big concern.

Don't fall for it, it could cost you dear...

POSTCODE LOTERIJ NL.
RESULTS FOR FIRST CATEGORY
Ticket Number: 6367HZ

This is to inform you that your email ID has won US$1,500.000.00 in the
first dip of our computer
ballot email lottery with the said winning numbers giving below;
Ticket number: 6367HZ
Prized Number: 2396GM
Lucky number : 1606NH

To claim your winning,you should contact the OFFICIAL and APPROVED paying
bank here in Holland-Netherlands urgently:-

LEVOB BANK NL
Email: levobbnknlclaim@aim.com
Webpage: www.Levob.nl
You are also advice to furnish them with the following information:-

Your Names:-
Telephone / Fax-
Your Nationality{Your country of Origin}-
E-Ticket number-
Prize Number-

Congratulations once again from management and staff of this company,and
thanking you for being a lucky winner of our promotions program.

Sincerely,
Mr.Kaethe Ballard
NATIONALE POSTCODE LOTERIJ PROMOTION
website: www.postcodeloterij.nl
Copyright © 1992-2008 postcodeloterij! Inc. All rights reserved
****************************************************************

Saturday 26 April 2008

NatWest | You Have 1 Important Unread Message

This is the same email as yesterday, even the destination URL has stayed the same.

I didn't record which 5 email addresses received the email yesterday so I've no idea whether this is to anew email address or a repeated one. Maybe I should be expecting another 4 repeats very soon!

Friday 25 April 2008

Email Ticket No, EP400-369

Well, I've won another lottery - I must be very lucky this week. I've never entered this lottery - in fact I've never heard of these guys before. And as the emails was sent to undisclosed-recipients, I'm not the only person to have won €1,000,000.

OK, it's Friday, it's almost time to pack up etc so I'm in a good sarcastic mood. It's fake. Mr Peter Klaes, if he exists, is obviously out to get money from me, not give me lots of cash. There would be an insurance fee to pay, or some sort of handling fee. And once he has his hands on that I'll be out of pocket and never hear from the scam artist again.

Don't touch it - it's a fake. Here's the content.

Email Ticket No, EP400-369
You have won1,000,000,00.Euro in De Euromillions Email
Sweepstake Program Corporation, held on the 18Th of april. 2008.In
Belgium.We write to officially notify you of this award and to advise
You to contact the processing office immediately for the claim
Contact, Mr.Peter Klaes.
TEL: 0032-488-394-244or 01132-488-394-244
Reply to Email:euromllions@switched.com

Reference NoBE103/85428
Serial No HW101/98541
Lucky No3-6-17-27-50
Batch No WX23/52641
Email Ticket No EP400-369
Note:all winning must be claim not later than 23rd of May 2008.
Sincerely,
Mrs,Kathleen Samson
Promotions Coordinator
Email:euromllions@switched.com

Spring Work on Computer. Work ID:14B46BN

It's another money laundering scam opportunity. Do people really fall for these 'opportunities' believing them to be true, or is it students and the likes who just close their eyes to what they are up to and keep their fingers crossed that the authorities never catch up with them? Don't respond to anything like this - they aren't honest and you might end up in a lot of trouble.

Hello!

We offer a part time job on your computer.

Job Description:
We will provide you with the texts for our employees with the important information and you will correct the texts as an english speaking person and send them back to us.


Salary:
We don't have a fixed salary for this vacancy. We will pay you $7.00 for every 1Kb of the corrected text. You will get paid at the END of each month. Every month your salary will be different as it depends on your activity.

Example: If you correct about 5Kb of texts per day you will get over $1000.00 at the end of the month.

Requirements:
-Location: USA
-Age: 20+
-Home computer, e-mail address and Microsoft Word
-Responsibility

To apply for job please send us the following information to:

dating.europe@gmail.com
__________
FULL NAME:
HOME ADDRESS:
CITY, STATE, ZIP CODE:
Phone number (home or cell, but SHOULD BE available any day time):
E-MAIL:
AGE:
OCCUPATION:
EDUCATION:
AVAILABLE HOUR TO WORK WITH US:
----------

As soon as we revise your aplication we will contact you within 24 hours.

If you have any additional questions, feel free to ask.

Awaiting for your application.

With respect
Dating Euro Union

NatWest | You Have 1 Important Unread Message

Natwest Phishing EmailThis one has different content to Tuesday's email, but likewise it's gone to multiple similar addresses overnight and I've received it through 5 different email addresses. So it's likely to be the same team behind both emails.

Again, it's sent to a load of named and very similar email addresses and welcomes the reader with 'Dear Valued Customer' - both are things no bank would do.

The target URL is http://nwolb.com.606076a398.com/default.aspxrefererident=K4517E554A691503AD5945DAC57988718F5A0E10984A8&cookieid=92012&noscr=true/index.php, although 606076a398.com doesn't yet feature in any google results.

Here's the email's content:

You have a new message waiting in your Inbox Folder.

Click here to read.

Best Regards.
NatWest Online Security Department Team.

* Please do not reply to this email as your reply will not be received.

Tuesday 22 April 2008

YOUR ATM CARD IS READY

Sender: MRS.ROSELINE DANIELS

Here's a horribly written lottery scam - all shouting in upper case. No idea what that is for.

If you have received it and are wondering if it is genuine, remember there are thousands more who have also won this lottery that none of us entered.

It's a scam - designed to steal your identity. Don't reply, you might be too tempted to give too much inbformation away.

Remember - if you haven't entered a lottery, you aren't going to win it.

ATM CARD PAYMENT FOR FUND BENEFICIARIES
OFFICE OF THE DIRECTOR OF OPERATIONS
INTERNATIONAL CREDIT SETTLEMENT
MANCHESTER MUTUAL BANK.

ATTENTION: BENEFICIARY

THIS IS TO OFFICIALLY INFORM YOU THAT WE HAVE VERIFIED YOUR
LOTTERY WINNING /INHERITANCE FILE AND FOUND OUT WHY YOU HAVE NOT
RECEIVED YOUR PAYMENT IS BECAUSE YOU HAVE NOT FULFILLED THE
OBLIGATIONS GIVEN TO YOU IN RESPECT OF YOUR WINNING /
INHERITANCE PAYMENT.

SECONDLY, WE HAVE BEEN INFORMED THAT YOU ARE STILL DEALING WITH
THE NONE OFFICIALS OF THE LOTTERY ORGANIZATION, ALL IN YOUR
ATTEMPT TO SECURE THE RELEASE OF YOUR WINNINGS. WE WISH TO
ADVICE YOU THAT SUCH AN ILLEGAL ACT LIKE THIS HAVE TO STOP IF
YOU WISH TO RECEIVE YOUR PAYMENT, SINCE WE HAVE DECIDED TO BRING
A SOLUTION TO THE PROBLEM. RIGHT NOW WE HAVE ARRANGED YOUR
PAYMENT THROUGH OUR SWIFT CARD PAYMENT CENTER ASIA PACIFIC AND
THAT IS THE LATEST INSTRUCTION BY THE NEW BRITISH PRIME MINISTER
GORDON BROWN.

THIS CARD CENTER WILL SEND YOU AN ATM CARD WHICH YOU WILL USE TO
WITHDRAW YOUR MONEY IN ANY ATM MACHINE WORLDWIDE,BUT THE MAXIMUM
IS TWO THOUSAND DOLLARS PER DAY, SO IF YOU LIKE TO RECEIVE YOUR
FUND THIS WAY PLEASE LET US KNOW BY CONTACTING THE CARD PAYMENT
CENTER AND ALSO SEND THE FOLLOWING INFORMATION:

FULL NAME:
AGE:
MARITAL STATUS:
OCCUPATION:
COUNTRY/CITY:
HOME PHONE:
TEL/FAX NUMBERS:
CURRENT RESIDENTIAL ADDRESS WHERE YOU NEED TO RECEIVE YOUR PACKAGE:


CONTACT PERSON: MR TOM WHITE
606 STOCKPORT RD,LONGSIGHT
MANCHESTER,LANCASHIRE
M12 4JJ UNITED KINGDOM,
EMAIL:tomwhite.atmcardoffice@gmail.com


THE ATM CARD PAYMENT CENTER HAS BEEN MANDATED TO ISSUE OUT
$750.000.00(SEVEN HUNDRED FIFTY THOUSAND DOLLARS) AS THE WINNING
FOR THE WORLD 2007/2008 INHERITANCE/LOTTO DRAWS. ALSO FOR YOUR
INFORMATION YOU HAVE TO STOP ANY FURTHER COMMUNICATION WITH
ANY OTHER PERSON(S) OR OFFICE(S).THIS IS TO AVOID ANY HITCHES IN
FINALIZING YOUR PAYMENT.

EMAIL BACK AS SOON AS YOU RECEIVE THIS IMPORTANT MESSAGE FOR
FURTHER DIRECTION IN THIS REGARDS AND ALSO UPDATE ME ON ANY
DEVELOPMENT FROM THE ABOVE MENTIONED OFFICE.
NOTE: THAT BECAUSE OF IMPOSTORS, WE HEREBY ISSUED YOU OUR CODE
OF CONDUCT, WHICH IS (699) SO YOU HAVE TO INDICATE THIS CODE
WHEN CONTACTING THE CARD CENTER AND THAT CODE IS FOR YOU TO
KNOW YOUR ACCOUNT BALANCE WITH THE BANK.

MRS.ROSELINE DANIELS
ATM CARD PAYMENT DPT

Islamic Bank of Britain | Rewards balance currently unavailable.

Here's a new (to me) target - the Islamic Bank of Britain. Not seen an email targeted at them before.

It's a little confusing to read, but is making out that there's an account problem. It tries to look official with some account waffle at the bottom, but ultimately no bank would send such an email, and they should use your name (not "Dear customer") and it wouldn't be sent to 'undisclosed-recipients'.

And the destination URL would definitely not be http://tlg.thk-jc.or.jp/~test/. I wonder what the '~test' is there for? I can find this result in other searches.

Here's the content:

Dear customer,


Your Islamic Bank of Britain Rewards balance is currently unavailable for one of the following reasons:


* Your credit card* and/or Check Card has recently been enrolled in the Rewards program. It takes up to five business days for the Rewards account to become active.


* You are not the primary owner of the checking and/or credit card account. Islamic Bank of Britain accounts are set up in the primary owner?s name and therefore can only be accessed online by the primary owner.


* There is a problem with your home address or personal information we have on file.


If you dont get authenticated within the next 48 hours, then we will assume this account is fraudulent and will be suspended.




To solve this problem we advise you to log in to your online banking account and check the validity of your personal information and specially your home address. To access your account and rectify this issue now follow the link below:

https://www.islamic-bank.com/islamicbanklive/GuestHome/1/Home/1/Home.jsp


If I want to get future statements online only can I still request a paper copy if I need one? Yes, simply call us on 08457 404 404 (Textphone 08457 125 563) or pop into your local branch and we'll be happy to arrange one for you. Lines are open from 8am to 10pm every day (except Christmas Day, Boxing Day and New Year's Day). Calls may be monitored or recorded for quality purposes.

NatWest | Technical Notice: Recent Change In Your Personal Information

It's the usual 'multiple attempts have caused you to be suspended' phishing email. In my experience, when this sort of thing happens for real they telephone or write to you.

The destination URL is http://www.busterspetalumacafe.com/joomla/mambots/verify/detr.php - very similar to yesterday's A&L email (http://www.busterspetalumacafe.com/joomla/mambots/verify/alli.htm). So doesn't look like the owners have fixed the break in to their website yet.

Here's the content:

We are committed to protecting you when you bank with us. Our banking services are designed with your security in mind.

Our Online Banking Security Team observed multiple logons on your account, from different IP's

For your security, your online banking profile has been restricted.

Please click on VERIFY below to be able to claim ownership of account.

VERIFY

Thank you


ref kj-t

Natwest | Your account access has been temporarily restricted

I've recieved this email 5 times over night, each to different email addresses. The email looks very similar to the 1st March NatWest email, excpet the 'advert' at the bottom has changed.

This one has obviously been sent in batches of 15 emails - as all of the 15 email addresses are shown in the to: field. If you needed convincing it's phishing - this would be it. Why would they send the email to 15 people with similar email addresses at the same time - thus revealing their customers' details. Banks don't ask for information from you this way - don't divulge it!

The actual target URL is http://nwolb.com.c8ca237dcb.com/default.aspxrefererident=GA60917E554A67117F945DHC5726787123A5A0E052K8&cookieid=791230&noscr=true/index.php. c8ca237dcb.com already appears in a few phishing results in Google.

Here's the content, don't touch the email!

Automated Security Notice

• As part of our security measures, We believe that, in everything else,
you deserve the best in banking too. Therefore protective measures is
been applied to satisfy our striving costumer needs. Our technical
service department is currently upgrading our SSL servers to enhance
adequate banking security, to give our costumers a better, fast and
secure online banking service. We noticed several unsuccessful login
attempts and therefore have decided to temporarily restrict your online
access. To regain access to your online banking Please click on
• Online Banking Logon to continue the verification process.
• (Failure to verify your Online Access service changes will lead to account
disconnection)

Thank you.
Online Banking Security Team
NatWest Internet Banking.
(c)2007 All Rights Reserved

Monday 21 April 2008

Alliance and Leicester | Security Notice: Unable to Verify Your Account Dated 21 April 2008

Alliance & Leicester Phishing EmailsThis one is aimed at the Alliance And Leicester customers. Not had any for these since November.

Strangely, it was sent to the same email address twice in 6 minutes. What I did notice though was that although it was received at about 10:30, the times actually say 05:22 and 05:28. Obviously sent from a time zone currently 5 hours behind BST.

It is sent individually to the name email address, which not only helps it get through more spam blockers but also makes it more realistic. But the email is badly written - "Our Technical Security Observe Multiple Error Logins" - not exactly English!

No bank would ever email you asking you to click a link to verify ownership. If they already knew your email address, why would you then need to again prove it? And they certainly wouldn't use a link http://www.busterspetalumacafe.com/joomla/mambots/verify/alli.htm. When I searched for the URL in Google, one of the first results back was "HackeD By UyuSsman ( Turkish Hacker )" - so we know what's happening there!

Here's the email content:

Unable to Verify Your Account 21 April 2008
We have been unable to verify your account with us.

Our Technical Security Observe Multiple Error Logins from your Customer ID, Please do verify your account by clicking on the ACCOUNT VERIFICATION below to prove account ownership .

Ebay | You've received a question about eBay item: @NEW designer DKNY latest watch with diamond spring 08@ (110243158561)

I've received this one twice overnight, to two different email addresses. Similar in look and style to the other recent Ebay question about emails received recently.

This time around the target URL is actually http://tattoo-picture-designs.com/0?ViewItem&item=110243158561&ssPageName=ADME:X:AAQ:GB:1123 - it doesn't even try to ide the URL by using subdomains and the website tattoo-picture-designs.com seems respectable, so I assume they have been hacked and don't realise they are hosting these pages.

It pretends to be from member labeltree and has been sent to individual mailboxes, so the recipient's email is shown in the to: field.

The email is on it's way to Ebay, here's the content:

Hi,
Everything is packed and ready to go, I am waiting for payment. Let me konw as soon as the payment is made.

Have a nice day!
Lyns Jamie.

- labeltree

Item and user details
Item Title: @NEW designer DKNY latest watch with diamond spring 08@
Item Number: 110243158561
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=110243158561
End Date: 21-Apr-08 00:54:45 BST
From User: labeltree (881)
99.8% Positive
since 05-Aug-03 in United Kingdom


ref i-cmr / q-j

Saturday 19 April 2008

Halifax | Message from Halifax Online

Well here's a (fake) claim that Halifax have received security complaints and are taking actions. Of course, the whole point is to breach your security, not protect you.

The URL the link points to is http://toroon12-1168099092.sdsl.bell.ca/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/

Presumably this means the security on bell.ca has been breached! No doubt that will get quickly plugged!

Here's the content of the email.

Dear Customer

Halifax PLC. has been receiving complaints from our customers for unauthorised use of the Halifax Online accounts. As a result we are making an extra security check on all of our Customers account. In order to protect your information please click on the link below:


http://halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin


Thank you for your understanding and correspondence, we also apologize for any inconveniences caused.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
Halifax PLC.


ref i-cmr

Friday 18 April 2008

Email | GET BACK TO US ASAP.

And at the same time as the fake lottery, there's also the job offer for money laundering....

Don't ever reply to these. If you get involved then at best you are assisting criminals with money laundering. At worst you could have your identity stolen, have your bank accounts emptied or end up in prison. It's not worth the risk. No honest company would recruit by sending spam.

Here's the email:

Dear Sir/Madam,
First, as a way of introduction, I am Mr. Xiao Jun (hails from Taiwan) Managing Director of Solenoids Industrial Co Ltd.Taichung Taiwan. We are Taiwanese based investors, We are into Calcite, Barytes, Manganese Dioxide , Dolomite, Mica , China Clay, MangneseDioxide,Ferrous(Iron ) Oxide,Paints, Rubber, Plastics,Construction chemicals and we export from Asia and export into Europe,America and Australia.
We are also into export and import of the above mentioned products /equipments.
our company "Solenoids Industrial Co Ltd."is a newly established firm that proposed to come up with a lot of business innovation in the
nearest future. We are interested in employing your services, to work with us as ourpayment agent who can help us eastablish a medium of recieving payment on our behalf for Goods and raw materials we supplied to our customers in Europe, South and North America,Australia e.t.c If you are interested in transacting business with us.
we will be very glad.Subject to your satisfaction you will be given the opportunity to negotiate your mode of payment which we will pay for your services as our representative in Europe, America, Australia e.t.c.
Please if you are interested forward to us the following details to our private email address:
agent_consultant_xiaojun@yahoo.com.hk
FULL NAME:
CONTACT ADDRESS:
OCCUPATION:
NATIONALITY:
AGE:
PHONE NUMBER:
FAX:
EMAIL ADDRESS:
PRESENT COUNTRY:
Thank you as we await your further response.
Sincerely
Xiao Jun
Director;
Solenoids Industrial Co Ltd.
55 An Suing East 9th Street,
Taichung, Taiwan
Email Address: agent_consultant_xiaojun@yahoo.com.hk
Tel:/fax 886-9162278842


ref q-j

Email | HELLO!!!

It's time to get another fake lottery scam. Again, with a Spanish reply-to email address. I wonder why they all come from there?

It's not realy - it's sent to 'undisclosed-recipients' bacause they are sending so many and can't be bothered to send them individually. If you respond, you might end up giving away enough details to have your bank emptied or your identity stolen.

If you are worried that you might have been the victim of such an identity theft, look at the free report from Credit Expert to put your mind at rest.

Here's the email:

HELLO!!!

MICROSOFT E-MAIL PROMOTION OFFICE.
CALLE LA LUNA 45,
COIGO POSTAL 21145
MADRID-ESPAÑA.


I the co-ordinator of the microsoft new year promotion in madrid
spain,has therefore come to you with this great surprise.
Your e mail address came a winner of this great promotion as a 4th
category winner,with the sum of 170,000.00 euro.
Your e mail address attached to a ticket
number:01,05,22,45,88,reference number:ES/NP/CC/08 and batch
number:15558.
The above informations must not be undisclosed to any other person,to
avoid double claim.

Your fudiciary agent.Mr.Alonso Julian shall process your claim as soon

as you contact him.You are advise to take to every instructions given
to you by the agent to avoid disqualification of claim.
Contact your agent Mr.Alonso Julian with the following informations:
//////////////////////////////////////////////////////////////////////

Your full name:
Country:
Address:
Tel/Fax:
The won e mail address:
Alternative e mail address:
Ticket number:
Reference number:
Batch number:
//////////////////////////////////////////////////////////////////////

Contact:

CLAIM DEPARTMENT
Mr.Alonso Julian
Tel/Fax: +34-656-276-595
E mail: microsoftclaimdepartment@ozu.es
//////////////////////////////////////////////////////////////////////


Any one below the age of 18 is authomatically disqualified.

Great wishes from the co.ordinator.
(MRS)Fernandez Miguel Laura

Tuesday 15 April 2008

Google | Reactivate Your AdWords Google Account

Same idea as the other Google phishing emails and sent to the same email address, but a slightly different message this time.

With this email the target URL is http://www.adwords.google.com.v6zd2.cn/select/Login - v6zd2.cn doesn't (yet) have any results in Google (it very soon will do!).

It's a slightly different tack so they are trying to target people they obviously think have Google accounts and are trying to panic them into signing on. What the point is, I'm not sure. OK, they can get name & address, but what then? Date of birth, credit card details etc are hidden. Maybe they then use your account to run up a load of advertising?

Here's the email content:

---------------------------------------------------------------------------------
Dear Google Adwords Customer, Your ads have stopped running because we were unable to process your billing information.
To activate your account and start running your ads, enter your billing information.

In order to activate your account and start running your ads, enter your billing information.
Pease sign into your account at http://adwords.google.com/select/login, and update
your billing information.

Once your account is reactivated and your billing information has been processed,
any your ads and campaigns can begin running immediately on Google.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.

----------------------------------------------------------------------------------

Google Adwords Team


ref s-rwt

Sunday 13 April 2008

Google Adwords | Please Update Your Billing Informatio

Same as the recent google email sent a few weeks ago. This time the destination URL is http://www.adwords.google.com.hki045.cn/select/Login. hki045.cn appears in a few results already for google adwords phishing.

Sent to the same email as last time as well - this one's got the ability to send to one email address at a time, which helps make it look convincing. But it's not real - don't believe it.

---------------------------------------------------------------------------------
Dear Google Adwords Customer, Your ads have stopped running because we were unable to process your billing information.
To activate your account and start running your ads, enter your billing information.

In order to activate your account and start running your ads, enter your billing information.
Pease sign into your account at http://adwords.google.com/select/login, and update
your billing information.

Once your account is reactivated and your billing information has been processed,
any your ads and campaigns can begin running immediately on Google.

----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.

----------------------------------------------------------------------------------

Google Adwords Team

Friday 11 April 2008

Skype | Please Update Your Billing Information

Here's a target that I've never seen before - Skype. It's a plain text email and the displayed URL looks realistic enough, but the actual target URL is http://secure.skype.com.j71501.cn/member/Login/. This is a URL that doesn't appear in any search results yet, as it appears to have been registered in Hong Kong yesterday.

Looking in Google it's not the first time Skype have been victims of these attempts, but I'm having problems finding where to report it, so trying just security@skype.com.

Here's the email content:

Dear Skype Customer!

In order to update your billing information, please sign in
to your Skype account at https://secure.skype.com/store/member/login.html?message=login_required,
and update your billing information.

Thank you for choosing Skype.

Sincerely,

The Skype Team.

------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
------------------------


ref s-rwt

Ebay| You've received a question about eBay item: Timberland Mens Boots size 11.5

This one's the same as the email from couple of days ago.

From 'eBay Member: vlc223' it is sent to a different email address than the one I picked up the earlier one from and this time the destination URL is http://paulcrites.com/item?ViewItem&item=230237678367&ssPageName=ADME:X:AAQ:GB:1123 - paulcrites.com being hacked into and innocently holding the phishing pages by the looks of it.

A copy is on it's way to Ebay. Here's the content:

Hi,
Everything is packed and ready to go, Let me know if you paid already. I am waiting for your answer as soon as possible.

Have a nice day!
Sandra.

- vlc223

Item and user details
Item Title: Timberland Mens Boots size 11.5
Item Number: 230237678367
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=230237678367
End Date: 07-Apr-08 08:37:42 BST
From User: vlc223 (161)
99.4% Positive
since 29-Nov-03 in United Kingdom


ref i-cmr

Thursday 10 April 2008

Credit Card Danger

This one isn't phishing, but it's security so I'd thought in a quiet moment I'd recount the tale.

Last Friday my family and I went out for a meal. We hadn't intended to be going anywhere that we'd need any money (just taking my daughter for a swimming lesson) so I didn't have my wallet. So at the end of the meal my wife paid and put the cost onto my credit card.

Now I'm always telling her to hide her pin number when she types it in - yet once more it was in full view of the waiter. After she handed the machine back, he then quickly walked off saying 'I'll just print you a receipt'. My suspicions were aroused as he was holding a Chip & Pin terminal with a built in printer.

I tried to call him back, but he 'didn't hear' and was quickly back at the till with me watching the card from the table. Most of the time the machine was in full view, but at one point he removed the card and held it out of sight briefly.

Now this could have been an innocent move, but my daughter is well trained and said she'd watched him watch my wife typing in her PIN and that he smiled when she'd finished.

This was all so suspicious, but with no proof of any wrong doing what can you do? Well I drove her straight to the nearest cash machine and she changed her PIN immediately.

I'm hoping that's the end of the tale - no mysterious transactions yet, but I've asked her to look when she next uses the card to see if any attempts have been made with an incorrect PIN.

Wednesday 9 April 2008

PayPal | Notification of Limited Account Access

Here's an email that apologises for being an inconvenience - if anyone falls for it, it will be a very big inconvenience.

It claims to be from PayPal following 'unusual activity' on the account. But it's not.

The target URL is http://static-68-179-55-98.ptr.terago.ca/paypal.com/managament/cgi/, terago.ca being the host of another recent PayPal phishing email. In fact, that one sent last week went to exactly the same destination URL. Presumably PayPal have not been able to get those pages shut down, or the site has been hacked again. Looking through the search results for the site, it does look to be an innocent victim.

Other indications that it's phishing are that it's sent to 'undisclosed-recipients'. If this had really happened, it would have affected 1 email at a time and PayPal would deal with it by contacting one member at a time. They would also not start off without an introduction using your name and the sent time on the email is 6th April, 00:00, even though it was received 07:45 on the 9th April. Someone has been playing with headers and forgotten to change them.

Lastly, PayPal would never ask you to click a link and then reveal your security details. If such action was required then they would be unlikely to email you (as your email could have been compromised - you do have different PayPal and email passwords, don't you???) and they would ask you to enter the PayPal address into your browser.

Here's the content, email is on it's way to PayPal for them to sort.

Notification of Limited Account Access

As part of our security measures, we regularly screen activity in the PayPal system. We recently noticed the following issue on your account:

Unusual account activity has made it necessary to limit sensitive account features until additional verification information can be collected.

We have been notified that a card associated with your account has been reported as lost or stolen, or that there were additional problems with your card.

Case ID Number: PP-071-362-996

Click here to verify your account

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely,
PayPal Account Review Department.

--------------------------------------------------------------------------------

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your preferences here.


ref i - cmr

Tuesday 8 April 2008

Ebay | You've received a question about eBay item: Timberland Mens Boots size 11.5 (230237678367)

Pretty much the same as other Ebay question about phishing emails.

This time around the email links to the website http://www.thejoyofcrafting.com/lndex.htm?ViewItem&item=230237678367&ssPageName=ADME:X:AAQ:GB:1123. Presumably an innocent victim, but I have found other reports of the website being used for similar purposes, with Google's cach being dated around 2 weeks ago - so it looks like they are a serial victim.

Here's the email content.

Hi,
Everything is packed and ready to go, Let me know if you paid already. I am waiting for your answer as soon as possible.

Have a nice day!
Sandra.

- vlc223 Respond to this question

If you use My Messages to respond, your email address will not be shared.


Item and user details
Item Title: Timberland Mens Boots size 11.5
Item Number: 230237678367
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=230237678367
End Date: 07-Apr-08 08:37:42 BST
From User: vlc223 (161)
99.4% Positive
since 29-Nov-03 in United Kingdom


ref q - j

Saturday 5 April 2008

PayPal | Warning Notification

PayPal Phishing Email, AprilAnother Phishing email targeted at PayPal.

Pointers for the unwary that it's phishing:
1 - emailed to 'undisclosed recipients'
2 - starts 'Dear Customer', rather than using my name
3 - PayPal would never send an email asking me to enter personal details
4 - the link is actually pointing to http://static-68-179-55-98.ptr.terago.ca/paypal.com/managament/cgi/ - terago.ca are actually a broadband provider, so I assume someone is misusing some account space on their site.

It's not real, don't click the links. I've sent a copy to PayPal. Here's the text.

Dear Customer,

It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.

However, failure to update your records will result in account suspension. Please update your records before April 8, 2008.

Once you have updated your account records, your PayPal® account activity will not be interrupted and will continue as normal.

Click here to update your PayPal account information

Friday 4 April 2008

Reporting Adwords Phishing Emailos

Google finally got back to me this afternoon after I asked them where to report a Google Adsense phishing email. Part of their answer read:

In order for us to determine the source of the attack, please forward
the entire email, including the full message header information, to
spoof@google.com or phishing@google.com. We investigate all reports sent
to this address


So send any Google phishing emails you wish to report to either of these addresses.

Natwest Bank Private and Corporate New Security Features Activation

Very similar to other Natwest phishing emails this one, just it tries to cover both private and corporate recipients.

This time the target URL is http://www4.nwolb.com.agent84.in/default.aspx?agent=17zrohDxcrszkOkhOvp - agent84.in appears in a few phishing results already.

I've forwarded a copy to the Natwest, but on previous experience there aren't acknowledgements. Here's the content.

Dear NatWest Bank On-line Banking member!

Our Technical Department is running a scheduled Internet Banking software upgrade

By following the link below please begin the procedure of the user details authorization:

http://www4.natwest.com/default.aspx?session=17zrohDxcrszkOkhOvp

These directives are to be emailed and followed by all customers of the Natwest Private and Corporate

NatWest Bank does apologize for any problems caused, and is very grateful for your help.

If you are not customer of NatWest Bank Digital Banking please delete this letter!

*** This is robot generated message please do not reply ***

(C) '08 NatWest Bank Bankline Internet Banking. All Rights Reserved.

Thursday 3 April 2008

Ebay | You've received a question about eBay item: 2x Weekend Tickets V Festival - Weston Park + Camping (280212913563)

This one has the same convincing appearance as other similar ebay phishing emails, so I won't put up a picture.

This time the target URL is http://www.mpedubai.com/index.htm?ViewItem&item=280212913563&ssPageName=ADME:X:AAQ:GB:1123. mpedubai.com gets a few mentions on Google in phishing search results.

It's not for real - don't worry about it. I've forwarded the email to Ebay already.

Here's the content:

Hi,
Let me know if PayPal is ok to pay for my item. I am waiting for your answer as soon as possible.

Thank you.
Scott.

- dychie478 Respond to this question

If you use My Messages to respond, your email address will not be shared.


Item and user details
Item Title: 2x Weekend Tickets V Festival - Weston Park + Camping
Item Number: 280212913563
Item URL: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=280212913563
End Date: 31-Mar-08 08:55:31 BST
From User: dychie478 (173)
99.5% Positive
since 13-Jan-05 in United Kingdom

Tuesday 1 April 2008

Halifax | Online Banking - You Have 1 Unread Message

Halifax Phishing EmailThe Halifax seems to be a new sudden victim of a few Phishing emails.

This one has gone to some effort to look the part, but gives the game away as the email has been sent to 10 different "keith" email addresses - only 1 of which is mine! Of course, as I frequently say, no respectable financial institution would greet you in an email with 'Dear Valued Customer' - it would be by your full name.

It takes the form of various Abbey Phishing Emails of a few months ago in that it doesn't tell you anything, it just claims there's a message that needs your attention.

The destination URL is http://halifax-onlines.com/halifax-online.co.uk/_mem_bin/formslogin.asp_source=halifaxcoukHOME/account.php. halifax-onlines.com is obviously a very clever domain name - it looks very realistic, but it does already appear in several Phishing results on Google.

Here's the email content:

You have a new message waiting in your Inbox Folder.

Click here to read.

Best Regards.
Halifax Banking plc Security Department Team.

* Please do not reply to this email as your reply will not be received

ATTN:DONT FORGET TO ATTEND TO THIS EMAIL

Here's a strange email. It's the usual internet lottery that I've supposedly won without entering that do the rounds every so often. But it's so poorly written as to make it very difficult to read.

Hopefully that will put a lot of people off replying. Why do these scams so often claim to be from Spain?

Here's the content:

ATTN:DONT FORGET TO ATTEND TO THIS EMAIL

MICROSOFT E-MAIL PROMOTION CENTRE
CALLE LA LUNA,45.PRIMERA PLANTA.
CODIGO POSTAL 28845.
MADRID ESPAÑA.

Complete the following and send it to your fudiciary agent Mr.Julian
Alonso immediately for the claim of 170,000.00.Euros.
Which you have won on the microsoft 2008 e mail promotion conducted in
madrid spain,for internet users.

Contact Mr.Julian Alonso to process your claim.
Tel : 0034-656-276-595
E mail : publicfinancedpt@ozu.es

YOUR WINNING DATAILS:

Your ticket #: ES/NP/CC/08
Your Batch #: 1558
Your Reference #: 01,05,22,45,88

COMPLETE THE FOLLOW AND SEND TO YOUR AGENT ON THE E MAIL ADDRESS:

Your country:_
Your full name:_
Your address:_
Alternative e mail address:_
Your tel:_

Your's Sincerely,

Mrs.Miguel Laurita Perez
Co-ordinator.

Ahora también puedes acceder a tu correo Terra desde el móvil.
Infórmate pinchando aquí.