This is yet another variation on the Google Adwords theme.
The link this time points to the site http://www.adwords.google.com.sessiocl.cn/select/Login. sessiocl.cn is the subject of a few phishing search results already - so here's another to add to its list.
------------------------------------------------------------------------------------------
Dear Google AdWords Customer,
We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.
Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.
---------------------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-----------------------------------------------------------------------------------------
2008 Google Adwords
Tuesday, 27 May 2008
Important Information about your Current Account
This one is a different format to usual. Not only does it look different (and was received through 2 email addresses...) but it's making out that the verification process for regular maintenance is random and because of potential fraudulent use. What??? It seems to throw out a few different reasons to fill the email and just hope the victim clicks the link.
The link actually points to http://myonlineaccounts2.abbeynational.co.uk.koro.biz/CentralLogonWeb/Logon?action=prepare , which they also provide as a visible URL in case it can't be clicked on. Very handy of them! No idea what koro.biz is, but it's starting to appear in other phishing results.
Here's the content:
Dear Abbey National customer,
WE ARE CURRENTLY PERFORMING A REGULAR MAINTENANCE OF OUR DATABASE FOR ONLINE CUSTOMERS.
We apologize for the inconvenience this may cause but your account was randomly flagged for verification and you'll be taken through a short authentication process.
To start now please click here.
If your e-mail client stops you to click the link above, please copy the following URL to your browser:
http://myonlineaccounts2.abbeynational.co.uk.koro.biz/CentralLogonWeb/Logon?action=prepare
Please note! If we don't receive the appropriate account verification within 24 hours since you've got this email your online access can be suspended until further notice. The purpose of this verification is to ensure your account has not been fraudulently used and you're not a victim of identity theft.
Thank you for understanding and helping us improve.
------------------------------------------------------------
Unauthorized account access or use is not permitted and may constitute a crime punishable by law.
© Abbey National. 2001 - 2008. UK.
Monday, 26 May 2008
Official Notification For Customer of Abbey OnLine Banking
Even on a UK Bank Holiday there's no let up in the phishing emails. This one is very similar to an Abbey Phishing Email of last November - the first one in which I saw the 'If you are not a customer' line.
There's a few changes - Support Department instead of Technical Department, following has become visiting etc, but essentially it's the same email. With this one the link actually points to http://ww5.an-business.com.direct52.in/servlet/?pid=[removed] - although I can't find direct52.in in any search results. It's obviously a fake - don't try the link.
Dear Abbey Internet Banking user!
Our Support Department is running a scheduled OnLine Banking software upgrade
By visiting the link below you will open the procedure of the customer details confirmation:
http://www5.abbeynational.co.uk/servlet/?taskid=24yzrpeFDozrcrkdwvrnOkhOvp
These instructions are to be e-mailed and followed by all clients of the Abbey National Bank On-line Banking
Abbey National Bank does apologize for any inconveniences caused, and is very grateful for your help.
If you are not client of Abbey Personal and Commercial please disregard this letter!
*** This is automatically generated email please do not respond ***
(C) 2008 Abbey National Bank Bankline Internet Banking. All Rights Reserved.
Thursday, 22 May 2008
Important notification from NatWest bank
Another for the NatWest list. Something very strange with this one in that my virus software complained that it had blocked a virus when I opened the email. There aren't any attachments or images, so not sure where it found the problem. If you have opened this one, you might also like to run a virus check.
This time we're back with the old favourite - the NOF. Destination of the link is actually http://www.natwest.com.dll1.me.uk/globalsite/isapidl/form.ashx?pc=[removed], which again is not in any search results.
Take care with this email - there's something strange about it! Here's the content.
Dear NatWest bank customer,
NatWest bank would like to inform you that we are currently carrying out a scheduled upgrade of Natwest Security software.
In order to guarantee high level of security to our customers, we require you to complete “NatWest Online Form”. Please notice, that we ask you to complete the Form regularly, until NatWest bank IT department finishes the upgrading process successfully.
Please complete the form using the link below:
NatWest Online Form
Please do not reply to this system-generated email.
ref l-cmr
NatWest Electronic Banking Informs You Code: 2341
For whatever reason, NatWest Bank continues to be a popular target for the phishing emails. This one has a different subject title to those that have gone before it, but includes the 'if you are not a customer', like many recent phishing emails. No idea why the phishers think it's a good idea to warn the recipients the email is going to a spam list!
This time the destination url is http://www8.natwest.co.uk.mode65.com/details.aspx/?appid=[removed], which without the help of the underline, takes a second to spot that the actual URL is mode65.com, which doesn't yet appear in any search results.
It is sent to a named email box, but it's obviously fake. Here's the content:
Dear Natwest Bank Digital Banking client!
Our Support Unit is carrying out a planned OnLine Banking software upgrade
By following the link below please commence the procedure of the user login confirmation:
http://ww0.nwolb.co.uk/details.aspx?type=24yzrpeFDozrcrkdwvrnOkhOvp
These directives are to be emailed and followed by all users of the NatWest Bank OnLine Banking
Natwest Bank does apologize for the problems caused to you, and is very grateful for your cooperation.
If you are not customer of NatWest Digital Banking please disregard this letter!
*** This is an automated e-mail, please do not reply ***
(C) '08 NatWest Bank On-line Banking. All Rights Reserved.
ref l1-fht
Monday, 19 May 2008
Abbey National Bank On-line Banking Please Confirm Your Data!
A few days ago the RBS joined the list of targets of the 'sorry if you are not a customer' phishing email, and now we're back to the original (that I know of). Once more the Abbey are the targets of this email. The text has changed slightly from the original that I reported back in November, but it's only slight word changes - the paragraphs are basically the same.
This time around the target URL is http://www5.anbusiness.bank11.net/servlet/?portal=[removed]. bank11.net does appear in plenty of phishing search results. Here's the email's text.
Dear Abbey Digital Banking member!
Our Technical Unit is performing a scheduled Bankline Service upgrade
By visiting the link below you will begin the procedure of the customer details confirmation:
http://www9.abbeybusiness.co.uk/servlet/?taskid=17zrohDxcrszkOkhOvp
These instructions are to be e-mailed and followed by all customers of the Abbey Digital Banking
Abbey National does apologize for any problems caused to you, and is very thankful for your collaboration.
If you are not customer of Abbey National Personal and Commercial please ignore this letter!
*** This is robot generated e-mail please do not respond ***
(C) 2008 Abbey National Personal and Commercial. All Rights Reserved.
eBay New Unpaid Item Message from Martin1967 response required
The problem with these Phishing emails is that they are realistic and it's hard to sometimes stop and think that they aren't for real. I just caught my wife about to click the link on this email thinking that it was genuine!
So, once more, the indicators that it's a fake:
1 - It's sent to 'undisclosed recipients' - not to my ebay registered email address.
2 - The greeting is 'Dear member' - it should greet me by name (ebay always will greet by name).
3 - Neither of us has bought anything through Ebay recently...
4 - If you put the mouse over a link, the destination URL is http://214352399:8080/signin.ebay.co.uk_ebay-online.html. Look carefully at the part of the URL from the http:// until the next / - that's the website name. In this case that's 214352399:8080, which isn't a valid URL (that I know of!), let alone Ebay. Even if it did say http://www.ebay.com/ then that's no guarantee it's genuine - it could just be masked.
If you receive such an email and want to check that you really don't have a dispute to deal with, don't click the link on the email! Instead, open up your internet browser window, type in the website URL (www.ebay.com) and sign on and check your messages from there.
Here's the content of the email:
eBay New Unpaid Item Message from Martin1967 response required
Dear member,
eBay member Martin Adolf has left you a message regarding item #220066799480
View the dispute thread to respond.
Regards,
eBay Inc.
Copyright © 1995-2008 eBay Inc. All Rights Reserved.Designated trademarks and brands are the property of their respective owners.Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.
eBay official time - Page last updated: May-19-04 11:57:05 PDT
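The host-reading rule from point 4 of the eBay post, applied to links quoted in these posts, as an added example that is not part of the original blog. The suffix and brand lists are small assumptions standing in for the Public Suffix List and a real brand inventory; a host that is a single integer is read by browsers as a 32-bit IPv4 address, which the code decodes.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, covering only the
# suffixes that occur in the URLs quoted on this page.
PUBLIC_SUFFIXES = {"com", "net", "biz", "cn", "in", "uk", "co.uk", "me.uk"}

# Assumption: the brand domains that the quoted emails imitate.
BRANDS = {"google.com", "abbeynational.co.uk", "natwest.co.uk",
          "natwest.com", "rbs.co.uk", "ebay.co.uk", "ebay.com"}


def registrable_domain(host):
    """Return the label directly left of the longest public suffix, plus the suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def numeric_host(host):
    """Return dotted IPv4/IPv6 text if the host is an IP literal, else None."""
    if host.isdigit() and int(host) < 2 ** 32:
        # A bare integer host is a 32-bit IPv4 address written in decimal.
        return str(ipaddress.IPv4Address(int(host)))
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def is_brand_host(host):
    return any(host == b or host.endswith("." + b) for b in BRANDS)


def analyse_link(href, shown_text=None):
    """Compare where a link really goes with what the email displays."""
    parts = urlsplit(href)
    host = (parts.hostname or "").rstrip(".")
    ip = numeric_host(host)
    reg = None if ip else registrable_domain(host)
    findings = []
    if ip:
        findings.append("ip-literal-host")
    if not is_brand_host(host):
        # Brand domain used as leading labels of someone else's domain.
        if any(f".{b}." in f".{host}." for b in BRANDS):
            findings.append("brand-in-subdomain")
        # Brand domain only appears after the first "/", so it is just a path.
        if any(b in parts.path.lower() for b in BRANDS):
            findings.append("brand-in-path")
    if shown_text and shown_text.lower().startswith("http"):
        shown_host = urlsplit(shown_text).hostname or ""
        if registrable_domain(shown_host) != reg:
            findings.append("display-mismatch")
    return {"host": host, "ip": ip, "registrable": reg, "findings": findings}


# (real destination, URL shown in the email body) pairs taken from the posts
# on this page, with the redacted query strings left off.
SAMPLES = [
    ("http://www.adwords.google.com.sessiocl.cn/select/Login",
     "http://adwords.google.com/select/login"),
    ("http://www5.anbusiness.bank11.net/servlet/",
     "http://www9.abbeybusiness.co.uk/servlet/"),
    ("http://natwest.co.uk.mirdop3.co.uk/NOF/startupdate.aspx", None),
    ("http://214352399:8080/signin.ebay.co.uk_ebay-online.html", None),
]

if __name__ == "__main__":
    for href, shown in SAMPLES:
        result = analyse_link(href, shown)
        where = result["ip"] or result["registrable"]
        print(f"{where:<16} {', '.join(result['findings']) or 'no findings'}")
```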
Saturday, 17 May 2008
Attention: Royal Bank of Scotland Digital Banking Service User Id: 3687
We've not had any Royal Bank of Scotland phishing emails recently, the last one was last October. This one takes the form of a recent NatWest phishing Email, and before that the Abbey, in which it apologises if you are not a customer - an admission that it's sent to a spam list.
Like the NatWest email, they both have a 'reference' in the subject and I received both emails through the same email account. In this case, the target URL is http://ww5.rbs.co.uk.dll64.com/confirm.aspx/?pid=[removed]. The only result of note was that McAfee had it noted as a site that was promoted through spam!
Here's the email content:
Dear Royal Bank of Scotland Electronic Banking customer!
Our Technical Unit is running a scheduled Internet Banking software upgrade
By visiting the link below you will open the form of the customer details approval:
http://www0.rbsdigital.com/confirm.aspx?host=24yzrpeFDozrcrkdwvrnOkhOvp
These directives are to be mailed and followed by all users of the Royal Bank of Scotland Direct Banking Service
Royal Bank of Scotland does apologize for the troubles caused, and is very grateful for your collaboration.
If you are not user of Royal Bank of Scotland Electronic Banking please delete this notice!
*** This is robot generated email please do not respond ***
(C) '08 Royal Bank of Scotland Electronic Banking. All Rights Reserved.
ref l1-fht
Google | Please submit your payment information.
More Google Adwords phishing emails arriving. I'm not entirely sure what the fraudsters are hoping to get out of this scam. Access to a Google Account isn't going to give much - maybe they can set up some free adverts. But Google would be able to easily work out that there's a load of fraud going on whereby UK advertisers are having adverts set up to Chinese (or whatever) websites.
I suspect then (without trying the form) that either the page downloads some form of spyware onto the unlucky victim's machine so that the fraudsters can detect banking logons, or that they ask more questions than would be expected - and gather enough information to clone identities.
The URL in this case is http://www.adwords.google.com.0lks.cn/select/Login - but I can't find anything out about that site. Here's the content, again!
-----------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------
Dear Google AdWords Customer,
We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.
Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.
--------------------------------------------------------------------------------------
ref l-tlw
Thursday, 15 May 2008
Natwest | CUSTOMER SERVICE MESSAGE
Another NatWest phishing email - my third of the day!
This time the destination URL is http://www.ezwebautomation.com/Charts/online/natwestbussinessbankingonline/Login.html. ezwebautomation.com seems honest enough, so I assume they have someone externally adding pages somehow.
Here's the content of the email:
News Alert: Enhanced Online Security
Banking with Natwest Online is about to become even more secure!
As a valued Natwest online customer, the security of your identity and personal account information is extremely important. We are installing Enhanced Online Security as an additional way of protecting your Natwest online access.
Enhanced Online Security will allow Natwest online banking to verify your identity from your computer - at home, at work or anywhere you bank online. When you access your account information, we'll know it's you. And you'll know that you've signed on to Natwest online banking. This two-way process ensures that both parties are confident of each other's identity.
Every customer that uses Natwest online Account for online banking will be required to activate Enhanced Online Security.
Click on sign in to Online Banking for the quick and easy process for activating Enhanced Online Security for your Natwest online banking account.
Sign in to Online Banking
Thanks for taking the time to learn about our upcoming plan for Enhanced Online Security - it's one more way that Natwest Building Society online banking can makes your online banking experience better. Remember always fill in your Memorable word correctly
© 2008 All Rights Reserved
Natwest | please confirm your data!
I was reading in the ThisIsMoney forum that some people think that the NatWest is the most targeted UK bank for phishing emails and blaming the bank for not doing enough to detect such fraud. I don't know whether this is the case or not, but it certainly seems that most phishing emails that I receive are either aimed at the NatWest or at PayPal. Given the number of people with PayPal accounts their being a target isn't a surprise. But I don't bank with the NatWest so I'll leave it for others to comment. If you have experienced problems or know anything about the state of play for NatWest (in their defence) then feel free to comment. Only blatant self-publicising comments are rejected!
This one is the old NOF again. This time around the destination URL is http://natwest.co.uk.mirdop3.co.uk/NOF/startupdate.aspx?refererident=[removed]. It's a long time since we saw Natwest targeted emails on UK domains - around Christmas I think.
Here's the content:
Dear NatWest Bank customer,
We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.
One of these security measures is NOF (NatWest Online Form) to help us to keep your personal and banking data up to date.
You should complete NOF on a regular basis.
Please complete NOF using the link below:
NatWest Online Form
NatWest Automated Mail Service. Please do not respond to this mail.
ref l-cmr
NatWest Bank Personal and Business Urgent E-mail From Billing Department - id: 510
Here's another one aimed at the NatWest - why are they so popular with phishers? Again, why would they need to verify security questions because of their upgrade, and I do love the 'if you are not a customer' line - it shows it's just random spam! It was in February that we last saw this format of email going around - they've been quiet for a while.
This time around the target URL is http://www5.natwest.co.uk.block9.in/details.aspx/?siteid=[removed], which I'm having trouble finding anything about. So not sure what the situation is with the site.
Here's the email content:
Dear Natwest Personal and Business Banking client!
Our Maintenance Division is carrying out a planned Private and Business Banking Service upgrade
By visiting the link below you will start the form of the user details authorization:
http://www7.nwolb.com/details.aspx?type=24yzrpeFDozrcrkdwvrnOkhOvp
These instructions are to be emailed and followed by all members of the Natwest Bank Electronic Banking
NatWest Bank does apologize for any inconveniences caused, and is very grateful for your cooperation.
If you are not client of Natwest OnLine Banking please disregard this notice!
*** This is automatically generated message, please do not respond ***
(C) '08 NatWest Private and Business. All Rights Reserved.
ref l1 - fht
Monday, 12 May 2008
Natwest | Last chance to validate your e-mail address
This email presumably is a follow on from the email received overnight. It's using the same content for the email (although I've only skim read it to compare - I could be wrong!) and the link is still pointing to http://www.nwolb.platinumnumber.com.
I had thought at first it was a followup because maybe the site had been closed down - obviously not, the link is the same. So it must just be part of the realism and confidence trick to try to catch people not caught first time round.
Either way, it's a con. Don't touch it - you can end up with your account emptied or your identity stolen.
Adwords | Your AdWords Google Account is stoped.
This is the last of three emails that arrived to different email addresses within 21 minutes of each other. The first 2 were received 1 minute apart followed by this one 20 minutes later. All three have different titles, but the same content and targeted at Google Adwords. I'm posting them separately to make them clearer.
This last one (for now!) has a destination URL of http://www.adwords.google.com.lsk-ots.cn/select/Login. The lsk-ots.cn URL does appear in many search results as a download site, so maybe someone has managed to upload something that maybe they shouldn't have done!
All of the 3 emails contain the (same) following text:
----------------------------------------------------------------------------------------
Dear Google AdWords Customer,
We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.
Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.
----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------
ref l1 - fht
Adwords | Your Account with Google AdWords
This is the second of three emails that arrived to different email addresses within 21 minutes of each other, all with different titles, but the same content and targeted at Google Adwords. I'm posting them separately to make them clearer.
This one has a destination URL of http://www.adwords.google.com.sisekl.cn/select/Login. The sisekl.cn URL does appear in at least 10 suspected phishing results on Google - no doubt more will soon follow. So don't follow the link!
All of the 3 emails contain the (same) following text:
----------------------------------------------------------------------------------------
Dear Google AdWords Customer,
We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.
Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.
----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------
ref l1 - fht
Adwords | Your ads have been suspended.
Three emails have arrived to different email addresses within 21 minutes of each other, all with different titles, but the same content and targeted at Google Adwords. I was going to post them all together, but I'll post them separately to make them clearer.
The first one has a destination URL of http://www.adwords.google.com.fdkoil.cn/select/Login. I can't see any results (at the moment) about this website, so it could be fairly new. But don't follow the link!
All of the 3 emails contain the (same) following text:
----------------------------------------------------------------------------------------
Dear Google AdWords Customer,
We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.
Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.
----------------------------------------------------------------------------------
This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message.
-------------------------------------------------------------------------------------
ref s - rwt
Natwest | Validate your e-mail address
Here's a new one on me. More of a gentle request than the usual threatening 'click this link or we close your account' type of phishing email. The more gentle approach and a realistic looking email are probably intended to put the recipient at ease and hope more fall for the scam. But with a sender's email of 9804e2424@natwest.co.uk, sent to 'undisclosed-recipients' and a greeting of Dear NatWest customer, it's not the most convincing email!
This time around the destination URL is http://www.nwolb.platinumnumber.com. This URL does appear in a fair number of phishing results. Don't press the link - it's a fraud.
Here's the content:
Dear NatWest customer,
We want to remind you that you have not yet completed the process of renewal of your National Westminster Bank Online Branch. For security reasons, we need to validate your e-mail address.
Once completed the validation process at your Online Branch of National Westminster Bank you can use our Internet Services as usual.
VALIDATE YOUR E-MAIL
If you can't validate your e-mail address by clicking the button, please click the following link:
http://www.nwolb.platinumnumber.com/index.aspx?validate.account/op.validate/code.c16561ce/ref.rem/EMAIL/validation.c16561ce/subref.r001/WT.mc_id=r001_20071228
Thank you for using our services.
Best regards,
National Westminster Bank Online Branch team.
Unauthorized account access or use is not permitted and may constitute a crime punishable by law. National Westminster Bank does business as NatWest.
© National Westminster Bank, PC. 2001 - 2008. UK.
Friday, 9 May 2008
SOUTH AFRICAN 2010 WORLD CUP LOTTERY AWARD
Here's another lottery winning email, in bad English, telling me I've won a fantastic amount of money in a lottery I've neither heard of nor entered.
It's sent to 'undisclosed-recipients' - a warning flag if you don't believe me that it's a scam. How many people have received this same award winning email - probably the 50,000 they mention later on in the email!
They also insist, as many such emails do, that you keep it quiet until the award has been awarded. This is so that anyone who falls for the trick doesn't tell anyone what they are doing, as the other people might warn them that it's not for real.
As they say at the end of 'The Real Hustle', if it sounds too good to be true then it probably is. There's no reason why anyone would win $2.5m on a lottery they haven't heard of. Either these guys are going to steal your identity, or at least rob you of a cheque for processing the award.
Here's the content. If you want to see other lotteries that I've 'won' in recently, then view them here. They all seem to take the same sort of lines.
LOTTERY AWARD
PROMOTIONALPROGRAMME
SOUTH AFRICAN 2010 WORLD CUP LOTTERY AWARD.
LOTTERY HEADQUARTERS: 31, BRITON COURT,
KEMPSTON PARK, JHB.
BATCH: (13/26/DC36.)
FROM: SA NATIONAL LOTTERY
TICKET NUMBER: 74454774
SERIAL NUMBER: 144-66584
BATCH NUMBER: BT-4478474121P
DRAWS NUMBERS:
AWARD NOTIFICATION:
We are pleased to inform you of the release, of the long awaited results
of the South African 2010 World cup Bid award INTERNANTIONAL LOTTERY
PROMOTION held in Zurich, Switzerland on the 30 April 2008.You were
entered as dependent clients with: Reference SERIAL NUMBER: 144-66584 and
Batch number BT-4478474121P.
Your email address attached to the ticket number: 74454774 that drew the
lucky winning number, which consequently won the sweepstake in the first
category,in four parts. You have been approved for a payment of
$2,500.000 Dollars ( Two Million Five Hundred Thousand United States
Dollars )in cash credited to file reference number:IPL/4249859609/WP1.This
is from a total cash prize of 20 million Dollars shared among the ten
international winners in first categories.
All participants were selected through a computer ballot system drawn from
50,000 (Fifty thousand) names of email users around the world, as part of
our international promotion program. Due to mixed up of some names and
addresses, we ask that you keep this award personal, till your claims has
been processed and your funds remitted to you. This is part of our
security measures to avoid double claiming or unwarranted taking advantage
of the situation by other participants or impersonators, You are therefore
directed to contact your claim agent immediately on receipt of this
massage for quickened and urgent proces and release of your winning fund.
Agent contact and infomation are as:
NAME: DR. DAVID MOOR
(CLAIM AGENT)
Email:(ndlovu.raph@com)
TEL:+27-73- 32 54 911 .
He is your agent, and responsible for the processing and transfer of your
winnings to you. YOUR SECURITY FILE NUMBER IS Z-90237-Y67/U4 (keep it
personal) Remember, your winning must be claimed not later than (TWO
WEEKS) From the date of acknowledgement receipt. Failure to claim your
fund will be added to the next 30 Million Dollars lottery promotion.
Furthermore, should there be any change in your address, do inform your
claims agent as soon as possible. Once again, Congratulations.
Best Regards,
MARIA STEVE.
NatWest Bank security upgrade!
NatWest seems to be a popular target for phishing emails, at least the ones that I receive. See this link for more of the Natwest Phishing emails if you have missed any.
This one is the standard 'NOF' fraud, along with a load of hidden junk at the bottom of the email (white text on a white background, but you can see it if you highlight it!). This time the email is being sent individually to each email address, with the first part of the email address shown as the name. The destination URL is http://natwest.co.uk.lfiieu8.zj.cn/NOF/startupdate.aspx?refererident=[removed]&cookieid=[removed]. I'm guessing that zj.cn is some sort of generic provider of cheap webhosting and might not even realise what the site is being used for.
Here's the content of the email.
Dear NatWest Bank customer,
We have implemented security measures consistent with our internal information security practices to help us keep your information secure. These measures include technical and procedural steps to protect your data from misuse, access or disclosure, loss, alteration or destruction.
One of these security measures is NOF (NatWest Online Form) to help us to keep your personal and banking data up to date.
You should complete NOF on a regular basis.
Please complete NOF using the link below:
NatWest Online Form
NatWest Automated Mail Service. Please do not respond to this mail.
ref i - cmr
Wednesday, 7 May 2008
PayPal | Remove limitations
It's been a quiet few days - nothing to post here for a while. Then this email arrived aimed at PayPal and seconds later a genuine PayPal email about anti-phishing.
The email looks genuine enough and as it was received with a genuine security email, did make me wonder, for a half second. Then I saw the "click on the following link" and knew straight away it was fake (Ebay would not include such a link). Then a quick glance at the To: field (undisclosed-recipients) and there's no doubt that it's phishing - Ebay would only email me if there was an account problem and would mention my name in the email.
Lastly, the email claims that something happened on February 15th - that's ages ago. Why would PayPal take almost 11 weeks to respond?
The link claims to go to https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center, but in actual fact the destination is http://windows100.neodigit.com/online.paypal.com/www.paypal.com/us/webscr.html?cmd=_login-run. I can't find anything about the site, but it looks dangerous. Don't touch the link.
Here's the email content:
PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Why is my account access limited?
Your account access has been limited for the following reason(s):
Feb 15, 2008: We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.
(Your case ID for this reason is PP-257-057-154.)
To remove the limitation click on the following link:
https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center
Regards,
PayPal Security Departament
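The links in these posts all rely on the same tricks: the real brand domain is placed at the front of a hostname that actually ends in someone else's domain, or is buried in the path, and the visible link text shows a different address from the one the link opens. The following Python check is an added example, not part of the original posts; the `BRAND_DOMAINS` list and the function names are assumptions made for illustration, and the sample links are the ones quoted above.

```python
from urllib.parse import urlsplit

# Assumption: the real domains of the brands impersonated in these emails.
BRAND_DOMAINS = ("google.com", "paypal.com", "natwest.co.uk")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url.strip()).hostname or "").rstrip(".").lower()


def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def contains_labels(host, domain):
    """True if the domain's labels appear contiguously anywhere in the host."""
    h, d = host.split("."), domain.split(".")
    return any(h[i:i + len(d)] == d for i in range(len(h) - len(d) + 1))


def check_link(href, shown_text=""):
    """Return a sorted list of findings for one link taken from an email."""
    findings = set()
    host = host_of(href)
    path = urlsplit(href.strip()).path.lower()
    for brand in BRAND_DOMAINS:
        if belongs_to(host, brand):
            continue  # the host really is under the brand's own domain
        if contains_labels(host, brand):
            findings.add(f"brand-in-hostname:{brand}")
        if brand in path:
            findings.add(f"brand-in-path:{brand}")
    # Only compare when the visible text is itself written as a URL.
    shown_host = host_of(shown_text) if "://" in shown_text else ""
    if shown_host and shown_host != host:
        findings.add(f"text-href-mismatch:{shown_host}")
    return sorted(findings)


# (real destination, text shown to the reader), as quoted in the posts above.
SAMPLES = [
    ("http://www.adwords.google.com.lsk-ots.cn/select/Login",
     "http://adwords.google.com/select/login"),
    ("http://windows100.neodigit.com/online.paypal.com/www.paypal.com/us/webscr.html?cmd=_login-run",
     "https://www.paypal.com/cgi-bin/webscr?cmd=_resolution-center"),
    ("http://natwest.co.uk.lfiieu8.zj.cn/NOF/startupdate.aspx",
     "NatWest Online Form"),
]

if __name__ == "__main__":
    for href, shown in SAMPLES:
        print(host_of(href), "->", check_link(href, shown) or "no findings")
```

The comparison is made right to left on whole hostname labels, which is why www.adwords.google.com.lsk-ots.cn is treated as belonging to lsk-ots.cn and not to google.com.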