Archive for August, 2008

My “New Friend” from Paraguay Wants to Give Me $1,020,000!

Friday, August 15th, 2008

From: bryan_williams@hotmail.co.uk
Reply-to: d.allen_gscs@sify.com
Sent: 8/13/2008 4:03:15 P.M. Central Daylight Time
Subj: RE: GOOD DAY
My Dear friend.

How are you today? I am using this opportunity to inform you that this multi-million-dollar business has been concluded with the assistance of another partner from Paraguay who financed the transaction to a logical conclusion.

Due to your effort, sincerity, courage and trust worthiness you showed during the course of the transaction. I have decided to compensate you with 10% of the total funds worth of $1,020,000.00 to be delivered to you anywhere in the world with the GLOBAL SECURITY & CARGO SERVICES.

Now contact my Duty officer in GLOBAL SECURITY & CARGO SERVICES in UK for the collection of the funds with the information stated below:

GLOBAL SECURITY & CARGO SERVICES
215 VAUXHALL BRIDGE ROAD
LONDON, SW1V 1EJ
UNITED KINGDOM
Tel: +44 70457 26404
Duty Officer: Dr. David Allen
Email: d.allen_gscs@sify.com
         
You should therefore send to him you are full Name, telephone and fax numbers / your correct mailing address where you want him to send the funds to you.  As of now I am very busy with my investment projects in Paraguay. Thanks and God bless you and your family.

Hoping to hear from you.

Yours sincerely,
Bryan

Dear Ol’ Uncle Jurgen Krugger Left Me a $30 Million Inheritance!

Thursday, August 14th, 2008

From: chick@aapt.net.au
Reply-to: davidsmith.esqunit@live.com
Sent: 8/13/2008 11:28:37 P.M. Central Daylight Time
Subj: (no subject)

Attention: Your Inheritance Funds

On behalf of the Trustees and Executor of the estate of Late Engr.Jürgen Krügger.  I once again try to notify you as my earlier letter was returned undelivered.

I hereby attempt to reach you again by this same email address on the WILL. I wish to notify you  that late Engr.Jürgen Krügger made you a beneficiary to his WILL.

He left the sum of Thirty Million, One Hundred Thousand Dollars (USD$30,100.000.00) to you in the Codicil and last testament to his WILL.

This may sound strange and unbelievable to you, but it is real and true. Being a widely traveled man, he must have been in contact with you in the past or simply you were nominated to him by one of his numerous friends abroad who wished you good.

Engr.Jürgen Krügger until his death was a member of the Helicopter Society and the Institute of Electronic &  Electrical Engineers.He was a very dedicated Christian who loved to give out. His great philanthropy earned him numerous awards during his life time. Late Engr. Jürgen Krügger died on the 13th day of December, 2004 at the age of 80 years and his WILL is now ready for execution.

According to him this money is to support your humanitarian activities and to help the poor and the needy in our society.  Please if I reach you as I am hopeful, endeavor to get back to me as soon as possible to enable me conclude my job.

I hope to hear from you in no distant time.

I await your prompt response.
E-mail: davidsmith.esqunit@live.com

Yours in Service,

BARRISTER DAVID SMITH ESQ.
PRINCIPAL PARTNERS: Barrister Aidan Walsh.Esq Markus Wolfgang, Mr.
John Marvey Esq, Mr. Jerry Smith Esq

Bank of Hanover Phishing Attempt

Tuesday, August 12th, 2008

++++++++++++++++++++++++++++++++++++++++++

From: survey@bankofhanover.com
Reply-to: do-not-reply@bankofhanover.com
Sent: 8/7/2008 3:53:55 A.M. Central Daylight Time
Subj: Bank of Hanover Online Survey ID : XZURGKDHEF

 
Congratulations!
Dear Customer,

You’ve been selected to take part in our quick and easy 9 questions survey In return we will credit $90.00 to your account - Just for your time!

Please spare two minutes of your time and take part in our online survey so we can improve our services.
Don’t miss this chance to change something.

To access the form please copy/paste the link below in your browser (or click the link):

avamehr.com:81/bankofhanover/survey/survey.php

Founded in 1835, Bank of Hanover is dedicated to building strong relationships with families, individuals and businesses within the communities we serve, everyday.

We pride ourselves in offering superior customer service with a personalized touch.
© Copyright 2008 Bank of Hanover is an affiliate of Sterling Financial Corporation which merged with The PNC Financial Services Group, Inc.
(NYSE:PNC) on April 4, 2008. All rights reserved.

Links to third-party sites are provided for your convenience.

Such sites may not follow the same privacy or security standards as ours. We do not endorse, approve, or control those sites.
Note:
* If you received this message in your SPAM/BULK folder, that is because  of the restrictions implemented by your ISP
* For security reasons, we will record your ip address, the date and time.
* Deliberate wrong imputs are criminally pursued and indicted.

Survey ID :

FJGIJTGHKGPTKPTGOGHXBLPBQQJYRVFMRTLOLE
++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient’s email address and are often personalized with the account holder’s name in the email.

2.  The included link:

avamehr.com:81/bankofhanover/survey/survey.php

points to a website which is obviously not a Bank of Hanover website.  This entire email was a very amateur attempt.

3.  Bank accounts are the most desirable accounts to phishermen.  Extra precaution should always be taken when receiving suspicious emails regarding bank accounts.

4.  Spelling and/or grammatical errors.  Layout problems.

Colonial Bank Account and Security Information Phishing Attempt

Tuesday, August 12th, 2008

++++++++++++++++++++++++++++++++++++++++++

From: security.alert@colonial.com
Sent: 8/8/2008 7:52:04 P.M. Central Daylight Time
Subj: Important Security Alert!!!

Dear Customer,

During Our Security Maintenance and SSL Secure Servers Upgrade, Our technical services team noticed a slight error on your personal information. This might be due to either of the following reasons :

1) A recent change in your personal information.

2) Your Account has been accessed from a Foreign IP.

3) Submitting invalid information during initial sign in process.

Due to this, you are requested to Update and Verify your information by following the link below.

To get started, please click the link below:

colonialbank.com/
*Important*

We have asked few additional information which is going to be the part of secure login process. These additional information will be asked during your future login security so, please provide all these info completely and correctly otherwise due to security reasons we may have to close your account temporarily.

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Colonial Bank Customers Support Service.
++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient’s email address and are often personalized with the account holder’s name in the email.

2.  The included link, colonialbank.com, points to a URL which is obviously not a Colonial Bank website:

sign-art.co.kr/board/data/new3/col.html

It should be noted that this was one of the best “knock-off” websites that I have seen to date.  All links point to Colonial Bank’s actual website with the exception of the Username and Password Login form.  Once login information is entered the visitor is taken to an “identity confirmation” page where the scammers also attempt to get answers to common security questions.  This South Korea based fake website is one of the longer-lived ones I’ve come across, too, having been online now for several days.

3.  Bank accounts are the most desirable accounts to phishermen.  Extra precaution should always be taken when receiving suspicious emails regarding bank accounts.

4.  Spelling and/or grammatical errors.

Comerica Bank Phishing Attempt

Monday, August 11th, 2008

++++++++++++++++++++++++++++++++++++++++++

From: security.alert@comerica.com
To: compasspointpi@a*l.com
Sent: 8/7/2008 8:56:13 P.M. Central Daylight Time
Subj: Important Security Alert!!!

Dear Comerica Bank Customers,

We are glad to inform you, that our bank is switching to new transactions security standards.
The new updated technologies will ensure the security of your payments through our bank.
Both software and hardware will be updated.

We Kindly ask you to confirm and update your details

Click here to confirm your UPDATE

We offer you a new convenient and safe high-quality level of service to handle you ATM card.
©Comerica Bank Customer Support
++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  Recipient does not have an account with Comerica Bank.

2.  The included HTML-Coded link points to a website which is obviously not a Bank of America website:

adifferentbookstore.com/components/webbanking.html

3.  Bank accounts are the most desirable accounts to phishermen.  Extra precaution should always be taken when receiving suspicious emails regarding bank accounts.

4.  Spelling and/or grammatical errors.

Phishing for Google Adwords Accounts

Monday, August 11th, 2008

++++++++++++++++++++++++++++++++++++++++++

From: adwords-noreply@google.com
Sent: 8/9/2008 12:20:01 P.M. Central Daylight Time
Subj: Google AdWords Notification Alert

 http://adwordstechcenter.com/select/Login.htm
Renew Your Account Now !
Dear Member,

This is your official notification from Google Inc. that the service(s) listed below will be deactivated and deleted if not renewed immediately.

As the Primary Contact, you must renew the service(s) listed below or it will be deactivated and deleted.

Renew Now your Google AdWords services.

SERVICE: Google AdWords
EXPIRATION: August, 11 2008

Thank you for using Google Inc service. We appreciate your business and the opportunity to serve you.

Google AdWords Service.
 

*Note : Please do not reply to this Customer Service e-mail. 
 

©2008 Google
++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient’s email address and are often personalized with the account holder’s name in the email.

2.  The included HTML-coded link points to a website which is not a Google website and could be misleading:

adwordstechcenter.com/select/Login.htm

3.  Threats of account termination are very common in phishing attempts while a legitimate company would not risk losing a customer over something that could be taken care of with a phone call.

4.  Fraudulently obtaining access to Google Adwords accounts could provide thieves with account holder identity and financial information as well as provide the scammers with the ability to hijack pay per click advertising campaigns.

Bank of America Phishing Attempt

Sunday, August 3rd, 2008

++++++++++++++++++++++++++++++++++++++++++

From: confirm@bankofamerica.com
Sent: 7/22/2008 11:53:43 AM Central Daylight Time
Subj: Confirm Your Personal Information !

We recently have determined that different computers have logged onto your account Banking, and multiple password failures were present before the logins. We now need you to re-confirm your account information to us. If this is not completed by July 23, 2008, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. To confirm your Account Bank Of America records click on the following link:

>>> https://www.bankofamerica.com/index.jsp <<<

Thank you for your patience in this matter. Bank Of America Online Customer Service. Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered. 1999-2008 Bank Of America. All rights reserved.

++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient’s email address and are often personalized with the account holder’s name in the email.

2.  The included link, bankofamerica.com/index.jsp, points to a website which is obviously not a Bank of America website:

sg-php.com/Scripts/400.htm.

3.  Bank of America is the largest bank in the United States and is one of the most phished websites on the Internet.  Extra precaution should always be taken when receiving suspicious emails regarding Bank of America accounts.

4.  Spelling and/or grammatical errors.

5.  Threats of account termination are very common in phishing attempts while a legitimate company would not risk losing a customer over something that could be taken care of with a phone call.

Salin Bank Account Phishing Attempt- with a Twist!

Sunday, August 3rd, 2008

This one is a really interesting scam as the phishing attempt does not use a fake website in an attempt to elicit bank account information, but rather a toll free telephone number and an automated system in an effort to collect Salin Bank credit card numbers, expiration date and PIN code data.  This is certainly an escalation of effort and a savvy use of technology from the fraudsters who are probably using a VOIP / Linux application.  Since it used a telephone as part of the scam this could further be identified as a “vishing” attempt.

The email appears to have been routed through Amundsen Food Equipment mail servers in an effort to obfuscate the email sender’s originating IP address.

++++++++++++++++++++++++++++++++++++++++++

From: Salin Bank [mailto:memberservice@salin.com]
Sent: Saturday, August 02, 2008 10:15 PM
Subject: This is not a promotional e-mail.

Dear CardHolder,

This is not a promotional e-mail. Please call us immediately at 1-(800) 805-7110 regarding recent activity on your account. We’re available 24/7 to take your call.

Please disregard this e-mail if you’ve already call us since the date this e-mail was sent.

We appreciate your prompt attention to this matter.

Thank you
 Fraud Prevention Security Department


Copyright © 2007 Salin Bank.

++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient and are often personalized with the account holder’s name in the email.

2.  The recipient of the email does not have an account with Salin Bank.

3.  The 800 number provided in the email could not be identified as a legitimate Salin Bank telephone number and is not listed on the Salin Bank website.

4.  When calling the provided telephone number, (800) 805-7110, the message and voice prompts do not identify the bank by name before asking for credit card account information.  It should be noted that the message heard when calling the number provided on the Salin Bank website is professionally recorded while the message and prompts heard when calling the fake telephone number sound like they were recorded using crude text to speech software; a lack of expected quality is generally a huge red flag when investigating fake corporate identity claims and counterfeit products.

5.  Advanced investigation techniques:  The email’s originating IP is 98.174.167.159, which is assigned to Amundsen Food Equipment’s mail server, mail.afeok.com.  There is no reasonable or legitimate explanation why Salin Bank would route email through another company’s email server.  Fraudsters will often exploit weaknesses in mail servers in order to hide their identities.
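The relay check in note 5 can be done from the raw headers. The following is an added example, not the investigator's own tooling; the header block is constructed from the IP and host name given above, and mx.recipient.example is a hypothetical name for the recipient's own mail server. Only the Received line stamped by that server is trusted, because older Received lines can be written by whoever sent the message.

```python
import email
import re
from email import policy

# Constructed sample rebuilt from the finding above. mx.recipient.example is a
# hypothetical name for the recipient's own server; the older hop is invented.
SAMPLE = """\
Received: from mail.afeok.com (mail.afeok.com [98.174.167.159])
\tby mx.recipient.example with ESMTP; Sat, 2 Aug 2008 22:15:40 -0500
Received: from salin.com (unknown [203.0.113.7])
\tby mail.afeok.com with SMTP; Sat, 2 Aug 2008 22:15:12 -0500
From: Salin Bank <memberservice@salin.com>
Subject: This is not a promotional e-mail.

Dear CardHolder,
"""

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)", re.I)

def org_domain(host):
    """Assumption: last two labels; real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def handoff_hop(msg, trusted_mx):
    """Newest Received line stamped by one of our own servers, or None."""
    for value in msg.get_all("Received", []):      # newest hop is listed first
        m = HOP.search(str(value))
        if m and m.group("by").lower() in trusted_mx:
            return m.groupdict()
    return None

def relay_check(raw, trusted_mx):
    """Compare the host that handed us the mail with the From: domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    addresses = msg["From"].addresses if msg["From"] else ()
    hop = handoff_hop(msg, trusted_mx)
    if hop is None or not addresses:
        return None
    rdns = hop["rdns"] or ""
    peer = rdns if "." in rdns else hop["helo"]    # rDNS may read "unknown"
    sender = addresses[0].domain
    return {"from_domain": sender, "peer_host": peer, "peer_ip": hop["ip"],
            "mismatch": org_domain(peer) != org_domain(sender)}
```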

Pay Pal Phishing Attempt

Friday, August 1st, 2008

++++++++++++++++++++++++++++++++++++++++++

From: PayPal [mailto:service@paypail.com]
Sent: Wednesday, July 23, 2008 1:48 PM
Subject: Email ID PP19PO991

Warning : Credit Card Expiration Approaching

Your credit card will expire soon.

- You may no longer be able to use PayPal

To avoid any interruption to your service, please update your credit card  by following the link below :

paypal.com/cgi-bin/webscr?cmd=_login-submit

Thank you for using PayPal!

The PayPal Team

—————————————————————-
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.

PayPal Email ID PP19PO991

++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.

2.  The included link, paypal.com/cgi-bin/webscr?cmd=_login-submit, points to a website which is obviously not a Pay Pal website: 

ad96e17e3.dsl.de.colt.net/oystercal/includes/.home/cgi-bin/.

3.  Pay Pal is the most phished website on the Internet.  Extra precaution should always be taken when receiving suspicious emails regarding Pay Pal accounts.

Phishing for AT&T Email Accounts

Friday, August 1st, 2008

++++++++++++++++++++++++++++++++++++++++++

From: AT&T [mailto:serviceonline@att.net]
Sent: Friday, August 01, 2008 12:46 AM
Subject: AT&T - 1 Message 

Important Information Regarding Your AT&T - WEB E-Mail

Dear AT&T Client ,This is your official notification that the service(s) listed below will be deactivated and deleted if not renewed immediately. Previous Notifications have been sent to the Billing Contact assigned to this account.

As the Primary Contact, you must renew the service(s) listed below.

SERVICE: AT&T - WEB E-Mail
Expiration: NOV 8st 2008

What you need to do:

It’s easy to renew your Online AT&T informations by click on the link bellow :

webauth.att.net

- Go to Account Login
- Update/Verify Your Information

Thanks
AT&T 2008

++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.

2.  The included link, webauth.att.net, points to a website which is obviously not an AT&T website: 

hamco.co.kr/milboard/data/login.html.

3.  Spelling and grammatical errors.

4.  It is rare to see a phishing attempt in order to gain access to email accounts but the damage could be severe if the scammer could get a hold of email accounts which could then be used to change login information and initiate password resets for high risk websites (banks, eBay, Pay Pal, etc. etc.).