Posts Tagged ‘phishing attempt’

Department of the Treasury Owes Me $189.60!

Monday, January 5th, 2009

Too bad, by the time I received this scam email the IRS had already shut it down.

From: Department of the Treasury [mailto:service@irs-usa.com]
Sent: Monday, January 05, 2009 5:25 AM
Subject: Notice from Department of the Treasury

After the last annual calculations of your fiscal activity
we have determined that you are eligible to receive
a tax refund under section 501(c) (3) of the
Internal Revenue Code. Tax refund value is $189.60.
Please submit the tax refund request and allow us 6-9 days
in order to IWP the data received.
If u don’t receive your refund within 9 business
days from the original IRS mailing date shown,
you can start a refund trace online.

If you distribute funds to other organization, your records must show wether
they are exempt under section 497 (c) (15). In cases where the recipient org.
is not exempt under section 497 (c) (15), you must have evidence the funds will
be used for section 497 (c) (15) purposes.

If you distribute fund to individuals, you should keep case histories showing
the recipient’s name and address; the purpose of the award; the maner of
section; and the realtionship of the recipient to any of your officers, directors,
trustees, members, or major contributors.

To access the form for your tax refund, please click here


This notification has been sent by the Internal Revenue Service,
a bureau of the Department of the Treasury.

Sincerely Yours,

John Stewart
Director, Exempt. Organization
Rulings and Agreements Letter
Internal Revenue Service

Scam email with a fake telephone number 800-927-1839

Sunday, December 7th, 2008

I received the following vishing attempt today.  The scam email asks its intended victims to call a number, (800) 927-1839 and tries to fool them into believing that they are calling their bank, U.S. Bank.  It then asks for secret US Bank account information, which of course will be used by the thieves to steal the victim’s identity and money.

Do not fall for these fake phone numbers.  If you have a question about a bank account or your credit card account always call the number printed on the card or call your local bank branch directly.

From: U.S. Bank Alerts [mailto:alerts@cs.usbank-email.com]
Sent: Saturday, December 06, 2008 2:15 PM
To: [redacted]
Subject: U.S. Bank (Message from Customer Service)


This is not a promotional e-mail. Please call us immediately at 1-800-927-1839 regarding recent restriction placed on your U.S. Bank Check Card, ATM Card.

We’re available 24/7 to take your call.

Please do not respond to this message. If you would like to contact us, please login to U.S. Bank Internet Banking at usbank.com and send a message to Customer Service.

You are receiving this email because you signed up for alerts through U.S. Bank Internet Banking. If you no longer wish to receive this alert, login to U.S. Bank Internet Banking at usbank.com to temporarily disable or permanently delete the alert.

U.S. Bank Internet Banking


At U.S. Bank, protecting your privacy is our priority. We will never request personal information (such as your Personal ID, Password, Social Security Number, PIN, or Account Number) via email. For your safety, we recommend that you do not share this information with anyone, at any time. Sharing such information gives the recipient full access to your account. If you receive emails requesting personal information, please forward to fraud_help@usbank.com or call U.S. Bank Customer Service immediately at 1-800-943-1477.

View the U.S. Bank Privacy Policy

U.S. Bank · EP-MN-L28M · 200 South 6th Street · Minneapolis, MN 55402

V2.0 10/23/2008

Alabama Central Credit Union Phishing Email

Wednesday, September 3rd, 2008

From: Alabama Central Credit Union [mailto:secure@alabamacentral.org]
Sent: Wednesday, September 03, 2008 9:56 AM
Subject: Security Update
Importance: High

Due to recent atacks targeting Alabama Central Credit Union we are pleased to introduce a fully upgraded Banking System.  This new feature will protect your Alabama Central Credit Union Visa Card.

How does it works:
Your card details will be encrypted using 128bit Secure Sockets Layer technology.
International transactions will be strictly monitored.
Access to your card over the internet will be more secure and more easy to use.

SERVICE : Secure my Card.
EXPIRATION: September 04, 2008

Take advantage of our new security upgrade now!
Click on the link below to proceed:
alabamacentral.org/upgrade/visa.card/login.html

We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintain the integrity of the entire banking system.

Best Regards,
Alabama Central Credit Union - 3601 4th Avenue So. Birmingham, AL 35222

Masked link pointed to:
mail.medigy.net/epublish/images/ac/ 

which then redirects the browser to:
212.62.250.94:84/accu/index.htm

TD Banknorth Treasury Management Phishing Attempt

Friday, August 29th, 2008

From: customers-support-id-56nl@tdbanknorth.com
To: [redacted]
Sent: 8/26/2008 4:28:43 P.M. Central Daylight Time
Subj: TDBanknorth Treasury Management Please Submit Your Login!

Dear TD Banknorth Treasury Management client,

Security and confidentiality are at the heart of the TD Banknorth. Your details (and your money) is protected by a number of technologies, including Secure Sockets Layer (SSL) encryption.

We would like to notify you that TD Banknorth Commercial carries out client details confirmation procedure that is compulsory for all TD Banknorth Commercial customers. This procedure is attributed to a routine banking software update.

Please login to TD Banknorth WebExpress using the link below and follow the instructions on the screen.

tdbanknorth.com/wcmfd/wcmpw/CustomerVerify.htm?taskid=21yekhnnwcssdyyDchyOkhb

TD Banknorth Commercial Customer Service

Masked link pointed to:

webexpress1.tdbanknorth.com.asp8.su/wcmfd/wcmpw/CustomerVerify.htm?cookie=21yekhnnwcssdyyDchyOkhb
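The masked links in the Alabama Central and TD Banknorth posts above can be caught mechanically by comparing the host named in a link's visible text with the host in its href. This is an added example, not code from the original posts; the function names, the `http://` scheme and the HTML wrapped around the quoted links are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed markup: link text and targets are the ones quoted in the posts
# above; the http:// scheme and the third (benign) link are assumptions.
SAMPLE = """
<a href="http://mail.medigy.net/epublish/images/ac/">alabamacentral.org/upgrade/visa.card/login.html</a>
<a href="http://webexpress1.tdbanknorth.com.asp8.su/wcmfd/wcmpw/CustomerVerify.htm">tdbanknorth.com/wcmfd/wcmpw/CustomerVerify.htm</a>
<a href="https://www.usbank.com/">usbank.com</a>
"""

HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def host_of(url):
    """Hostname of a URL, tolerating a missing scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def same_site(host, shown):
    """True only if host is the shown domain or a subdomain of it.
    A substring test would wrongly accept tdbanknorth.com.asp8.su."""
    return host == shown or host.endswith("." + shown)

class LinkAudit(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.links = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append(("".join(self.text).strip(), self.href))
            self.href = None

def masked_links(html):
    """Return (shown_host, real_host) for links whose text names another site."""
    audit = LinkAudit()
    audit.feed(html)
    findings = []
    for text, href in audit.links:
        m = HOST_RE.search(text)
        if not m:
            continue  # "click here" style text names no host to compare
        shown, target = m.group(0).lower(), host_of(href)
        if not same_site(target, shown):
            findings.append((shown, target))
    return findings
```

Calling `masked_links(SAMPLE)` reports the first two links and passes the third, because `www.usbank.com` is a true subdomain of the host shown in its text.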

Bank of Hanover Phishing Attempt

Tuesday, August 12th, 2008

++++++++++++++++++++++++++++++++++++++++++

From: survey@bankofhanover.com
Reply-to: do-not-reply@bankofhanover.com
Sent: 8/7/2008 3:53:55 A.M. Central Daylight Time
Subj: Bank of Hanover Online Survey ID : XZURGKDHEF

 
Congratulations!
Dear Customer,

You’ve been selected to take part in our quick and easy 9 questions survey In return we will credit $90.00 to your account - Just for your time!

Please spare two minutes of your time and take part in our online survey so we can improve our services.
Don’t miss this chance to change something.

To access the form please copy/paste the link below in your browser (or click the link):

avamehr.com:81/bankofhanover/survey/survey.php

Founded in 1835, Bank of Hanover is dedicated to building strong relationships with families, individuals and businesses within the communities we serve, everyday.

We pride ourselves in offering superior customer service with a personalized touch.
© Copyright 2008 Bank of Hanover is an affiliate of Sterling Financial Corporation which merged with The PNC Financial Services Group, Inc.
(NYSE:PNC) on April 4, 2008. All rights reserved.

Links to third-party sites are provided for your convenience.

Such sites may not follow the same privacy or security standards as ours. We do not endorse, approve, or control those sites.
Note:
* If you received this message in your SPAM/BULK folder, that is because  of the restrictions implemented by your ISP
* For security reasons, we will record your ip address, the date and time.
* Deliberate wrong imputs are criminally pursued and indicted.

Survey ID :

FJGIJTGHKGPTKPTGOGHXBLPBQQJYRVFMRTLOLE
++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient’s email address and are often personalized with the account holder’s name in the email.

2.  The included link:

avamehr.com:81/bankofhanover/survey/survey.php

points to a website which is obviously not a Bank of Hanover website.  This entire email was a very amateur attempt.

3.  Bank accounts are the most desirable accounts to phishermen.  Extra precaution should always be taken when receiving suspicious emails regarding bank accounts.

4.  Spelling and/or grammatical errors.  Layout problems.

Colonial Bank Account and Security Information Phishing Attempt

Tuesday, August 12th, 2008

++++++++++++++++++++++++++++++++++++++++++

From: security.alert@colonial.com
Sent: 8/8/2008 7:52:04 P.M. Central Daylight Time
Subj: Important Security Alert!!!

Dear Customer,

During Our Security Maintenance and SSL Secure Servers Upgrade, Our technical services team noticed a slight error on your personal information. This might be due to either of the following reasons :

1) A recent change in your personal information.

2) Your Account has been accessed from a Foreign IP.

3) Submitting invalid information during initial sign in process.

Due to this, you are requested to Update and Verify your information by following the link below.

To get started, please click the link below:

colonialbank.com/
*Important*

We have asked few additional information which is going to be the part of secure login process. These additional information will be asked during your future login security so, please provide all these info completely and correctly otherwise due to security reasons we may have to close your account temporarily.

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Colonial Bank Customers Support Service.
++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient’s email address and are often personalized with the account holder’s name in the email.

2.  The included link, colonialbank.com, points to a URL which is obviously not a Colonial Bank website:

sign-art.co.kr/board/data/new3/col.html

It should be noted that this was one of the best “knock-off” websites that I have seen to date.  All links point to Colonial Bank’s actual website with the exception of the Username and Password Login form.  Once login information is entered the visitor is taken to an “identity confirmation” page where the scammers also attempt to get answers to common security questions.  This South Korea based fake website is one of the longer-lived ones I’ve come across, too, having been online now for several days.

3.  Bank accounts are the most desirable accounts to phishermen.  Extra precaution should always be taken when receiving suspicious emails regarding bank accounts.

4.  Spelling and/or grammatical errors.

Comerica Bank Phishing Attempt

Monday, August 11th, 2008

++++++++++++++++++++++++++++++++++++++++++

From: security.alert@comerica.com
To: compasspointpi@a*l.com
Sent: 8/7/2008 8:56:13 P.M. Central Daylight Time
Subj: Important Security Alert!!!

Dear Comerica Bank Customers,

We are glad to inform you, that our bank is switching to new transactions security standards.
The new updated technologies will ensure the security of your payments through our bank.
Both software and hardware will be updated.

We Kindly ask you to confirm and update your details

Click here to confirm your UPDATE

We offer you a new convenient and safe high-quality level of service to handle you ATM card.
©Comerica Bank Customer Support
++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  Recipient does not have an account with Comerica Bank.

2.  The included HTML-Coded link points to a website which is obviously not a Bank of America website:

adifferentbookstore.com/components/webbanking.html

3.  Bank accounts are the most desirable accounts to phishermen.  Extra precaution should always be taken when receiving suspicious emails regarding bank accounts.

4.  Spelling and/or grammatical errors.

Phishing for Google Adwords Accounts

Monday, August 11th, 2008

++++++++++++++++++++++++++++++++++++++++++

From: adwords-noreply@google.com
Sent: 8/9/2008 12:20:01 P.M. Central Daylight Time
Subj: Google AdWords Notification Alert

 http://adwordstechcenter.com/select/Login.htm
Renew Your Account Now !
Dear Member,

This is your official notification from Google Inc. that the service(s) listed below will be deactivated and deleted if not renewed immediately.

As the Primary Contact, you must renew the service(s) listed below or it will be deactivated and deleted.

Renew Now your Google AdWords services.

SERVICE: Google AdWords
EXPIRATION: August, 11 2008

Thank you for using Google Inc service. We appreciate your business and the opportunity to serve you.

Google AdWords Service.
 

*Note : Please do not reply to this Customer Service e-mail. 
 

©2008 Google
++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient’s email address and are often personalized with the account holder’s name in the email.

2.  The included HTML-coded link points to a website which is not a Google website and could be misleading:

adwordstechcenter.com/select/Login.htm

3.  Threats of account termination are very common in phishing attempts while a legitimate company would not risk losing a customer over something that could be taken care of with a phone call.

4.  Fraudulently obtaining access to Google Adwords accounts could provide thieves with account holder identity and financial information as well as provide the scammers with the ability to hijack pay per click advertising campaigns.

Bank of America Phishing Attempt

Sunday, August 3rd, 2008

++++++++++++++++++++++++++++++++++++++++++

From: confirm@bankofamerica.com
Sent: 7/22/2008 11:53:43 AM Central Daylight Time
Subj: Confirm Your Personal Information !

We recently have determined that different computers have logged onto your account Banking, and multiple password failures were present before the logins. We now need you to re-confirm your account information to us. If this is not completed by July 23, 2008, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. To confirm your Account Bank Of America records click on the following link:

>>> https://www.bankofamerica.com/index.jsp <<<

Thank you for your patience in this matter. Bank Of America Online Customer Service. Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered. 1999-2008 Bank Of America. All rights reserved.

++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient’s email address and are often personalized with the account holder’s name in the email.

2.  The included link, bankofamerica.com/index.jsp, points to a website which is obviously not a Bank of America website:

sg-php.com/Scripts/400.htm.

3.  Bank of America is the largest bank in the United States and is one of the most phished websites on the Internet.  Extra precaution should always be taken when receiving suspicious emails regarding Bank of America accounts.

4.  Spelling and/or grammatical errors.

5.  Threats of account termination are very common in phishing attempts while a legitimate company would not risk losing a customer over something that could be taken care of with a phone call.

Salin Bank Account Phishing Attempt- with a Twist!

Sunday, August 3rd, 2008

This one is a really interesting scam as the phishing attempt does not use a fake website in an attempt to elicit bank account information, but rather a toll free telephone number and an automated system in an effort to collect Salin Bank credit card numbers, expiration date and PIN code data.  This is certainly an escalation of effort and a savvy use of technology from the fraudsters who are probably using a VOIP / Linux application.  Since it used a telephone as part of the scam this could further be identified as a “vishing” attempt.

The email appears to have been routed through Amundsen Food Equipment mail servers in an effort to obfuscate the email sender’s originating IP address.

++++++++++++++++++++++++++++++++++++++++++

From: Salin Bank [mailto:memberservice@salin.com]
Sent: Saturday, August 02, 2008 10:15 PM
Subject: This is not a promotional e-mail.

Dear CardHolder,

This is not a promotional e-mail. Please call us immediately at 1-(800) 805-7110 regarding recent activity on your account. We’re available 24/7 to take your call.

Please disregard this e-mail if you’ve already call us since the date this e-mail was sent.

We appreciate your prompt attention to this matter.

Thank you
 Fraud Prevention Security Department


Copyright © 2007 Salin Bank.

++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient and are often personalized with the account holder’s name in the email.

2.  The recipient of the email does not have an account with Salin Bank.

3.  The 800 number provided in the email could not be identified as a legitimate Salin Bank telephone number and is not listed on the Salin Bank website.

4.  When calling the provided telephone number, (800) 805-7110, the message and voice prompts do not identify the bank by name before asking for credit card account information.  It should be noted that the message heard when calling the number provided on the Salin Bank website is professionally recorded while the message and prompts heard when calling the fake telephone number sound like they were recorded using crude text to speech software; a lack of expected quality is generally a huge red flag when investigating fake corporate identity claims and counterfeit products.

5.  Advanced investigation techniques:  The email’s originating IP is 98.174.167.159, which is assigned to Amundsen Food Equipment’s mail server, mail.afeok.com.  There is no reasonable or legitimate explanation why Salin Bank would route email through another company’s email server.  Fraudsters will often exploit weaknesses in mail servers in order to hide their identities.
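The investigator notes about the missing “To” field and about mail relayed through an unrelated company's server translate into two header checks. This is an added example, not code from the original posts: the message is constructed from the From address, relay name and IP quoted in the Salin Bank post, while the receiving host `mx.example.net`, the timestamp and the function name are assumptions. It also assumes the topmost Received header was stamped by the recipient's own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: sender, relay and IP come from the Salin Bank post above;
# mx.example.net and the timestamp are placeholders.
RAW = """\
Received: from mail.afeok.com (mail.afeok.com [98.174.167.159])
\tby mx.example.net with ESMTP; Sat, 02 Aug 2008 22:15:40 -0500
From: Salin Bank <memberservice@salin.com>
Subject: This is not a promotional e-mail.

Dear CardHolder,
"""

# Matches "from HELO (rDNS [IP])" or "from HELO ([IP])" in a Received header.
RELAY_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)")

def header_findings(raw):
    """Return a list of red flags found in the message headers."""
    msg = message_from_string(raw)
    findings = []
    if not msg.get("To"):
        findings.append("no To header")
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = msg.get_all("Received") or []
    if hops and domain:
        # Headers are prepended in transit, so hops[0] is the newest hop:
        # the one recorded by the receiving server and not forgeable upstream.
        m = RELAY_RE.search(" ".join(hops[0].split()))
        if m:
            helo, rdns, ip = m.groups()
            relay = (rdns or helo).lower().rstrip(".")
            if not (relay == domain or relay.endswith("." + domain)):
                findings.append(f"relay {relay} [{ip}] is outside {domain}")
    return findings
```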