Something Smells Phishy To Me…

I received the following vishing attempt today.  The scam email asks its intended victims to call a number, (800) 927-1839 and tries to fool them into believing that they are calling their bank, U.S. Bank.  It then asks for secret US Bank account information, which of course will be used by the thieves to steal the victim’s identity and money.

Do not fall for these fake phone numbers.  If you have a question about a bank account or your credit card account always call the number printed on the card or call your local bank branch directly.

From: U.S. Bank Alerts [mailto:alerts@cs.usbank-email.com]
Sent: Saturday, December 06, 2008 2:15 PM
To: [redacted]
Subject: U.S. Bank (Message from Customer Service)

.

My wife received today this fake email in a attempt to scam Capital One credit card information.  Since the email tried to get her to call a fake phone number for Capital One, (800) 523-8103, this is technically a vishing attempt.  If you call the provided number you will hear that it is a poor quality recording trying to elicit account information.  Remember, ALWAYS call the number on the back of your credit card and NEVER the number provided in the email.

From: “Capital One” [service@capitaone.com> <216.57.96.8 (HELO mailout04.westnotificationsgroup.com)]
Sent: 11/27/2008 11:50 PM MST
Subject: Capital One Alert: Irregular Credit Card Activity

I followed up on my last post regarding the vishing attempt using 801.807.0323 and was pleasantly amused that the Federal Trade Commission had taken over the telephone number and provided an automatic message announcing that the number was involved in a phishing scam and providing additional educational information in reference to identity theft.

Good for them.  Good for consumers.

You can listen to the FTC message here:

ftc-message-about-telephone-scams

Now, I wonder when they will go after the telephone number account holder where the calls were being forwarded?  (515) 414-6098.  I’ve been calling repeatedly in an effort to interview the scammers, but surprisingly they will not answer the phone.

Investigator’s Notes:

This another vishing attempt using a phony phone number to try and scam people- albeit not a very good one.  The first thing that caught my eye was that the phone number; the scammers are trying to get their intended victims to call a Utah number, when in fact, GTE Federal Credit Union is headquartered in Tampa, FL.  When I called the provided number, 801-807-0323, it forwarded to another phone number, 515-414-6098 (an Ogden, Iowa number), and I received a standard generic voicemail prompt to leave a message.

From: GTE Federal Credit Union, [mailto:notice@gtefcu.org]
Sent: Tuesday, September 23, 2008 11:36 AM
Subject: Security Notice!

From: customerservice@financial.com
Sent: Friday, August 29, 2008 5:01 PM
To: [redacted]
Subject: MasterCard Fraud Prevention Alert

This is not a promotional e-mail. Please call us immediately at 1-800-291-1649 regarding recent restriction placed on your account. We’re available 24/7 to take your call. Please disregard this e-mail if you’ve already call us since the date this e-mail was sent.

We appreciate your prompt attention to this matter.

Thank you
Fraud Prevention Security Department
Ph. (800) 291-1649

This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by e-mail and destroy all copies of the original message.

++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

Listen to the recording of what happened when I called the 800 number! 

    mc-vishing-attempt

This one is a really interesting scam as the phishing attempt does not use a fake website in an attempt to elicit bank account information, but rather a toll free telephone number and an automated system in an effort to collect Salin Bank credit card numbers, expiration date and PIN code data.  This is certainly an escalation of effort and a savvy use of technology from the fraudsters who are probably using a VOIP / Linux application.  Since it used a telephone as part of the scam this could further be identified as a “vishing” attempt.

The email appears to have been routed through Amundsen Food Equipment mail servers in an effort to obfuscate the email sender’s originating IP address.

++++++++++++++++++++++++++++++++++++++++++

From: Salin Bank [mailto:memberservice@salin.com]
Sent: Saturday, August 02, 2008 10:15 PM
Subject: This is not a promotional e-mail.

++++++++++++++++++++++++++++++++++++++++++

Investigator Notes:

1.  The email was sent without a “To” field so that additional recipients could not be identified.  Most legitimate emails to account holders and customers are sent directly to the recipient and are often personalized with the account holder’s name in the email.

2.  The recipient of the email does not have an account with Salin Bank.

3.  The 800 number provided in the email could not be identified as a legitimate Salin Bank telephone number and is not listed on the Salin Bank website.

4.  When calling the provided telephone number, (800) 805-7110, the message and voice prompts do not identify the bank by name before asking for credit card account information.  It should be noted that the message heard when calling the number provided on the Salin Bank website is professionally recorded while the message and prompts heard when calling the fake telephone number sound like they were recorded using crude text to speech software; a lack of expected quality is generally a huge red flag when investigating fake corporate identity claims and counterfeit products.

5.  Advanced investigation techiniques:  The email’s originating IP is 98.174.167.159, which is assigned to Amundsen Food Equipment’s mail server, mail.afeok.com.  There is no reasonable or legitimate explanation why Salin Bank would route email through another company’s email server.  Fraudsters will often exploit weaknesses in mail servers in order to hide their identities.