Cataloguing Phishing and Scamming Attacks
HTRegz
January 27th, 2005, 06:20 PM
Hey Hey,
I just received my first phishing email... (at least the first one that I've noticed anyways)... and it got me thinking. These offers seem too good to be true (which they are) but that's part of the reason why people bite into them.. Hook, Line and Sinker.... They obviously work or we wouldn't still receive attempts. I'm willing to bet that a good number of people don't reply blindly, but that they at least try to find information (or at least I hope that they would). These people may search Google and find nothing so they 'don't worry as much because no one else has mentioned it and what are the odds that they're the only person to get this email' (or at least that seems to me to be a fairly normal line of thinking with people). We all know that if we search for our posts online that Google has many of them listed. Also the thread I posted about the phone call I received was responded to because someone else searched for that number on Google. It can be a source of information for some people.
So here's what I'm getting at (Yes I know... I'm long winded)... I think we need a single thread, dedicated to the purpose of cataloguing these phishing attempts. If we post every attempt we receive it could seriously narrow down the chances of someone being scammed. I realize there are sites dedicated to this, but AO is linked by some fairly big sites and is a rather large source of information for people... I think it'd be a nice addition to the site.
So here's the first one... including full headers... only my email address has been sanitized.
X-Gmail-Received: ec731e790fb4a937dfd81db3bbc8338a831e7a1c
Delivered-To: XXXXXXXX
Received: by 10.38.86.73 with SMTP id j73cs23808rnb;
    Thu, 27 Jan 2005 07:33:11 -0800 (PST)
Received: by 10.54.28.80 with SMTP id b80mr49576wrb;
    Thu, 27 Jan 2005 07:33:11 -0800 (PST)
Return-Path: <hagolden@zipmail.com.br>
Received: from www.zipmail.com.br (smtp.zipmail.com.br [200.221.11.147])
    by mx.gmail.com with ESMTP id 43si706330wri.2005.01.27.07.33.09;
    Thu, 27 Jan 2005 07:33:11 -0800 (PST)
Received-SPF: pass (gmail.com: domain of hagolden@zipmail.com.br designates 200.221.11.147 as permitted sender)
Received: from [66.178.81.66] by www.zipmail.com.br with HTTP; Thu, 27 Jan 2005 13:17:17 -0200
Message-ID: <41F8917500001FF7@www.zipmail.com.br>
Date: Thu, 27 Jan 2005 16:17:17 +0100
From: hagolden@zipmail.com.br
Subject: =?iso-8859-1?Q?from=20HARRY=20GOLDEN?=
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Dear Sir
PRIVATE AND CONFIDENTIAL.
First of all I wish to introduce myself, I am a bank manager with a bank
in Indonesia and we have a contract in the Sweden and my client and his
family died in the flood that claimed many life in Indonesia and we hav=
e
unconcluded business here in Indonesia which runs into millions and I wil=
l
need you to act as the next of kins to this transaction.
The bank have called for us to produce the next of kin immediately, since=
the client is dead, that we can be able to withdraw the sum of $30,000,00=
0.00.(Thirty
Million United States Dollar only.) deposited in their bank which we are
doing business with.
Kindly accept my appeal as quickly as possible to enable us divert the fu=
nd
to your account before the civil unrest in these Asia country is under co=
ntrol.
What I need from you is to act as next of kins to the fund I will introdu=
ce
you to the bank / companies attorney who have all the relevant documents
of the whole transaction and who will handle the process of this claims.
We have agreed the followings,
That you will be required to provide a company /private account were this=
money will be transferred to.
That you will produce a personal/company account to receive the sum of $3=
0,000,000.00.
That you will have 25% of the total sum when the money arrives in your ac=
count.
That 5% will be maped out for local and international expenses to be incu=
red
during the process of transaction.
This transaction is 100% Risk free,and you will be required to keep this
transaction absolutely confidential.
kindly forward to us your contact details for easy communication.
Thanks for anticipated corporation.
Yours faithfully,
HARRY GOLDEN.
------------------------------------------
Use o melhor sistema de busca da Internet
Radar UOL - http://www.radaruol.com.br
Anyways, it's just an idea... let's see if it flies.
Peace,
HT
MrLinus
January 27th, 2005, 07:16 PM
I don't know if I'd consider that a phish as much as a Nigerian/419 scam. And there are marked differences between the two.
Scams (variations of 419/Nigerian type)
- usually involves the claim that the recipient will receive a large sum of money for a small investment
- scams usually involve sending money to someone for a perceived service OR receiving money for an auction
- scams may also (as I noticed in a recent one) involve the transmission of goods and payments bouncing (fake money orders, cashier's cheques, etc.)
- scams rarely involve credit cards, pin numbers and the like
- scams are often done via email
- some scams play on people's emotions (recently saw one that pleaded for help after family lost and they couldn't access their parents "millions")
- top source: Nigeria
Phishing (Art of Gathering Information/Online Social Engineering)
- the activity is relatively an old practise but with newer twists. Historically done as an email attempt to get a user to send the attacker what their user name and password is to the server they access (think early internet and logging on to a single terminal -- pre-browser days; and yes, I remember these days)
- today, it starts with email and often leads to a website
- the email, representing a "credible" firm informs the user of the need for more information from them. Usually it centers around one of the following:
  - violation in the account
  - violation to the account
  - potential malicious activity by the user (best two I've seen in this regard: child porn and terrorist links)
  - potential investigation of user
  - verification of user/account info
  - upgrading of security features
- the email provides, for ease of use to the user, a link that has a spoofed URL. Main browser that has been targeted for this: Internet Explorer
- generally the website asks for things like username, password, credit card number, bank card number, security code on card(s), DOB, driver's license, SIN #, Mother's Maiden name, etc.
- many of these sites have links and graphics from the original source site
- main sites of target: eBay and Paypal are the two largest. Others: Visa, CitiBank, SunTrust, FDIC, etc.
- the url sometimes can be just enough to fool e.g., www.citibank-financial.com. Citibank is www.citibank.com but some may not realize that.
- top source for these: USA
My contention is that email SHOULD NOT have HTML capabilities and the person that thought this was a good idea be shot. Worst. Idea. Ever.
That all said, I do think it's worthwhile to have a list of phishing. While Antiphishing does a good job of keeping an archive, it seems rather selective. I've included a sample of a recent phish.
Oh.. and if you get a phish, notify the company that it affects (e.g., Paypal if it's a Paypal phish). They often can get the site dealt with quickly before anyone gets hugely hurt.
Dear PayPal Member,
Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your PayPal account and to ensure a safe PayPal experience. We require all flagged accounts to verify their information on file with us. To verify your Information at this time, please visit our secure server webform by clicking the hyperlink below
Click here to verify your Information
Thank you for using PayPal!
The PayPal Team
Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.
To receive email notifications in plain text instead of HTML, update your preferences here.
Protect Your Account Info
Make sure you never provide your password to fraudulent websites.
To safely and securely access the PayPal website or your account, open up a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (http://www.paypal.com/).
PayPal will never ask you to enter your password in an email.
For more information on protecting yourself from fraud, please review our Security Tips at http://www.paypal.com/securitytips
PayPal Email ID PP478
See attachment for HTML version. The code below is the "phish" location.
<td class=3D"pp_sansserif" align=3D"center"><a href=3D"http://66.219.105.161/webscr/" onMouseOver=3D"window.status=3D'https://www.paypal.com';return true;" onMouseOut=3D"window.status=3D' '; return true;">Click here to verify your Information</a>
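The link trick in the snippet above can be checked mechanically. This is an added example, not part of the original post: it decodes the quoted-printable HTML and compares where each link really goes with what the link text and the status-bar handler show the reader. The names `audit_links`, `decode_qp` and the finding labels are assumptions made for this example, and the benign anchor is constructed.

```python
import ipaddress
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The anchor quoted in the post above, still quoted-printable encoded.
PHISH_QP = (
    b'<td class=3D"pp_sansserif" align=3D"center">'
    b'<a href=3D"http://66.219.105.161/webscr/" '
    b'onMouseOver=3D"window.status=3D\'https://www.paypal.com\';return true;" '
    b'onMouseOut=3D"window.status=3D\' \'; return true;">'
    b'Click here to verify your Information</a>'
)
# Constructed benign anchor, for contrast.
BENIGN_HTML = ('<a href="http://www.paypal.com/securitytips">'
               'http://www.paypal.com/securitytips</a>')

URL_RE = re.compile(r"https?://[^\s'\"<>;]+", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collects every <a> element with its attributes and visible text."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = {"attrs": dict(attrs), "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(self._open)
            self._open = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decode_qp(raw):
    return quopri.decodestring(raw).decode("iso-8859-1")


def audit_links(html):
    """Return one record per link: real destination host plus findings."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    records = []
    for anchor in collector.anchors:
        attrs = anchor["attrs"]
        target = host_of(attrs.get("href") or "")
        findings = []
        if is_ip_literal(target):
            findings.append("ip-literal-href")
        # Hosts the reader is shown: URLs in the link text, plus any URL an
        # event handler writes into the browser status bar.
        shown = [("link-text", u) for u in URL_RE.findall(anchor["text"])]
        for name, value in attrs.items():
            if name.startswith("on") and "window.status" in (value or ""):
                shown += [("status-bar", u) for u in URL_RE.findall(value)]
        for where, url in shown:
            if host_of(url) != target:
                findings.append(f"{where}-shows:{host_of(url)}")
        records.append({"target": target, "findings": findings})
    return records
```

Run over the decoded sample, the record shows the real destination as the bare IP while the status bar claims www.paypal.com; the benign anchor produces no findings.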
HTRegz
January 27th, 2005, 07:20 PM
Hey Hey,
My Bad... guess you learn something new every day... I've only recently started to receive these type of emails, phone calls and messages. Since it won't let me change the topic would you mind doing it MsM? How about Phishing and Scams? or something along those lines.
Anyways I'll still stand by the idea that we should attempt to catalogue all the variations of these messages that travel the internet.
Thanks and Peace
HT
b3mok
January 27th, 2005, 08:07 PM
Now i have been a member of this site for some time and have been reading others posts more than posting replies. But i have to say one thing this is an extremely bad post.
MrLinus
January 27th, 2005, 08:10 PM
Now i have been a member of this site for some time and have been reading others posts more than posting replies. But i have to say one thing this is an extremely bad post.
Why do you think that?
b3mok
January 27th, 2005, 08:27 PM
I would be negged for saying so but the fact is that i believe that it is a fake mail.
No one sent it to no one.
It is created to be posted here.
I have a few points to support my claim but i need time to do so i will get back on that later.
MrLinus
January 27th, 2005, 08:33 PM
I would be negged for saying so but the fact is that i believe that it is a fake mail.
No one sent it to no one.
It is created to be posted here.
Good lord. You can't be that dense. Both the emails presented are real examples. HTRegz is a real example of a Nigerian Scam. And mine, to which I received two copies, is a sample of a phish. I didn't include the headers because the post was getting long enough as it is and felt they were irrelevant. But if it's so critical for you...
From - Sat Jan 22 02:55:58 2005
X-Account-Key: account3
X-UIDL: 2ab2ce97d66da3e42a115525296d55cf
X-Mozilla-Status: 1001
X-Mozilla-Status2: 10000000
X-Apparently-To: xx.xx.xx.xx via xx.xx.xx.xx; Fri, 21 Jan 2005 23:48:17 -0800
X-YahooFilteredBulk: xx.xx.xx.xx
Authentication-Results: xx.xx.xx.xx.yahoo.com
    from=paypal.com; domainkeys=neutral (no sig)
X-Originating-IP: [xx.xx.xx.xx]
Return-Path: <support@paypal.com>
Received: from xx.xx.xx.xx (EHLO mailhub.xx.xx) (xx.xx.xx.xx)
    by xx.xx.xx.xx.yahoo.com with SMTP; Fri, 21 Jan 2005 23:48:17 -0800
Received: from xx.xx.xx.xx (unknown [xx.xx.xx.xx])
    by mailhub.korax.net (Postfix) with SMTP id 82AA02B6CFA
    for <msmittens@msmittens.com>; Sat, 22 Jan 2005 02:48:15 -0500 (EST)
Received: from 132.104.204.48 by ; Sat, 22 Jan 2005 13:39:12 +0600
Message-ID: <LJWPTRUHRBXZWOSASORMPYPZZ@msn.com> (some how I doubt this is PayPal)
From: "PayPal" <support@paypal.com>
Reply-To: "PayPal" <support@paypal.com>
To: msmittens@msmittens.com
Subject: [Bulk] PayPal Flagged Account
Date: Sat, 22 Jan 2005 01:46:12 -0600
X-Webmail-Time: Sat, 22 Jan 2005 00:47:12 -0700
X-Antivirus: AVG for E-mail 7.0.300 [265.7.1]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-41F2070E52F0======="
[edit]
I did a quick search on the "Received: from" address (132.104.204.48):
Army National Guard Bureau ANGB-MIL (NET-132-104-0-0-1)
132.104.0.0 - 132.104.255.255
DoD Network Information Center NG-CONC3 (NET-132-95-0-0-1)
132.95.0.0 - 132.108.255.255
Definitely not paypal... ;)
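The header checks done by eye in the post above (a From address at paypal.com next to a Message-ID at msn.com, an unsigned DomainKeys result, and the earliest Received hop) can be scripted. This is an added example, not part of the original post: the function names and flag labels are assumptions, and the sample is constructed from the post's header values with a placeholder relay hop and recipient.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the post above: the From,
# Return-Path, Message-ID, Authentication-Results and bottom Received values
# are the post's; the relay hop and the recipient are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net
    from=paypal.com; domainkeys=neutral (no sig)
Return-Path: <support@paypal.com>
Received: from relay.example.net (unknown [192.0.2.10])
    by mx.example.net with SMTP; Sat, 22 Jan 2005 02:48:15 -0500 (EST)
Received: from 132.104.204.48 by ; Sat, 22 Jan 2005 13:39:12 +0600
Message-ID: <LJWPTRUHRBXZWOSASORMPYPZZ@msn.com>
From: "PayPal" <support@paypal.com>
Reply-To: "PayPal" <support@paypal.com>
To: recipient@example.org
Subject: [Bulk] PayPal Flagged Account
Date: Sat, 22 Jan 2005 01:46:12 -0600

"""

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def addr_domain(value):
    """Domain part of an address header, or '' if the header is absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def org_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    # A production check would consult the Public Suffix List instead.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def check_headers(raw):
    msg = message_from_string(raw)
    from_dom = addr_domain(msg["From"])
    msgid = re.search(r"@([^>\s]+)", msg.get("Message-ID", ""))
    msgid_dom = msgid.group(1).lower() if msgid else ""
    # Each hop prepends its Received header, so the last one in the message
    # is the earliest hop and the closest to the real origin.
    hops = msg.get_all("Received") or []
    origin = IPV4_RE.search(hops[-1]) if hops else None
    dk = re.search(r"domainkeys=(\w+)", msg.get("Authentication-Results", ""))

    flags = []
    for name in ("Return-Path", "Reply-To"):
        dom = addr_domain(msg[name])
        if dom and org_domain(dom) != org_domain(from_dom):
            flags.append(f"{name.lower()}-domain-mismatch")
    if msgid_dom and org_domain(msgid_dom) != org_domain(from_dom):
        flags.append("message-id-domain-mismatch")
    if dk is None or dk.group(1) != "pass":
        flags.append("from-domain-not-authenticated")
    return {
        "from": from_dom,
        "message_id": msgid_dom,
        "origin_ip": origin.group(0) if origin else None,
        "flags": flags,
    }
```

A Message-ID domain that differs from the From domain is a triage signal rather than proof, since legitimate mail sent through third-party services can show the same pattern; the extracted origin IP is what you would then look up, as the post does.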
fraggin
January 27th, 2005, 08:37 PM
I strongly disagree b3mok. The intent of this post was to recommend a catalogue of phishing and scam~mails. There is no reason to neg a user for such minimal circumstances.
|3lack|ce
January 27th, 2005, 08:37 PM
But i have to say one thing this is an extremely bad post.
I negged you because, yes, that was a very bad post you made. You contributed nothing to the ongoing thread, which has good potential to be used as a learning tool. Evidently someone else agreed with me because the thread quickly became extremely negative. I then greened the original poster and the thread itself to try to keep things going here.
Some of us would dearly love to read and learn about the various scams and phishes going around. This is usually the place where we see them first.
Donkey Punch
January 27th, 2005, 08:39 PM
TheHorse13 and I were looking into a similar phishing site, and I will not post the URL, but some things were clear it was not legit:
1. whois showed the registrant used a PO Box instead of a real address.
2. Had a credit fixing service.
3. No privacy policy (2 sentences)
4. No way to contact via phone
5. Not listed with the BBB
6. The SSL cert was not valid
7. An affiliate program where people could make money via mortgages.
It reeked of a spam operation....
|3lack|ce
January 27th, 2005, 08:41 PM
Do please enlighten us with that url Donkey Punch?
dinowuff
January 27th, 2005, 08:42 PM
This really wouldn't be a bad idea. I agree that there are differences. So you categorize the catalog:
Phishing
Scam
Virus
But then you get into the virus arena where the virus creates an email stating that you need to "click the following link to reset your password" signed computer/company staff.
Of course you only get infected by clicking the link, well wait....
Now I'm confused - it's a virus because it replicates itself
You were tricked into launching the virus (Phishing)
The Trojan installed allows a remote user to steal you bank info (Scam)
S**T this is going to keep me awake all night :D
Never mind Trend already did this http://www.trendmicro.com/vinfo/default.asp?sect=SA
b3mok
January 27th, 2005, 08:44 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=265602#post819661) by |3lack|ce
I negged you because, yes, that was a very bad post you made. You contributed nothing to the ongoing thread, which has good potential to be used as a learning tool. Evidently someone else agreed with me because the thread quickly became extremely negative. I then greened the original poster and the thread itself to try to keep things going here.
Some of us would dearly love to read and learn about the various scams and phishes going around. This is usually the place where we see them first.
|3lack|ce u negged me coz you can you don't have to give an excuse.
Now if you can keep your ****ing mouth shut let me concentrate on that mails header and by the way have you ever before seen a mail header son?
MrLinus
January 27th, 2005, 08:45 PM
Now I'm confused - it's a virus because it replicates itself
You were tricked into launching the virus (Phishing)
The Trojan installed allows a remote user to steal you bank info (Scam)
I thought worms replicated themselves. I don't know if I'd include Scam in there since it's a trojan (active program rather than social engineering) that steals the info. Most scams usually require the user to do legitimate activities (e.g., transferring of funds) under false pretenses (e.g., the idea that they are going to get rich). The scammer tends to be rather passive for this.
...let me concentrate on that mails header and by the way have you ever before seen a mail header son?
Don't hurt yourself, sweetie. :D
dinowuff
January 27th, 2005, 08:53 PM
Thanks MsM - I stand enlightened.
I thought that the definition of a virus was 'a program that replicates itself'
I didn't consider the programming vs social engineering aspect.
Yea and b3mok WTF?
Donkey Punch
January 27th, 2005, 08:56 PM
http://personalcreditservices.com/Default.html
Have fun looking around and seeing what you can find that is illegit. :D
MrLinus
January 27th, 2005, 08:57 PM
I thought that the definition of a virus was 'a program that replicates itself'
Viruses tend to need help replicating continually. It's not just a matter of clicking but doing activity that will cause it to replicate (e.g, macro viruses). Worms, while initially getting help to get started, once started are quite independent creatures.
At least that's the way I understand it.
vlad warghoul
January 27th, 2005, 10:04 PM
Well here is a legit site that tracks phishing scams through the feedback of the user community and their own staff. It will also lend some insight into the world of these scams and how they work. Training, training, training is the answer. Make your users, family members, etc. aware of these and they will not be as effective. Enjoy...
http://www.antiphishing.org/
Tiger Shark
January 28th, 2005, 12:29 AM
b3mok:
Before I neg you... In case you get banned and I never get a chance to say this.....
I'm negging you because you have all the experience and skill of a retarded slug..... This stuff is at least four years old. HT only received one recently... So what? there are reasons why and I won't speculate on them here.
I'm also negging you because you not only took a stupid shot at HT but you had the incredible stupidity to take one at Ms. M. It shows that you don't pay attention to detail.... Detail is what computer security is all about.... It's the little things like looking to see who the hell Ms. M. _might_ be.... It takes but 30 seconds research to work out that she is, and has been for a long time, the senior administrator here and is well respected by everyone who has ever read anything she posts or responds to. but I guess, in your desperate wandering through the headers of the email trying to prove your worth you forgot the "details" didn't you......
Oh, and, by the way:-
Now i have been a member of this site for some time
registering in Dec 2004 hardly makes you an "old timer".... There are annoying insects that live longer than you have been here....
Now, to the subject at hand......
let me concentrate on that mails header and by the way have you ever before seen a mail header son?
I'll take this in two parts if I may:-
1. What, _exactly_, are you going to show me from these headers? That the email originated from a UK or Dutch ISP, (that's where they often come from), but that the originating IP, if it is present, (some ISPs block the originating IP, did you know that? Didn't think so...), is somewhere in, gosh, Africa????? OMG, unbelievable..... Son, (and I'm pretty sure I can say that with authority), you will hit a dead end before you start.... It will be an Internet Cafe somewhere in Woga-Woga Chad, (Chad is a country in Africa.... trust me on this one.....). Give up before you start... we've all been down this road years ago....
2. It's cute that you call people "son". You need one of two things to carry it off, preferably both. First you need some age.... I can't say how much of that you have so we'll drop that part. But then, even with the age bit in place you need some experience in what you are talking about coupled with actual knowledge.... Otherwise the "age" thing just becomes "grandpappy yelling at the grandkids" _because_ he's older..... You just did the grandpappy thing.... and failed dismally.... Blackice may not be as old as you but I do know he's smarter than you... I learned that from experience....
Give up reading the headers... this shit is old hat.... Quit abusing people whose shoes you couldn't shine and quit calling people "son".... You don't have the credentials to carry it off....
Now... It's Bam time..... You ever watch Emeril?
OUCH.... A grey down to two reds....
Ohhh.... the power....
Let him be folks.... I'm dying to see the response.... ;)
Donkey Punch
January 28th, 2005, 01:48 AM
It could have been somebody that got banned then signed up again, but it does not sound that way. On with the program
devpon
January 28th, 2005, 04:04 AM
posted Today 02:44 PM
Viewing user-hidden post
Now if you can keep your ****ing mouth shut let me concentrate on that mails header and by the way have you ever before seen a mail header son?
b3mok, damm son, it has now been over 7 hours, where is that mail header info I told you to get?
|3lack|ce
January 28th, 2005, 04:09 AM
I think we're still waiting on it - I just HAD to add this though, after maintaining silence rather than letting it degenerate to a flamewar between (yet another) idiot and myself:
Now... It's Bam time..... You ever watch Emeril?
GO TIGER!!!!!!!!
And yet again we see truth to the old adage about not needing common sense because we have Tiger Shark.
Oh, and one more tip of the rapier - I could've *walked* that header report to AO by now...son. *cackle* He missed on the 'son' bit too - I'm 39. Bet my kid is his age.
littlenick
January 28th, 2005, 06:13 AM
Now if you can keep your ****ing mouth shut let me concentrate on that mails header and by the way have you ever before seen a mail header son?
I guess he made a mistake and he is never gonna come back to AO. Shouldn't there be some entrance test for people who want to join AO?
At least a simple mathematical question paper + some questions from c c++ and networking .........
What the hell was he thinking ?
I mean when you see a post by MsMittens you know it is something damn good and for someone to question its credibility is .............WTF (I don't have proper words, I mean to call it stupidity or a hectic and imprudent move will be insulting these words :D )
b3mok
January 28th, 2005, 11:01 AM
yah yah yah two red dot great isn't it?
Littlenick you ******* you are wrong i am right here facing all you idiots who think of themself as some one special.
Now i guess i am about to be banned after this post of mine but you *******s should remember that i am coming back in a few days with another id and with a bang that will prove you all that you guys are nothing more than newbies.
Tiger Shark
January 28th, 2005, 11:57 AM
That's it?????
No startling revelations from the headers? No phone number and photograph of the perpetrator of this heinous crime?
Why do I have the horrible feeling that your "bang" will be more of a "phhhht"....
You're right, not one of us here have a clue......
This is all a big joke right..... Memory?
Negative
January 28th, 2005, 03:36 PM
Let me end your suffering, b3mok... you're welcome.
BTW: if we're going to catalogue scams, let's definitely include the "I need to buy some hardware from you and I'll pay with a cc if you ship to Nigeria!" scam :D
Here's one I got this morning:
Return-path: <tom_deen1@yahoo.com>
Envelope-to: XXX
Delivery-date: Fri, 28 Jan 2005 08:23:04 -0500
Received: from [68.142.200.162] (helo=web30909.mail.mud.yahoo.com)
    by server78.totalchoicehosting.com with smtp (Exim 4.44)
    id 1CuW5X-0005Cg-Oe
    for XXX; Fri, 28 Jan 2005 08:23:03 -0500
Received: (qmail 16077 invoked by uid 60001); 28 Jan 2005 13:24:10 -0000
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.com;
    b=RUm5oSYt7oYUdZ6dCznpRvCUQlzfx+KVQrP0bjpYaSrmHqPUEKHbx0+arUZ+s0BcIZbVNF6qVdrY7+lAQ2vO5biVQwgseCCezXiNkOKEpf80591ziOHuaAHe8y6BmJVm3O7upmwVTAyAjZkcl/GnctfIO2uKtRR+dMX/c83jlNg= ;
Message-ID: <20050128132410.16075.qmail@web30909.mail.mud.yahoo.com>
Received: from [81.18.42.115] by web30909.mail.mud.yahoo.com via HTTP; Fri, 28 Jan 2005 05:24:10 PST
Date: Fri, 28 Jan 2005 05:24:10 -0800 (PST)
From: tom deen <tom_deen1@yahoo.com>
Subject: products enquiry needed
To: tom_deem1@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-578902174-1106918650=:15605"
X-Antivirus: avast! (VPS 0504-3, 01/27/2005), Inbound message
X-Antivirus-Status: Clean
--0-578902174-1106918650=:15605
Content-Type: text/plain; charset=us-ascii
Hello sales
I will like to order some items from your store but first i'll
really appreciate if you can give me an approval to the products
available in your store before i' proceed with the items
needed.i'll also like you to know that my mode of payment is with my
Credit Card Accounts and i want those items to shipped to NIGERIA ,so
please let me know your response. notes:i will like to know your
acceptable credit card for the payment
Regards
mr tom deen
I've learned that asking for the cc info right away usually works... even before they tell you what they want to order :D
More stuff to send to the FBI... This one seems to be actually located in Nigeria... that's a new one... heh... the others were in Germany/Holland.
Tiger Shark
January 28th, 2005, 03:43 PM
Ohhhh... Neg.... You killed him..... ;)
Now... Should we get back to the topic at hand?
My personal feeling is that there are already places out there where much of this stuff is categorized... Wouldn't we be re-inventing the wheel?
MrLinus
January 28th, 2005, 03:58 PM
The biggest place I know of is Antiphishing.org but they seem rather selective at posting the phishing samples they receive. Additionally, there is a bit of a delay (2-3 days) before it appears on their archive or on their website. This might provide a quicker heads up and might also make others more aware of the risks.
Tiger Shark
January 28th, 2005, 04:04 PM
I'd suggest the delay is because they are waiting for the server to be shut down... But that's speculation....
Outside of that this would only be useful on a personal level. I'm surely not going to send out a warning to my users every time something gets posted... It would end up a lot like "crying wolf".
What might be handy is cataloging the trick/technique that the scammer is using and how to defeat/recognize the redirection. That would result in a more compact forum and "cut to the quick" rather than being an endless list of the same old phish perpetrated in the names of 100 financial institutions....
Just my $2.... ;)
nihil
January 29th, 2005, 01:05 AM
£$%^&!
I missed this one,
Tiger~ shame on you sir!
I'm negging you because you have all the experience and skill of a retarded slug
Shame on you sir! have you any idea of the hours of hard work that my wife puts into the care and maintenance of a rest centre for those poor creatures? (it is called "our garden" by the way :D )
I don't think that worms, viruses trojans are really relevant here. This seems to be about scams, frauds, identity thefts which are more in the social engineering area? I personally feel that social engineering is an important facet of IT security that quite a few of us do not pay enough attention to, because it has little or no technical content.
What might be handy is cataloging the trick/technique that the scammer is using and how to defeat/recognize the redirection. That would result in a more compact forum and "cut to the quick" rather than being an endless list of the same old phish perpetrated in the names of 100 financial institutions....
That is very true IMHO, it is the underlying methodology rather than the detail that is important.
My, hopefully, constructive suggestion is that the title should contain "identity theft", "fraud" and "confidence tricks". That way people searching might find the information somewhat more easily. The victims of these activities almost certainly are not familiar with terms like "phishing" :)