
Thread: Cataloguing Phishing and Scamming Attacks

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915

    Cataloguing Phishing Attacks

    Hey Hey,

    I just received my first phishing email... (at least the first one that I've noticed anyways)... and it got me thinking. These offers seem too good to be true (which they are) but that's part of the reason why people bite into them.. Hook, Line and Sinker.... They obviously work or we wouldn't still receive attempts. I'm willing to bet that a good number of people don't reply blindly, but that they at least try to find information (or at least I hope that they would). These people may search google and find nothing so they 'don't worry as much because no one else has mentioned it and what are the odds that they're the only person to get this email' (or at least that seems to me to be a fairly normal line of thinking with people). We all know that if we search for our posts online that google has many of them listed. Also the thread I posted about the phone call I received was responded to because someone else searched for that number on google. It can be a source of information for some people.

    So here's what I'm getting at (Yes I know... I'm long winded)... I think we need a single thread, dedicated to the purpose of cataloguing these phishing attempts. If we post every attempt we receive it could seriously narrow down the chances of someone being scammed. I realize there are sites dedicated to this, but AO is linked by some fairly big sites and is a rather large source of information for people... I think it'd be a nice addition to the site.

    So here's the first one... including full headers... only my email address has been sanitized.

    X-Gmail-Received: ec731e790fb4a937dfd81db3bbc8338a831e7a1c
    Delivered-To: XXXXXXXX
    Received: by 10.38.86.73 with SMTP id j73cs23808rnb;
    Thu, 27 Jan 2005 07:33:11 -0800 (PST)
    Received: by 10.54.28.80 with SMTP id b80mr49576wrb;
    Thu, 27 Jan 2005 07:33:11 -0800 (PST)
    Return-Path: <hagolden@zipmail.com.br>
    Received: from www.zipmail.com.br (smtp.zipmail.com.br [200.221.11.147])
    by mx.gmail.com with ESMTP id 43si706330wri.2005.01.27.07.33.09;
    Thu, 27 Jan 2005 07:33:11 -0800 (PST)
    Received-SPF: pass (gmail.com: domain of hagolden@zipmail.com.br designates 200.221.11.147 as permitted sender)
    Received: from [66.178.81.66] by www.zipmail.com.br with HTTP; Thu, 27 Jan 2005 13:17:17 -0200
    Message-ID: <41F8917500001FF7@www.zipmail.com.br>
    Date: Thu, 27 Jan 2005 16:17:17 +0100
    From: hagolden@zipmail.com.br
    Subject: =?iso-8859-1?Q?from=20HARRY=20GOLDEN?=
    MIME-Version: 1.0
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    Dear Sir

    PRIVATE AND CONFIDENTIAL.

    First of all I wish to introduce myself, I am a bank manager with a bank
    in Indonesia and we have a contract in the Sweden and my client and his
    family died in the flood that claimed many life in Indonesia and we have
    unconcluded business here in Indonesia which runs into millions and I will
    need you to act as the next of kins to this transaction.

    The bank have called for us to produce the next of kin immediately, since
    the client is dead, that we can be able to withdraw the sum of $30,000,000.00.(Thirty
    Million United States Dollar only.) deposited in their bank which we are
    doing business with.

    Kindly accept my appeal as quickly as possible to enable us divert the fund
    to your account before the civil unrest in these Asia country is under control.

    What I need from you is to act as next of kins to the fund I will introduce
    you to the bank / companies attorney who have all the relevant documents
    of the whole transaction and who will handle the process of this claims.

    We have agreed the followings,

    That you will be required to provide a company /private account were this
    money will be transferred to.

    That you will produce a personal/company account to receive the sum of $30,000,000.00.

    That you will have 25% of the total sum when the money arrives in your account.

    That 5% will be maped out for local and international expenses to be incured
    during the process of transaction.

    This transaction is 100% Risk free,and you will be required to keep this
    transaction absolutely confidential.

    kindly forward to us your contact details for easy communication.

    Thanks for anticipated corporation.

    Yours faithfully,

    HARRY GOLDEN.





    ------------------------------------------
    Use the best search engine on the Internet
    Radar UOL - http://www.radaruol.com.br


    Anyways, it's just an idea... let's see if it flies.

    Peace,
    HT

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I don't know if I'd consider that a phish as much as a Nigerian/419 scam. And there are marked differences between the two.

    Scams (variations of 419/Nigerian type)
    - usually involve the claim that the recipient will receive a large sum of money for a small investment
    - scams usually involve sending money to someone for a perceived service OR receiving money for an auction
    - scams may also (as I noticed in a recent one) involve the transmission of goods and payments bouncing (fake money orders, cashier's cheques, etc.)
    - scams rarely involve credit cards, PIN numbers and the like
    - scams are often done via email
    - some scams play on people's emotions (recently saw one that pleaded for help after family lost and they couldn't access their parents' "millions")
    - top source: Nigeria

    Phishing (Art of Gathering Information/Online Social Engineering)
    - the activity is a relatively old practice but with newer twists. Historically done as an email attempt to get a user to send the attacker what their user name and password is to the server they access (think early internet and logging on to a single terminal -- pre-browser days; and yes, I remember these days)
    - today, it starts with email and often leads to a website
    - the email, representing a "credible" firm, informs the user of the need for more information from them. Usually it centers around one of the following:
      - violation in the account
      - violation to the account
      - potential malicious activity by the user (best two I've seen in this regard: child porn and terrorist links)
      - potential investigation of user
      - verification of user/account info
      - upgrading of security features
    - the email provides, for ease of use to the user, a link that has a spoofed URL. Main browser that has been targeted for this: Internet Explorer
    - generally the website asks for things like username, password, credit card number, bank card number, security code on card(s), DOB, driver's license, SIN #, mother's maiden name, etc.
    - many of these sites have links and graphics from the original source site
    - main sites of target: eBay and PayPal are the two largest. Others: Visa, CitiBank, SunTrust, FDIC, etc.
    - the URL sometimes can be just enough to fool, e.g., www.citibank-financial.com. Citibank is www.citibank.com but some may not realize that.
    - top source for these: USA


    My contention is that email SHOULD NOT have HTML capabilities and the person that thought this was a good idea be shot. Worst. Idea. Ever.

    That all said, I do think it's worth while to have a list of phishing. While Antiphishing does a good job of keeping an archive, it seems rather selective. I've included a sample of a recent phish.

    Oh.. and if you get a phish, notify the company that it affects (e.g., Paypal if it's a Paypal phish). They often can get the site dealt with quickly before anyone gets hugely hurt.

    Dear PayPal Member,

    Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your PayPal account and to ensure a safe PayPal experience. We require all flagged accounts to verify their information on file with us. To verify your Information at this time, please visit our secure server webform by clicking the hyperlink below

    Click here to verify your Information



    Thank you for using PayPal!
    The PayPal Team
    Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

    To receive email notifications in plain text instead of HTML, update your preferences here.


    Protect Your Account Info
    Make sure you never provide your password to fraudulent websites.

    To safely and securely access the PayPal website or your account, open up a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (http://www.paypal.com/).

    PayPal will never ask you to enter your password in an email.

    For more information on protecting yourself from fraud, please review our Security Tips at http://www.paypal.com/securitytips

    PayPal Email ID PP478
    See attachment for HTML version. The code below is the "phish" location.

    <td class="pp_sansserif" align="center"><a href="http://66.219.105.161/webscr/" onMouseOver="window.status='https://www.paypal.com';return true;" onMouseOut="window.status=' '; return true;">Click here to verify your Information</a
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
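The status-bar trick in that snippet (window.status rewritten on mouse-over so the browser shows paypal.com while the href points at a bare IP) is exactly the kind of mismatch a mail filter can check for mechanically. The script below is an added example, not MsMittens' code or anything from the thread: it parses HTML with Python's standard html.parser, collects every anchor, and flags a link when the status-bar text names a different host than the href, or when the href host is an IP literal. The sample HTML is the snippet from the post with its quoted-printable "=3D" decoded, plus a benign link added for contrast; the function and variable names are the example's own.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches the status-bar override used in the phish: window.status='https://...'
STATUS_RE = re.compile(r"window\.status\s*=\s*'([^']*)'")

# Sample input: the anchor quoted in the post (with =3D decoded), followed by a
# constructed benign link so the auditor shows both outcomes.
SAMPLE_HTML = """
<td class="pp_sansserif" align="center"><a href="http://66.219.105.161/webscr/"
onMouseOver="window.status='https://www.paypal.com';return true;"
onMouseOut="window.status=' '; return true;">Click here to verify your Information</a></td>
<a href="https://www.paypal.com/">Log in to PayPal</a>
"""


def _is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class AnchorAuditor(HTMLParser):
    """Collects every <a> with its href, visible text and any status-bar override."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)  # html.parser lowercases attribute names
        m = STATUS_RE.search(a.get("onmouseover") or "")
        self._open = {
            "href": a.get("href") or "",
            "text": "",
            "status": m.group(1) if m else None,
        }

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(self._open)
            self._open = None


def audit_anchors(html):
    """Return one finding per anchor; 'suspicious' is set when a reason was found."""
    parser = AnchorAuditor()
    parser.feed(html)
    parser.close()
    results = []
    for a in parser.anchors:
        href_host = urlparse(a["href"]).hostname or ""
        status_host = urlparse(a["status"]).hostname if a["status"] else None
        reasons = []
        if status_host and status_host != href_host:
            reasons.append(f"status bar shows {status_host} but link goes to {href_host}")
        if _is_ip_literal(href_host):
            reasons.append("link target is a bare IP address")
        results.append({
            "text": a["text"].strip(),
            "href_host": href_host,
            "status_host": status_host,
            "reasons": reasons,
            "suspicious": bool(reasons),
        })
    return results


if __name__ == "__main__":
    for finding in audit_anchors(SAMPLE_HTML):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"[{flag}] {finding['text']!r} -> {finding['href_host']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

The comparison is on hostnames only, so a link whose status text and href differ merely in path is not flagged; that keeps the check useful on legitimate mail that sets window.status for cosmetic reasons.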

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    My Bad... guess you learn something new every day... I've only recently started to receive these types of emails, phone calls and messages. Since it won't let me change the topic would you mind doing it MsM? How about Phishing and Scams? or something along those lines.

    Anyways I'll still stand by the idea that we should attempt to catalogue all the variations of these messages that travel the internet.

    Thanks and Peace
    HT

  4. #4
    Now i have been a member of this site for some time and have been reading others' posts more than posting replies. But i have to say one thing: this is an extremely bad post.

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Now i have been a member of this site for some time and have been reading others' posts more than posting replies. But i have to say one thing: this is an extremely bad post.
    Why do you think that?

  6. #6
    I would be negged for saying so but the fact is that i believe that it is a fake mail.
    No one sent it to no one.
    It is created to be posted here.

    I have a few points to support my claim but i need time to do so i will get back on that later.

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I would be negged for saying so but the fact is that i believe that it is a fake mail.
    No one sent it to no one.
    It is created to be posted here.
    Good lord. You can't be that dense. Both the emails presented are real examples. HTRegz is a real example of a Nigerian Scam. And mine, to which I received two copies, is a sample of a phish. I didn't include the headers because the post was getting long enough as it is and felt they were irrelevant. But if it's so critical for you...

    From - Sat Jan 22 02:55:58 2005
    X-Account-Key: account3
    X-UIDL: 2ab2ce97d66da3e42a115525296d55cf
    X-Mozilla-Status: 1001
    X-Mozilla-Status2: 10000000
    X-Apparently-To: xx.xx.xx.xx via xx.xx.xx.xx; Fri, 21 Jan 2005 23:48:17 -0800
    X-YahooFilteredBulk: xx.xx.xx.xx
    Authentication-Results: xx.xx.xx.xx.yahoo.com
    from=paypal.com; domainkeys=neutral (no sig)
    X-Originating-IP: [xx.xx.xx.xx]
    Return-Path: <support@paypal.com>
    Received: from xx.xx.xx.xx (EHLO mailhub.xx.xx) (xx.xx.xx.xx)
    by xx.xx.xx.xx.yahoo.com with SMTP; Fri, 21 Jan 2005 23:48:17 -0800
    Received: from xx.xx.xx.xx (unknown [xx.xx.xx.xx])
    by mailhub.korax.net (Postfix) with SMTP id 82AA02B6CFA
    for <msmittens@msmittens.com>; Sat, 22 Jan 2005 02:48:15 -0500 (EST)
    Received: from 132.104.204.48 by ; Sat, 22 Jan 2005 13:39:12 +0600
    Message-ID: <LJWPTRUHRBXZWOSASORMPYPZZ@msn.com> (some how I doubt this is PayPal)
    From: "PayPal" <support@paypal.com>
    Reply-To: "PayPal" <support@paypal.com>
    To: msmittens@msmittens.com
    Subject: [Bulk] PayPal Flagged Account
    Date: Sat, 22 Jan 2005 01:46:12 -0600
    X-Webmail-Time: Sat, 22 Jan 2005 00:47:12 -0700
    X-Antivirus: AVG for E-mail 7.0.300 [265.7.1]
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="=======AVGMAIL-41F2070E52F0======="

    [edit]

    I did a quick search on the "Received: from" address (132.104.204.48):

    Army National Guard Bureau ANGB-MIL (NET-132-104-0-0-1)
    132.104.0.0 - 132.104.255.255
    DoD Network Information Center NG-CONC3 (NET-132-95-0-0-1)
    132.95.0.0 - 132.108.255.255
    Definitely not paypal...
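Tracing the Received chain back to the first hop and noticing that the Message-ID names msn.com while From claims paypal.com, as done by hand above, can be scripted. This is an added example, not the poster's code: it uses Python's standard email module on a constructed header block modelled on the one above. The xx.xx.xx.xx placeholders are replaced with RFC 5737 documentation addresses and example.* hostnames; the 132.104.204.48 hop, the msn.com Message-ID and the paypal.com From/Return-Path are the values from the post. It lists the hops, picks out the earliest IP (the one a whois lookup would start from), and reports which identity headers name a domain other than the From domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: headers modelled on the post above. Placeholder
# addresses use RFC 5737 documentation ranges; the last Received hop and
# the Message-ID domain are the values quoted in the post.
RAW_HEADERS = """\
X-Apparently-To: victim@example.net via 192.0.2.20; Fri, 21 Jan 2005 23:48:17 -0800
Authentication-Results: mta.example.net
  from=paypal.com; domainkeys=neutral (no sig)
Return-Path: <support@paypal.com>
Received: from 192.0.2.10 (EHLO mailhub.example.org) (192.0.2.10)
  by mta.example.net with SMTP; Fri, 21 Jan 2005 23:48:17 -0800
Received: from 198.51.100.7 (unknown [198.51.100.7])
  by mailhub.example.org (Postfix) with SMTP id 82AA02B6CFA
  for <victim@example.net>; Sat, 22 Jan 2005 02:48:15 -0500 (EST)
Received: from 132.104.204.48 by ; Sat, 22 Jan 2005 13:39:12 +0600
Message-ID: <LJWPTRUHRBXZWOSASORMPYPZZ@msn.com>
From: "PayPal" <support@paypal.com>
Reply-To: "PayPal" <support@paypal.com>
To: victim@example.net
Subject: [Bulk] PayPal Flagged Account
Date: Sat, 22 Jan 2005 01:46:12 -0600

"""


def received_chain(raw):
    """Received headers in message order (first = the hop closest to the reader)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())  # unfold continuation lines
        hops.append({"raw": line, "ips": IP_RE.findall(line)})
    return hops


def originating_ip(raw):
    """IP from the earliest Received line that names one, i.e. the sender's hop."""
    for hop in reversed(received_chain(raw)):
        if hop["ips"]:
            return hop["ips"][0]
    return None


def domain_of(header_value):
    """Domain part of the first address in a header value, lowercased."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower()


def header_domain_mismatches(raw):
    """(From domain, [(header, domain)]) for identity headers that disagree with From."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    mismatches = []
    for name in ("Return-Path", "Reply-To", "Message-ID"):
        value = msg.get(name)
        if value is None:
            continue
        dom = domain_of(value)
        if dom and dom != from_domain:
            mismatches.append((name, dom))
    return from_domain, mismatches


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(RAW_HEADERS), 1):
        print(f"hop {i}: {hop['ips']}  {hop['raw'][:60]}...")
    print("originating IP (look this one up in whois):", originating_ip(RAW_HEADERS))
    from_dom, bad = header_domain_mismatches(RAW_HEADERS)
    print(f"From claims {from_dom}; headers disagreeing: {bad}")
```

The Received chain is read bottom-up because each relay prepends its own line, so the last one in the header block is the oldest. Anything below a hop you trust can be forged by the sender, which is why the script only reports the earliest IP rather than trusting it; the domain comparison is a cheap second signal that needs no network access.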

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    224
    I strongly disagree d3mok. The intent of this post was to recommend a catalogue of phishing and scam~mails. There is no reason to neg a user for such minimal circumstances.
    There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.

  9. #9
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    But i have to say one thing: this is an extremely bad post.
    I negged you because, yes, that was a very bad post you made. You contributed nothing to the ongoing thread, which has good potential to be used as a learning tool. Evidently someone else agreed with me because the thread quickly became extremely negative. I then greened the original poster and the thread itself to try to keep things going here.

    Some of us would dearly love to read and learn about the various scams and phishes going around. This is usually the place where we see them first.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  10. #10
    Socialist Utopia Donkey Punch's Avatar
    Join Date
    Sep 2004
    Location
    In the basement
    Posts
    319
    TheHorse13 and I were looking into a similar phishing site, and I will not post the URL, but some things were clear it was not legit:

    1. whois showed the registrant used a PO Box instead of a real address.

    2. Had a credit fixing service.

    3. No privacy policy (2 sentences)

    4. No way to contact via phone

    5. Not listed with the BBB

    6. The SSL cert was not valid

    7. an affiliate program where people could make money via mortgages.

    It reeked of a spam operation....
    In loving memory of my step daughter 1987-2006

    Liberty In North Korea
