Bank.uofcfcu.com Phishing scheme
Results 1 to 10 of 10

Thread: Bank.uofcfcu.com Phishing scheme

  1. #1
    Junior Member
    Join Date
    Apr 2005
    Posts
    18

    Bank.uofcfcu.com Phishing scheme

    My girlfriend was just a victim and she's very pissed off at herself for falling for it. I've told her about these types of tricks and she still fell for it unfortunately. She was sent an email requesting her identity to be verified and they asked for social security number and credit card numbers. See Below:

    "
    Elevations Credit Union is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive bank account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
    Why is my account access limited?

    Your account access has been limited for the following reason(s):
    # Jul 13, 2006: We would like to ensure that your account was not accessed by an unauthorized third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive Elevations Credit Union account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

    (Your case ID for this reason is NSRA04-410-321-4364.)

    protect you. At Elevations Credit Union , one of our most important responsibilities to you, our customer, is the safekeeping of the nonpublic personal ("confidential") information you have entrusted to us and using this information in a responsible manner. Appropriate use of the confidential information you provide us is also at the heart of our ability to provide you with exceptional personal service whenever you contact us.

    Please confirm your identity here: https://bank.uofcfcu.com/UOFCFCU/Login.aspx

    Completing all of the checklist items will automatically restore your account access.

    Copyright ©2005 U of C Federal Credit Union/Member NCUA. All Rights Reserved. "


    I did a couple scans on this host name and it turned up this IP address: 12.111.190.67. I checked DNS Stuff and did a City by ISP and it said that the IP looks like its from Canby, Oregon. I'm interested in reporting this person but also finding out more about them, what else can I do? I've already emailed the antiphishing group (I found the sticky in the main phishing forum thread).

    Thanks for any tips, comments, etc!

  2. #2
    Junior Member
    Join Date
    Apr 2005
    Posts
    18
    One thing I didn't do was follow that link... Well I just did and it brings me to the banks webpage I called the 303 number and it seems legitimate? It also has an 800 number, so what happened was this really a phish or just an email from the bank sent to her by mistake? Or is this phone number real but everything else is fake.

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    If they asked for SSN, you can be sure it's a scam and your girlfriend should take action (file a police report, contact credit agencies,...). The page you are linking to is legitimate, but the URL in the e-mail may have been obfuscated (like so: Google.com). Check the headers to find out (you could post them here if you want - they'll also contain handy sender information) of the e-mail (in most e-mail clients, you can see the "real" link by hovering over the link)

  4. #4
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    Post your headers and the html of your email (obfuscating revealing info of course). Lets get a detailed look at what it really was. And to officially make this an 'I agree' post: Neg is right. Call the cops, notify the bank, and I would give the three major credit companies a call.


    http://www.equifax.com/
    http://www.experian.com/
    http://www.transunion.com/index.jsp

    Also the FTC website has a wealth of info for consumers (also where you can file a complaint)
    http://www.ftc.gov/bcp/conline/edcams/credit/index.html
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Hi,

    Please go to the Elevations Credit Union site:

    http://www.uofcfcu.com/security/

    And follow the instructions.

    They are aware of this phishing scam
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Junior Member
    Join Date
    Apr 2005
    Posts
    18
    Thanks guys for the tips I'll post the html header as soon as I can, thanks!

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    I'd be sure to contact her bank and alert them to the scam. You can be sure others were victimized as well.

    If you post the full source of the e-mail, tracking can be done and if you're lucky, the ISP used will cooperate in finding the source. At very least, I can assure you that I can get the spam server shut down (if it isn't already).

    The full source is needed rather than just the headers because in the body is where you'll find ofuscated links to the bad guy's server. The headers will typically only show mail relays that were used. This is helpful but far from complete.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    The IP address 12.111.190.67 appears to belong to a bank hosting outfit called Corillian out of Hillsboro, OR. Here's what I turned up in a whois:

    http://ws.arin.net/whois/?queryinput...12-111-190-0-1

    They seem legit, but who knows? The "Corillean" domain's been registered with them since '01 looks like. Maybe they've been "taken" too. Here's more contact info on them:

    http://corillian.com/corporate/contact.aspx

    edit -- From what I can gather on doing some whois footwork, Elevations Credit Union hosts their own online banking (there's an ip range that's registered to them and sure enough, their site's found in that range), yet here's a subdomain showing up hosted by Corillian. Is there ANY way to do a whois on subdomains?
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  9. #9
    Originally posted here by brokencrow
    Is there ANY way to do a whois on subdomains?
    I don't think so. I think that the only people who need to hold the infomation about a subdomain is the owner of the domain itself.


    Anyways, it's generally a safe bet to assume that a bank will never, ever e-mail you*. There's just no good reason to. E-mail headers can be forged about as easily as sending legitimate ones and it's for all intents and purposes, impossible to send an e-mail with sensitive infomation to the layperson.


    * unless you e-mail them first, but then they'll be careful not to mention any specifics about your account with them.
    \"Some say they go looking for Drugs, Dirty Dancing and Pounding, Pounding Techno Music.\"
    *ahem* contact me

  10. #10
    Junior Member
    Join Date
    Jul 2006
    Posts
    6

    Thumbs down

    My parents actually fell for a phising scam the other week, they are entirely computer illiterate to say the least. But to be fair to them the email looked pretty professional. It was spoofed from accounts@paypal.com and was an exact replica of the real paypal log in page, but when viewing the source it had "<a href="http://www.paypal.somesitehere.it/PAYPAL/login.php">www.paypal.com</a>" but when I went to the actual site it was directing you to, it was a church website ironic or what?
    - b0red

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides