July 14th, 2006, 03:55 AM
Bank.uofcfcu.com Phishing scheme
My girlfriend was just a victim and she's very pissed off at herself for falling for it. I've told her about these types of tricks and she still fell for it unfortunately. She was sent an email requesting her identity to be verified and they asked for social security number and credit card numbers. See Below:
Elevations Credit Union is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive bank account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Why is my account access limited?
Your account access has been limited for the following reason(s):
# Jul 13, 2006: We would like to ensure that your account was not accessed by an unauthorized third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive Elevations Credit Union account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.
(Your case ID for this reason is NSRA04-410-321-4364.)
protect you. At Elevations Credit Union , one of our most important responsibilities to you, our customer, is the safekeeping of the nonpublic personal ("confidential") information you have entrusted to us and using this information in a responsible manner. Appropriate use of the confidential information you provide us is also at the heart of our ability to provide you with exceptional personal service whenever you contact us.
Please confirm your identity here: https://bank.uofcfcu.com/UOFCFCU/Login.aspx
Completing all of the checklist items will automatically restore your account access.
Copyright ©2005 U of C Federal Credit Union/Member NCUA. All Rights Reserved. "
I did a couple scans on this host name and it turned up this IP address: 22.214.171.124. I checked DNS Stuff and did a City by ISP and it said that the IP looks like its from Canby, Oregon. I'm interested in reporting this person but also finding out more about them, what else can I do? I've already emailed the antiphishing group (I found the sticky in the main phishing forum thread).
Thanks for any tips, comments, etc!
July 14th, 2006, 04:00 AM
One thing I didn't do was follow that link... Well I just did and it brings me to the banks webpage I called the 303 number and it seems legitimate? It also has an 800 number, so what happened was this really a phish or just an email from the bank sent to her by mistake? Or is this phone number real but everything else is fake.
July 14th, 2006, 04:39 AM
If they asked for SSN, you can be sure it's a scam and your girlfriend should take action (file a police report, contact credit agencies,...). The page you are linking to is legitimate, but the URL in the e-mail may have been obfuscated (like so: Google.com). Check the headers to find out (you could post them here if you want - they'll also contain handy sender information) of the e-mail (in most e-mail clients, you can see the "real" link by hovering over the link)
July 14th, 2006, 07:33 AM
Post your headers and the html of your email (obfuscating revealing info of course). Lets get a detailed look at what it really was. And to officially make this an 'I agree' post: Neg is right. Call the cops, notify the bank, and I would give the three major credit companies a call.
Also the FTC website has a wealth of info for consumers (also where you can file a complaint)
The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare
July 14th, 2006, 08:33 AM
Please go to the Elevations Credit Union site:
And follow the instructions.
They are aware of this phishing scam
July 14th, 2006, 04:00 PM
Thanks guys for the tips I'll post the html header as soon as I can, thanks!
July 15th, 2006, 05:13 PM
I'd be sure to contact her bank and alert them to the scam. You can be sure others were victimized as well.
If you post the full source of the e-mail, tracking can be done and if you're lucky, the ISP used will cooperate in finding the source. At very least, I can assure you that I can get the spam server shut down (if it isn't already).
The full source is needed rather than just the headers because in the body is where you'll find ofuscated links to the bad guy's server. The headers will typically only show mail relays that were used. This is helpful but far from complete.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
July 15th, 2006, 05:54 PM
The IP address 126.96.36.199 appears to belong to a bank hosting outfit called Corillian out of Hillsboro, OR. Here's what I turned up in a whois:
They seem legit, but who knows? The "Corillean" domain's been registered with them since '01 looks like. Maybe they've been "taken" too. Here's more contact info on them:
edit -- From what I can gather on doing some whois footwork, Elevations Credit Union hosts their own online banking (there's an ip range that's registered to them and sure enough, their site's found in that range), yet here's a subdomain showing up hosted by Corillian. Is there ANY way to do a whois on subdomains?
“Everybody is ignorant, only on different subjects.” — Will Rogers
July 16th, 2006, 02:49 PM
I don't think so. I think that the only people who need to hold the infomation about a subdomain is the owner of the domain itself.
Originally posted here by brokencrow
Is there ANY way to do a whois on subdomains?
Anyways, it's generally a safe bet to assume that a bank will never, ever e-mail you*. There's just no good reason to. E-mail headers can be forged about as easily as sending legitimate ones and it's for all intents and purposes, impossible to send an e-mail with sensitive infomation to the layperson.
* unless you e-mail them first, but then they'll be careful not to mention any specifics about your account with them.
\"Some say they go looking for Drugs, Dirty Dancing and Pounding, Pounding Techno Music.\"
*ahem* contact me
July 17th, 2006, 02:30 PM
My parents actually fell for a phising scam the other week, they are entirely computer illiterate to say the least. But to be fair to them the email looked pretty professional. It was spoofed from firstname.lastname@example.org and was an exact replica of the real paypal log in page, but when viewing the source it had "<a href="http://www.paypal.somesitehere.it/PAYPAL/login.php">www.paypal.com</a>" but when I went to the actual site it was directing you to, it was a church website ironic or what?