
Thread: Phishing for acc't numbers...

  1. #1
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Phishing for acc't numbers...

    ...got this email from my bank (see image). All in all, a credible job (I'm not awake yet). The sender is using the embedded gif to trick readers. The gif is linked to this website: http://www.53.com.wps.portal.secure....fo/context.id/

    Here are the email headers:

    ----------------------------------------------------------------------------

    X-Apparently-To: xxxxxxxx@yahoo.com via 206.190.48.84; Fri, 25 Aug 2006 10:21:46 -0700
    X-YahooFilteredBulk: 200.158.67.174
    X-Originating-IP: [200.158.67.174]
    Return-Path: <reference-id_71384id@53.com>
    Authentication-Results: mta302.mail.re4.yahoo.com from=53.com; domainkeys=neutral (no sig)
    Received: from 200.158.67.174 (HELO 200-158-67-174.dsl.telesp.net.br) (200.158.67.174) by mta302.mail.re4.yahoo.com with SMTP; Fri, 25 Aug 2006 10:21:46 -0700
    Received: from transmitting.ifg.com (unknown [35.220.96.177]) by cobaltweb.com with SMTP id X5PPP2ZNBV for <karlstrangfeld@yahoo.com>; Sat, 26 Aug 2006 06:20:50 -0800
    From: "FIFTH THIRD BANK 2006" <support_reference851516162754id@53.com>
    To: "Karlstrangfeld" <karlstrangfeld@yahoo.com>
    Subject: Fifth Third Bank: Urgent Notice From Billing Department Sat, 26 Aug 2006 06:20:50 -0800
    Message-ID: <73048sj83k89$c7uk474ohf8$5jz6fta76@Y4887529>
    User-Agent: PObox II beta1.0
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: multipart/related; boundary="GIMXXV0Z00UTQGIS7Q6S"
    Content-Length: 9325
    -----------------------------------------------------------------------------------

    I traced the originating IP address (200.158.67.174) in the email to Sao Paulo. The website's in Latvia with an IP address of 85.115.127.165, belonging to ProNets-LV from what I can tell.

    Don't you love those domain names? www.53.com.wps.portal.secure.huaru.info? WTF?

    What's the best way to report something like this?
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi BC,

    If it is your bank, then tell them about it first..........it should help build some street cred?

    Then take a look at this:

    http://www.ccmostwanted.com/report/report3.htm


  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    Gotta love those ridiculously long domains that screw with people's heads.. They see the first .com and assume it's real..

    For reporting it... You definitely want to submit it to PIRT/Fried Phish - http://www.castlecops.com/pirt

    You'll also want to contact your bank... -- 53investigation@security.53.com

    I'm actually surprised you got one for your own bank... I keep getting alerts in my online banking that there are phishes going around.. but I haven't had one yet.

    Peace,
    HT
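
The two checks discussed so far in this thread (the header trace in post #1 and the long-domain trick noted in post #3), written out as an added example that is not part of any post. The sample is a trimmed, constructed copy of the quoted headers; the function names are hypothetical, and the last-two-labels rule and the Received regex are simplifying assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: trimmed copy of the headers quoted in post #1.
RAW = """\
Return-Path: <reference-id_71384id@53.com>
Authentication-Results: mta302.mail.re4.yahoo.com from=53.com; domainkeys=neutral (no sig)
Received: from 200.158.67.174 (HELO 200-158-67-174.dsl.telesp.net.br) (200.158.67.174) by mta302.mail.re4.yahoo.com with SMTP; Fri, 25 Aug 2006 10:21:46 -0700
Received: from transmitting.ifg.com (unknown [35.220.96.177]) by cobaltweb.com with SMTP id X5PPP2ZNBV; Sat, 26 Aug 2006 06:20:50 -0800
From: "FIFTH THIRD BANK 2006" <support_reference851516162754id@53.com>
Subject: Fifth Third Bank: Urgent Notice From Billing Department

(body omitted)
"""

def registrable(host):
    # Assumption: the last two labels form the registered domain. Real code
    # should consult the Public Suffix List (co.uk, com.br and so on).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_lookalike(host, brand):
    # The brand domain appears as labels inside the hostname, but the
    # hostname is actually registered under a different domain.
    padded = "." + host.lower().rstrip(".") + "."
    return ("." + brand + ".") in padded and registrable(host) != brand

def analyze(raw, link_host, brand):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Only the topmost Received line was written by the recipient's own MTA;
    # every line below it arrived with the message and can be forged.
    top = msg.get_all("Received")[0]
    # Assumption: the "from X (HELO host) (ip)" layout seen in the sample.
    m = re.search(r"from \S+ \(HELO ([^)\s]+)\) \((\d+\.\d+\.\d+\.\d+)\)", top)
    helo, ip = m.group(1).lower(), m.group(2)
    dk = re.search(r"domainkeys=(\w+)", msg.get("Authentication-Results", ""))
    return {
        "from_domain": from_domain,
        "delivering_host": helo,
        "delivering_ip": ip,
        "sender_matches_from": helo == from_domain or helo.endswith("." + from_domain),
        "domainkeys": dk.group(1) if dk else "none",
        "link_registrable": registrable(link_host),
        "link_lookalike": is_lookalike(link_host, brand),
    }

if __name__ == "__main__":
    for k, v in analyze(RAW, "www.53.com.wps.portal.secure.huaru.info", "53.com").items():
        print(f"{k}: {v}")
```
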

  4. #4
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Funny thing is I've never used online banking. Won't touch it with a 10-foot pole. They'll never be able to emulate flirting with the tellers.

    edit -- I would've missed it if I hadn't fished it out of my spam folder.
