  1. #1
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Shawnee country

    Phishing for acc't numbers...

    ...got this email from my bank (see image). All in all, a credible job (I'm not awake yet). The sender is using the embedded gif to trick readers. The gif is linked to this website: http://www.53.com.wps.portal.secure....fo/context.id/

    Here are the email headers:


    X-Apparently-To: xxxxxxxx@yahoo.com via; Fri, 25 Aug 2006 10:21:46 -0700
    X-Originating-IP: []
    Return-Path: <reference-id_71384id@53.com>
    Authentication-Results: mta302.mail.re4.yahoo.com from=53.com; domainkeys=neutral (no sig)
    Received: from (HELO 200-158-67-174.dsl.telesp.net.br) ( by mta302.mail.re4.yahoo.com with SMTP; Fri, 25 Aug 2006 10:21:46 -0700
    Received: from transmitting.ifg.com (unknown []) by cobaltweb.com with SMTP id X5PPP2ZNBV for <karlstrangfeld@yahoo.com>; Sat, 26 Aug 2006 06:20:50 -0800
    From: "FIFTH THIRD BANK 2006" <support_reference851516162754id@53.com>
    To: "Karlstrangfeld" <karlstrangfeld@yahoo.com>
    Subject: Fifth Third Bank: Urgent Notice From Billing Department Sat, 26 Aug 2006 06:20:50 -0800
    Message-ID: <73048sj83k89$c7uk474ohf8$5jz6fta76@Y4887529>
    User-Agent: PObox II beta1.0
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: multipart/related; boundary="GIMXXV0Z00UTQGIS7Q6S"
    Content-Length: 9325

    I traced the originating ip address ( in the email to Sao Paulo. The website's in Latvia with an ip address of, belonging to ProNets-LV from what I can tell.

    Don't you love those domain names? www.53.com.wps.portal.secure.huaru.info? WTF?

    What's the best way to report something like this?
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Hi BC,

    If it is your bank, then tell them about it first..........it should help build some street cred?

    Then take a look at this:


  3. #3
    Senior Member
    Join Date
    Jan 2003
    Hey Hey,

    Gotta love those ridiculously long domains that screw with people's heads.. They see the first .com and assume it's real..

    For reporting it... You definitely want to submit it to PIRT/Fried Phish - http://www.castlecops.com/pirt

    You'll also want to contact your bank... -- 53investigation@security.53.com

    I'm actually surprised you got one for your own bank... I keep getting alerts in my online banking that there are phishes going around.. but I haven't had one yet.

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Shawnee country
    Funny thing is I've never used online banking. Won't touch it with a 10-foot pole. They'll never be able to emulate flirting with the tellers.

    edit -- I would've missed it if I hadn't fished it out of my spam folder.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
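
An added example, not part of the original thread: a short Python triage of the header lines and link host quoted in the first post, checking the relay host and DomainKeys result against the From domain and testing whether the link host merely embeds the bank's domain, as post #3 describes. The function names and the trimmed header sample are constructed here for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header lines from the first post, trimmed and tidied to
# the fields the checks use (the IP addresses were already blank on the page).
RAW = """\
Return-Path: <reference-id_71384id@53.com>
Authentication-Results: mta302.mail.re4.yahoo.com from=53.com; domainkeys=neutral (no sig)
Received: from (HELO 200-158-67-174.dsl.telesp.net.br) by mta302.mail.re4.yahoo.com with SMTP; Fri, 25 Aug 2006 10:21:46 -0700
From: "FIFTH THIRD BANK 2006" <support_reference851516162754id@53.com>
Subject: Fifth Third Bank: Urgent Notice From Billing Department

"""
LINK_HOST = "www.53.com.wps.portal.secure.huaru.info"  # host named in the post


def under_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def embeds_domain(host, domain):
    """True if the domain's labels appear inside host but not at its right end."""
    h, d = host.lower().rstrip(".").split("."), domain.lower().split(".")
    hits = any(h[i:i + len(d)] == d for i in range(len(h) - len(d) + 1))
    return hits and not under_domain(host, domain)


def triage(raw, link_host):
    msg = message_from_string(raw)
    claimed = parseaddr(msg["From"])[1].rpartition("@")[2]
    findings = []
    # Topmost Received header is the one added by the recipient's own MTA.
    helo = re.search(r"HELO\s+([^\s)]+)", msg.get_all("Received", [""])[0])
    if helo and not under_domain(helo.group(1), claimed):
        findings.append("relay " + helo.group(1) + " is outside " + claimed)
    auth = msg.get("Authentication-Results", "")
    if "domainkeys=pass" not in auth:
        findings.append("no passing DomainKeys result for " + claimed)
    if embeds_domain(link_host, claimed):
        findings.append("link host embeds " + claimed + " but is not under it")
    return findings


if __name__ == "__main__":
    for line in triage(RAW, LINK_HOST):
        print("SUSPICIOUS:", line)
```

A relay outside the From domain is only a heuristic, since legitimate senders often use third-party mail providers; treat it as one signal alongside the other two.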
