Email Fraud

Craigslist – Confirmation for Posting Fraud

Sunday, August 7th, 2011

A clever Craigslist Phishing fraud is using a highly targeted approach to trick Craigslist advertisers into giving up their usernames and passwords.

The trick is to provide the headline from an actual Craigslist posting in order to help evade spam filtering and, more importantly, to increase the likelihood of fooling the recipient into believing the “Confirmation for Posting” is legitimate.

A typical email will arrive such as:

Subject:     Your ad, titled ‘1970 short bed ford ‘ has been posted.
From:     craigslist <acount@pueblo.craigslist.org>

The Subject line will vary to match the title of the specific Craigslist posting.

more »

The Executive Registry, Who’s Who Among Spammers

Saturday, August 6th, 2011

Bogus “Who’s Who” listings and other similar publications have been around since long before the Internet, so there’s nothing new about selling fake credentials and memberships in non-existent “executive” publications.

But, as with many things, Email and the Internet combine to make the scammer’s job easier with a wider and deeper reach, and all for lower cost.

The latest fake credential listing touts your invitation to join “The Executive Registry” and is signed by someone claiming to be “Ethan Andrews” of the “Candidate Review Committee” – for what that’s worth.

Here’s a copy of the latest email:

more »

New Skype Has Been Releases ! Upgrade Now

Saturday, July 16th, 2011

Mailboxes are now receiving fake Skype upgrade spam sent from hijacked Rhapsody.com mail servers.

The current campaign arrives as:

Subject:     New Skype Has Been Releases ! Upgrade Now
From:     “Skype” <newsletter@news.skype.com>

In an interesting twist, the spammers involved appear to have hacked, and to be in control of, Rhapsody.com mail servers, as the samples we’ve reviewed so far are actually from:

  • mta900.e.rhapsody.com ([63.211.90.40])
  • mta902.e.rhapsody.com ([63.211.90.42])
  • mta903.e.rhapsody.com ([63.211.90.43])
  • mta904.e.rhapsody.com ([63.211.90.44])
  • mta905.e.rhapsody.com ([63.211.90.45])
  • etc., etc.

The spam email itself is as follows:

more »

Chase Online Alert: Debit Card/ATM Deduction from Account

Thursday, July 14th, 2011

As the biggest banks get bigger, they capture even more attention from spammers and online criminals intent on stealing legitimate users’ accounts.

Such is the case with JP Morgan Chase and yet another Phishing fraud email now circulating:

Subject:     Chase Online Alert: Debit Card/ATM Deduction from Account
From:     Chase Online Alert <Chase@emailnotify.chase.com>

more »

Account Update Notice – Craigslist Fraud

Monday, July 11th, 2011

While spam volumes may be down, the Phishing frauds continue in high volume with Craigslist.org users being highly favored targets.

Look for these spam emails to trap unsuspecting users:

Subject:     Account Update Notice
From:     “craigslist” <help@craigslist.org>

While they spoof “help@craigslist.org” as the sending address, most that we’ve reviewed have come from various hijacked Earthlink accounts:

from elasmtp-banded.atl.sa.earthlink.net ([209.86.89.70])
from elasmtp-scoter.atl.sa.earthlink.net ([209.86.89.67])

Here’s a complete copy of one of these “Account Update Notice” frauds:

more »

Wells Fargo Online Fraud Prevention

Thursday, June 30th, 2011

More spam claiming to be from Wells Fargo is headed toward mailboxes as:

Subject:     Wells Fargo Online Fraud Prevention.
From:     “Wells Fargo Online”<wellsfargo@wellsconnect.wellsfargo.com>

In reality, the sending address is spoofed and the email is actually originating from Yahoo’s mail servers:

nm28-vm1.bullet.mail.ac4.yahoo.com ([98.139.52.247])

As is common for such Phishing frauds, the email warns you

more »

Important Technical Service Message – FedEx Spam

Wednesday, June 22nd, 2011

Phishing fraud involving the various shipping companies continues its upswing, and a newer version of FedEx fraud is looking to steal legitimate users’ account credentials.

Emails typically arrive as:

Subject:     Important Technical Service Message (CODE:90738-00)
From:     “FedEx Technical Support”<update@online-update.com>

They are not sent from any legitimate Federal Express server, but instead are sent through hijacked user accounts; the latest copy reviewed came to us through Verizon’s servers:

more »

Flagged & Removed: Craigslist Spam

Tuesday, June 14th, 2011

There’s a renewed effort from spammers trying to hijack legitimate Craigslist.org accounts.

One version currently in distribution arrives as:

Subject:     flagged & removed: 36984099
From:     “Craigslist” <no-reply@craigsIst.org>

To further add the appearance of legitimacy and to help evade spam filtering systems, the number at the end of the subject line is randomized.

more »

IMPORTANT – Account Deactivation Notice – Bank of America Fraud

Friday, June 3rd, 2011

A surprisingly well-done spoof of a Bank of America notice is making the rounds and is convincing enough to trick a number of email recipients:

Subject:     IMPORTANT – Account Deactivation Notice
From:     Bank of America Alert <onlinebanking@ealerts.bankofamerica.com>

The email, actually sent from foreign servers, warns:

We have noticed that you need to resolve important security issues on your account to prevent temporal deactivation. It is therefore recommended that you complete this process. Your security is important to us.

Please click on the link below to resolve this issue:

www.bankofamerica.com/upd.screc/id.2140180220.sessid/home.sec.index.cfm?page=update

more »

Wells Fargo Online Fraud Prevention – Spam – Fraud

Monday, May 23rd, 2011

One of the “better” Wells Fargo Phishing frauds we’ve seen lately (and there are a lot to choose from) arrives as:

Subject:     Wells Fargo Online Fraud Prevention.
From:     “Wells Fargo Online”<wellsfargo@wellsconnect.wellsfargo.com>

The basic pitch:

Wells Fargo’s Internet Services Group Fraud Operations would like to verify some recent activity on your account.

Here’s a complete copy of the fraudulent spam email:

more »