Phishing Lessons

Your account has been locked – TCF Spam

Friday, April 29th, 2011

A highly targeted spam Phishing fraud campaign is actively going after TCF (a regional bank) customers.

The email arrives:

Subject:     Your account has been locked.
From:     TFC Bank <service@tcfbank.com>

But does not come form any legitimate TCF server, instead, traveling through sites such as:

from ds2017.centos-server.net ([207.45.176.146])

The message itself warns:

more »

You have received a refund – Chase Phishing Fraud

Wednesday, April 27th, 2011

The typical bank Phishing fraud spam email warns you about your account security, claiming there have been unauthorized transactions or invalid login attempts from overseas.

In a creative twist, the latest spam Phishing campaign targeted toward J.P. Morgan Chase customers uses more of a carrot than a stick; announcing that you’ve received a billing refund.

Subject:     You have received a refund of $70.95
From:     J.P. Morgan Chase <online.service@chase.int.com>

more »

Account has stopped running this morning – Google AdWords Fraud

Wednesday, April 20th, 2011

Spammers are again looking to hijack Google AdWords accounts by mass mailing campaigns targeting legitimate AdWords account holders.

Messages arrive as:

Subject:    Account has stopped running this morning.
From:    “Google AdWords”<adwords-noreply@google.com>

While the emails typically spoof the adwords-noreply@google.com address, they are sent from stolen and fraudulently registered email accounts.

The message itself looks like:

more »

Important Notice From Online Banking – Bank Of Montreal Fraud

Monday, April 11th, 2011

Email Phishing frauds for Bank Of Montreal are in high gear, with most arriving as:

Subject:     Important Notice From Online Banking
From:     BMO Bank of Montreal <helpdesk@bmo.com>

Though the sending address is of course spoofed, with these actually coming from bogus  and hijacked mail servers such as:

‘from beta.dnshree.com ([208.87.243.22])
<nobody@beta.dnshree.com>

Here’s a full copy of of the email fraud:

more »

New Message from Online Banking – Chase Card Services Fraud

Wednesday, March 30th, 2011

The newest JP Morgan Chase email Phishing fraud is now being sent as:

Subject:     New Message from Online Banking
From:     “Chase Card Services”<SMChaseNotification@emailonline.chase.com>

The spoofed email itself looks convincing enough:

more »

Flagged & Removed – Craigslist Frauds

Monday, March 21st, 2011

We’re seeing a strong increase in Phishing Fraud emails targeting Craigslist.org accounts.

The emails generally arrive such as:

Subject:     flagged & removed : 1977204121
From:     “no-reply@craigslist.net” <no-reply@craigsliist.net>

The ID/Case number in the subject line will vary in an attempt to evade spam filtering.

The sending address is spoofed as the emails are not actually sent from Craigslist.org servers.

An example email:

more »

craigslist.org: Account Temporarily suspended – Fraud

Monday, February 28th, 2011

Stealing Craigslist usernames and passwords is becoming increasingly popular amount Internet spammers and hackers.

The latest campaign warns of account suspension in order to get the recipient’s attention:

Subject:     craigslist.org: Account Temporarily suspended
From:     “craigslist.org” <noreply@craigslist.org>

Though the message actually comes from hijacked Yahoo email accounts (from nm11-vm0.bullet.mail.ac4.yahoo.com) the email itself is a pretty good approximation of a legitimate Craigslist notification:

Craigslist.org Account Temporarily Suspended - Fraud

Click for Larger Image

more »

Your Mailbox Quota Has Exceeded The Set Quota/Limit Which Is 20GB.

Thursday, February 17th, 2011

One of the tactics that works very well for spammers is tricking (Phishing) users into sharing their email account login and passwords and then using the hijacked account to send spam.

The advantages of using a hijacked account include:

  • Access to the recipients online address book
  • Ability to send from a fresh and clean address
  • Use of legitimate mail servers for sending spam

The only downside is since many users will eventually take back their accounts (or admins will disable them) the spammer needs a constant source of new email accounts.

more »

TD ALERT : You have received a new payment

Wednesday, February 9th, 2011

More Phishing frauds are being received for TD Canada Trust Bank customers:

TD ALERT : You have received a new payment.
TD Canada Trust Bank. <e-payment@easywebsoc.td.com>

This campaign appears to originate from accounts on  SimpleHELIX web servers:

‘from defend3.simplehelix.com ([206.126.97.8]’

more »

Notification at usaa.com

Monday, February 7th, 2011

Here’s a well designed Phishing fraud targeting USAA.com users:

Subject:     Notification at usaa.com
From:     USAA <USAA.Web.Services@customermail.usaa.com>

The somewhat standard warnings are used:

Dear Customer,

As part of our security measures, we regularly screen activity in the usaa.com system. We recently contacted you after noticing an issue on your account. We requested information from you for the following reason: more »