CastleCops, Internet Crime Fighters
Need help? Click here to register for free! Absolutely zero advertisements on this site!

$9736.22 of $21422.68
left sidedonated so farneed $11686.46 donated to reach our goalright side, our goal
Help CastleCops serve the community on new servers, Donate Here to reach our goal.

Donation/Premium
spacer
Donations. Become Premium Today! Premium Icon
block bottom
Security Central
spacer
· Home
· PIRT/Fried Phish
· MIRT
· SIRT
· Deutsch
· Wiki
· Newsletter
· O16/ActiveX
· CLSID List
· Contest2007
· Downloads
· Feedback (send)
· Forums
· HijackThis
· Hijacktrend
· LSPs
· My Downloads
· O18
· O20
· O21
· O22
· O23
· O9
· Premium
· Private Messages
· Proxomitron
· Reviews
· Search
· StartupList
· Stories Archive
· Submit News
· WsIRT
· Your Account
· Acceptable Use Policy
block bottom
Survey
spacer
Was 2007 a good year?

Yes it was a wonderful year
Yes, but there is always room for improvement
Status quo
It was a challenge
Other (leave comment)



Results
Polls

Votes: 937
Comments: 25
block bottom
spacer spacer
image Another Amazon ''Urgent Fraud Prevention Group Notice'' Phishing Email image
Phishing

***Urgent Fraud Prevention Group Notice***

You have received this email because we have strong reason to believe that your Amazon account had been recently compromised. In order to prevent any fraudulent activity from occurring we are required to open an investigation into this matter. To speed up this process, you are required to verify your Amazon account by following the link below.
The above is the start of another phishing scam trying to get my Amazon account information. Here is the email snapshot:


[click to enlarge]


I'm told to visit the following link:

http://www.amazon.com/exec/obidos/flex-sign-in/

Yet when I mouse hover it, I see this in the status:

http://www.vereine-noe.at/mambo/images/amazon/index.html

So I check out that page and this is whats displayed:


[click to enlarge]


This page actually brings up a frameset which points to:

http://www.vereine-noe.at/mambo/images/amazon/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=

But careful, if you enter your information and click the Continue button you are not sending the information to amazon, you are sending it to here:

http://www.vereine-noe.at/mambo/images/amazon/index.php?MfcISAPICommand=VerifyFPP&UsingSSL=1&login=&pass=

Bingo, someone now has your data for Amazon on a phishing site. The domain vereine-noe.at is registered by:

domain:         vereine-noe.at
registrant:     SF1536198-NICAT
admin-c:        WM1542233-NICAT
tech-c:         WM1542233-NICAT
zone-c:         WM1542233-NICAT
nserver:        ns1.max4eu.net
remarks:        80.64.128.10
nserver:        ns2.max4eu.net
remarks:        80.64.129.10
nserver:        ns3.max4eu.net
remarks:        80.64.128.100
nserver:        ns4.max4eu.net
remarks:        80.64.129.100
changed:        20040510 10:23:15
source:         AT-DOM
 
personname:     Walter Kirchler
organization:   Service Freiwillige
street address: Hofgarten 3/4
postal code:    A-2801
city:           Katzelsdorf
country:        Austria
phone:          +43262278467
fax-no:         +432622784674
e-mail:         service@vereine-noe.at
nic-hdl:        SF1536198-NICAT
changed:        20040323 10:03:14
source:         AT-DOM
 
personname:     Werner Muss
organization:   
street address: Burgholzstrasse 9
street address: A-3352 St. Peter / Au
street address: Austria
postal code:    
city:           
country:        
phone:          +43 676 3078533
fax-no:         +43 1 212 127 222
e-mail:         wmuss@freasy.com
nic-hdl:        WM1542233-NICAT
changed:        20040603 11:23:07
source:         AT-DOM


So don't be fooled by messages like this. Amazon won't be sending these kinds of emails to you. Instead, report these immediately. Get them shut down.

This particular phishing scam's email header portion:

Return-Path: <IUSR_websrv05@websrv05.globalpoint.ch>
Received: from websrv05.globalpoint.ch (websrv05.globalpoint.ch [212.60.53.31])
by bugsbunny.castlecops.com (8.13.4/8.13.4) with ESMTP id jBVCpE6t015154
for <zx@castlecops.com>; Sat, 31 Dec 2005 07:51:14 -0500
Received: by websrv05.globalpoint.ch (Postfix, from userid 500)
id 39C8E1B5EF; Sat, 31 Dec 2005 13:51:19 +0100 (CET)
Posted on Saturday, 31 December 2005 @ 10:36:32 UTC by Paul (3298 reads)
[ Trackback ]		image

"Another Amazon ''Urgent Fraud Prevention Group Notice'' Phishing Email" | Login/Create an Account | 0 comments
Threshold
The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register
 
Login
spacer
Nickname

Password

Security Code: Type Security Code: Usage signifies AUP acceptance
· New User? · Click here to create a registered account.
block bottom
Related Links
spacer
· del.icio.us!
· digg it!
· reddit!
· TrackBack (0)
· PHP HomePage
· HotScripts
· W3 Consortium
· Amazon.com
· More about Phishing
· News by Paul

Most read story about Phishing:
False PayPal Charges!
block bottom
Article Rating
spacer
Average Score: 0
Votes: 0

Please take a second and vote for this article:

Bad
Regular
Good
Very Good
Excellent
block bottom
Options
spacer

Printer Friendly Page  Printer Friendly Page
block bottom
2002-2008 © Computer Cops LLC dba CastleCops®. All rights reserved.
Acceptable Use Policy. Use signifies your agreement.
123ppm 0.174s (0.006s)
Making cybercriminals unhappy since 2002*
In Memory of Trpm
spacer spacer