CastleCops, Internet Crime Fighters
VVestern Union Phish
Phishing
A brand new Western Union phish email just came into my inbox. I took note right away of the tomfoolery. The domain is not "Western" Union, but "VVestern" Union that is being pitched here:

wumt.vvesternunion.biz

The email follows... and it seems crooks are preying on people's tired eyes at 4 AM who are up and surfing.


We are contacting you regarding your Western Union account. Due to inactivity, your account has been deactivated from using our services.

Therefore, we invite you to update your Western Union profile in order to regain full access to our services. Please go to http://wumt.vvesternunion.biz/[TRUNCATED until a PIRT report is released] to confirm your identity and update your profile.

Please Note: If your account information is not updated within the next 24 hours, your account will be deleted.

We apologize for any inconvenience this may have caused.

Best regards,
Western Union Customer Service.

-------------------------------
Western Union endeavors to maintain physical, electronic and procedural safeguards to guard your Information. We also endeavor to restrict Information access to our employees, agents and representatives that need to know it. Western Union will never disclose your personal or billing information to a third party. Copyright © 2007 Western Union. All Rights Reserved.
Posted on Friday, 15 June 2007 @ 02:55:49 UTC by Paul (1780 reads)
Re: VVestern Union Phish (Score: 1)
by PAN_IRISH  on Friday, 15 June 2007 @ 05:05:51 UTC
ok,
i see what it is,
it's a double V !!

at first i couldn't tell what you were trying to point out.




Re: VVestern Union Phish (Score: 1)
by TBearr  on Monday, 18 June 2007 @ 03:11:33 UTC
Many thanks for this one.

If possible, I'd be grateful if in future you could provide as much of the full header info as you judge reasonable. For example, displaying the address of the system that actually passed the message off to you may be helpful for those of us who create filters for our domains.

We are watching which systems pass off such messages and, sometimes, will block those addresses (by way of an example, if they're from the PRC). Was the phish domain used only in the body, or did it also appear anywhere in the header?

A quick check of vvesternunion.* reveals that .com, .biz, .info, and .us are also registered. And all look suspicious. Three were registered in March 2007 (biz, us, info), two of them within two days of each other. We've blocked the root (vvesternunion).
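
A mail filter can catch the "VV" for "W" substitution, on any TLD, by folding lookalike letter pairs in a link's root label before comparing it with a brand watch list. The sketch below is an added example, not code from the original post or its commenters; the watch list, the extra `rn` pair, the sample message and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed watch list of brand labels; only "westernunion" comes from the page.
PROTECTED = {"westernunion"}

# Letter pairs folded to the letter they imitate. "vv" -> "w" is the trick
# used in this phish; "rn" -> "m" is an added generalisation.
LOOKALIKES = [("vv", "w"), ("rn", "m")]

URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.IGNORECASE)


def root_label(host):
    """Label left of the TLD: wumt.vvesternunion.biz -> vvesternunion.
    Simplification: assumes a single-label TLD (no public-suffix lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold(label):
    """Collapse every lookalike pair so imitation and original compare equal."""
    for fake, real in LOOKALIKES:
        label = label.replace(fake, real)
    return label


# Brands are folded too: "westernunion" itself contains "rn", so comparing a
# folded label against the unfolded brand would never match.
FOLDED_BRANDS = {fold(brand): brand for brand in PROTECTED}


def lookalike_hits(body):
    """Return (host, imitated_brand) for each URL whose root label is not a
    protected brand as written but is one after folding."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        label = root_label(host)
        if label not in PROTECTED and fold(label) in FOLDED_BRANDS:
            hits.append((host, FOLDED_BRANDS[fold(label)]))
    return hits


# Constructed sample body; the first host is the one quoted in the post.
SAMPLE = ("Please go to http://wumt.vvesternunion.biz/[TRUNCATED] to confirm. "
          "Help: https://www.westernunion.com/ and http://example.org/")
```

Matching on the root label rather than the full host name is what lets one rule cover the .com, .biz, .info and .us registrations mentioned above.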



 