TCS - Identity Theft

Identity Theft

by Don Singleton
Tulsa Computer Society
From the December, 2004 issue of the I/O Port Newsletter

I recently received a number of Identity Theft scam attempts. Here are some of them, with documentation on who is attempting them.

PayPal

http://www.google.com/url?q=%68%74%74%70%3a%2f%2fwww.google.com%2f%75%72%6c%3f%71%3d%68%74%74%70%253a%252f%252Fnfs.name/.paypal/

I am not certain how to decode that. The first part %68%74%74%70%3a%2f%2f is http:// and %2f%75%72%6c%3f%71%3d%68%74%74%70 is /url?q=http so it is something like http://www.google.com/url?q=http://www.google.com/url?q=http

I am not sure what to do with %253a%252f%252Fnfs.name/.paypal/ but it boils down to

http://nfs.name/.paypal/ which takes you to IP address 217.160.243.228
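The link quoted above can be unwrapped offline, without visiting any of the hosts involved. Each hop is a Google `/url?q=` redirect whose `q` parameter is itself a percent-encoded URL, and the innermost part is encoded twice (`%25` is the `%` character, so `%253a%252f%252f` becomes `%3a%2f%2f` on the first pass and `://` on the second). The following Python is an added example written for this article, not code from the newsletter; it copies the URL string exactly as printed above and assumes nothing else about the message.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# The obfuscated link exactly as quoted in the article (copied, not constructed).
OBFUSCATED = (
    "http://www.google.com/url?q=%68%74%74%70%3a%2f%2fwww.google.com%2f%75%72%6c%3f%71%3d"
    "%68%74%74%70%253a%252f%252Fnfs.name/.paypal/"
)


def redirect_chain(url, max_hops=10):
    """Follow nested open-redirect 'q=' parameters purely by parsing.

    Returns every URL in the chain, starting with the one given and ending
    with the first URL that carries no 'q' parameter (the real landing page).
    No network request is made.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(url)
        q = parse_qs(parts.query).get("q")  # parse_qs percent-decodes the value once
        if not q:
            break
        url = q[0]
        chain.append(url)
    return chain


def landing_host(url):
    """Host the victim's browser finally reaches after all redirects."""
    return (urlsplit(redirect_chain(url)[-1]).hostname or "").lower()


def encoding_depth(url):
    """How many rounds of percent-decoding change the string.

    Legitimate links are usually 0 or 1; nested encoding (2 or more) is a
    common sign that someone is trying to hide the destination from both
    readers and simple filters.
    """
    depth = 0
    while True:
        decoded = unquote(url)
        if decoded == url:
            return depth
        url = decoded
        depth += 1


if __name__ == "__main__":
    for hop, u in enumerate(redirect_chain(OBFUSCATED)):
        print(f"hop {hop}: {u}")
    print("landing host:", landing_host(OBFUSCATED))
    print("encoding depth:", encoding_depth(OBFUSCATED))
```

Run stand-alone, `redirect_chain` returns three URLs (the Google wrapper, a second Google wrapper, then `http://nfs.name/.paypal/`), `landing_host` returns `nfs.name`, and `encoding_depth` returns 2. The check a mail filter or a careful reader applies is the comparison between the host that appears at the front of the link (`www.google.com`) and the host the chain actually ends on.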

nfs.name was registered to Fred Phelps in Sebastopol, California on Nov 7 (I got the email on Nov 9).

As VisualRoute shows

As SmartWhois indicates: Schlund is in Karlsruhe, Germany and has two abuse addresses abuse@schlund.de and abuse@schlund.com

I will email both to see what they think about this scam on their site.

Tobias Fehrenbach of Abuse-Department 1&1 Internet AG said

Thank you for bringing this matter to our attention. The account in question has been suspended.

I replied

Can you do more than that, i.e., report them to the authorities? It is easy for them to just get a new account with another provider, or with you under a different name.

They replied

A colleague of mine suspended the account and cancelled the contract. That's the normal procedure.

I guess the money to be made from Identity Thieves must be so great that they don't want to offend them by getting them arrested.

Washington Mutual Banking

We recently reviewed your account, and suspect that your Washington Mutual Banking account may have been accessed by an unauthorized third party. Protecting the security of your account and of the System network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features.

To restore your account access, please take the following steps to ensure that your account has not been compromised:

1. Login to your Internet Banking account. In case you are not enrolled for Internet Banking, you will have to use your Social Security Number as both your Personal ID and Password and fill in all the required information, including your name and your account number.

2. Review your recent account history for any unauthorized withdrawals or deposits, and check your account profile to make sure no changes have been made. If any unauthorized activity has taken place on your account, report this to Internet Banking Staff immediately.

To get started, please click the link below:

http://login.personal.wamu.com/logon/logon.asp?dd=1

We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintain the integrity of the entire Internet Banking system. Thank you for your prompt attention to this matter.

Sincerely,

The WaMu, Inc Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your Online Banking account and choose the "Help" link in the header of any page.

I don't happen to have an account with Washington Mutual Banking, but clicking on the link would not take me to http://login.personal.wamu.com/logon/logon.asp?dd=1 but rather to http://142.177.237.113:8080/

As VisualRoute shows

As SmartWhois indicates: IP 142.177.237.113 is owned by Stentor National Integrated Communications Network in Ottawa, Canada, with the addresses hostmaster@aliant.ca and abuse@aliant.net. I emailed them and this is what they said:

This issue has been resolved. Thank you for bringing it to our

I responded

What is the resolution? Did you just cut them off, or did you report them to the police and do they have the perp under arrest?

They responded

We did not report this to the police. If you have reported it to the police they may request the customer information once they have obtained a Canadian court order.

I guess for Aliant Internet Security the money they can make protecting Identity Thieves is more important than their reputation.

I got another Washington Mutual scam:

Dear Washington Mutual user,

We are performing system maintenance, which may interfere with access to your Online Services. Due to these technical updates your online account has been deactivated. Washington Mutual recommends that you reactivate your online account. Go to Internet Banking by clicking this link, verify your identity as a customer of Washington Mutual and your online account access will be reactivated by our system.

1. Go to https://login.personal.wamu.com/logon/logon.asp

2. Enter your Username and Password.

3. You will be taken to the "Security Measures" page to confirm your identity

4. After your verification process is completed you will be able to access your account again.

* Our goal is to have Internet Banking available 24 hours a day, seven days a week, but Internet Banking may be unavailable during the following times for scheduled systems maintenance: Sunday: 12:00am - 6:15am Eastern Time. We regret any inconvenience this may cause you. Washington Mutual INC (c) 2004.

The link this time goes to http://219.166.90.242/img/wamu/index.html. As VisualRoute shows, IP 219.166.90.242 is in Japan.

I also got a scam supposedly from "Citibank(R) Card Department" which is also from Japan, this time from http://218.45.31.164/citifi/

I will contact apnic-ftp@nic.ad.jp and see what they say.

Citibank Alerting Service

Clicking on the link would go to http://200.198.188.188/citi

As VisualRoute shows, 200.198.188.188 is in Montevideo, Uruguay.

I got another from "Citibank Alerting Service" pointing to http://200.189.70.90, plus one from "Citibank(R) Card Department" pointing to http://209.13.96.44/citifi/, which also goes to Montevideo, Uruguay.

Their abuse address is abuse@lacnic.net. We will see what they say.

SunTrust Bank Alert

I don't have an account with SunTrust Bank, but clicking on the link would take me to 68.221.247.135.

As VisualRoute shows, IP 68.221.247.135 is in Atlanta, GA.

As SmartWhois indicates, the abuse address is abuse@bellsouth.net. We will see what they say.


Dear Wells Fargo customer,

Recently there have been a large number of cyber attacks pointing at our database servers. In order to protect your account, we require you to sign on immediately.

This personal check is requested of you as a preventive measure and to ensure yourselves that everything is normal with your balance and personal information.

This process is mandatory and if you don't sign on within the nearest time your account may be subject to temporary suspension.

To update your account information please click on the link below:

https://www.wellsfargo.com/wfonline/access/apply.jhtml

!!!Note that we have no particular indications that your details have been compromised in any way.

Thank you for your attention to this matter and thank you for using Wells Fargo!

Clicking on the link would go to http://wellsfargo.informationupdates.com/SignOn.htm

There is no server up for that URL, but the informationupdates.com domain was registered on October 15 (I got the email on October 17) to Robert Thibodeau in Saint John, PW, Canada. The tech contact is domain.tech@YAHOO-INC.COM and I will see what he says.
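The Washington Mutual and Wells Fargo messages above share the same trick: the visible link text is the bank's real address, while the underlying href goes to http://142.177.237.113:8080/ or http://wellsfargo.informationupdates.com/SignOn.htm. The following Python is an added example written for this article, not code from the newsletter: it parses an HTML mail body and reports every anchor whose displayed URL names a different host than its href, and additionally notes when the real destination is a bare IP address. The sample HTML is constructed to reproduce the two cases quoted above plus two benign links; the original messages' HTML source is not reproduced here.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: the two mismatches described in the article plus two benign anchors.
SAMPLE_EMAIL_HTML = """
<p>To get started, please click the link below:</p>
<a href="http://142.177.237.113:8080/">http://login.personal.wamu.com/logon/logon.asp?dd=1</a>
<p>To update your account information please click on the link below:</p>
<a href="http://wellsfargo.informationupdates.com/SignOn.htm">https://www.wellsfargo.com/wfonline/access/apply.jhtml</a>
<a href="https://www.example.com/help">https://www.example.com/help</a>
<a href="https://www.example.com/help">Help</a>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text chunks seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_bare_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def mismatched_links(html):
    """Return anchors whose displayed URL points at a different host than the href.

    Link text that is not itself a URL ("Help", "click here") makes no claim
    about the destination and is not reported.
    """
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not text.lower().startswith(("http://", "https://")):
            continue
        shown_host, actual_host = host_of(text), host_of(href)
        if shown_host != actual_host:
            findings.append({
                "shown": text,
                "actual": href,
                "actual_host": actual_host,
                "bare_ip": is_bare_ip(actual_host),
            })
    return findings


if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {f['shown']} -> really {f['actual']} (bare IP: {f['bare_ip']})")
```

On the sample body this reports two findings: the WaMu link, whose real destination is the bare IP 142.177.237.113, and the Wells Fargo link, whose real host is wellsfargo.informationupdates.com (a domain that merely has "wellsfargo" as a subdomain label). Both benign anchors are ignored. Comparing hosts rather than whole URLs keeps legitimate tracking parameters or path changes on the same site from raising false alarms.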


Tulsa Computer Society 12/01/2004
Don Singleton, President