CastleCops, Internet Crime Fighters
Charter One Phishing Scam

 
Robin

Site Admin
Phishing Squad Team Lead


Posted: Sat Mar 26, 2005 4:46 am    Post subject: Charter One Phishing Scam

Date: Fri, 25 Mar 2005 21:13:35 -0500
From: Charter One Online Banking <jmdavis@charteronesecurities.com>
To: email removed
Subject: Online Customer Service

Charter One Bank Home Page

Dear Charter One Bank customer,

We recently reviewed your account, and suspect that your Charter One Bank Internet Banking accountmay have been
accessed by an unauthorized third party.
Protecting the security of your account and of the Charter One Bank network is our primary concern. Therefore, as a
preventative measure, we have temporarily limited access to sensitive account features.

To restore your account access, please take the following steps to ensure that your account has not been compromised:

1. Login to your Charter One Bank Internet Banking account. In case you are not enrolled for Internet Banking, you will
have to fill in all the required information, including your name and you account number.

2. Review your recent account history for any unauthorized withdrawals or deposits, and check you account profile to
make sure not changes have been made. If any unauthorized activity has taken place on your account, report this to
Charter One Bank staff immediately.

To get started, please click the link below:

http://www.charterone.com/home/

We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintain the integrity of
the entire Charter One Bank system. Thank you for attention to this matter.



Sincerely,

Charter One Bank Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your
Charter One Bank account and choose the "Help" link in the header of any page.


| Member FDIC | Equal Housing Lender Charter One is an Equal Housing Lender | © 2005 Charter One Bank

_________________________

Above link directs to http://210.0.213.115/~chuihf/Secure/CHARTERONE/
_________________________

Headers from email:

Return-Path: <nobody@server145.6host.com>
Received: from server145.6host.com (ns1.6host.com [69.72.196.210])
    by bugsbunny.castlecops.com (8.13.2/8.13.2) with ESMTP id j2Q2DOOe018361
    for <email removed>; Fri, 25 Mar 2005 21:13:24 -0500
Received: from nobody by server145.6host.com with local (Exim 4.44)
    id 1DF0nv-0005K9-27
    for email removed; Fri, 25 Mar 2005 21:13:35 -0500
To: email removed
Subject: Online Customer Service
From: Charter One Online Banking <jmdavis@charteronesecurities.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1DF0nv-0005K9-27@server145.6host.com>
Date: Fri, 25 Mar 2005 21:13:35 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server145.6host.com
X-AntiAbuse: Original Domain - computercops.biz
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server145.6host.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-NOD32Result: clean
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
    bugsbunny.castlecops.com
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.6 tests=BAYES_50,HTML_50_60,
    HTML_EVENT_UNSAFE,HTML_MESSAGE,MIME_HTML_ONLY,NORMAL_HTTP_TO_IP,
    REPLY_TO_EMPTY autolearn=no version=3.0.2
X-Spam-DCCB: SIHOPE-DCC-3
X-Spam-DCCR: bugsbunny.castlecops.com 1085; Body=1 Fuz1=1 Fuz2=1
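
An added example, not part of the original post: a small triage function applying the checks this sample illustrates (From domain versus Return-Path and Message-Id, the empty Reply-To, and a link whose visible text differs from its bare-IP target). The header values are copied from the post; the HTML anchor is constructed, since the post shows only the link text and where it led, and `triage`, `domain` and `is_ip` are names chosen for this example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Headers copied from the post above; the HTML body is constructed, since the
# post shows only the visible link text and where it actually led.
SAMPLE = """\
Return-Path: <nobody@server145.6host.com>
From: Charter One Online Banking <jmdavis@charteronesecurities.com>
Reply-To:
Message-Id: <E1DF0nv-0005K9-27@server145.6host.com>
Subject: Online Customer Service
Content-Type: text/html

<a href="http://210.0.213.115/~chuihf/Secure/CHARTERONE/">http://www.charterone.com/home/</a>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain(addr):
    """Lower-cased domain part of an address-like header value ('' if none)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain(msg["From"])
    for hdr in ("Return-Path", "Message-Id"):
        d = domain(msg[hdr])
        if d and d != from_dom:
            findings.append(f"{hdr} domain {d} != From domain {from_dom}")
    if msg["Reply-To"] is not None and not msg["Reply-To"].strip():
        findings.append("Reply-To present but empty")
    for href, text in LINK_RE.findall(msg.get_payload()):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname
        if is_ip(target):
            findings.append(f"link target is a bare IP: {target}")
        if shown and shown != target:
            findings.append(f"link shows {shown} but goes to {target}")
    return findings
```

A Return-Path that differs from the From domain is also common in legitimate bulk mail, so treat each finding as a triage signal to weigh with the others rather than a verdict.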

quietman7

1st Responder Mentor

Posted: Sat Mar 26, 2005 11:41 am

This looks like the same one I received at work about two weeks ago.

Oldfrog said

Quote:
It looks from here like that site has already been shut down. Incidentally, while that address does belong to APNIC (Asia Pacific Network Information Centre) they have allocated it to KRNIC (Korea Network Information Center) which shows is to belong to

Quote:
Organization ID : ORG236154
Org Name : Oofbird
State : KYONGGI
Address : 447-28, Sinjang-dong, Hanam
Zip Code : 465-010

CastleCops Link/t111328-Charter_One_email_warning_unauthorized_bank_account_access.html

Oldfrog

Special Response Team



Posted: Sat Mar 26, 2005 12:42 pm

It may be the same email, but the URL must be different. This one is still live at the moment although Netcraft is blocking it and it has been reported elsewhere as well.


_________________
MS MVP Security 2006-2008
quietman7

1st Responder Mentor

Posted: Sat Mar 26, 2005 12:51 pm

Yea, the one I received came from Korea. The IP in the link in this one appears to be coming from Hong Kong.

Alas, why don't they target the Russians for a change?
