CastleCops, Internet Crime Fighters

Washington Mutual scam email?

 
namrog

Cadet


Joined: Jan 05, 2005
Posts: 9
Location: USA

PostPosted: Sat Feb 19, 2005 4:47 am    Post subject: Washington Mutual scam email?

Hi All
Got an email from WaMu (NOT my bank) asking for the usual info a few minutes ago. Would it be useful to post the message, and if so, what would you like to see (headers etc)?
Thanks, Dennis

Oldfrog

Special Response Team


Joined: Jun 27, 2004
Posts: 8576
Location: Deep in the Heart of Texas
Moderators MVP Premium SRT

PostPosted: Sat Feb 19, 2005 5:02 am    Post subject:

Thanks for the offer, Dennis. By all means tell the folks here about your email. Headers are always good as well. If you don't mind, send it along to fraud@deckertechnology.net as an attachment as well. That way, we have an archived copy of it. Be assured that no emails forwarded to there will ever have any personal data revealed.

namrog

Cadet


Joined: Jan 05, 2005
Posts: 9
Location: USA

PostPosted: Sat Feb 19, 2005 5:17 am    Post subject: WAMU email scam posted

OldFrog - can you change anything that may identify me/computer? I tried but didn't seem to take.

Here is the text of the email:

We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by February 25, 2005, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.
To confirm your Online Banking records click here:
https://login.personal.wamu.com/logon/logon.asp?dd=1&Update&Your&Info

Thank you for your patience in this matter.

Washington Mutual Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

Copyright 2005, Washington Mutual, Inc. All Rights Reserved.

There were also images that would not transfer with cut/paste ~ looked like real wamu logos.

Here is the other info:

Return-path: <service@wamu.com>
Received: from ms-mta-01 (ms-mta-01-smtp [10.10.4.5])
by ms-mss-01.tampabay.rr.com
(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
with ESMTP id <0IC500J1S1B74F@ms-mss-01.tampabay.rr.com> for
XXXXXXXX@cfl.rr.com; Fri, 18 Feb 2005 21:52:22 -0500 (EST)
Received: from flmx03.mgw.rr.com (flmx03.mgw.rr.com [65.32.1.50])
by ms-mta-01.tampabay.rr.com
(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
with ESMTP id <0IC5005WV1BA8J@ms-mta-01.tampabay.rr.com> for
XXXXXXXX@cfl.rr.com (ORCPT XXXXXX@cfl.rr.com); Fri,
18 Feb 2005 21:52:22 -0500 (EST)
Received: from mail.com ([81.196.166.154])
by flmx03.mgw.rr.com (8.12.10/8.12.8) with SMTP id j1J2qC0Q020589; Fri,
18 Feb 2005 21:52:13 -0500 (EST)
Date: Sat, 19 Feb 2005 04:48:15 +0200
From: Washington Mutual Online Banking <service@wamu.com>
Subject: System maintenance, Reactivate your Washington Mutual Online Access !
Reply-to: no.reply@wamu.com
Message-id: <200502190252.j1J2qC0Q020589@flmx03.mgw.rr.com>
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Priority: 1
X-MSMail-priority: High
X-Virus-Scanned: Symantec AntiVirus Scan Engine
Original-recipient: rfc822;XXXXXX@cfl.rr.com
X-Antivirus: AVG for E-mail 7.0.300 [265.8.8]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-4216AAD65065======="

Here also is the message source info w/ some personal changed to red:

Return-path: <service@wamu.com>
Received: from ms-mta-01 (ms-mta-01-smtp [10.10.4.5])
by ms-mss-01.tampabay.rr.com
(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
with ESMTP id <0IC500J1S1B74F@ms-mss-01.tampabay.rr.com> for
someone@cfl.rr.com; Fri, 18 Feb 2005 21:52:22 -0500 (EST)
Received: from flmx03.mgw.rr.com (flmx03.mgw.rr.com [65.32.1.50])
by ms-mta-01.tampabay.rr.com
(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
with ESMTP id <0IC5005WV1BA8J@ms-mta-01.tampabay.rr.com> for
XXXXXXX@cfl.rr.com (ORCPT XXXXXXX@cfl.rr.com); Fri,
18 Feb 2005 21:52:22 -0500 (EST)
Received: from mail.com ([81.196.166.154])
by flmx03.mgw.rr.com (8.12.10/8.12.8) with SMTP id j1J2qC0Q020589; Fri,
18 Feb 2005 21:52:13 -0500 (EST)
Date: Sat, 19 Feb 2005 04:48:15 +0200
From: Washington Mutual Online Banking <service@wamu.com>
Subject: System maintenance, Reactivate your Washington Mutual Online Access !
Reply-to: no.reply@wamu.com
Message-id: <200502190252.j1J2qC0Q020589@flmx03.mgw.rr.com>
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Priority: 1
X-MSMail-priority: High
X-Virus-Scanned: Symantec AntiVirus Scan Engine
Original-recipient: rfc822;XXXXXXX@cfl.rr.com
X-Antivirus: AVG for E-mail 7.0.300 [265.8.8]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-4216AAD65065======="

--=======AVGMAIL-4216AAD65065=======
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 7bit

<html>
<p>
<A target="_blank"
href="http://login.personal.wamuecare.com/.logon/logon.asp/login.php"><IMG
src="https://login.personal.wamu.com/images/wamucom_logo.gif"

border=0></a></p>
<BR>
We recently have determined that different computers
have logged onto
your Online Banking account, and multiple
password failures
were present before the logons. We now need you to
re-confirm your
account information to us. If this is not completed
by <strong>February 25, 2005</strong>, we will be
forced to suspend your
account indefinitely, as it may have been
used for fraudulent purposes. We thank you for your
cooperation in this
manner.</font>
<p>To confirm your Online Banking records click here:
<br>
<a
href="http://login.personal.wamuecare.com/.logon/logon.asp/login.php"

onfiltered="window.status='https://login.personal.wamu.com/logon/logon.asp?dd=1';return
true;"
onfiltered="window.status=' ';return
true;">https://login.personal.wamu.com/logon/logon.asp?dd=1&Update&Your&Info</a>
<br>
<br>
<p><font size="2" face="Arial, Helvetica,
sans-serif"></font><font
color="#000000" size="2" face="Arial, Helvetica,
sans-serif"><BR>
Thank you for your patience in this matter.</font><br>
<br>
</p>
<p><font color="#000000" size="2" face="Arial,
Helvetica,
sans-serif">Washington Mutual Customer
Service</font><br>
<font color="#000000" size="2" face="Arial, Helvetica,
sans-serif"></font></p>
<p><font size="2" face="Arial, Helvetica,
sans-serif"><font
color="#999999" size="1">Please do not reply to this
e-mail
as this is only a notification. Mail sent to this
address cannot be
answered. </font></font></p>
<p><font color="#000000" size="1" face="Arial,
Helvetica,
sans-serif"><font color="black"><span style="color:
black;">Copyright 2005, Washington Mutual, Inc. All
Rights Reserved.
</font><br>
</html>
--=======AVGMAIL-4216AAD65065=======
Content-Type: text/plain; x-avg=cert; charset=Windows-1251
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "AVG certification"

No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.8 - Release Date: 2/14/2005

--=======AVGMAIL-4216AAD65065=======--

OJ_did_it

Major
Premium Member

Joined: Nov 13, 2004
Posts: 1059

Premium

PostPosted: Sat Feb 19, 2005 6:29 am    Post subject:

Take a close look at your headers...what they did was write an HTML version of an email, so that it looks like you are clicking on and going to:

https://login.personal.wamu.com/logon/logon.asp?dd=1&Update&Your&Info

However, you are being directed to:

http://login.personal.wamuecare.com/.logon/logon.asp/login.php
(68.142.234.76)

Which is a site located in California, more specifically:

OrgName: Inktomi Corporation
OrgID: INKT
Address: 4100 East Third Avenue
City: Foster City
StateProv: CA
PostalCode: 94404
Country: US

Most likely this is an attempt at FRAUD. I've already contacted the FBI about the exact same thing. However, the link that came in my email was different, and directed my browser towards Beijing, China.

OJ

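OJ's point is that the anchor text shows a wamu.com URL while the href goes to wamuecare.com. The following is an added example (not code from the thread or from CastleCops) that parses an HTML message body and flags anchors whose visible text is a URL on a different domain than the real href; the sample HTML is constructed, modelled on the anchor in the message source posted above.

```python
"""Flag anchors in an HTML e-mail whose visible text is a URL that does
not point where the href actually goes (the trick in the WaMu phish)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the anchor in the posted message source.
SAMPLE_HTML = """
<html><p>
<a href="http://login.personal.wamuecare.com/.logon/logon.asp/login.php">
https://login.personal.wamu.com/logon/logon.asp?dd=1&amp;Update&amp;Your&amp;Info</a>
<a href="https://login.personal.wamu.com/logon/logon.asp">Log on</a>
</p></html>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable domain: last two labels (enough for .com phish domains)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def find_deceptive_links(html):
    """Return anchors whose visible text is a URL on another domain than the href."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        shown = urlparse(text) if text.startswith(("http://", "https://")) else None
        actual = urlparse(href).hostname
        if shown and registrable(shown.hostname) != registrable(actual):
            hits.append({"shown": shown.hostname, "actual": actual, "href": href})
    return hits

if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_HTML):
        print(f"visible {hit['shown']} -> actually {hit['actual']}")
```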
Ikeb

Special Response Team
Forums Admin

Joined: Apr 20, 2003
Posts: 16536

Forums Admin Moderators MVP Premium SRT Team CC Committee Team F@H

PostPosted: Sat Feb 19, 2005 1:49 pm    Post subject:

Hmmm ... DNSStuff.com finds a number of IP addresses listed under the wamuecare.com domain. The domain itself has the following whois records:

Code:
Domain Name.......... wamuecare.com
Creation Date........ 2005-02-09
Registration Date.... 2005-02-09
Expiry Date.......... 2006-02-09
Organisation Name.... Joseph Usher
Organisation Address. 557 Twisting Pine Ct
Organisation Address.
Organisation Address. Longwood
Organisation Address. 32779
Organisation Address. FL
Organisation Address. UNITED STATES

Admin Name........... Joseph Usher
Admin Address........ 557 Twisting Pine Ct
Admin Address........
Admin Address........ Longwood
Admin Address........ 32779
Admin Address........ FL
Admin Address........ UNITED STATES
Admin Email.......... ********@yahoo.com
Admin Phone.......... +1.8662705118
Admin Fax............

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... ***********@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com


Looks like Joe registered this domain 10 days ago and included Yahoo as the tech contact. I'm sure they would be pleased to know that.

Oldfrog

Special Response Team


Joined: Jun 27, 2004
Posts: 8576
Location: Deep in the Heart of Texas
Moderators MVP Premium SRT

PostPosted: Sat Feb 19, 2005 2:56 pm    Post subject:

This is definitely a phish attempt.

Registered through Melbourne IT, Ltd.
Domain Name.......... wamuecare.com
Creation Date........ 2005-02-09
Registration Date.... 2005-02-09
Expiry Date.......... 2006-02-09
Organisation Name.... Joseph Usher
Organisation Address. 557 Twisting Pine Ct
Organisation Address.
Organisation Address. Longwood
Organisation Address. 32779
Organisation Address. FL
Organisation Address. UNITED STATES

The IP address that OJ reports is valid for wamuecare.com and is a yahoo account. BUT, try to do a ping on login.personal.wamuecare.com and you will see that the actual IP address is 61.107.120.3 which is in Korea.

I had no difficulty at all logging into the bogus site using my dog's name and a password caught out of the air. Sure enough, there was a page where I could record all of my personal information complete with images served directly from the real Washington Mutual site.

namrog

Cadet


Joined: Jan 05, 2005
Posts: 9
Location: USA

PostPosted: Sat Feb 19, 2005 6:37 pm    Post subject: sent to that email address

Hi All
Thanks for all the info; I sent the email as an attachment to the email provided. Hope it is of some use to one more in the know than I.

Dennis

Oldfrog

Special Response Team


Joined: Jun 27, 2004
Posts: 8576
Location: Deep in the Heart of Texas
Moderators MVP Premium SRT

PostPosted: Sat Feb 19, 2005 6:44 pm    Post subject:

Yes, namrog, that will be useful as we move toward categorizing these things. Additionally, the link used there had not previously been reported to the Netcraft database. That has now been done and the Netcraft Toolbar is blocking it.

OJ_did_it

Major
Premium Member

Joined: Nov 13, 2004
Posts: 1059

Premium

PostPosted: Sun Feb 20, 2005 6:51 am    Post subject:

What's interesting is if you go to this website:

http://login.personal.wamuecare.com

Then compare it to:

http://login.personal.wamuecare.com/.logon/logon.asp/login.php

???????????

These people seem to be sourcing/serving the images from Wamu.com.
