PhishBucket.org News

FOR RELEASE: PhishBucket Job Fraud Trends Report Released

Thu, 22 Oct 2009 07:07:51 +0000

FOR IMMEDIATE RELEASE

PhishBucket Releases Report of Job Fraud Trends Presented at APWG 2009 eCrime Researchers Summit

(Tacoma, WA - October 20) Tabatha Marshall, PhishBucket.org founder and CEO, attended the Anti-Phishing Working Group (APWG) 2009 eCrime Researchers Summit to present trends in job fraud. This report included statistical data on:

-- the correlation between job fraud, unemployment and the economic recession
-- which countries are targeted and why
-- how people are finding out about job fraud
-- which fraudulent job offers are most common
-- which people, companies and industries are affected

Topics discussed included observations about the consequences of job fraud, challenges in dealing with job fraud, the impact of job fraud and possible solutions.

Click the following link to open the report from the browser, or right-click to save a copy of the file. The file may take a few minutes to load/download. Adobe Acrobat Reader or an equivalent PDF viewer is required.

APWG-PhishBucket Job Fraud Trends-2009.pdf (file size: 2.22 MB)

For more information, contact Tabatha Marshall – tabatha / at / tabathamarshall / dot / com, with "JOB FRAUD TRENDS REPORT" in the subject line.

PhishBucket loves October and Cyber Security Awareness

Thu, 08 Oct 2009 03:55:09 +0000

Hey talk-radio fans: listen in Oct 9-11 when we talk about job scams with host Ric Bratton of This Week in America!

October is a productive month for PhishBucket and many other organizations who work hard to combat fraud. In addition to our radio spot, we've joined the National Cyber Security Alliance in supporting National Cyber Security Awareness Month, and will be speaking at the Anti-Phishing Working Group Fall 2009 General Members Meeting and eCrime Researchers Summit to talk about trends in muling and job-related fraud.

Visit StaySafeOnline.org and check out their tips for staying safe online. Listen for us this weekend when we talk to This Week in America. Check out the Anti-Phishing Working Group's Public Education Initiative. And of course, don't forget to check those suspicious job offers at PhishBucket.org!

Make this October the month you learn how to protect yourself from online fraud!

October is National Cyber Security Awareness Month

Mon, 05 Oct 2009 03:23:59 +0000

Our lives are becoming web-based.

As the Internet becomes pervasive, we are online from home, school, work, and in between on
mobile devices. Even when we are not directly connected, our economy and much of the
everyday infrastructure we rely on uses the web.

Ultimately, our cyber infrastructure is only as strong as the weakest link. No individual,
business, or government entity is solely responsible for cyber security. Everyone has a role
and everyone needs to share the responsibility to secure their part of cyber space and the
networks they use. The steps we take may differ based on what we do online and our
responsibilities. However, everyone needs to understand how their individual actions have a
collective impact on cyber security.

Visit StaySafeOnline.org to check out their top recommended cyber security practices. You don't need to be a geek! These tips can be used by anyone to stay safe.

PhishBucket Mentioned in the Chicago Tribune

Wed, 23 Sep 2009 08:24:12 +0000

Tips for avoiding online job scams

September 2, 2009

Tribune staff report

Alert: Questionable loans: Milestone Financial Service

Mon, 07 Sep 2009 02:16:09 +0000

This isn't a suspicious job offer, but we wanted to show it to you for other reasons.

Tons of people are out of work and possibly looking for ways to make ends meet financially. This might mean some will take out loans. Beware though, that you don't respond to questionable offers. We found this one, which is rampant with bad grammar. Even though the WHOIS shows the email as being sent from the UK, an American received it, and we think that's more than just a little suspicious. The sender email address was spoofed and the headers show a trail of cover ups. We don't think you should dignify offers like these with a response. If they're a real company, they'll have to learn how to do it right. If they're bogus, well then, no love lost here. :)

Message text:
From: Milestone Financial Service [info @ loan.org]
Sent: Monday, May 25, 2009 6:01 AM
To: undisclosed-recipients:
Subject: Contact Us

Dear Esteemed Customer,

   The Milestone Financial Service provides you with the tools to get the
financing you need. You've worked hard to get to where you are and
where your business is.We can help you get to where you want to go.When
the need to finance a project,pay your bills and so on,a purchase or a
position arises and conventional sources are not the answer, Milestone
Financial Service can help.We can help you turn an adverse situation
into a positive outcome.

We offer Personals Like;

1: Business Loan,
2: Personal Loan,
3: Car Loan,

4: Any other Loans and so on at a low interest rate of 3% on the amount
and period involved.If you desire Quick assistance.

Kindly send in your Application.Your privacy is assured and serious minded
applicants

will be welcomed and you have to contact the us through the below info:

milestonela.laon1 @ yahoo.co.uk

We will relish the opportunity of doing business with you and also help to
put your financial problems behind you by offering you a loan.

Yours Sincerely
Mr. Perry G. Diamond
Milestone Financial Service.
E-mail: milestonela.laon1 @ yahoo.co.uk
Tel: +44-704-574-2845

Headers:
Return-Path: <info @ loan.org>
Received: from localhost (localhost [127.0.0.1])
        by [removed] (Postfix) with ESMTP id A65141B000F
        for [removed]; Mon, 25 May 2009 11:03:02 -0700 (PDT)
X-DH-Virus-Scanned: Debian amavisd-new at [removed]
X-Spam-Score: 0.3
X-Spam-Level:
X-Spam-Status: No, score=0.3 tagged_above=-999 required=999
        tests=[SARE_WEOFFER=0.3]
Received: from mail.triton.net (mail.triton.net [209.172.0.15])
        by [removed] (Postfix) with SMTP id DA0556801C
        for [removed]; Mon, 25 May 2009 11:03:01 -0700 (PDT)
Received: (qmail 3859 invoked from network); 25 May 2009 13:00:32 -0000
Received: from localhost (HELO mail.triton.net) (127.0.0.1)
by mail.triton.net with SMTP; 25 May 2009 13:00:32 -0000
Received: (qmail 3808 invoked from network); 25 May 2009 13:00:32 -0000
Received: from pop5.triton.net (HELO webmail.triton.net) (209.172.0.35)
by mail.triton.net with SMTP; 25 May 2009 13:00:32 -0000
Received: from 62.56.132.6 (proxying for 10.250.50.142)
        (SquirrelMail authenticated user cherylbenson)
        by webmail.triton.net with HTTP;
        Mon, 25 May 2009 09:00:32 -0400 (EDT)
Message-ID: <49409.62.56.132.6.1243256432.squirrel @ webmail.triton.net>
Date: Mon, 25 May 2009 09:00:32 -0400 (EDT)
Subject: Contact Us
From: "Milestone Financial Service" <info @ loan.org>
Reply-To: milestonela.laon1 @ yahoo.co.uk
User-Agent: SquirrelMail/1.4.10a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
To: [removed]

WHOIS sender IP 62.56.132.6:
(Courtesy: http://whois.domaintools.com/62.56.132.6)
IP Location:     United Kingdom United Kingdom Il-ipplanet
Resolve Host:     62.56.132.6.satcom-systems.net
IP Address:     62.56.132.6
organisation:   ORG-IPNL1-RIPE
org-name:       Gilat Satcom
org-type:       LIR
address:        Gilat Satcom
                21 Yegia Kapayim St.
                49130 Petach-Tikva
                Israel
phone:          +972 3 9255015
fax-no:         +972 3 9217938
abuse-mailbox: abuse @ gilat.net
admin-c:        AH2932-RIPE
admin-c:        GP8505-RIPE
admin-c:        ZIV1971-RIPE
mnt-ref:        AS12491-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered
person:         Tech IP Planet
address:        21 Yegia Kapaim St. Petach-Tikva, Israel
phone:          +972 3 9255015
abuse-mailbox: abuse @ gilat.net
nic-hdl:        TECH6-RIPE
mnt-by:         AS12491-MNT
source:         RIPE # Filtered

Job scam victims--the media wants to hear from you!

Thu, 03 Sep 2009 07:13:09 +0000

Ever since we were mentioned in the NY Times, representatives from television, radio and newspapers have been contacting PhishBucket and asking if there are any job scam victims out there willing to share their experience for stories they're working on.

If you've had a run-in with a job scam and you're willing to talk to someone in the media, please leave a comment at the bottom of this article and tell us a little about what happened. You don't have to leave your full name (we prefer you don't, actually), but we do need your email address so we can contact you if someone from the media wants to reach you for their article or news piece. Don't worry--your email address will NOT be published for others to see or shared with any third party under any circumstances; we prefer to send media contact information to you as opposed to the other way around.

By leaving your comment, you'll be helping countless numbers of people from becoming victims themselves...not only do our site visitors benefit from reading your comment, but people who might not otherwise know how to spot a job scam might read about you in the paper. Just think: your stories are so important that the media reached out to us to find brave souls who aren't afraid to speak out about their experience.

If someone in the media wants to contact you, a PhishBucket representative will email you and provide the full contact information so you can contact them. If you are unable to initiate contact, we will give them your contact info, but only with your written permission, and only what you choose to divulge.

If you're thinking about it but still not sure, ask your question in a comment. We'll gladly publish the answer for all to see.

Share your phish-story ~ spare a new victim ~ enjoy a moment in the spotlight ~ pat yourself on the back!

PhishBucket top keyword searches, August 2009

Wed, 02 Sep 2009 06:28:29 +0000

The most frequently searched keywords/phrases last month:

PhishBucket top keyword searches, July 2009

Fri, 14 Aug 2009 06:39:33 +0000

The most frequently searched keywords/phrases last month:

PhishBucket Mentioned in the NY Times

Fri, 14 Aug 2009 06:11:09 +0000

Online Scammers Prey on the Jobless

With unemployment high and rising, more people are streaming onto the Web in search of jobs — but running into costly scams.

August 5, 2009

By Riva Richmond

A version of this article appeared in print on August 6, 2009, on page B6 of the New York edition.

Alert: Fake FBI Lottery

Tue, 07 Jul 2009 02:19:28 +0000

Sorry to be the bearer of bad news, but the FBI doesn't conduct lotteries to award large sums of money to average citizens, making this email extremely bogus. Fortunately they left a clue: a Seattle phone number. And look at what we found on that! http://800notes.com/Phone.aspx/1-206-973-7546

Please avoid emails like these. They state right in the message that they haven't found a way around the fact that you need to send them money in order to get the ball rolling, and that's a complete load of crap. Samuel Oliver is a fraud and we're pretty sure the same goes for Robert Mueller.

Message text:

From: Federal Bureau Of Investigation [fbi_lottery_win @ fbi.gov]
Sent: Tuesday, April 28, 2009 6:42 AM
Subject: Official Message For You.

Federal Bureau of Investigation <http://www.fbi.gov/images/1b.gif>
<http://www.fbi.gov/images/2.gif>

Anti-Terrorist And Monetory Crimes Division
FBI Headquarters In Washington, D.C.
Federal Bureau Of Investigation
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW Washington, D.C. 20535-0001
Website: www.fbi.gov
Telephone Number : (206) 973-7546

Attn: Beneficiary,

This is to Officially inform you that it has come to our notice and we have
thoroughly completed an Investigation with the help of our Intelligence
Monitoring Network System that you legally won the sum of $800,000.00 USD
from a Lottery Company outside the United States of America. During our
investigation we discovered that your e-mail won the money from an Online
Balloting System and we have authorized this winning to be paid to you via a
Certified Cashier's Check.

Normally, it will take up to 10 business days for an International Check to
be cashed by your local bank. We have successfully notified this company on
your behalf that funds are to be drawn from a registered bank within the
United States Of America so as to enable you cash the check instantly
without any delay, henceforth the stated amount of $800,000.00 USD has been
deposited with Bank Of America.

We have completed this investigation and you are hereby approved to receive
the winning prize as we have verified the entire transaction to be Safe and
100% risk free, due to the fact that the funds have been deposited at Bank
Of America you will be required to settle the following bills directly to
the Lottery Agent in-charge of this transaction whom is located in Lagos,
Nigeria. According to our discoveries, you were required to pay for the
following -

(1) Deposit Fee's ( Fee's paid by the company for the deposit into an
American Bank which is - Bank Of America )
(2) Cashier's Check Conversion Fee ( Fee for converting the Wire Transfer
payment into a Certified Cashier's Check )
(3) Shipping Fee's ( This is the charge for shipping the Cashier's Check to
your home address and this fee includes Insurance )

The total amount for everything is $200.00 (Two Hundred-US Dollars). We have
tried our possible best to indicate that this $200.00 should be deducted
from your winning prize but we found out that the funds have already been
deposited at Bank Of America and cannot be accessed by anyone apart from you
the winner, therefore you will be required to pay the required fee's to the
Agent in-charge of this transaction via Western Union Money Transfer Or
Money Gram.

In order to proceed with this transaction, you will be required to contact
the agent in-charge ( Mr. Samuel Oliver) via e-mail. Kindly look below to
find appropriate contact information:

CONTACT AGENT NAME: MR. Samuel Oliver

E-MAIL ADDRESS: samuel.oliver142 @ gmail.com
<http :// us.mc384.mail.yahoo.com/mc/compose?to= samuel.oliver156 @ gmail.com>

You will be required to e-mail him with the following information:

FULL NAME:
ADDRESS:
CITY:
STATE:
ZIP CODE:
DIRECT CONTACT NUMBER:

You will also be required to request Western Union or Money Gram details on
how to send the required $200.00 in order to immediately ship your prize of
$800,000.00 USD via Certified Cashier's Check drawn from Bank Of America,
also include the following transaction code in order for him to immediately
identify this transaction : EA2948-910.

This letter will serve as proof that the Federal Bureau Of Investigation is
authorizing you to pay the required $200.00 ONLY to Benson Edward via
information in which he shall send to you, if you do not receive your
winning prize of $800,000.00 we shall be held responsible for the loss and
this shall invite a penalty of $3,000 which will be made PAYABLE ONLY to you
(The Winner).

Mr. Robert Mueller
Special Agent.
Washington DC FBI.
Room, 7367
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW
Washington, D.C. 20535-0001

Please find below an authorized signature which has been signed by the FBI
Director- Robert Mueller, also below is the FBI NSB (National Security
Branch Seal)

NSB Seal<http://www.fbi.gov/hq/nsb/images/nsb_logo_med.jpg>

<http :// www .thehomebuyersrep.com/images/Signature%205.gif>

Authorized Signature

NSB SEAL ABOVE

NOTE: In order to ensure your check gets delivered to you ASAP, you are
advised to immediately contact Mr. Samuel Oliver via contact information
provided above and make the required payment of $200.00 to information in
which he shall provide to you

PhishBucket top keyword searches, June 2009

Mon, 06 Jul 2009 04:35:36 +0000

The most frequently searched keywords/phrases last month:

Alert: Spoof of U.S. Treasury Department

Mon, 06 Jul 2009 04:25:43 +0000

This message claims that recipients are getting this letter because of new measures being implemented by the US Treasury Department. Yet it originates from Poland!

Fortunately the Web site has already been shut down. But if you see this wording again you can bet there's something phishy going on.

Message text:
*Important:*

You're getting this letter in connection with new directions issued by
U.S. Treasury Department. The directions concern U.S. Federal Wire
online payments.

A country-wide phishing attack began on April 21, 2009. It's taking
place hitherto. Therefore a great number of banks and credit unions is
affected by this attack and quantity of illegal wire transfers has
reached an extremely high level.

U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance
Corporation (FDIC) in common worked out a complex of immediate actions
for the highest possible reduction of fraudulent operations. We regret
to inform you that definite restrictions will be applied to all Federal
Wire transfers from April 29 till May 8.

Here you can get more detailed information regarding the affected banks
and U.S. Treasury Department restrictions:

http :// treasurydept.direct-ebank.us/32268/CM/wire/issue-127532/
<http :// treasurydept.direct-ebank.us/31970/CM/wire/issue-127333/>

*Federal Reserve Bank System Administration*

Headers:
Return-Path: <chris_odonnell @ uml.edu>
X-REPLACEME: No
Received: from 94-40-89-194.idk.net.pl (94-40-89-194.idk.net.pl
[94.40.89.194]) by [removed] (Postfix) with ESMTP id 017572FEF for
[removed]; Wed, 29 Apr 2009 01:40:23 +0300 (EEST)
Received: from [94.40.89.194] by emailgw2.uml.edu; Tue, 28 Apr 2009
23:42:36 +0100
Date: Tue, 28 Apr 2009 23:42:36 +0100
From: ADMINISTRATION <security @ banking.va.us>
X-Mailer: The Bat! (v3.62.14) Educational
Reply-To: chris_odonnell @ uml.edu
X-Priority: 3 (Normal)
Message-ID: <765534636.39422059108355 @ uml.edu>
To: [removed]
Subject: Read carefully - Important Customer Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------4016E92584258B6E"

WHOIS direct-ebank.us
(Courtesy: http://whois.domaintools.com/direct-ebank.us):
Domain Status:     Deleted And Available Again

WHOIS sender IP 94.40.89.194
(Courtesy: http://whois.domaintools.com/94.40.89.194):
IP Location:     Poland Poland Warsaw Agnes P.jedrzejek
Resolve Host:     94-40-89-194.idk.net.pl
IP Address:     94.40.89.194
descr:          Agnes P.Jedrzejek
country:        PL
admin-c:        PJ344-RIPE
tech-c:         BS4075-RIPE
status:         ASSIGNED PA
mnt-by:         TKTELEKOM-MNT
mnt-lower:      TKTELEKOM-MNT
mnt-routes:     TKTELEKOM-MNT
source:         RIPE # Filtered
person:         Pawel Jedrzejek
address:        74-100 Gryfino, PL
e-mail:         pawel @ idk.net.pl
e-mail:         info @ idk.net.pl
phone:          +48 914168198
phone:          +48 609838516
mnt-by:         TKTELEKOM-MNT
nic-hdl:        PJ344-RIPE
source:         RIPE # Filtered
person:         Bartek Swedrowski
address:        74-100 Gryfino, PL
e-mail:         bartek @ idk.net.p
e-mail:         admin @ idk.net.pl
phone:          +48 914168198
mnt-by:         TKTELEKOM-MNT
nic-hdl:        BS4075-RIPE
source:         RIPE # Filtered

CONSUMER ALERT from WA State Attorney General's Office

Wed, 01 Jul 2009 06:30:44 +0000

JOINT CONSUMER ALERT:

Office of Washington Attorney General Rob McKenna
Office of Secretary of State Sam Reed

Better Business Bureau serving Alaska, Oregon and Western Washington

FOR IMMEDIATE RELEASE

June 29, 2009

CONSUMER ALERT: Pierce County businesses claiming to help homeless aren’t charities

TACOMA – The telemarketers’ pitch seems innocent enough: They want you to buy trash bags, light bulbs or gift cards at jacked-up prices. They claim your cash will help the homeless or support employment for those with disabilities. But state officials and consumer advocates are warning residents not to be misled by these sales calls.

State records show Jobs for the Homeless and American Homeless and Disadvantage Workers (sic), both located in Pierce County, aren’t properly registered as charities. That means they can’t suggest that money they collect from the sales of their products will be used for any benevolent purpose.

Jobs for the Homeless is a sole proprietorship run by David B. Archibald and lists a mailing address in Tacoma and a physical location Fife. Complaints filed with the Attorney General’s Office and the Better Business Bureau serving Alaska, Oregon and Western Washington suggest that consumers who agreed to give “donations” to the business in exchange for gift cards were mailed invoices stating they owed more money. In some cases, consumers said they never received the products they paid for.

American Homeless and Disadvantage Workers (sic), operated by Biancco M. Gardner, uses the same Tacoma mailing address and operates a similar business. Gardner told the Secretary of State’s Office he plans to register as a charity.

TIPS AND RESOURCES

1. Check out charities before you give.

o       Secretary of State’s Office: Confirm a charity is registered and review its financial records atwww.secstate.wa.gov/charities or call toll-free 1-800-332-4483. The office also publishes an annual report showing how much money commercial fundraisers give to their charitable clients and how much they keep.

o       Better Business Bureau Wise Giving Alliance: www.give.org

o       American Institute of Philanthropy: www.charitywatch.org

o       GuideStar: www.guidestar.org

o       Charity Navigator: www.charitynavigator.org

o       AARP Fraud Fighter Call Center: 1-800-646-2283. Receive free information about giving wisely.

o       Attorney General’s Office: If you believe you are a victim of charity fraud, please contact the Attorney General’s Consumer Resource Center between 10 a.m. and 3 p.m. weekdays at 1-800-551-4636 or file a complaint online.

2. Give to familiar organizations and those you trust.

3. Ask exactly how your money will be used.

4. Pay by check and protect your personal information.

5. Maintain records of your contributions. If a donation is “tax deductible,” you can deduct your contribution on your federal income tax return. Tax exempt simply means the organization doesn’t have to pay taxes.

6. Remove your name from mailing lists and telemarketing lists. Contact the Direct Marketing Association’s opt-out service at www.dmachoice.org. Register for the national Do Not Call list atwww.donotcall.gov or 1-888-382-1222. Individuals with dementia or other cognitive impairments may be particularly vulnerable to solicitations, so caretakers should remove them from these lists.

- 30 –

Media Contacts: Kristin Alexander, AGO, (206) 464-6432, kalexander@atg.wa.gov

Niki Horace, BBB, (206) 431-2217 ext. 187, niki.horace@thebbb.org

Christina Siderius, Secretary of State’s Office, (360) 902-4176, csiderius@secstate.wa.gov

You can also follow us on Twitter, YouTube, Facebook and the All Consuming blog!

PhishBucket top keyword searches, May 2009

Fri, 05 Jun 2009 06:54:32 +0000

The most frequently searched keywords/phrases last month:

PhishBucket Mentioned on NetworkWorld.com

Sun, 31 May 2009 22:02:48 +0000

Phishing using scary bait

University professor sees a phish about his own job.

Security Strategies Alert By M. E. Kabay

Network World, 05/22/2009

User login issues fixed

Tue, 19 May 2009 00:19:01 +0000

We're not going to go into great detail about what was wrong (to thwart scammers) but we were experiencing some login issues on the site. These issues are now resolved. If you were experiencing any trouble logging in, give it another try and let us know if you're still having problems.

Thanks,

PhishBucket Admin

PhishBucket top keyword searches, April 2009

Mon, 18 May 2009 03:28:34 +0000

The most frequently searched keywords/phrases last month:

Alert: CareerBuilder for Employers Spoof

Mon, 18 May 2009 00:59:56 +0000

We're confident CareerBuilder has already found this since we couldn't get to the page they tried to direct job seekers to, but here's the bogus email for posterity:

Message text:
CareerBuilder for Employers March 22, 2009 alert:

We have made modifications to your start Page, and preliminary testing with all
versions of Windows Explorer and Mozilla's release.
Easiest thing you can do to check your browser problem is clicking on the page below.

Proceed to view details:

http : // careerbuilder.employers.based.articles-73961yzv3.arekeninginfo.server5644.com/

home.htm?/emberUIWeb/updateprofile=g8m52xmvrxuvrpa

Sincerely, Keisha Reeves.
2009 CareerBuilder. Customer Service Department.

Headers:
Received: from email.cgraphics.com ([172.16.32.2]) by EXCHANGE.cgraphics.com with
Microsoft SMTPSVC(6.0.3790.3959);
         Tue, 24 Mar 2009 06:10:14 -0400
Received-SPF: fail (cltfire01b.cgraphics.com: domain of eoni.com does not designate
80.25.185.249 as permitted sender) client-ip=80.25.185.249;
envelope-from=akstceonimnsdgs @ eoni.com;
helo=249.Red-80-25-185.staticIP.rima-tde.net;
Received: from 249.red-80-25-185.staticip.rima-tde.net ([80.25.185.249])
        by cltfire01b.cgraphics.com with esmtp (Exim 4.43)
        id 1Lm3aH-00009A-Lr
        for [removed]; Tue, 24 Mar 2009 05:10:14 -0500
Received: from [80.25.185.249] by relay3.eoni.com; Tue, 24 Mar 2009 11:10:12 +0100
Message-ID: <01c9[removed]1950 @ akstceonimnsdgs>
From: "Employer Support" <support70 @ careerbuilder.com>
To: [removed]
Subject: CareerBuilder for Employers - you will still able to monitor account activity
Date: Tue, 24 Mar 2009 11:10:12 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
X-Spam-Score: 0.0 (/)
X-Spam-Report:         pts rule name              description
        ---- ---------------------- --------------------------------------------------
         0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                                    [score: 0.5108]
Return-Path: akstceonimnsdgs @ eoni.com
X-OriginalArrivalTime: 24 Mar 2009 10:10:14.0919 (UTC) FILETIME=[B9B80170:01C9AC68]

Alert: Western Union Promo Card Account

Sun, 17 May 2009 22:11:26 +0000

This isn't a job offer, but it's one we think Western Union might want to look into, and we report a lot of money transfer/mule scams and reshipping scams that abuse their services. So we hope they're reading.

This offer is for a Western Union promo card account. The first thing you need to know is they sent this offer to a COMPLETE AND UTTER STRANGER. This is most definitely NOT normal and warrants total suspicion. We sincerely hope they are caught, charged, prosecuted and sentenced accordingly.

Message text:
From: RAJOY DANIEL [rajjjodaniel @ gmail.com]
Sent: Saturday, March 21, 2009 8:08 AM
To: undisclosed-recipients
Subject: [Potential SPAM] NEW WESTERN UNION PROMO CARD ACCOUNT

I am just dropping by on this kinkos store to email you and let you know
that I have just sent the payment via Western Union in your name as I do
not have your account details correctly. I also want you to have the
payment information below:

Sender Name:Rajoy Daniel
Sender Address:Avd.Rebulico 200,Barcelona,Spain
Money Transfer Control Number (MTCN): 947-281-5084
Amount Sent: $187,000 USD

You can go to any Western Union location right now and pick up the cash
quick. I hope that you have a Western Union card / Promo code? You will
need this to send or claim amount above $12,000 USD from any Western
Union agent location.

My company will be sending my team to Chile this week. I am already on
my way to join my team in completing the unfinished bridge construction
project in Chile. We may leave town tomorrow and I couldn't go without
dropping the payment information with you. We may spend 2 to 3 months
there before the job would be completely finished. Remember that if you
do not claim the money before 9 days, they will call back the money to
my card. And if you do not have the Western Union Promo/Card, you cannot
pick up the cash.

I may not be around to reply any of your emails now, but I will talk to
you as soon as I return. If you do not have a Western Union Promo Code,
you may contact the western union agent details below so that they will
provide a Western Union card/Promo Card for you immediately and also
send you a copy of the voucher of the payment that I made, via email.
Contact the office below for your Western Union card:

Contact Person: Mr Pedro Hermanos
Email: westernpromcode @ ozu.es
Phone Number:+34-634-161-088
Send the below details to him
Your Full Name:
MTCN number: (as above)
Telephone:
Address: (including state and zip code)

As soon as the office gets the above information, they will use the
credentials to create your Western Union Promo code right away without
any delay.That is all to it. I hope to talk to you as soon as we are
back on the errand or call it project.

Payment From,
Rajoy Daniel
rajjjodaniel @ gmail.com

Headers:
None reported.

770 AM "The Truth" will set you free!

Sat, 11 Apr 2009 00:25:31 +0000

We want to thank David Boze from 770 KTTH "The Truth" for allowing us to tell his listeners about online job scams today. If you came here after hearing us on the radio, please head on over to our FAQ to learn more about the types of job scams we track, what clues to look for, and what to do if you've been scammed. Once you're done there, visit us regularly to research or report suspicious offers. Knowledge is power!

Thanks, David!

PhishBucket top keyword searches, March 2009

Sat, 04 Apr 2009 03:50:36 +0000

The most frequently searched keywords/phrases last month:

Desperate times...

Wed, 01 Apr 2009 06:20:32 +0000

We heard something today that broke our collective hearts. If you're looking for work, please don't let this happen to you.

We warned you the unemployment situation was going to get scary. People are desperate for work, but corporate America is quickly shrinking. Perhaps the growth in the government will create some public service jobs, but it's not for everybody. Maybe you're on unemployment. So if you were used to earning more than, oh--say $15-20 per hour or more, then you're probably in a lot of financial pain because of the cap on the weekly amount. Last we saw, if you didn't have taxes deducted (thanks a lot, "benefit"), it was somewhere around $500 per week. Or maybe your benefits ran out because you've maxed out and now you've had to go on welfare. Depending on your marital situation and number of kids, it can go from barely able to survive to living in the car. It's no wonder the cupboards are bare, the car got repo'd and the house is in jeopardy (or foreclosure is already a four-letter word).

It's so bad that a guy in Ellensburg, WA stopped by the neighborhood gas station with his little daughter, pumped some gas, got a coffee and some goodies for her, and proceeded to whip out a gun and demand that the store clerk put it through or he was going to...throw hot coffee in his face.

You thought we were going to say SHOOT, didn't you? Well, he did say if the guy called the cops he'd come back and kill him, but he never did threaten to SHOOT him.

We hope it didn't escape you that he brandished that gun and waved it around with his LITTLE DAUGHTER at his side. He finally put it in his pocket, but not before she caught sight of it. Surveillance video showed a visibly wide-eyed little girl standing an arm's length from her crazy father's trigger finger while he tried to rob the place.

Why? Because he was out of work! Granted, it was a stupid thing to do, with or without his daughter. But that's what the stress of unemployment is doing to some people. Again, please don't let this be you.

Full story, pictures and video here: http://www.q13fox.com/pages/news_story_landing_page/?Man-Brings-Young-Daughter-To-Armed-Robbe=1&blockID=254266&feedID=144

Alert: Western Union Account Verification Spoof

Mon, 16 Mar 2009 04:45:48 +0000

Someone sent out this spam spoofing Western Union in the hopes of obtaining user account information. Since this happened over a month ago we're pretty sure Western Union already knows about it, but we wanted to report it here as well. As shown in the message below, they want to get visitors to click on a link that goes to IP 203.129.241.52, which is located in India (see WHOIS info). And look in the headers at how the message recipient's spam filter went CRAZY!

Western Union is mentioned in the vast majority of the money transfer/mule offers we track here and we want you to know, if you don't already, that they would never send out a message like this. If you get one of these, we recommend you visit the Western Union Web site and report it to their fraud or security department. You can also add your report to this article by posting a comment below.

Message text:
Dear westernunion customer,

During our regularly scheduled account maintenance and verification
procedures, we have detected a slight error in your account information.

This might be due to either of the following reasons:

1. A recent change in your personal information ( i.e. change of address).
2. Submitting invalid information during the initial sign up process.

Please update and verify your information by clicking the link below:

https :// wumt .westernunion.com/asp/regLogin.asp/
<http :// 203.129.241.52/icons/small/regLogin.asp/index.htm>.

For help please contact Western Union Customer Service immediately by

email at customerservice @ westernunion.com
<mailto:customerservice @ westernunion.com> or call us at 1-877-989-3268 .

Headers:
Return-Path: <westernunionresponse @ westernunion.com>
X-REPLACEME: none [removed] DNSWLId 9825
Received: from [removed] by
100777.com (Postfix) with ESMTPS id 16601BBC for [removed]; Sun,
8 Feb 2009 16:52:33 +0200 (EET)
Received: from [removed] by
[removed] with ESMTP id n18Es7S0023436 for
[removed]; Sun, 8 Feb 2009 16:54:08 +0200 (EET)
Received: from bmc2850.BeMyCIO.com (mail.iatgroup.com [64.122.92.178])
by [removed] with ESMTP id n18Es54D013852 for
[removed]; Sun, 8 Feb 2009 16:54:07 +0200 (EET)
Received: from User ([24.214.177.110] RDNS failed) by
bmc2850.BeMyCIO.com with Microsoft SMTPSVC(6.0.3790.3959); Sun, 8 Feb
2009 08:53:58 -0600
From: westernunionresponse @ westernunion.com
Subject: Your account has been deleted !!!
Date: Sun, 8 Feb 2009 09:03:20 -0600
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <BMC2850AjUU49dmmzsi000027eb @ bmc2850.BeMyCIO.com>
X-OriginalArrivalTime: 08 Feb 2009 14:53:58.0838 (UTC)
FILETIME=[1296E560:01C989FD]
X-Spam-Flag: YES
X-Spam-Status: Yes, score=16.1 required=5.0 tests=FORGED_MUA_OUTLOOK,
FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,HTML_IMAGE_ONLY_20,HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG,HTML_TAG_BALANCE_BODY,HTTPS_IP_MISMATCH,MIME_HTML_ONLY,
MISSING_HEADERS,NORMAL_HTTP_TO_IP,URIBL_PH_SURBL autolearn=disabled
version=3.2.5
X-Spam-Report: * 1.6 MISSING_HEADERS Missing To: header * 0.0
NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL * 0.8
HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags * 1.8
HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words *
2.9 HTTPS_IP_MISMATCH BODY: IP to HTTPS link found in HTML * 0.0
HTML_MESSAGE BODY: HTML included in message * 1.7 MIME_HTML_ONLY BODY:
Message only has text/html MIME parts * 2.0 URIBL_PH_SURBL Contains an
URL listed in the PH SURBL blocklist * [URIs: 203.129.241.52] * 1.1
HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag * 0.0
FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format * 0.0
FORGED_OUTLOOK_HTML Outlook can't send HTML message only * 4.2
FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
X-Spam-Level: ****************
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on leimasin.iki.fi
To: undisclosed-recipients:;

Alert: Spoof of US Treasury/Federal Reserve Bank

Sat, 14 Mar 2009 07:46:07 +0000

This is NOT a mesage from the US Treasury/Federal Reserve Bank. The Web link in the body of the message is onwed by an individual in Russia. The sender's IP looks like it's in Spain. We're guessing that clicking that link will result in the installation of malware or spyware. Maybe it installs a keylogger that captures everything you type in the hopes of getting your personal information. This is a fraudulent message and should be avoided.

Message text:
FEDERAL RESERVE BANK

Important:
You're getting this letter in connection with new directions issued by
U.S. Treasury Department. The directions concern U.S. Federal Wire
online payments.

On January 21, 2009 a large-scaled phishing attack started and has been
still lasting. A great number of banks and credit unions is affected by
this attack and quantity of illegal wire transfers has reached an
extremely high level.

U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance
Corporation (FDIC) in common worked out a complex of immediate actions
for the highest possible reduction of fraudulent operations. We regret
to inform you that definite restrictions will be applied to all Federal
Wire transfers from January 28 till February 9.

Here you can get more detailed information regarding the affected banks
and U.S. Treasury Department restrictions:

http :// fedwire.1federalreservesystem.net/375989213/wire/

Federal Reserve Bank System Administration

Headers:
Received: via [removed] for [removed]; Sat, 31 Jan 2009
00:01:51 +0200 (EET)
Received: from 70.Red-80-24-141.staticIP.rima-tde.net
(70.Red-80-24-141.staticIP.rima-tde.net [80.24.141.70]) by
emh07.mail.saunalahti.fi (Postfix) with ESMTP id 72A781C6382 for
[removed]; Sat, 31 Jan 2009 00:01:50 +0200 (EET)
Received: from [80.24.141.70] by iris3.directnic.com; Fri, 30 Jan 2009
23:01:31 +0100
Date: Fri, 30 Jan 2009 23:01:31 +0100
From: "Анас Фарваз" <dwtakomaunitedm @ takomaunited.net>
X-Mailer: The Bat! (v2.04.7) Business
Reply-To: dwtakomaunitedm @ takomaunited.net
X-Priority: 3 (Normal)
Message-ID: <157477005.15271379165846 @ takomaunited.net>
To: [removed]
Subject: Read Carefully: Important Information!
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

WHOIS 1federalreservesystem.net:
(Courtesy: http://whois.domaintools.com/1federalreservesystem.net)
Domain Status:     Registered And No Website
DNS:
        ns1.1federalreservesystem.net
        ns2.1federalreservesystem.net
Created: 2009-01-21 18:04:36
Expires: 2010-01-21 18:04:36
Last Modified: 2009-01-21 18:03:31

Registrant Contact:
        Pavel Maryevich
        Pavel Maryevich (pasha @ ipanda.info)
        Podolskih Kursantov str. d.12 kv.316
        Moscow, Moscow, ru 117545
        P: +7.4957239069         F: +0.0
Registrant Search:     "Pavel Maryevich" owns about 9 other domains
(See: http://www.domaintools.com/registrant-search/?and[]=Pavel&and[]=Maryevich)

PhishBucket top keyword searches, February 2009

Sun, 08 Mar 2009 00:23:03 +0000

The most frequently searched keywords/phrases last month:

Alert: CareerBuilder User Login Page Update Spoof

Wed, 04 Mar 2009 05:33:37 +0000

This one comes to us courtesy of SpamCop.net. Obviously CareerBuilder would never send a message like this.

Message text:
CareerBuilder Web Update Service:

We have made modifications to our User Login Page, and preliminary testing with all versions of Windows Explorer and Mozilla's release.

We've created a web service to rebuild users databases that cannot be upgraded Automatically due to the server storage bugs discussed above.

Attention: Please visit browser update page, a window will appear where you'll find the new buttons:

Proceed to Update Page>>

Sincerely, Lorene Hamm.
2009 CareerBuilder Customer Service Department.

Headers:
Return-Path: <ijkfjn @ bolesch.com>
Delivered-To: x
Received: (qmail 18361 invoked from network); 24 Jan 2009 02:50:43 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8
X-Spam-Level: *****
X-Spam-Status: hits=5.5 tests=HTML_MESSAGE,RDNS_NONE,URIBL_BLACK,
URIBL_JP_SURBL version=3.2.4
Received: from unknown (192.168.1.108)
by filter8.cesmail.net with QMQP; 24 Jan 2009 02:50:43 -0000
Received: from unknown (HELO ?212.200.65.19?) (212.200.65.19)
by mx71.cesmail.net with SMTP; 24 Jan 2009 02:50:41 -0000
Received: from [212.200.65.19] by mx6.ewz.at; Sat, 24 Jan 2009 03:50:37 +0100
Message-ID: <01c9__________________c8d4 @ ijkfjn>
From: "CareerBuilder Employers Alert" <news @ careerbuilder.com>
To: <x>
Subject: My CareerBuilder - assigns to each customer an unique subdomain
Date: Sat, 24 Jan 2009 03:50:37 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C97DD6.EAA62480"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=5

More info:
User-targeted report, see notes, if any.
http://www.spamcop.net/w3m?i=z3811016736zc8389079b4404b24f75c1c92e42c8e91z

Alert: CareerBuilder and Setup Wizard for Windows Live

Sat, 21 Feb 2009 09:31:44 +0000

This little message looks like it encourages users to run a file attachment, and this probably installs some kind of malware on the user's computer. We're thinking a keylogger (a program that records user keystrokes as they're typed). The spam filter of this email recipient seemed to find issue with the headers. PhishBucket and CareerBuilder know one another pretty well and we're confident they aren't asking people to install anything attached in an email. We are also pretty sure they're already on top of this "alert" but hope the information helps track down the sender's origins.

Message text:
CareerBuilder ALERT SYSTEM UPDATE:

CareerBuilder offers the ability to sign in using
Microsoft Windows Live ID Certification service, which
provides security authentication for online sign in.
Please proceed to the Setup Wizard and install this
addon before January 17/2009

Setup Wizard review>>

Sincerely, Nola Funk. Customer Service Department.
2008 CareerBuilder.com All Rights Reserved.

Headers:
Received: (qmail 23857 invoked from network); 15 Jan
2009 16:44:49 -0600
Received: from 57.red-83-61-92.dynamicip.rima-tde.net
(83.61.92.57)
   by [removed] with SMTP; 15 Jan 2009 16:44:48
-0600
Received: from [83.61.92.57] by smtp.sentex.ca; Thu, 15
Jan 2009 23:08:11 +0100
From: "CareerBuilder Employers Security"
<info @ CareerBuilder.com>
To: [removed]
Subject: How does CareerBuilder protect my privacy and
personal information?
Date: Thu, 15 Jan 2009 23:08:11 +0100
Message-ID: <01c97766$22bdbf80$395c3d53 @ vocrcyka>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416
(9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Importance: Normal
X-Spam-Checker-Version: SpamAssassin 3.0.6 (2005-12-07)
on [removed]
X-Spam-Level: ******
X-Spam-Status: No, score=6.1 required=7.0
tests=BAYES_50,FORGED_MUA_OIMO,
        HELO_DYNAMIC_SPLIT_IP,HTML_50_60,HTML_MESSAGE,HTML_TITLE_EMPTY,
        RCVD_IN_SORBS_DUL autolearn=no version=3.0.6

Alert: FBI Seattle Division, DHS & Central Bank of Nigeria

Thu, 19 Feb 2009 04:59:33 +0000

Here's another scammer attempting to pose as an FBI agent in the Seattle Division. "She" also claims to be working in conjunction with the Department of Homeland Security and wants you to contact some stranger with a suspicious email address.

We're quite sure the FBI and DHS are all over this. Please don't respond to emails worded like this one - they're ALL fraudulent.

Message text:
Federal Bureau of Investigation
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW
Washington, D.C. 20535-0001

Date: February 18, 2009

FBI - FUND APPROVAL NOTICE:

The Federal Bureau of Investigation (FBI) has discovered through our intelligence Monitoring Network that you are eligible to receive the sum of $7.5Million USD your impending funds, which was intercepted,has not been released to you by the Federal Ministry of financial.

Therefore, the FBI Seattle Division in conjunction with the United States Department of Homeland Security (DHS), Has screened through our various Monitoring Networks and has been confirmed and notified that the transaction you have with Central Bank of Nigeria is Legal and you have theLawful Right to claim your due fund.

Please contact the Head of Operations Dr. James Awotide,Central Bank of Nigeria.

Dr. James Awotide
e-Mail: centralbank @ telepolis.com

Please, be advised and be aware that your funds had been insured and the necessary charges would be taken care of by you, as confirmed by the Monitoring network.

Sincerely,

Laura M. Laughlin (Special Agent-in-Charge)

Headers:
Return-Path: <helpdesk @ fbi.gov>
X-DH-Virus-Scanned: Debian amavisd-new
X-Spam-Score: 1.667
X-Spam-Level: *
X-Spam-Status: No, score=1.667 tagged_above=-999 required=999
    tests=[SARE_FRAUD_X3=1.667]
Received: from server.gamli.net (unknown [212.150.123.80])
    by [removed] (Postfix) with ESMTP id 5A2AF17D00B
    for [removed]; Wed, 18 Feb 2009 20:16:19 -0800 (PST)
Received: from static-66-15-119-165.bdsl.verizon.net ([66.15.119.165] helo=User)
    by server.gamli.net with esmtpa (Exim 4.67)
    (envelope-from <helpdesk @ fbi.gov>)
    id 1La0lj-0007en-HS; Thu, 19 Feb 2009 06:44:16 +0200
Reply-To: <centralbank @ telepolis.com>
From: "Federal Bureau of Investigation" <helpdesk @ fbi.gov>
Subject: FBI - FUND APPROVAL NOTICE
Date: Wed, 18 Feb 2009 20:09:14 -0800
MIME-Version: 1.0
Content-Type: text/plain;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20090219041619.5A2AF17D00B @ enforcer.dreamhost.com>
To: [removed]

WHOIS IP 212.150.123.80: http://whois.domaintools.com/212.150.123.80 (Israel)
WHOIS IP 66.15.119.165: http://whois.domaintools.com/66.15.119.165 (US)

PhishBucket top keyword searches, January 2009

Wed, 04 Feb 2009 08:51:44 +0000

The most frequently searched keywords/phrases last month:

Phish Flash

Wed, 04 Feb 2009 08:24:34 +0000

We haven't posted much news lately because we're trying to keep up with all the job phish you've been reporting. Keep it up! Unemployment rates are climbing and lay-offs are happening everywhere in droves. There has been such a flood of new unemployment claims being filed that many of you might be very vulnerable to a well-worded offer.

Job phishers are pounding job seekers with more bogus offers than ever. Between January 12 and February 3 we received 238 emails from you reporting suspicious job offers (we estimate that about a third of them are duplicates). That's in three weeks, folks.

While we catch up on our mail, we'd like to leave you with some of the news items we've found on the Web that talk about job scams and phishing, and provide more information to help you stay safe while you look for work. We especially like the last link, which discusses Act 1273, new consequences for computer-related crimes and the abuse of information and data. If you accept one of the blatantly bogus jobs we report on, some of these consequences could apply to you too.

BBC NEWS | Business | Davos 2009 | Cybercrime threat rising sharply
Source: BBC News

How to Foil "Phishing" Scams
Source: Scientific American

FBI warns of money mule scams
Source: ITworld

Data Privacy Day occurs during streak of breaches
Source: WA State Office of the Attorney General

INTERNET LAW - Offenses related to Computer Crimes and the Protection of Information and Data
Source: Internet Business Law Services

January 28, 2009 is Data Privacy Day

Wed, 28 Jan 2009 08:29:52 +0000

Even if you aren't in Washington State, please join us in recognizing January 28, 2009, which has been declared Data Privacy Day by Governor Christine Gregoire.

Since December 2006, PhishBucket has been educating job seekers about suspicious and fraudulent employment offers, and works vigilantly with a variety of like-minded organizations, including law enforcement, to help raise awareness about this growing problem and thereby reduce the number of victims who fall prey to job scams.

Millions of job seekers have now been unemployed for more than a year. Many have had to suffer reduced hours, lay-offs or go from full time to part time or even to contract work to make ends meet. Last year saw record gas and oil prices, a housing crash, and a stock market crash. People who just recently became unemployed have good reason to fear, when so many more have been jobless for much longer.

In the United States, the federal government recognizes the fact that unemployment rates continue to increase, and our new administration plans to address this by extending unemployment benefits, lowering taxes on unemployment and encouraging candidates to apply to civil service jobs. While this may alleviate some pain, it won't address the safety of your identity, so for us it means that PhishBucket must continue by working harder than ever to keep you abreast of suspicious offers.

Here's the thing: scammers read newspapers, watch TV and surf the 'net. They know that students fresh out of college or university, stay-at-home moms, the recently laid off and those who have retired (or are about to) make the most attractive targets. You're the ones keeping your resumes up-to-date, registering on job boards, responding to online classified ads, and you're making sure you're accessible. In other words, you're a VERY easy mark.

There's a wealth of information here at PhishBucket and around the Web. While we may only list a few links and don't mean to exclude anyone, we know these will lead you to information that will help protect you. If you'd like to recommend a site or want to see your own cause listed here, please leave your comment below!

Observe Data Privacy Day with us on January 28, 2009 by thinking about how you communicate with strangers online, even if they might be potential employers. Think about how you spend your money, how you use your computers and mobile phones, even how you dispose of your sensitive documents and data. Develop a few new, SIMPLE habits and they might save you from financial theft, identity theft and even prison!

Data Privacy Day, January 28, 2009 (Intel)
The Two Things Job Phishers Want From You (PhishBucket)
How to Use a Job Board Without Getting Burned (PhishBucket)
StaySafeOnline.org (National Cyber Security Alliance)
Consumer Advice on Phishing (Anti-Phishing Working Group)
File a Complaint (PhishBucket Web Links)

Report a Suspicious Job Offer (PhishBucket)
CareerBuilder.com Trust & Site Security (CareerBuilder)
Monster.com Security Center (Monster)

Alert: US Embassy Spoof

Wed, 28 Jan 2009 02:01:39 +0000

Unfortunately, we don't have headers. We've included images of this email, because it's like an online version of a ransom note. Notice there are areas filled in with different fonts and colors. The spelling and grammar make it even more obviously illegitimate.

If anyone else has received this message and has headers, please post them in a comment below the article. We're pretty sure the Feds will be interested in this.

Message text:

From: adamsjohn444 @ centrum.cz
Sent: Tuesday, January 06, 2009 5:59 PM
To: unlisted-recipients
Subject: CONTACT USA EMBASSY

U.S. Department of State

Bureau of Consular Affairs
Washington , DC 20520

Greeting from USA Embassy,
THIS MAIL IS ONLY FOR THE OWNER OF THIS E-MAIL ADDRESS

ATTENTION;

This is to notify you that your consignment has been in our custody waiting for your comply before the delivery will be effected to your delivery address. We have been waiting for you to contact us regarding your consignment box which Courier Company suppose to deliver to you which was on hold by US Department of State Bureau and requesting for clearance certificate which will be obtain from the origination of the consignment box before it will be released. As a result of you not comply within duration given by Benin Government that is the reason the consignment box was diverted to treasury.

All the walfare of United States Citizen is my consine. Am here to take the protocol of all our citizens to not be cheated by Africans.

After the meeting held by our board of director which was concluded that the delivery of your consignment to your address must be complete within three working days upon your comply to our requirement which is by sending the sum of $75.000 dollars to enable us obtain the needed certificate and effect with the delivery of your consignment immediately.

Note that your consignment box has been arrived in US embassy and waiting to receive clearance certificate before the gate pass is given. Mean while you are advice to reconfirm the below information upon contacting us to avoid delivery to wrong person.

1, Your full name
2, Your home address
3, Your occupation
4, Direct Telephone Number

Once you notify us with the above information we will release your consignment to you,

Contact the Embassy Office Direct with the payment information for following information Below,
Contact person, Ms. Johnson Aka

Phone +229 93178505

Email( usaembassy001 @ hotmail.fr )

Note that you are expected to pay only :$75.00 Dollars for clearance certificate and you are to pay it to Benin Republic as the origination of the consignment box in favour of Mr Chris Bala as our accountant officer in Benin Republic Send the :$75.00 Dollars through western union or Money Gram once you receive this mail with the information below for immediate release of
your consignment box,

HERE IS THE INFORMATION FOR SENDING THE FEE.

Receivers Name:............MR OKOLO CHINEDU

Country:.............Benin Republic

City................Cotonuo

Test Question:....... who is the receiver?
Answer :............... OKOLO

Amount: ...............:$75.00 DOLLARS

Once you send the money, try to notify us with the MTCN for easy pick up and for immediate action on the release of your consignment.

Please treat this as matter of urgency .
Note that any uncliam consignment will be return to the Courier Company after 3 days for final divertion.

So you are urgently advise to comply with our demand so that we will release your consignment.
Regard,

Dr. Johnson Ike

Assistant Secretary of State for African Affairs
FROM UNITED STATE OF AMERICA

Email image, page 1 (click image for larger view):

Email image, page 2 (click image for larger view):

Alert: Monster hack compromises job seeker data

Mon, 26 Jan 2009 04:56:23 +0000

On January 23, 2009 Monster posted a message on their site to notify job seekers that some of their data, including user names and passwords, has been stolen. If you're a Monster user, this would probably be a good time to go change your password and double check your security settings.

Many of you will probably ask what's going to happen now that your info is in someone else's hands. We expect that the email addresses will be used to send you fraudulent job offers. Please remember to check our site frequently and report suspicious offers if you aren't sure about something you receive. Our FAQ item, How can I tell if an offer I've received might be fraudulent? contains a huge list of clues you can look for when researching offers. Stay safe, folks!

Source: http://help.monster.com/besafe/jobseeker/index.asp

January 23, 2009

As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes. Monster does not generally collect – and the accessed information does not include - sensitive data such as social security numbers or personal financial data.

Immediately upon learning about this, Monster initiated an investigation and took corrective steps. It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.

In order to help assure the security of your information, you may soon be required to change your password upon logging onto the site. Please follow the instructions on the site. We would also recommend you proactively change your password yourself as an added precaution. We regret any inconvenience this may cause you, but feel it is important that you take these preventative measures.

As a further precaution, we want to remind you that an email address could be used to target “phishing” emails. Monster will never send an unsolicited email asking you to confirm your username and password, nor will Monster ask you to download any software, “tool” or “access agreement” in order to use your Monster account. Monster’s security page, http://my.monster.com/securitycenter, provides users with a substantial amount of information about different types of Internet fraud. We encourage you to review the information to learn more about what you can do to protect yourself on the Internet.

The protection of your data is a high priority for Monster. Our newly redesigned Web site has, and will continue to add, safety and security features to protect your information and we want you to feel confident using it.

We continue to devote significant resources to ensure Monster has appropriate security controls in place to protect our infrastructure, and while no company can completely prevent unauthorized access to data, Monster believes that by reaching out to job seekers, the company can help users better defend themselves against similar attacks.

We truly value the trust you place in Monster and appreciate the opportunity to continue to serve as your online career resource.

Sincerely,
Patrick Manzo

Senior Vice President, Global Chief Privacy Officer
Monster Worldwide

Instructions to change your password:
If you are already logged into your account, you can easily change your password by clicking on Preferences. If you are not logged in, then click on Forgot Password link on the Sign In panel, and Monster will send you an email with instructions to change your password.

Alert: EFCC and United Nations 419 scam victims compensation

Sun, 25 Jan 2009 09:36:21 +0000

Doesn't get much lower than this. This offer is to those who are 419 (Nigeria) scam victims. And yet almost word for word, it READS like a 419 scam. Or like this alert which we published back in September '08. Or this one, published last May.

If the Senate House delegated by the United nations was really going to compensate 419 scam victims, they wouldn't be offering to do it using ATM cards. What tends to happen in these offers is you are told to send a certain amount of money which is usually attributed as some sort of fee. Some time will go by and they will ask for more, making excuses as to why they need it. In all cases you end up losing thousands of dollars because you believe at some point this is really going to happen.

If you don't believe us, look at this article written a couple months ago:
Oregon Woman Loses $400,000 to Nigerian E-Mail Scam

Expect more of the same if you respond to this email.

Message text:
From: Mrs. Farida Mzamber Waziri [efccpaymentoffice @ mail.com]
Sent: Monday, January 05, 2009 3:15 PM
Subject: Compliment of the Season
Importance: Low

Aso Rock Villa PMB 166 FCT Abuja.
EFCC Executive Chairman,
Chief Mrs. Farida Mzamber Waziri (AIG rtd.)

Good day,

We are writing you this message just to bring to your notice that The
Senate House delegated from the United Nations has resolved to pay one
hundred (100) 419 scam victims the sum of $7.5 Million dollars each; you
are listed and approved for this payment as one of the scammed victims.

On this faithful recommendations, I am using this medium to inform you
that during the last meeting held at Abuja, it was alarmed so much by
the rest of the world in the meeting on the lose of funds by various
foreigners to the scam artists operating in syndicates all over the
world today. In other to retain the good image of this country, the
President and Commander-in-Chief is now paying 100 victims of this
operators $7.5 Million dollars each, through an ATM card OR ONLINE BANK
TRASFER due to the corrupt and inefficient banking systems in Nigeria.

Inline with this directives, your ATM card/ ONLIBANK PAYMENT will pay to
you depend on your choice.

1) Your full name ..............................
2) Your Phone, fax and mobile #.........
3) Your occupation/position..................
4) Company address. (IF ANY)..............
5) Profession, age and marital status..........

As soon as you fill the above text form, please send it to the currency
board of Nigeria department through their below contacts email.

E-mail:currencyboardofnigeria @ live.com
Tel.: 234-1-2180009
Contact person: FRED AZUKA

According to the number of applicants at hand, 40 beneficiaries has been
paid, half of the victims are from the United States, we still have more
60 left to be paid the compensations of $7.5 Million dollars each. Your
name and email was mentioned by one of the syndicates who was arrested
in Lagos Nigeria as one of their victims of the operations, you are
hereby warned not to communicate or duplicate this message to him for
any reason what so ever, the US secret service is already on tail for
the rest of the culprits.

Now you are directed to contact the currency board of Nigeria department
above for your compensation ATM card/ ONLINE BANK TRASFER.

NOTE: We have mounted our security network to monitor every in-coming
call, if we still find out that you is Still dealing with all those
fraudsters that have been frustrating extracting money from you, we
shall stop and Cancel your payment immediately.

Yours faithfully,

EFCC Executive Chairman,
Chief Mrs. Farida Mzamber Waziri (AIG rtd.)

Alert: Revenue Canada Tax Spoof

Thu, 15 Jan 2009 23:51:26 +0000

This one is a warning to Canadians about an offer taking advantage of the tax season. the "click here" link points to a domain owned and hosted out of Taiwan, and the email message was sent from Russia according to the headers. please DO NOT click on the link and fill out the form. They are asking for your Social Insurance Number, date of birth, full name and the tax amount in dollars of your return. They can very easily steal your tax refund and then sell your personal information.

We hope the REAL Revenue Canada goes after 'em!

Message text:
Canada Revenue Agency
Online Refund Form

After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 386.00.

Please submit the tax refund and allow us 3-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here>> (link points to: http :// www .tinlex.com.tw/cira/getStatus_en.htm)

Copyright Canada Revenue Agency. All rights reserved. www .cra-arc.gc.ca

Headers:
Return-Path: <[removed] @ mbdesignsandflooring.com>
X-DH-Virus-Scanned: Debian amavisd-new at [removed]
X-Spam-Score: 2.558
X-Spam-Level: **
X-Spam-Status: No, score=2.558 tagged_above=-999 required=999
    tests=[HTML_MESSAGE=0.001, HTML_TAG_BALANCE_HEAD=2.143,
    MIME_HTML_ONLY=0.414]
Received: from hotwire-68.hotwire.postdirect.com (95-83-17-171.saransk.ru [95.83.17.171])
    by [removed] (Postfix) with SMTP id 179A617D010
    for [removed]; Thu, 15 Jan 2009 04:56:15 -0800 (PST)
Subject: Mywm Canadian Revenue Agency tprj
To: [removed]
From: Service @ cra-arc.gc.ca
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Message-Id: <20090115125615.179A617D010 @ [removed]>
Date: Thu, 15 Jan 2009 04:56:15 -0800 (PST)

WHOIS tinlex.com.tw:
(Courtesy: http://whois.domaintools.com/tinlex.com.tw)
Website Title:     Ting LIH INDUSTRIAL CO., LTD.IP
Address:     60.249.118.160
IP Location     Taiwan - Taiwan - Chtd Chunghwa Telecom Co. Ltd
Response Code:     200
Domain Status:     Registered And Active Website
Created:     1999-06-22
Expires:     2009-07-28
Whois Server:     whois.twnic.net.tw
Domain Name: tinlex.com.tw
Registrant:
ting immediately ind. co., ltd.
no.25, da shin rd., lane 80, tan tze, taichung.
   Contact:
      lily chen    tinlex @ tinlex.com.tw
      TEL: ( 04 )25381234
      FAX: ( 04 )25383743
   Record expires on 2009-07-28 (YYYY-MM-DD)
   Record created on 1999-06-22 (YYYY-MM-DD)
   Domain servers in listed order:
      dns.tinlex.com.tw           60.249.118.160
      dns2.tinlex.com.tw          60.249.118.160
      webmail.tinlex.com.tw       60.249.118.160
Registration Service Provider: TWNIC

What the page looked like in a text browser:

[Canada Revenue Agency]
[Symbol of the Government of Canada]
[Canada Revenue Agency]
Skip to content | Skip to institutional links
Common menu bar links

    * Fran蓷is
    * Home
    * Contact Us
    * Help
    * Search
    * canada.gc.ca

Tax Refund > Get Status >

Tax Refund Online Form

Please enter your details below:
All fields are required
Social insurance number:
Do not use spaces or hyphens.
Date of birth:
YYYY
MM
DD
Please enter Refund Amount here:
$ .00
Do not use commas, spaces, periods or cents.
Help for line 150
Your full Name:

Cancel

QAS.01

Back to input field
Back to input field

Tax Refund - Help

You must enter the exact whole dollar amount shown on your tax return. Providing the exact whole dollar amount is essential to receiving the correct response.

Note: For security reasons, we recommend that you close your browser after you have finished to complete the online form.

2008-08-08

Top of Page
Important Notices

PhishBucket top keyword searches, December 2008

Fri, 02 Jan 2009 06:45:00 +0000

The most frequently searched keywords/phrases last month:

Alert: FBI and Debt Settlement Commission Central Bank of Nigeria

Mon, 29 Dec 2008 04:18:12 +0000

We wish we had headers for this, but if the email sender's address is to be believed, it was sent from Mongolia. There is mention of the FBI and Nigeria in the message, but we didn't see anything regarding Mongolia, so right on the surface there's an obvious problem with this message. It's like they didn't even bother to spoof the sender address. Maybe they were in a hurry for Christmas shopping money?

Although it's not a suspicious JOB offer, we find it absolutely reprehensible when scammers use the names of legitimate organizations to do their dirty work. Job seekers are NOT the only victims! Corporations both large and small have been found on our site. Do a search on our site for Ashley Furniture, Coca Cola, Texaco, Mailboxes Etc. What we want you to notice is that even the FBI, who fight this daily at the international level, are victims like the rest of us.

Sooner or later we hope all these organizations see the value in posting their jobs here, since PhishBucket's JobTank is the only GUARANTEED phish-free job board on the Web. And we know the job seekers who visit us are pretty smart cookies since they all have the sense to look here for the bad guys. It's a win-win.

We're pretty sure the FBI is aware of this email as we are late in reporting it, but even though it's not exactly a red alert, you should be concerned that above you, the individual, are corporations and governments who are victims too, and since they hold our personal information en masse it makes little guys like us even more vulnerable.

Message text:
From: info126 @ mail.mn
Reply-to: info128 @ mail.mn
Sent: 11/21/2008 9:44:02 A.M. Central Standard Time
Subj: FEDERAL BUREAU OF INVESTIGATION (FBI Washington)

FEDERAL BUREAU OF INVESTIGATION
FBI HEADQUARTERS IN WASHINGTON, D.C.
J. EDGAR HOOVER BUILDING
935 PENNSYLVANIA AVENUE, NW WASHINGTON, D.C. 20535-0001
http://www.fbi.gov

Attn: Beneficiary,

We the Federal Bureau Of Investigation (FBI Washington) United States Of
America have discovered through our intelligent monitoring network that you have
a transaction going on as either inheritance payment,Lottery or contract
payment in a tone of US$14 Million of United States Dollars which have been
approved but have not been settled by the paying bank:CENTRAL BANK OF NIGERIA
{CBN}.This was the agreement with the Nigerian Government,in conjunction with
IMF and the United Nation.

This is to officially inform you that we have verified your contract /
inheritance file after close monitoring and find out why you have not received
your payment, both on your part and on the part of your debtors.

Secondly, we have been informed that you are still dealing with the non
officials in the bank who are attempting to secure the release of your fund to
you. We wish to advise you that this is illegal and you should stop further
communication with any body in regards to this fund,while because such an
illegal act can only lead to cancellation of your fund by the Apex Bank.

we have been having so many complains from people who have been scammed
around the world hence, after concluding in a meeting with members of the
International Monetary Fund (IMF),United Nation and the Nigerian Government we came
to a conclusion that every payment should be made through the APEX bank in
Nigeria which is the CENTRAL BANK OF NIGERIA. We also concluded on the use of
ELECTRONIC ATM PAYMENT SYSTEM as the only direct means to pay all
beneficiaries.

By this method, your fund will be loaded in TWO BATCHES into an ATM card,
and send to you, from this card you can withdraw a maximum of US$7,000. per day
from any ATM machine worldwide, But, from the financial houses there is no
limit.

So if you would like to receive your fund in this way please send your
following information to the paying bank{CENTRAL BANK OF NIGERIA}.

(1)Your Full Name: __________________________________________
(2)Your Complete Address (Physical Address with Zip Code not
P.O.BOX) : __________________________________________________
(3)Name of City of Residence:________________________________
(4)Country:_____________Direct Telephone Number:_____________
(5)Mobile Number:___________________Fax Number:______________
(6)Age:______Sex:______Occupation:___________________________
(7)Working Identity Card/Int'l Passport:___________,

Below are the contact details of the PAYING BANK(CENTRAL BANK OF NIGERIA) in
the Federal Republic Of Nigeria to whom you will send your information for
the processing of the ATM card as soon as possible:

CONTACT PERSON: DR.OBADIAH MAILAFIA.
EMAIL ADDRESS: info128 @ mail.mn
PHONE NUMBER: +234 1 6659797
HEAD OF OPERATIONS:FOREIGN DEBT SETTLEMENT
DEBT SETTLEMENT COMMISSION: CENTRAL BANK OF NIGERIA.

The DEBT SETTLEMENT COMMISSION has been mandated to issue out your payment
on this day 25th september, 2008. Also for your information, you have to stop
any further communication with any other person(s) or office(s) who claimed
to be established agents using it to defraud innocent people worldwide. This
is to avoid any hitch in receiving your payment.

THANKS FOR LISTENING TO OUR ADVISED.

Faithfully Yours,

MR.ROBERT S. MUELLER, III
FOR CORPORATE AFFAIRS
FEDERAL BUREAU OF INVESTIGATION (FBI Washington)
UNITED STATES OF AMERICA.

Headers:
None reported.

Alert: International Monetary Funds and Union Bank Swiss

Sun, 07 Dec 2008 09:56:27 +0000

This message, supposedly sent by George Ellis, a US Member of the Board of Trustees located in the US Embassy in London, UK, was actually sent from Nigeria. We got it right down to names and addresses, too, assuming those identities are real. We have to wonder what motivates folks like these to scam others the way they do, and whether they even realize that if they put this much effort into legitimate business, they'd probably be doing quite well. Are they poor? Naked? Hungry? Greedy? Stupid? It's a bummer when people choose to do wrong instead of right.

Message text:
From: Us Member Board of Trustees [usreconciliationboard @ live.com]
Sent: Friday, October 31, 2008 6:51 AM
To: undisclosed-recipients:
Subject: Attn: Sir/Madam (US Reconsiliation Board)

Attn: Sir/Madam

I write to inform you that following a meeting with the International
Monetary Funds Body and the Us Government. The subject of discussion is
why American citizens who executed foreign contracts/Inheritance/Lotteries
are either paid part payment or not paid at all. There are series of
complaints by the American citizens and other Western World that they have
lost some amount of money in pursuit of their payments and this gave rise
to the US Government setting up a five man committee to work with the US
Embassy here London UK.

The primary objective of this committee is to strictly comply to enforce
the payment of their original contract sum/Inheritance and Lotteries as
the case may be. Members of the committee are Mr. Philip Bryant, Mr.
Jeffery Peterson, Mr. Mac Anthony Tosel, Mr. George Ellis and Mr. Donald
Vann, all the members of the committee are American citizens. Once your
claim is verified by the Union Bank Swiss and approved for payment and if
the above countries fail to pay you within the stipulated seven days, the
USA Government will pay the exact amount in question to you. You are
therefore directed to contact the Management of the Union Bank Swiss for
further instructions.

Sir, Sir/Madam because of the report received from the West African
Government about your transaction with an Organisation/Individuals from
West Africa and their fraudulent act towards your payment the government
has declared him wanted for interrogation of impersonation and theft.

Contact Mrs. Anita Williams for further instructions on your payment as
stated below:

Contact Mrs Anita Williams

Mrs. Anita Williams
Union Bank Swiss
Kingfisher Business Centre
Burnley Road Rawtenstall
Lancashire BB4 8EQ
Phone: +(44) 704-570-3034
            +(44) 704-570-7466
            +(44) 704-570-7467
www.ubs.com

Contact us as soon as possible with details of your desired method of
payment for our record keep and do the same to Mrs. Anita Williams for
your payment instructions.

Best Regards

Mr. George Ellis
Us Member Board of Trustees

Headers:
Return-Path: <usreconciliationboard @ live.com>
X-DH-Virus-Scanned: Debian amavisd-new at [removed]
X-Spam-Score: 0.96
X-Spam-Level:
X-Spam-Status: No, score=0.96 tagged_above=-999 required=999
    tests=[UNDISC_RECIPS=0.96]
Received: from server.likrishmedia.com (unknown [216.246.124.126])
    by [removed] (Postfix) with ESMTP id 792B6F402E
    for [removed]; Fri, 31 Oct 2008 06:57:38 -0700 (PDT)
Received: from nbnice69 by server.likrishmedia.com with local (Exim 4.69)
    (envelope-from <usreconciliationboard @ live.com>)
    id 1KvuP8-0001Y0-74; Fri, 31 Oct 2008 13:51:10 +0000
Received: from 41.219.205.45 ([41.219.205.45])
        (SquirrelMail authenticated user femo1luv @ naughtierbutnice.com)
        by naughtierbutnice.com with HTTP;
        Fri, 31 Oct 2008 13:51:10 -0000 (GMT)
Message-ID: <2556.41.219.205.45.1225461070.squirrel @ naughtierbutnice.com>
Date: Fri, 31 Oct 2008 13:51:10 -0000 (GMT)
Subject: Attn: Sir/Madam (US Reconsiliation Board)
From: "Us Member Board of Trustees" <usreconciliationboard @ live.com>
Reply-To: georgeellis.boardmember @ hotmail.com
User-Agent: SquirrelMail/1.4.9a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - server.likrishmedia.com
X-AntiAbuse: Original Domain - [removed]
X-AntiAbuse: Originator/Caller UID/GID - [32003 32002] / [47 12]
X-AntiAbuse: Sender Address Domain - live.com
X-Source: /usr/local/cpanel/3rdparty/bin/php
X-Source-Args: /usr/local/cpanel/3rdparty/bin/php
/usr/local/cpanel/base/3rdparty/squirrelmail/src/compose.php
X-Source-Dir: :/base/3rdparty/squirrelmail/src
To: undisclosed-recipients: ;

WHOIS sender 41.219.205.45:
(Courtesy: http://whois.domaintools.com/41.219.205.45)
IP Information for 41.219.205.45
IP Location:     Nigeria Nigeria Assigned To Lagos Dial-pool Customers
Resolve Host:     dial-pool44.lg.starcomms.net
IP Address:     41.219.205.45
Blacklist Status:     Clear
Whois Record
inetnum:        41.219.205.0 - 41.219.205.255
netname:        ORG-SA57-AFRINIC-20050513
descr:          Assigned to Lagos dial-pool customers
country:        NG
admin-c:        NS4-AFRINIC
tech-c:         CM9-AFRINIC
status:         Assigned PA
mnt-by:         STARCOMMS-MNT
mnt-lower:      STARCOMMS-MNT
source:         AFRINIC # Filtered
parent:         41.219.192.0 - 41.219.255.255
person:         NAVNEET SINGH
address:        Plot 1261, Bishop Kale Close, off Saka Tinubu
address:        Victoria Island, Lagos, Nigeria
phone:          +234-1-804-9370
fax-no:         +234-1-811-0301
e-mail:         navneets @ starcomms.com
nic-hdl:        NS4-AFRINIC
source:         AFRINIC # Filtered
person:         Catalin Miclaus
address:        Plot 1261C, Bishop Kale Close, off Saka Tinubu
phone:          +234-7028000733
fax-no:         +234-1-8110301
e-mail:         catalin @ starcomms.com

Alert: IRS Economic Stimulus Refund Scam

Sun, 07 Dec 2008 09:30:43 +0000

This one was tricky to figure out without headers, but we did it. It's a spoof email purporting to be from the IRS notifying this recipient about eligibility for a new Economic Stimulus refund. A link is provided to "access" the refund. This domain, carbidrelatedtech.com is owned by a company called Acampora Enterprises (acampora.com), which didn't tell us much since there was nothing at the BBB. When we clicked the link (which we don't recommend to visitors; we use proxies to view questionable pages), we were told that the URL, reported to be at IP 59.7.91.98, was invalid. When we looked up that IP address we found out the location was Korea. See below for details.

For those of you who think you're getting Economic Stimulus checks, we can guarantee you this is NOT how the IRS issues them!

Message text:

From: info @ irs.gov
Sent: 10/29/2008 5:31:05 P.M. Central Daylight Time
Subj: Notice

Over 130 million Americans will receive refunds as part of President Bush program to jumpstart
economy. Our records indicate that you are qualified to receive the 2008 Economic Stimulus Refund.
The fastest and easiest way to receive your refund is by direct deposit to your checking/savings account.

Please follow the link and fill out the form and submit before 30 October, 2008 to ensure that your refundwill be processed as soon as possible.

Submitting your form on 30 October, 2008 or later means that your refund will be delayed due to the volume of requests we anticipate for the Economic Stimulus Refund.

To access Economic Stimulus Refund, please _click here_
(http :// mail .carbiderelatedtech.com/exchweb/help/usa/ie5/basics/owairs.css/) .
Note: If you received this message in your SPAM/BULK folder, that is because of the large amount of e-mails we are sending out or because of the restrictions implemented by your ISP.

WHOIS carbiderelatedtech.com:
(Courtesy: http://whois.domaintools.com/carbiderelatedtech.com)
Meta Description:
Carbide Related Technology, Inc. Specializing in Drill Repointing, Spindle Repair, Drill Seminars, Drills, Countersinks, Counterbores, product sales, Replacement Parts
Registrant:
Acampora Enterprises
   32 CENTER RD
   WOODBRIDGE, CT 06525
   US
   Domain Name: CARBIDERELATEDTECH.COM
   Administrative Contact, Technical Contact:
      Acampora Enterprises paul @ acampora.com
      32 CENTER RD
      WOODBRIDGE, CT 06525
      US
      203-397-8918 fax: 123 123 1234
   Record expires on 05-Jan-2012.
   Record created on 05-Jan-2007.
   Database last updated on 7-Dec-2008 04:04:41 EST.
   Domain servers in listed order:
   DNS1.ACAMPORA.COM            69.182.191.17
   DNS2.ACAMPORA.COM            69.182.191.18

WHOIS 59.7.91.98:
(Courtesy: http://whois.domaintools.com/59.7.91.98)
IP Information for 59.7.91.98
IP Location:     Korea, Republic Of Korea, Republic Of Korea Telecom
IP Address:     59.7.91.98
Blacklist Status:     Clear
Whois Record
inetnum:      59.0.0.0 - 59.31.255.255
netname:      KORNET
descr:        KOREA TELECOM
descr:        Network Management Center
country:      KR
admin-c:      IM76-AP
tech-c:       IM76-AP
remarks:      ***********************************************
remarks:      KRNIC of NIDA is the National Internet Registry
remarks:      in Korea under APNIC. If you would like to
remarks:      find assignment information in detail
remarks:      please refer to the NIDA Whois DB
remarks:      http://whois.nida.or.kr/english/index.html
remarks:      ***********************************************
status:       Allocated Portable
mnt-by:       MNT-KRNIC-AP
changed:      hm-changed @ apnic.net 20040802
changed:      hm-changed @ apnic.net 20041007
source:       APNIC
person:       IP Manager
nic-hdl:      IM76-AP
e-mail:       ip @ krnic.kornet.net
e-mail:       abuse @ kornet.net
address:      Seoul
address:      206, Jungja-Dong, Bundang-Gu, Sungnam, Gyunggi-Do
address:      463-711
phone:        +82-2-3674-5708
fax-no:       +82-2-747-8701
country:      KR
changed:      hostmaster @ nic.or.kr 20061009

PhishBucket top keyword searches, November 2008

Tue, 02 Dec 2008 01:32:30 +0000

The most frequently searched keywords/phrases last month:

FOR RELEASE: PhishBucket Introduces the JobTank

Thu, 27 Nov 2008 12:21:32 +0000

FOR IMMEDIATE RELEASE

JobTank to Offer Real Jobs and a New Way to Bait Job Phishers

(Seattle, WA - November 27, 2008) It's easy for job seekers to mistake bogus job offers for legitimate work. PhishBucket's new JobTank protects job seekers a step further by only listing offers from verified employers and recruiters, while screening out and exposing fraudulent submissions as they happen.

PhishBucket.org, a nonprofit organization that has been tracking and investigating suspicious and fraudulent job offers since 2006, announced the launch of JobTank today. Their aim is simple: to provide scam-free job listings and stop job phishers in their tracks.

Employers and recruiters who want to post jobs will go through the same checks and balances used to investigate fraudulent offers.

"We don't want job seekers to have to read between the lines of a job offer anymore," said founder and CEO Tabatha Marshall, who hopes the verification process will be a deterrent to would-be scammers. "Jobs from genuine employers and recruiters will be approved quickly because of the best practices they tend to follow."

Job phishers, on the other hand, might just find their offers on display in the PhishBucket instead. "Our commitment has always been to protect the job seeker's anonymity, not the scammers."

So if the verification process is tougher, how do employers and recruiters benefit? Not only will the JobTank listings be seen by hundreds of thousands of job seekers, but the prices per listing are comparable to the bulk rates of the big-name job boards.

But PhishBucket doesn't believe the JobTank should be perceived as competition to anyone. Driven by their pledge to continually protect and inform job seekers, all revenue earned through the sale of job listings will be applied to PhishBucket's operations. "We just want to see everyone get back to work as safely as possible."

Contact : Tabatha Marshall – tabatha / at / tabathamarshall / dot / com
Subject : JobTank

PhishBucket is a WA nonprofit corporation that tracks and investigates reported fraudulent job offers and works with law enforcement and other organizations worldwide to protect and educate job seekers about employment-related fraud. To view the JobTank, either go to PhishBucket.org and click JobTank - Phish-free Jobs from the main menu or go to www.JobTank.org .

###

Alert: PhishBucket hack attempt

Thu, 13 Nov 2008 05:55:39 +0000

UPDATE 2008-12-05: We appear to be slowly returning to Google's search results. We are very grateful to the folks on the Google Webmaster forum who helped us work through this issue and are very relieved that job seekers will once again be able to see our search results when using Google to research suspicious offers. Thank you!

We recently learned of a hacking attempt on the PhishBucket site. It seems that around November 4 or 5, someone found an unsecured directory and inserted some spammy metadata into our html site template. The metadata involved numerous affiliate hyperlinks, all of which belonged to www.disual.net, a company in Turkey (we have never heard of the site in question). As a result, Google stopped crawling PhishBucket.org and has temporarily removed our articles from their search results.

Today we removed the offending metadata from our site template, ensured all directories were secured, and have submitted to Google for reconsideration. We appreciate your patience as it may take some time for Google to re-index our pages once our submission for reconsideration has been accepted. We apologize to our visitors, especially to job seekers, for any inconvenience this may cause.

Stay safe, and thanks for all the phish!

PhishBucket Admin

PhishBucket top keyword searches, October 2008

Mon, 03 Nov 2008 09:11:27 +0000

The most frequently searched keywords/phrases last month:

Alert: Spoof of Barclays Bank

Sun, 26 Oct 2008 08:59:16 +0000

Unfortunately, the person who reported this offer didn't provide us with headers. These types of emails always concern us at PhishBucket because they imply that they are trying to be part of the solution to fraud when, in fact, they appear to be committing fraud using the Barclays Bank name. A WHOIS search on barclaysprivacy.com turned up a domain that was used but is now available again.

Message text:

From: Barclays Bank PLC [mailto:service @ barclaysprivacy.com]
Sent: 05 October 2008 22:21
Subject: Privacy message - Protect your account service

-----Inline Attachment Follows-----

************************************************************************
THIS IS AN AUTOMATED EMAIL - PLEASE DO NOT REPLY.
************************************************************************
Dear Barclays Bank PLC. Customer,

Solution:

We are proud to announce that Barclays Bank PLC. in association with
National Network Secure Administration launch a new campaign against
online fraud and reward all participants with a 25,00 pounds just for
secure your account.

Please process this verification by clicking on the link below:

http :// ibank.barclays.co.uk.barclaysprivacy.com/olb/g/LoginMember

Your verification link will only be valid for 24 hours.

Thank you for using Barclays Bank PLC.

*******************************
Barclays Bank PLC. Security Reminders

Protect Your Password
Barclays Bank PLC. and its representatives will NEVER ask you to reveal
your password. There are NO EXCEPTIONS to this policy. If anyone asks
for your password by phone or by email, refuse and immediately report
this to security @ barclaysprivacy.com.

Access your account ONLY using the login link on the Barclays Bank PLC.
homepage Please be advised that Barclays Bank PLC. and its
representatives will NEVER send you an email asking you to provide your
login details within a form provided or to click on a hyperlink to
access your account! Immediately report any incident to
security @ barclaysprivacy.com.

Case Sensitive Login
Please remember your password is case-sensitive, at least 6 characters
long and contains at least one number or non-alphabetic character such
as '-'.
*******************************
Barclays Bank PLC. Registered in England. Registered No: 1026167.
Registered Office: 1 Churchill Place, London, E14 5HP.
Barclays Bank PLC adheres to the principles of the Banking Code. A copy
of the Code is available on request.
"The Woolwich" and "Woolwich" are trading names of Barclays Bank PLC.

The Two Things Job Phishers Want From You

Sun, 12 Oct 2008 08:55:12 +0000

There’s nothing quite like getting the wind knocked out of you when you’re already down. The plight of the unemployed individual has often been ignored by the media. Only in times of financial crisis do people seem to stop and notice the millions out of work—many of whom have not had jobs for a year or more.

Why does PhishBucket believe that talking about job phish is so important? Because who else besides job seekers keep their contact information so up-to-date? Who else besides job seekers are so financially vulnerable? Who else besides job seekers are as willing participate in risky-sounding ventures to pay their bills and feed their families?

And here’s an added kick in the gut for you: while job phishers might enjoy the added bonus of gaining enough information to steal your entire identity, that’s not really their bread and butter. They don’t necessarily need your bank account numbers or identification numbers to fool you; basics like your street address, email and phone number are quite enough.

So what is it job phishers want from you exactly? They want to make a quick buck from you, and there are two specific ways in which they do this.

Stealing Your Money Directly

These job phishers entice you to move money or stolen goods. When you accept the “job” of cashing someone else’s checks and keeping a percentage, it’s a set up designed to fail. You’ll deposit the checks sent to you (which have been illegally manufactured), withdraw all but the percentage that is “yours” and wire it to them. A few days later the bank will inform you the check has bounced and your account will go into the negative for that amount. If you have little or no money to start with, that’s going to hurt. Many PhishBucket visitors have informed us that even though they hadn’t agreed to participate, just sending their address was enough for the checks to start arriving.

If you ship or re-ship parcels (as seen on Dateline), you are helping move goods purchased with stolen credit card numbers. These packages—electronics and other retail goods—end up reaching the criminals, usually in other countries, where they can be re-sold for a profit. As with the money transfer and mule scams, even if all you provide is an address, you might start finding parcels arriving at your door.

The majority of other job scams are variants of these, or are typical pyramid schemes, multi-level marketing, or programs that claim you can get rich in online advertising or auctions.

These job phishers want your money. You’ll either pay a pittance for a get-rich-quick scheme that’s a complete lie, or they’ll sucker you in the bank account—just once—enough to grab a chunk. You may not fall for any of these again once you’ve been burned, but the job phishers have another way to rob you once they’ve robbed your wallet.

Buying/Selling/Renting Your Personal Information

In addition to, or sometimes instead of taking money from you directly, job phishers keep track of all the personal information they acquire so they can rent and sell it. Your contact info alone is more valuable than you might think—your social security, driver’s license and other personal identification numbers are just the icing on the cake.

Both legitimate marketers and illegitimate scammers consider your information a hot commodity. For scammers to get even a few bites, they have to send email to thousands upon thousands of people. The more info that can be acquired, the more they have to rent or sell. After all, scammers want a steady income too.

You might be asking what’s so bad about this; lead lists (as they are often known) are frequently used in legitimate business for the same reason—to reach large numbers of people who have something in common (such as the need for a job, in this case). But imagine that someone with less than your best interests at heart now has your name, address, phone number and email. Suppose, since this was for a job application, that you also told them where you attended school and other places you worked.

1.   The scammer finds out whether you own or rent your home. If you own, maybe you soon see a phishing email telling you that another bank owns your mortgage and points you to a (fraudulent) site to enter your financial or other personal details.

2.   The scammer contacts your last school pretending to be you, claiming to have lost your transcripts. Soon someone tries tricking you into a bogus financial arrangement to pay off your student loan.

3.   The scammer finds out where you’ve worked and pretends to be a new employer, asking questions about your performance, and is able to learn about your work habits and perhaps some psychology that can be used against you.

4.   The scammer finds out your cell phone provider (sometimes asked on questionable Web-based “job” applications) and calls pretending to be you. Your bill is suddenly re-routed or your financial information is stolen through an online password reset at that provider’s Web site.

In all these scenarios, the scammers want to learn about who you are, what companies you do business with in your personal and professional life, what products or services you use, and turn your email and postal mailboxes into a living nightmare. Some of the offers that come your way, particularly via email, may trick you even further into giving away more about yourself than you had intended. Maybe you suddenly receive credit card bills because someone is using your name to acquire credit, or bills for other products and services that were purchased using your identification. Worse, maybe the police arrive at your door to arrest you for a crime committed by someone who had identification in your name. How easy do you think it’s going to be to convince law enforcement it wasn’t you?

Always Be Vigilant

The best way to protect yourself is to always be cautious and wary about giving away your personal details. Trust no one without proof of legitimacy. Learn where to report suspicious offers. Don’t be afraid to talk to law enforcement about your concerns. And if you’ve been a victim of a job scam, speak up and share your experiences to help others understand the consequences of talking to strangers.

PhishBucket is a proud supporter of National Cyber Security Awaress Month. Please visit www.staysafeonline.org for more information.

Questions? Comments? Leave them below!

FOR RELEASE: The Global Economic Crisis and Employment-Related Fraud

Sat, 11 Oct 2008 02:57:26 +0000

FOR IMMEDIATE RELEASE:

In Hard Times, Real Jobs Needed

(Seattle, WA - October 10, 2008) The Bureau of Labor Statistics announced last week that another 159,000 jobs were lost in the United States in September 2008. Over two million Americans have been out of work for a year or more. Because people are struggling to stay afloat amid a national economic crisis, many are more easily falling prey to job phishers.

PhishBucket founder Tabatha Marshall believes that with millions of people struggling to make ends meet, there needs to be more emphasis on immediately improving domestic job markets, and that the corporate community needs to take responsibility and act quickly to ensure that this happens.

Said Ms. Marshall, "Former homeowners might have to start renting, former car owners might have to resort to taking the bus, but what's going to happen after a year of unemployment when you've run out of money, exhausted your benefits, the majority of the job offers you’re getting are fraudulent, and there's nowhere left to turn?"

• In 2007, over 800,000 identity theft and fraud complaints were reported to the Consumer Sentinal by the FTC and several other data contributors. Since it is probable that not all victims filed reports, the actual number of identity theft and fraud victims may be significantly higher.

• In 2007, over 1.2 billion dollars was lost by consumers due to fraud, excluding identity theft—a slight rise from 2006, which reported 1.1 billion dollars in losses.

• Overall, the financial loss to consumers reported for 2007 reflected over 500,000 reported fraud complaints, but this number didn’t account for losses resulting from identity theft or account for any unreported losses.

• About 14 percent of all Internet fraud reported in the United States in 2007 was employment-related.

A recent analysis of PhishBucket's site statistics and fraudulent job offers reported over the last 12 months indicated that job seekers in the US, Australia, New Zealand, the UK, Canada and Spain are currently the top targets of employment-related fraud. Several of these countries—the US, UK and Spain in particular—are experiencing similar economic spirals that are contributing negatively to the job market and making millions of jobless individuals very easy marks.

• In Spain the unemployment rate is currently at 11.3%, the highest in 10 years after the recent 4.2% increase. This increase in unemployment is being felt as a consequence of the current economic climate in Spain. According to the Wall Street Journal, Spain is said to be working on a bailout package similar to the bill currently passed in the US.

• In the UK, 1.72 million people lost jobs over the past year; the unemployment rate is currently at 5.5% and trending up. About 400,000 people in the UK have been unemployed for a year or more, and it's anticipated that this number will reach 700,000 by the end of 2009. The employment rate is expected to increase to 6.0% until 2010, at which time it’s said there will be a positive turn in growth in the wake of their recent bank bailout plan.

• Although Canadians are seeing positive employment growth, there have been some disagreements as to the degree in which the country will be affected by the economic meltdowns occurring around them. The unemployment rate in Canada has remained steady at 6.1%, with 1.1 million people currently unemployed, but there have been noticeable declines in merchandise importing and exporting, with volumes down, particularly with the US.

• Australia is said to be holding up through the financial turmoil of the past week; still, almost half a million people are out of work, and 89,000 people are unemployed in New Zealand, which has a 3.9% employment rate. Despite a reportedly strong labor market, Australia and New Zealand are both experiencing a negative impact on their currency values, which dropped significantly over the summer of 2008.

"If you do the math," said Ms. Marshall, "these countries have well over 8 million people out of work among them. Many have been unemployed a year or more now and are desperate for work, which makes them extremely vulnurable to a well-worded job offer." When the financial loss to online fraud victims ranges from $350 to $2400 per person, and this happens to someone who's been unemployed for this length of time or who’s been living paycheck to paycheck, the consequences to their lives can be devastating.

Without legitimate jobs to turn to, bailouts might not be enough to help people recover from the current crises. It can be argued that no matter how balanced or unbalanced these economies are, regardless of whether or not the employment climate improves, job seekers will remain vulnerable to job scams. But if the countries experiencing significant economic hardship take action right now by creating opportunities to get their unemployed back to work, we might finally see a noticeable reduction in employment fraud and possibly stand a chance of recovering from the financial catastrophes in front of us now.

Contact : Tabatha Marshall – tabatha / at / tabathamarshall / dot / com

Sources

US Bureau of Labor Statistics September 2008: http://www.bls.gov/news.release/empsit.nr0.htm
2007 Consumer Sentinel report: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2007.pdf

New Zealand Household Labour Force Survey June 2008 Quarter:
http://www.stats.govt.nz/products-and-services/media-releases/household-labour-force-survey/household-labour-force-survey-jun08qtr-mr.htm
Article: http://online.wsj.com/article/SB122357783225119865.html?mod=googlenews_wsj

Australia Labour Force Statistics September 2008: http://www.abs.gov.au/AUSSTATS/abs@.nsf/mf/6202.0

UK Labour Market Statistics September 2008:
1. http://www.statistics.gov.uk/CCI/nugget.asp?ID=12
2. http://www.hrmguide.co.uk/jobmarket/unemployment.htm
Article: http://ukpress.google.com/article/ALeqM5gZXRUTSgv2pXwf7Oq02-09B7ZY3A

Canada Labour Force Survey September 2008:
Unemployment: http://www.statcan.ca/english/Subjects/Labour/LFS/lfs-en.htm
Trade: http://www.statcan.ca/Daily/English/081010/d081010b.htm
Article: http://www.hrmguide.net/canada/jobmarket/canadian-unemployment.htm

Spain Labor Force Statistics:
Article: http://english.people.com.cn/90001/90777/90853/6491978.html
Article: http://online.wsj.com/article/SB122349490236216351.html?mod=googlenews_wsj

PhishBucket top keyword searches, September 2008

Thu, 02 Oct 2008 05:42:46 +0000

The most frequently searched keywords/phrases last month:

TOP TEN CYBER SECURITY TIPS FOR 2008

Thu, 02 Oct 2008 04:42:07 +0000

OCTOBER 2008 IS NATIONAL CYBER SECURITY AWARENESS MONTH

Cyber security is our shared responsibility. Here are ten things you can do to take action today!

The Internet is supposed to make our lives better, and for most of us, that's exactly what it does. But the Internet has a dark side, and unless we take the proper precautions, this wonderful tool can end up causing us more harm than good.

October is National Cyber Security Awareness Month, and it's a good time to take a hard look how our online behaviors may be putting us in harm's way.

You don't have to be a computer genius to protect yourself online and you don't have to spend a lot of money. By following a few common sense tips, you can make the most out of your Internet experience, while protecting you and your family from online threats.

1.    Use strong passwords at work and at home. Update your password frequently and encourage others to do the same.

2.    Update your anti-virus software and firewalls. New threats are discovered everyday. Keeping your software and firewalls updated is one of the easiest ways to protect yourself from an attack. Set your computer to automatically download and install updates for you.

3.    Back up your important files. Files stored on your computer can easily be lost, stolen or corrupted. To safeguard these files, copy them onto external storage devices or removable discs, and keep them in a safe place.

4.    Suggest or sponsor an event at your local school or University designed to increase student and staff cyber security education and awareness. Download EDUCAUSE’s cyber resource kit online at www.educause.edu .

5.    Reach out to people that you know – your co-workers, friends, even your kids – and remind them to practice good online safety and security habits, including protecting their personal information and their online reputation. For more information and tips go to www.staysafeonline.org and www.us-cert.gov .

6.    Use regular communications like your website, newsletters, and email alerts to reach your organizations stakeholders and promote your commitment to cyber security. Useful newsletter topics might include: updating software processes; protecting personal identifiable information; and securing your wireless network. Download and brand your own newsletter at www.msisac.org .

7.    Create a separate section for cyber security tips on your website. Download online buttons and banners about phishing, identity theft, file-sharing, and other cyber security topics at www.msisac.org or www.OnGuardOnline.gov and place on your organization’s home page.

8.    Print cyber security posters and cards from www.OnGuardOnline.gov and post them in work-rooms, hallways, and other employee gathering places. Print and post cyber security tips near your computer at work and at home near the family computer. Review them with your colleagues, classmates, employees and family members.

9.    Subscribe to the National Cyber Alert System from the U.S. Computer Emergency Readiness Team at www.us-cert.gov . Through the Alert System, you can receive timely information about current cyber security problems to protect home and office computers. This information includes weekly bulletins with summaries of new vulnerabilities, patch information when available, and tips on common security topics, such as privacy, and wireless security.

10.    Ask IT security specialists at your workplace to report any potential cyber incident, threat, or attack to the United States Computer Emergency Readiness Team (US-CERT) at 1-888-282-0870 or www.us-cert.gov .

Identity Theft Prevention | How to Prevent Phishing Scams

Tue, 30 Sep 2008 19:35:57 +0000

{youtube}x-XmwmZhFrA{/youtube}

A short 2-3 minute video could save you $$$ ! Please take some time to listen to the easy things you can do to avoid getting phished!

Alert: Illegal Sales of Western Union MTCN

Fri, 26 Sep 2008 02:37:49 +0000

If anyone has more information about the person described below, who is allegedly selling Western Union MTCN numbers, please send us further details. What we have here is a little sketchy. Reported to PhishBucket recently:

BEWARE OF HENRY HE CLAIMS TO SELL WESTERN UNION MTCN
WESTERN UNION MTCN AVAILABLE NOW CONTACT ME FAST FOR IT @ hackspams IS A SCAM DO NOT CONTACT HIM RATHER REPORT HIM
HE RECEIEVS PAYMENT WITH THE BELOW DETAILS HE IS BASED IN GHANA
FULL NAME............HENRY KOFI JOHNSON
ADDRESS...........234 RING ROAD CENTRE
CITY...............ACCRA
RECEIVERS ID.................INTERNATIONAL PASSPORT
MOBILE NUMBERS ARE +233240653775
+233244722398
+233246498761
email: henry_lewis7 @ yahoo.com
alexj001 @ gmail.com
kellymorgan688 @ gmail.com