Home / When “Gone Phishing” Spells Trouble

When “Gone Phishing” Spells Trouble

Please Share...Print this pageTweet about this on TwitterShare on Facebook0Share on Google+0Pin on Pinterest0Share on Tumblr0Share on StumbleUpon0Share on Reddit0Email this to someone

Amongst the plethora of messages awaiting me today, I was surprised to see the following subject line: “Your Washington Mutual Profile is Locked.” I was more disappointed than suspicious, figuring my financial disruptions of late were the cause, but that changed when I read the message’s contents:

Dear Washington Mutual Customer:

For your security, the profile that you are using to access Washington Mutual Online Banking has been locked because of too many failed login attempts. You can unlock this profile online by selecting an option below:

Unlock your profile with:

My ATM/Visa Check Card number and PIN
Other personal information (SSN, Date of Birth, Account #, etc)

We regret any inconvenience this may cause you.

Washington Mutual Account Review Department.

Need help? Use “Site Helper” or call customer service at 1.800.788.7888.

Please do not “Reply” to this Alert.

©2005 Washington Mutual Financial Group. All rights reserved.

Given that I haven’t made any recent attempts to access my account, I immediately wondered who had. A bit disturbed, I immediately tried to call the customer service number, which lo and behold gives the following recording: “Call 1-800-918-TALK, that’s 1-800-918 T-A-L-K, just 69 cents per minute.” (This is the point where in the movie version of my life, the film score will emit a duhn duhn duhn).

Now I knew that the message is bogus not in that someone else had attempted to access my account, but in that someone is trying to get me to release my personal information. Fortunately I hadn’t clicked on any of the given links, but I did scroll over them to reveal their destination, which turned out to be the third confirmation of a fraudulent message. The hyperlinks for “unlocking your profile” were to www.lynn-sanders.com/login.personal.wamu/unlock/SignOnError.php.
Who’s Lynn Sanders? The bank president? The same perverse curiosity that found the 69 cents per minute to be too much to follow up was given the go ahead to find out what’s behind http://www.lynn-sanders.com/. Unsurprisingly, nothing. My browser wouldn’t go there.

So, I give you these details in order to offer a first time warning for some and a reminder for others, of a practice known as phishing (pronounced fishing) that has nothing to do with driving around the country in a vintage 60s Volkswagen van, doused in patchouli and incense, making friendship bracelets to sell at the next Phish show, which I hear is no longer possible anymore. Darn. Anyway, the kind of phishing my experience illustrates is a type of Internet fraud whereby some clever bastards spoof legitimate web sites in order to get the gullible, naïve, ill-informed, distracted, or unlucky to hand over the keys to their financial identities. I had heard of it but have taken it only vaguely seriously until now because I’ve only ever received messages to entities with which I have no relationship such as Citibank. I don’t have an account with Citibank so whenever I get a message regarding problems with my Citibank account, I automatically know it’s a fake. But this one has taught me to be a little more savvy.

Several groups are taking this quite seriously, including the FBI and the National White Collar Crime Center (NWC3). They have partnered to create the Internet Fraud Complaint Center, whose mission is “to address fraud committed over the Internet. For victims of Internet fraud, IFCC provides a convenient and easy-to-use reporting mechanism that alerts authorities of a suspected criminal or civil violation. For law enforcement and regulatory agencies at all levels, IFCC offers a central repository for complaints related to Internet fraud, works to quantify fraud patterns, and provides timely statistical data of current fraud trends.” Unfortunately, when I tried to submit my complaint, the system was down.

No worries. The Anti-Phishing Working Group is also “committed to wiping out Internet scams and fraud” and offers worthwhile consumer advice on how to avoid phishing scams. It’s a good idea to forward your bogus email to them; of course, the email address they give contains a typo so it bounces. It’s reportphishing@antiphishing.org not .com.

The Federal Trade Commission also accepts notification of unsolicited commercial emails, which is their sanitized name for this public menace. Forward any malicious emails to uce@fte.gov or spam@uce.gov, though I’ve read that the former email address bounces a lot.

And of course, contact the institution being spoofed. If, by chance, you realize belatedly that you have given out info that you shouldn’t have, contact all of your financial institutions as soon as possible. When forwarding spoofed messages, always include the entire original email and keep the header information intact. Remember, it’s a mad world. You gotta protect yourself before you wreck yourself.


Powered by

About mpho

  • freaking scary, man – phishing is really evolving into a bad bad thing

  • I got the same email.

    I canceled my WaMu account years ago. 🙂

  • Thanks for the heads up. Gotten a few myself. I have not clicked any of the “Washington Mutual” links, but went ahead and forwarded the emails to the addresses you listed regardless.

    Also, as blogcritics pops up on Google pretty easily, you’re doing everyone a favor with this post! Thanks.

  • on a related note, there have been two very recent startpage/search page hijackers, almost identical, that appeared on the web and have subsequently infected a number of pcs at work. I have been collecting info on what pages exactly they are trying to promote, luckily the guy/gal who “coded” the “virus” (it’s actually very simple and i wouldn’t be surprised if the person responsible just used some kinda template or virus construction kit) hasn’t hidden the URLs that well, or in some cases at all. They’re all pages from sites that have affiliate programs, my hope is that if i lean on the related sites (and name and shame them here) they’ll be sufficiently motivated to deal with the silly little spammer.
    I do admire the overall idea of this particular hijacker, it’s very simple and yet very effective. It’s probably already netted the person a reasonable amount of money (certainly, a good amount for the small effort involved in creating it and setting it up)
    The basic idea, as appears to be the case with most hijackers, is to have a web page packed into a .dll file, placed in a windows system folder (usually %windows root%/system32) and have the .dll run every startup, making sure Explorer’s start page (and usually search page) URL point to it. But the page itself has it’s local path encoded in hex, to throw off the undetermined admin. I’ll also post the URL of a hex decoder, very useful for situations like this, and more complicated URL decoders, used if it looks like a URL has been properly encrypted by certain programs.
    I would dearly like to see some special law passed here, to bring back the stocks JUST for convicted phishers/similar online scammers. Have them held in stocks for a week, a big container load of rotten fruit and veg delivered nearby every morning for four weeks, free for the public to splatter them. Heh.

  • The interesting thing about this case is that since the initial message–which almost pulled me in–I’ve been bombarded by increasingly obvious lures regarding my account. As is typical of many of these spoofs, the spelling and grammar are ridiculously bad. That’s one reason I almost fell for the first one–because it was meticulously bona fide looking. The rest, which have been coming almost daily now, are degenerating as if diseased. It’s actually kind of creepy.
    I did mention the whole affair when I went to the bank the other day, and they just gave me the song and dance about the fact that they’re aware of it, but it wasn’t a comforting conversation. I also eventually got a genuine email from WAMU in response to my second forward. Again, they went over the do’s and don’ts and said they’re working with “authorities” to put a stop to it, but the fact that I’ve received so many in such a short span of time doesn’t give me any faith in the process. The only other advice I can offer, is that you should forward each and every instance, even if you get several like I have. Likely you won’t get a response from the investigating agencies, but they use the info to detect patterns and eventually, hopefully, find the culprits.

  • Hillbilly

    Have you found out anything yet on this?

    IT’s Saturday morning here. March 5, and I myself have just received a message via my answering machine that my bank needed me to call them because of an emergency. Needless to say I tried the number and it redirected me to another number to call……none other than good old 1-900-918-TALK.

    So be careful….It’s not just emails.

  • Weird. I wonder what happens, besides losing $.69 if you really dial that number. No I haven’t received any more word from “the authorities,” but I continue to be astounded by the tenacity of the phishers. I’m still getting a few messages a week. Thanks for the warning on about non-email based attempts.

  • Phishers are tenacious for the same reason spammers are. It takes only a few victims falling for their scams to make a profit on the nearly zero cost of sending out millions of email messages.

    The banks and the governments in the developed world hate this stuff as much as we do, but massive amounts of it come from places like Russia and China, where the U.S. federal government has relatively little power to stop the criminals.

    So for now we all just have to be a little more street smart. No reputable bank sends email to ask you for your personal information. Responding to any email like that is the equivalent of handing over your credit card to a guy on the street in an ill-fitting leisure suit, claiming to be from your bank.

  • Andy

    I’ve been receiving varients of this scam for some time, which I always forward to the spoof at wamu.com address listed on the (real) Wamu site. Note: I’ve typed that address in a way robotic email address harvesters used by spammers have trouble decoding.

    I also did a little research regarding the source of the latest phishing attack this morning – and the company hosting the bogus Wamu website – through my SpamCop.net account. The site appears to be hosted in India. When I called Wamu with the results of my research, the support rep was unwilling to bump me up to a higher level tech or security agent. I hope the following info is interesting to readers of this thread. I will contact my local police department’s high-tech crimes division with this info.

    I encourage people who receive these phishing attacks to take advantage of SpamCop’s free reporting service and to forward their info to Wamu.


    Resolving link obfuscation (in other words, where the phishing site is really hosted):
       host = delhi-202.54.216-111.vsnl.net.in (cached)
    Tracking link:

    Resolves to
    Routing details for
    Cached whois for : ip.admin [at] vsnl.co.in ip.tech [at] vsnl.co.in
    Using abuse net on ip.admin [at] vsnl.co.in
    abuse net vsnl.co.in = postmaster [at] vsnl.co.in, ip.admin [at] vsnl.co.in
    Using best contacts postmaster [at] vsnl.co.in ip.admin [at] vsnl.co.in


    Here’s some Whois info regarding the firm in India which appears to be hosting the bogus site…

    inetnum: –
    netname: VSNL-IN
    descr: Videsh Sanchar Nigam Ltd – India.
    descr: Videsh Sanchar Bhawan, M.G. Road
    descr: Fort, Bombay 400001
    country: IN
    admin-c: IA15-AP
    tech-c: VT43-AP
    remarks: -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks: This object can only be modified by APNIC hostmaster
    remarks: If you wish to modify this object details please
    remarks: send email to hostmaster@apnic.net with your organisation
    remarks: account name in the subject line.
    remarks: -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    mnt-by: APNIC-HM
    mnt-lower: MAINT-VSNL-AP
    changed: hm-changed@apnic.net 20040319
    source: APNIC

    person: IP Administrator
    nic-hdl: IA15-AP
    e-mail: ip.admin@vsnl.co.in
    address: 6th Floor, LVSB, VSNL
    address: Kashinath Dhuru marg, Prabhadevi
    address: Dadar(W), Mumbai 400028
    address: India
    phone: +91-22-56633503
    fax-no: +91-22-24320132
    country: IN
    changed: gpsingh@giasbm01.vsnl.net.in 20040312
    mnt-by: MAINT-VSNL-AP
    source: APNIC

    person: VSNL Tech
    nic-hdl: VT43-AP
    e-mail: ip.tech@vsnl.co.in
    address: 6th Floor, LVSB, VSNL
    address: Kashinath Dhuru marg, Prabhadevi
    address: Dadar(W), Mumbai 400028
    address: India
    phone: +91-22-56633503
    fax-no: +91-22-24320132
    country: IN
    changed: kapilkumar.jain@vsnl.co.in 20040312
    mnt-by: MAINT-VSNL-AP
    source: APNIC


    If indeed this company is hosting the bogus Wamu website, one wonders if Wamu is in contact with the FBI, Interpol and local law enforcement in India to shut it down and put the people responsible for it in jail for a long, long time.

  • RJ

    Honestly, these scum need to die.

    I wonder how many barely-cyber-literate old folks have accidentally given away their identities as well as their life savings due to these scams.


  • A quick check of the whois server at http://www.internic.net shows no such domain as “lynn-sanders.com”. Like spammers’ domain names, once someone reports a phishing attack, the domain will likely be shut down within days, if not hours.

    A couple of things that can help prevent this are if someone absolutely must use Internet Explorer, that person should use SpoofStick to make sure the site is who it purports to be, to front-end their e-mail client with something like MailWasher, which will let them see if an embedded URL is pointing to someplace other than it purports to be, and finally to read these e-mails carefully. Lots of phishing e-mails have poor English, a sure giveaway, and in any case, any such communication from a financial institution would be personalized.

  • Here’s a follow-up to my previous post (see above). I talked with several Wamu tech reps on the phone over the weekend regarding this phishing attack and received a phone call from Wamu’s Northridge California office this morning.

    [Side note… I’m afraid I had to go sorta ballistic during my final call late Saturday night… I’d lost an entire day trying to get through to someone in a position to actually help… I kept getting shuffled around and had to keep repeating the whole story over and over. My bureaucracy meter was overloading. In anger and blind frustration, I went off on the last rep I spoke with and screamed bloody murder about words like “trust” and “ethics.” Perhaps the squeaky wheel gets the grease. In any case, I think I might have punched through.]

    The woman I spoke with seemed genuinely interested and capable. She didn’t give me the standard “we’re working on it” line. I told her I had posted my research at a private, password protected, honeypot enabled page at my domain. I also faxed her a copy of my full report (16 pages of relevant stuff). We talked for about 30 minutes on two separate phone calls.

    I’ll post any worthwhile responses from Wamu on this thread (without giving away anything that might compromise Wamu’s ongoing investigation). Meanwhile, The Proprietor’s comments above are very useful… especially for people who still use Internet Explorer. I also suggest that Internet Explorer users seriously consider switching to a more secure browser, such as Firefox (for Mac or PC) or Safari (Mac only). You can Google the word “firefox” to access the Mozilla website and download a free copy of Firefox. It runs circles around Internet Explorer (aka ‘Internet Exploder’) in terms of user interface, security, and the way it handles online cookies. It’s a quick download and setup is simple and seamless. I tossed Exploder months ago and never looked back.

    Thanks, mpho, for posting this thread. It pops up near the top of the list in Google searches for Wamu spam and phishing. I hope it helps people protect their personal financial info from the thugs who are trying to steal it.

  • Jim

    I found this web sight when I did a Google search for “1-800-918-TALK”. I was inquiring about a trucking job that was in the local newspaper. When I called the 1-800 number it gave me this number to call, 1-800-918-TALK. It stated that I would be charged .99 a minute. I actually went to a pay phone to see what would happen. The original phone number, 1-800-225-5567 stated that the call could not be placed on a pay phone at this time. Now I’m wondering if the original number charged my account. I did not think that 1-800 numbers could charge for calls.