ANZ Phishing Scams

Phishing scams, hijacking of TM accounts, keyloggers and all manner of other nasties. This is the place to report them and get help if you've been hit.
ionet
Members
Posts: 2160
Joined: Fri Feb 18, 2005 2:33 pm
Location: Hawkes Bay

ANZ Phishing Scams

Post by ionet » Mon Mar 05, 2012 4:51 am

_


Here is another ANZ Bank phishing scam in this morning:


Subject: anz bank activation


Changes to our online banking site will affect your ANZ account

we have suspended your account until such time that it can be safely restored by you below:

activate your anz account



2012 ANZ Online Banking..

Link:

http://ehsmusic.fr/wp-includes/js/jcrop ... kmain.html

[NOTE -- Do Not Visit unless you know what you are doing ---- this is the Scammer's Phishing Site]


as picked up by -

PhishTank | Join the fight against phishing (www.phishtank.com)
PhishTank is operated by OpenDNS, a free service that makes your Internet safer, ... 1381879, http://ehsmusic.fr/wp-includes/js/jcrop/www.anz.co.. sir1963nz

PhishTank > Details on suspected phish #1381879 (www.phishtank.com/phish_detail.php?phish_id=1381879)
8 hours ago – PhishTank is operated by OpenDNS, a free service that makes your ... http://ehsmusic.fr/wp-includes/js/jcrop/www.anz.com/nz/inetbanking/



Message Headers:
Return-path: <juhanis@vhost2.norfello.com>
Envelope-to: xxxxxxx@nzinternet.user.nz
Delivery-date: Mon, 05 Mar 2012 08:27:35 +1300
Received: from Debian-exim by mx.internet.co.nz with local (Exim 4.69)
(envelope-from <juhanis@vhost2.norfello.com>)
id 1S4H5i-0001WM-F9
for xxxxxxx@nzinternet.user.nz; Mon, 05 Mar 2012 08:27:34 +1300
Received: from host136.norfello.fi ([194.100.64.136] helo=vhost2.norfello.com)
by mx.internet.co.nz with esmtp (Exim 4.69)
(envelope-from <juhanis@vhost2.norfello.com>)
id 1S4H5h-0001Up-8Q
for xxxxxxx@nzinternet.user.nz
; Mon, 05 Mar 2012 08:27:33 +1300
Received: by vhost2.norfello.com (Postfix, from userid 6062)
id 0F5FDDB0DE; Sun, 4 Mar 2012 21:25:05 +0200 (EET)
To: xxxxxxx@nzinternet.user.nz
From: <onlinebanking@anz.com.au>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <20120304192505.0F5FDDB0DE@vhost2.norfello.com>
Date: Sun, 4 Mar 2012 21:25:05 +0200 (EET)
Content-Transfer-Encoding: quoted-printable
X-DSPAM-Check: by XXXXXXXXXXXXXXXXXXX 05 Mar 2012 08:27:33 +1300
X-DSPAM-Result: Spam
X-DSPAM-Processed: Mon Mar 5 08:27:33 2012
X-DSPAM-Confidence: 0.4984
X-DSPAM-Probability: 0.9397
Subject: [SPAM] anz bank activation"
[headers addended for recipient details]

M
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.


Re: ANZ Phishing Scam

Post by ionet » Sun Mar 11, 2012 3:55 am

_


And the same lot of Scammers are at it again sending out the same message:


Subject Line: anz activation

Changes to our online banking site will affect your ANZ account

we have suspended your account until such time that it can be safely restored by you below:

activate your anz account



2012 ANZ Online Banking..


Link:

http://www.jmm.com.ve/libraries/openid/ ... kmain.html


[NOTE -- Do Not Visit unless you know what you are doing ---- this is the Scammer's Phishing Site]


Message Headers:


Return-path: <serveradmin@hawdale-associates.co.uk>
Envelope-to: xxxxxxx@nzinternet.user.nz
Delivery-date: Sun, 11 Mar 2012 16:36:13 +1300
Received: from Debian-exim by mx.internet.co.nz with local (Exim 4.69)
(envelope-from <serveradmin@hawdale-associates.co.uk>)
id 1S6ZZs-0005y6-Ia
for xxxxxxx@nzinternet.user.nz; Sun, 11 Mar 2012 16:36:12 +1300
Received: from n32.c09.mtsvc.net ([205.186.172.32])
by mx.internet.co.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
(Exim 4.69)
(envelope-from <serveradmin@hawdale-associates.co.uk>)
id 1S6ZZs-0005x7-93
for xxxxxxx@nzinternet.user.nz; Sun, 11 Mar 2012 16:36:12 +1300
Received: from hawdale-associates.co.uk by n32.c09.mtsvc.net with local (Exim 4.69)
(envelope-from <serveradmin@hawdale-associates.co.uk>)
id 1S6ZZq-0006HU-5d
for xxxxxxx@nzinternet.user.nz; Sat, 10 Mar 2012 19:36:10 -0800
X-MT-MESSAGEID: B3Ti9BLE4vQSxOL0E=
To: xxxxxxx@nzinternet.user.nz
From: ANZ Online Banking <onlinebanking@anz.com.au>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1S6ZZq-0006HU-5d@n32.c09.mtsvc.net>
Date: Sat, 10 Mar 2012 19:36:10 -0800
X-DSPAM-Check: by mx.internet.co.nz on Sun, 11 Mar 2012 16:36:12 +1300
X-DSPAM-Result: Spam
X-DSPAM-Processed: Sun Mar 11 16:36:12 2012
X-DSPAM-Confidence: 0.5495
X-DSPAM-Probability: 1.0000
Subject: [SPAM] anz activation"

[headers addended for recipient details]




M

_
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.


Re: ANZ Phishing Scam

Post by ionet » Sun Apr 08, 2012 4:16 am

_


The Phishing Scammers seem to like ANZ for some reason & have been hard out sending further phishing emails trying to scam account log-in details:


Received - 30-Mar-2012

anz alert

Your ANZ Bank Account Has Been Blocked

For your security, your ANZ Bank account has been locked
due to inactivity or because of many failed login attempts.


Click Here to Re-activate your ANZ Bank account


© 2012 Australia and New Zealand Banking Group Limited(ANZ).

LINK NOTE - THIS SCAMMERS SITE MAY STILL BE LIVE


http://blogmaquinariaconstruccion.camac ... kmain.html


Received - 3-Apr-2012

anz update

ANZ Online Banking E-Mail Address Change Notification.
To Verify Your Identity, click : "INTERNET BANKING"
and confirm your account balance here: "ACCOUNT BALANCE".

LINK NOTE - THIS SCAMMERS SITE MAY STILL BE LIVE


http://www.onlinecafe.si/www.anz.com/nz ... kmain.html




Received - 4-Apr-2012

anz message

Your ANZ account has been temporary suspended.
To confirm your ANZ online account status please "LOGIN"

LINK NOTE - THIS SCAMMERS SITE MAY STILL BE LIVE

http://www.web2shop.es/wp-content/langu ... kmain.html



Received - 8-Apr-2012

account statement

Your new ANZ Online statement is available.

To view and verify your transaction on your account, click below:

ACCOUNT STATEMENT ONLINE



ANZ Online Banking All rights reserved.

LINK NOTE - THIS SCAMMERS SITE MAY STILL BE LIVE

http://taction.tk/www.anz.com/nz/inetba ... kmain.html


The last phishing site has been reported to dot.tk Abuse Section & hopefully will be killed soon ;-)



The Phishing Scammers do appear to be communicating a whole heap better than ANZ presumably
are even able to manage with their own Customers ;-)


M
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.

Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt

Re: ANZ Phishing Scam

Post by Foggyone » Sun Apr 08, 2012 7:31 pm

All four phishes show in Firefox as Web Forgery pages.

All four sites have shut down the offending pages when viewed by an alternate browser. The final one tickled my fancy by reporting:

"Phish terminated"
Google, the answer to so many questions!
-----------------------------------------------------


Re: ANZ Phishing Scam

Post by ionet » Mon Apr 09, 2012 1:21 am

_

And another

Received - 9-Apr-2012

anz notice


Please Note, To Protect Your ANZ Online Account and Internet Banking. Please "LOGIN" Now.


LINK NOTE - THIS SCAMMERS SITE MAY STILL BE LIVE


http://koby.ro//wp-includes/js/jcrop/ww ... kmain.html


Interestingly enough a Romanian site, and don't smile sweetly quite so fast yet TM - Was it not the very large holes in your site security that was the largest contributing factor to Scammers putting together their NZ Scamlists/Spamlists in the first place - for which the victims have still not been compensated for the Scammers getting their information and for release of their email addresses? ;-)

Some may consider that there is a very huge Debt owed by TM to all NZ Internet users courtesy of TM's questionably slow & ineffective actions (if not continuing negligence) in effective efforts to combat and contain scammers coming onto the site, which has only contaminated most of the NZ Internet Community and will continue to do so for years to come unless the scammers are firmly dealt to & all lists taken off them ;-)

Wonder when the matter of those large chapters of security breaches over many years will see action through the Courts and large Compensation Orders for all affected members? ;-)

The Banking Industry may have interest in where a source of the information leak and root cause of some of their Losses actually can be traced back to, the banks having been the sector hit financially by phishing efforts, using a spamming database which was generated from where & how? ;-)

Try explaining where the Scammers got such a large database of NZ email addresses in such a short time? It must have been a significantly large organisation they hacked or could it have been? It can't have been Old Martha's NZ Snail Breeding & Handcrafts site they hacked, because they may be lucky to see 50 bods in over a month ;-)

Anyone in doubt about the long running Security Breaches and efforts of Romanian Scammers freely hijacking TM accounts over many years need only refer to thread under

viewtopic.php?f=3&t=2189

;-)


M
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.


Re: ANZ Phishing Scam

Post by ionet » Tue Apr 10, 2012 5:25 am

_

And off we go again for some more ANZ phishing:


Subject Line: activate your account
Activate Your ANZ Bank Account.
To activate, click on the "ACTIVATE"
tab and then click on "BANK UPDATES" for more informations.


LINK NOTE - THIS SCAMMERS SITE MAY STILL BE LIVE

http://confusionsoft.org/wp-includes/js ... kmain.html


Received: from vz16.stone-is.net (vz16.stone-is.net [87.238.162.149])
by smtp.stone-is.be


Received at 10.30 AM NZ Time, headers record - Mon, 9 Apr 2012 22:27:35 +0000 (UTC)
Received: by vz16.stone-is.net

M
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.


Re: ANZ Phishing Scam

Post by ionet » Mon Apr 16, 2012 4:47 am

_


And off we go again for today's chapter of this Scammer's ANZ phishing efforts:

ANZ Notification


An attempt to access Online Banking was denied 30mins ago:

Please verify your accout transaction if you do not remember trying to access Online Banking below:

Click here for ANZ ACCOUNT VERIFICATION


ANZ Bank Security Services.


Link:

http://agmc.in/wp-includes/js/jcrop/www ... kmain.html


[NOTE -- Do Not Visit unless you know what you are doing ---- this is the Scammer's Phishing Site and may still be Live ]


Original Message Headers:

Return-path: <web1735@s2.elin.hu>
Envelope-to: xxxxxxxxxx
Delivery-date: Mon, 16 Apr 2012
Received: from Debian-exim by web.co.net.nz with local (Exim 4.69)
(envelope-from <web1735@s2.elin.hu>)
id 1SJbyL-0000LB-LG
for xxxxxxxxxxx; Mon, 16 Apr 2012
Received: from s2.elin.hu ([94.125.250.36])
by mx.web.co.net.nz with esmtp (Exim 4.69)
(envelope-from <web1735@s2.elin.hu>)
id 1SJbyL-0000Kh-5l
for xxxxxxx; Mon, 16 Apr 2012
Received: from localhost (localhost [127.0.0.1])
by s2.elin.hu (Postfix) with ESMTP id 99FC761041
for <xxxxxxxxx>; Mon, 16 Apr 2012 (CEST)
X-Virus-Scanned: Debian amavisd-new at s2.elin.hu
X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char 0D
hex): From: ANZ Online <anzservices@anz.com.au>\r
Received: from s2.elin.hu ([127.0.0.1])
by localhost (s2.elin.hu [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id OQ8j+ehmxTIE for <xxxxxxxxxxx>;
Mon, 16 Apr 2012 (CEST)
Received: by s2.elin.hu (Postfix, from userid 6116)
id 635FEA0581; Mon, 16 Apr 2012 (CEST)
To: xxxxxxxxxxx
From: ANZ Online <anzservices@anz.com.au>
Message-Id: <20120416023958.635FEA0581@s2.elin.hu>
Date: Mon, 16 Apr 2012 (CEST)
X-DSPAM-Result: Spam
X-DSPAM-Processed: Mon Apr 16 2012
X-DSPAM-Confidence: 0.5163
X-DSPAM-Probability: 0.9987
Subject: [SPAM] ANZ Notification"

and headers for the second spam:

Return-path: <apache2@grupopaodeacucar.com.br>
Envelope-to: xxxxxxxxxxx
Delivery-date: Mon, 16 Apr 2012
Received: from Debian-exim by nzweb.co.net.nz with local (Exim 4.69)
(envelope-from <apache2@grupopaodeacucar.com.br>)
id 1SJdaM-0004MC-Us
for xxxxxxxxxx; Mon, 16 Apr 2012
Received: from relay.paodeacucar.com.br ([200.192.172.139])
by nzweb.co.net.nz with esmtp (Exim 4.69)
(envelope-from <apache2@grupopaodeacucar.com.br>)
id 1SJdaM-0004Iu-Eb
for xxxxxxxxxxx; Mon, 16 Apr 2012
Received: from gpa-wdlamp01.grupopaodeacucar.com.br (unknown [10.151.4.107])
by relay.paodeacucar.com.br (Postfix) with ESMTP id AE8841BC52
for <xxxxxxxxxx>; Mon, 16 Apr 2012 (BRT)
Received: by gpa-wdlamp01.grupopaodeacucar.com.br (Postfix, from userid 500)
id 02C43B0DCC; Mon, 16 Apr 2012 (BRT)
To: xxxxxxxxx
X-PHP-Originating-Script: 500:main.php
From: ANZ Online <anzservices@anz.co.nz>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <20120416041536.02C43B0DCC@gpa-wdlamp01.grupopaodeacucar.com.br>
Date: Mon, 16 Apr 2012 (BRT)
Content-Transfer-Encoding: quoted-printable
X-DSPAM-Check: by nzweb.co.net.nz on Mon, 16 Apr 2012
X-DSPAM-Result: Spam
X-DSPAM-Processed: Mon Apr 16 2012
X-DSPAM-Confidence: 0.5527
X-DSPAM-Probability: 1.0000
Subject: [SPAM] ANZ Notification"


received / sent twice - between 2 & 3 pm and again between 4 & 5 pm today NZT


M
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.
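
Added example, not part of the original posts: a small Python check run over header lines copied from the second message in the post above, flagging the mismatches that are visible by eye there. The function names and finding labels are assumptions made for this illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Header lines taken from the second message in the post above (recipient was
# already x'd out there); continuation lines are indented as on the wire.
SAMPLE = """\
Return-path: <apache2@grupopaodeacucar.com.br>
Received: from relay.paodeacucar.com.br ([200.192.172.139])
\tby nzweb.co.net.nz with esmtp (Exim 4.69)
\t(envelope-from <apache2@grupopaodeacucar.com.br>)
To: xxxxxxxxx
X-PHP-Originating-Script: 500:main.php
From: ANZ Online <anzservices@anz.co.nz>
Reply-To:
Message-Id: <20120416041536.02C43B0DCC@gpa-wdlamp01.grupopaodeacucar.com.br>

"""


def domain_of(value):
    """Domain part of an address header value, lower-cased ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def related(a, b):
    """True when one domain equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def header_findings(raw_headers):
    """Return a list of labels for header inconsistencies (hypothetical labels)."""
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-path"])
    mid = (msg["Message-Id"] or "").strip().strip("<>")
    mid_dom = mid.rpartition("@")[2].lower()

    findings = []
    # Visible From: claims one organisation, the envelope sender is another.
    if from_dom and env_dom and not related(from_dom, env_dom):
        findings.append("from-vs-envelope")
    # Message-Id is stamped by the first mail server, which is not the From domain.
    if from_dom and mid_dom and not related(from_dom, mid_dom):
        findings.append("from-vs-message-id")
    # Header added by PHP's mail logging: the mail came from a web script.
    if msg["X-PHP-Originating-Script"] is not None:
        findings.append("php-originating-script")
    # Reply-To present but blank, as in several of the headers in this thread.
    reply_to = msg["Reply-To"]
    if reply_to is not None and not reply_to.strip():
        findings.append("empty-reply-to")
    return findings


if __name__ == "__main__":
    print(header_findings(SAMPLE))
```

A From/envelope mismatch on its own also occurs with legitimate mailing lists and bulk-mail providers, so these labels are triage hints to combine, not a verdict.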


Re: ANZ Phishing Scam

Post by Foggyone » Mon Apr 16, 2012 7:31 am

Reporting as a web forgery in Firefox.

Reporting in another browser as page not found. Taken down!
Google, the answer to so many questions!
-----------------------------------------------------


Re: ANZ Phishing Scam

Post by ionet » Mon Apr 23, 2012 11:52 pm

_

And an ANZ phishing email in today:

Subject line: customer message



Your ANZ account has been temporary suspended.
To confirm your ANZ online account status please "LOGIN"

Be careful - this Phishing site could still be live:

http://flori.beregoi.info/wp-includes/j ... kmain.html




M
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.


Re: ANZ Phishing Scam

Post by ionet » Tue May 08, 2012 4:17 pm

_

And another ANZ phishing email in 4 May 2012:

Subject Line: anz online statement

A new statement is available.
To view, click on the "ACCOUNTS"
tab and then click on "Statements" to verify your transaction

Be careful - this Phishing site could still be live:

http://www.energymonitoring.org.uk/wp-i ... kmain.html


M
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.


Re: ANZ Phishing Scam

Post by Foggyone » Tue May 08, 2012 7:08 pm

The site is now reporting as a web forgery in Firefox. The site has been disabled when viewed in another browser.
Google, the answer to so many questions!
-----------------------------------------------------


Re: ANZ Phishing Scam

Post by ionet » Mon May 21, 2012 4:52 am

_

Today's ANZ phishing attempts from the Scammers


Each message has two phishing sites linked as under


Sent from a dummied up sender email addy: suspension (at) anz.com.au


Subject Line: account suspension


Your ANZ Online Banking account has been temporary suspended.
To confirm your ANZ account status please "LOGIN"
and you can click on "Activities" to review recent transactions



Phishing Links:


NOTE: Be careful - these Phishing sites could still be live:


LOGIN http://gac-outsourcing.fr/afrikara/site ... kmain.html

Activities http://checkyourcompass.org/libraries/o ... kmain.html


M
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.


Re: ANZ Phishing Scam

Post by ionet » Fri Jun 08, 2012 12:23 am

-


Today's effort from the Phishing Scammers received mid morning 'alert at anz.co.nz':


Subject Line: anz update

An attempt to access ANZ online was denied 30mins ago:

If you do not remember trying to access online banking, please select:

That was NOT me


Phishing site Link:

http://data.pushkinlibuko.kz/js/www.anz ... kmain.html

[NOTE -- Do Not Visit unless you know what you are doing ---- this is the Scammer's Phishing Site]


M
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.


Re: ANZ Phishing Scam

Post by ionet » Fri Jun 15, 2012 11:36 am

_


And today's Phishing Attempt from the Scamming Noddies:



Subject Line: account notice

ANZ Sign-In Protection Alert

An attempt to access ANZ online was denied on Friday, 15 June 2012, 06:38:25 EDT.

If you do not remember trying to access Online Banking on the above date and time, please select
That was NOT me.

You will then be prompted to safeguards your account.
2012 ANZ Online Banking.

Sure giveaways to a phish:

Lower case Subject line and "06:38:25 EDT"



Link to the Scammer's Phishing Site:

http://doctordigital.nl/wp-includes/js/ ... kmain.html


[NOTE -- Do Not Visit unless you know what you are doing ---- this is the Scammer's Phishing Site]


M

_
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.


Re: ANZ Phishing Scam

Post by ionet » Tue Jun 19, 2012 5:32 am

_


And this afternoon's effort at an ANZ Phish:

Subject Line: anz message


Your ANZ Online Banking account has been temporary suspended.
To confirm your ANZ account status please "LOGIN"
and you can click on "Activities" to review recent transactions.

Link to the Scammer's Phishing Site:

http://octet-sapporo.sakura.ne.jp/mailf ... kmain.html


[NOTE -- Do Not Visit unless you know what you are doing ---- this is the Scammer's Phishing Site]


M

_
Ultimate Auction Security: Kick 'em in the pants & sweep them under the carpet fast before anyone sees & hope they go away.
