Digital fingerprint

The gold standard for incompetent robbery is the guy who wrote his holdup note on one of his personalized deposit slips. It would be hard to match that online, but this, received Saturday morning in my email, comes close:

Dear Chase OnlineSM Customer,

We noticed invalid login attempts into you account online from an unknown IP address .
Due to this, we have temporarily suspended your account.
We need you to update your account information for your online banking to be re-activated
please update your billing information today by clicking

http://fs-gw-3g.ucd.ie/chase.html

Just verify the information you entered is correct.
Sincerely,

P.S. The link in this message will be expire within 24 Hours . You have to update your payment information

2012 JPMorgan Chase & Co. All rights reserved.

——————————————–
Atlas Cycles (Haryana) Ltd, Sahibabad, India

<!-- Virus-Free Mail Using AntiVirus for PostMaster Enterprise & QuickHeal Engine -->

Message header does in fact say from atlascycles.co.in.


What the DGTFX?

Recent email, verbatim:

Your e-mail account should be upgraded to our new DGTFX Secure Anti-Virus 2012 version for damages prevent your important files.

Click on your reply, provide the details below or your e-mail account will be terminated immediately to prevent spread of the virus into our webmail log.

Email Address:
Email Password:
Date of Birth:

1024-bit RSA keys for password security to prevent unauthorized users
Technical Support Team
C 1998-2012 Cox Communications, Inc

This is obviously a phishing attempt, and a lame one at that. Then again, it is very likely true that damages prevent your important files.

Incidentally, the ostensible sender of this tissue of organic fertilizer is named “Sueprdave.” And nearly as weirdly, the Reply-To address given is updatecox@qatar.io. .IO? .IO. (It’s off to work we go.)


US Phish

For today’s scam, we have a fake reservation confirmation:

You should check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After that, all you need to do is print your boarding pass and head to the gate.

Confirmation code: 329679

Check-in online: Online reservation details

According to the “details,” which conceal a link to a site in Chile, I’m booked on US Airways Flight 7952, scheduled to leave DCA (Reagan National) at 10 pm Thursday. As it happens, US Airways does have a Flight 7952, but it’s a West Coast route, from SFO (San Francisco International) to BUR (Bob Hope Airport, Burbank).

And I’m still fuzzy on how I’m supposed to check in and then print my boarding pass.


Next time express yourself in American

Once in a while Windows Live Mail calls out an obvious phish, though it’s not unfailingly reliable at spotting the non-obvious ones. Still, this one, purporting to be from American Express, was rather easily detected:

Because of unusual number of invalid login attempts on you account, we had to believe that, their might be some security problem on you account.

So we have decided to put an extra verification process to ensure your identity and your account security.

Please click on continue to the verification process and ensure your account security. It is all about your security.

There’s even a (possibly unconscious) punchline:

Thank you. Open In Internet Explorer Only.

I have to figure that anyone who closes some other browser and then opens up IE as directed probably deserves to be phished. Because, you know, it’s all about your security.


I’m not as nutty as they think

As it happens, I do use SquirrelMail, so I did actually read this one:

Due to the package compromise of 1.4.11, 1.4.12 and 1.4.13, we are forced to release 1.4.15 to ensure no confusions. While initial review didn’t uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim’s server. This could grant the attacker the ability to deploy further code on the victim’s server.

Which is actually sort of plausible, except for a couple of minor considerations:

  • What, no 1.4.14?
  • Version being used at the mail server is 1.4.21.

Oh, and here’s why no 1.4.14:

On May 27, 2008 the SquirrelMail Team announced that, while the latest released version of their software was 1.4.13, a spammer was sending unsolicited email messages to various recipients about a 1.4.14-rc1 release candidate version which didn’t really exist. The messages (usually titled “Internet Users Email Upgrade (IUEU)”) urged recipients to upgrade immediately (because of supposed security issues) and contained a web link for users to do so. However, that web link pointed to a page where the spammer was collecting email addresses and passwords. Beside the fact that end users are not responsible for upgrading such software, that the “upgrade” page was merely a mock SquirrelMail login page made it clear that this was a Phishing attack. The “upgrade” page has been hosted on various compromised systems across the Internet and the attack has continued at least through July 2009.

As a result, the SquirrelMail team skipped version 1.4.14 and its next release after 1.4.13 was 1.4.15.

For “July 2009,” read “July 2011.”

Incidentally, 1.4.22 was released last week.


The (fake) taxman cometh

Received in yonder inbox, the following pathetic phishing attempt:

Your federal Tax payment (ID: 843614468293), recently sent from your bank account was canceled by the your financial institution.

Tax Transaction ID:
843614468293

Return Reason
See details in the report below

FederalTax Transaction Report
tax_report_843614468293.pdf.exe (self-extracting archive, Adobe PDF)

Oh, yeah. Sure. Incidentally, the link under that URL goes to a shortener that I was not aware existed: omf.gd. Nice to know the thief has a sense of humor.

And since said thief claimed to be Donny_Rutledge at irs.gov, I am happy to tell Donny to STFU.


Rank amateur

This was titled “Update Your Account!!”, with both exclamation points, a dead giveaway before I even got around to looking at the body of the message. But it got worse:

We are bringing to your notice that our customer service will be damaging down some account users in our data base, due to the high number of different accounts that has been violated by our account policy, terms and conditions we are destroying down some email users.

if you still choose to maintain your account with us.
Provide us with the below info :

E -mail:
Password:
Birth date:

send all informations to: update55@qatar.io

Account owner that refuses to maintain his or her account after 2-3 working days of this notification will loose account permanently from our site. NOTE !!! account user that refuses to maintain his/her account will have account permanently removed from our data base for email violation.

© 1998-2011
Cox Communications

This buttinski has several rungs to ascend before he can consider himself even a script kiddie.


As if-y

Subject line: “ACH transaction cancelled.”

A glitch in the Automated Clearing House? No, just a phisher out dangling his bait. Here’s the text:

The ACH transaction, recently sent from your bank account (by you or any other person), was cancelled by the Electronic Payments Association.

Please click here to view report.

I opted not to view the “report,” which goes to transferstnow.info.

Semi-amusingly, this spam was “signed” by “Raymundo Andrews, Fraud Department.” Nice to know that Fraud has its own freestanding department these days.


Decease and desist

An email asking “Are You Dead Or Alive” in the subject line is almost certainly dubious — if I haven’t updated in a couple of days, you can probably assume I’m dead, or at least that they’re throwing me onto the cart — but I looked at this one anyway, and it’s dazzling in its inanity.

“Miss Donna Story” writes:

We received an Email from a Lady called, Mrs Carol Cage, she called us this morning with this telephone number: +1909275xxxx, Informing us that you died three days ago, She said that we should send your ATM CARD to her, Mrs Carol Cage, home Address: Watertown, Wi 53094, usa. and also she provided this bank details for the transfer:

Bank details and part of phone number redacted. Incidentally, the number in question seems to be located, not in Watertown, Wisconsin, but in Fontana, California.

“Miss Story” continues:

She stated that she is your next of kin beneficiary, and she also told us that you instructed her to claim your properties including your fund that is in this office in case you are not there to be found on earth.

She said that you told her that there is transfer charge she will pay in other to receive the fund, that I should let her know the cost for her to pay, Please let us know if this is true or not because we are confused now about this claim because she requested that we should send to her the Name and Information to pay the required delaying fee to enable us transfer your fund to her.

“Delaying fee”? (“There’s a late charge for the late Mr. Hill.”)

Anyway, to avoid this presumably-unpleasant situation, I must send them a whole crapload of personal data. Of course.

As for Donna Story herself, evidently she really gets around.


Note to scammers

Being careful to specify the trademark registration for the financial institution you’re pretending to be should theoretically help enhance your credibility as you attempt to steal people’s personal information, but this line has other problems:

PayPal Account® Posible Fraud – Notification

For one, ® should modify “PayPal,” not “Account”; for another, you misspelled “Possible.”

Oh, and serwicse@payspal.com isn’t fooling anybody.


Exploits exploited

Download Squad reports:

Adobe has found a new critical zero-day vulnerability in Flash, Reader and Acrobat. This can be exploited to run malicious code on the victims’ computers.

Affected are Flash Player 10.1.85.3 and earlier on Windows, Mac, Linux and Solaris; Flash Player 10.1.95.2 and earlier for Android; Adobe Reader 9.4 and earlier 9.x versions for Windows, Mac and Unix-based operating systems; Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Mac.

Coincidentally (yeah, right), a few hours before Adobe made their announcement, the following landed in my inbox:

Dear Customers,

Adobe is pleased to announce new version upgrades for Adobe Acrobat 2010.

Advanced features include :

- Collaborate across borders
- Create rich, polished PDF files from any application that prints
- Ensure visual fidelity
- Encrypt and share PDF files more securely
- Use the standard for document archival and exchange

To upgrade and enhance your work productivity today, go to:

http://www.adobe-acrobat-new-download.com

I need hardly point out that this URL is highly bogus, and anyway, Acrobat versions are numerical, not chronological, so “Acrobat 2010” is by definition nonexistent.

But this is what really gave it away, right near the bottom:

Copy rights © Adobe Acrobat 2010 – All Rights Reserved

The least you slobs could do is copy it right.


Being evil

No, it’s not Google. It’s someone pretending to be Google, and they sent out something called “Security Confirmation Code GUK/877/798/2010,” which means — well, nothing, actually.

Claimed email address is “Google@[24.210.55.233],” which seems unlikely, inasmuch as that particular IP resolves to a RoadRunner account in Columbus. I’m thinking the alleged “Google Promotion Award Team” pulled that number at random, since the actual email, assuming there’s anything at all believable in the header, originated from the Middle East.

And oh, there’s a 36k Word document attached, which I don’t think I’ll read.

I will, however, point you to “Google Eye,” a song about a fish (not a phish) written by John D. Loudermilk and recorded by the Nashville Teens (not teens, not from Nashville).


Twits and giggles

Twitter is known for a bird and occasionally a whale. Now it has a phish:

[Screenshot: Twitter spam]

(Click to embiggen.) “You have 3 unread message(s),” indeed.


Also, it went to the wrong email address

In last night’s email, something called “Facebook Password Reset Confirmation! Support Message.” Yes, complete with exclamation point.

Unpersuasive text:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
Your Facebook.

Said document is a 32k ZIP file which I am loath to open for perfectly obvious reasons.


Nationalize this, pal

Something claiming to be the “Federal Credit Bureau” — and wouldn’t that be lovely? — dropped the following on me:

Your Credit Score decreased to 600. You need to download your credit history file from Federal Credit Bureau website and carefully review it. Use your personal hyperlink.

Said hyperlink begins with www.fcb.org, but then dissolves into a whole string of stuff that goes, um, somewhere else.

And amusingly, this thing was addressed to “deborahn” at this domain. Now I never met a Deborah I didn’t like, but I’ve never been one of them.


Phish phail

Dear “Webmail Helpdesk Team”: If you’re going to attempt to sucker people out of the following information …

CONFIRM YOUR EMAIL IDENTITY BELOW
1. Full Email Address:________
2. Password:________
3. Country:_______
4. Age:________
5. Date of birth:______
6. First name/Last name:____
7. Security Question/Answer:______

… the take will likely be better if you actually provide them a bogus link for them to click on.


Notice of underreported income

One year I made $1.26 interest on my checking account, which I duly reported to the Eternal Revenue Service.

So I was quite sure this curt little email notice was bogus:

Taxpayer ID: chaz-00000174073547US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

I am, of course, not crazy enough to click on said link, which starts with irs.gov but ends with a whole lot of misdirection, which means that “Fraud Application” is in fact correct, though not in the sense they’d like you to think. And how likely is it that the IRS would refer to me as “chaz,” anyway?


Tastier phish

One of the first things you learn when you start looking for phishing attempts is divergence between the link you see on screen and the link you see in the status bar when you mouse over it.

Weirdly, I got one yesterday that had no such divergence, but was still bogus. Some of the text, for the benefit of searchers:

Dear Comerica Bank customer,

You have received this alerting message, as you are listed to be an Comerica Business Connect user.

We would like to inform you that we are currently carrying out scheduled maintenance of banking software, that operates customer database for Comerica Business Connect users. Customer database is based on a client-server protocol, so, in order to finish the update procedure, we need customer direct participation. Every Comerica Business Connect customer has to complete a Comerica Business Connect Customer Form. In order to access the form, please use the link below. The link is unique for each account holder and expires within a certain period of time. If you don’t fill in Comerica Business Connect Customer Form before your unique link expires, the system will automatically send you a new notification message.

The language, of course, gives it away; it’s only slightly better than someone trying to imitate American legalese with no tools but a French-to-Urdu phrasebook. All it lacks is a hovercraft full of eels.

But the link, ostensibly to “businessconnect.comerica.com,” for some reason showed exactly that when I tried mousing over it in my webmail client. Perplexed, I saved it as a file on the desktop and viewed it separately; Firefox did not catch the discrepancy. (I later downloaded it through POP3, and Outlook Express was not fooled.) The only anomaly I could see in the code was that they’d set what looked like a couple of hex bytes — 3D — between “<a href=” and the beginning of the real URL.

Eventually I determined that the destination of all clicks on this link was a Mexican domain, which prompts the following response from me: “Mi aerodeslizador está lleno de anguilas.”
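The “3D” bytes described above are quoted-printable encoding, where a literal “=” is written as “=3D”; a client that compares the visible link text with the href only after decoding will catch the mismatch that the webmail client and Firefox missed. As an added illustration (not from the original post), here is a small Python check that decodes a quoted-printable HTML part, collects each anchor’s href and visible text, and flags anchors whose displayed host differs from the real destination; the mail body, the placeholder domain “landing.example” standing in for the Mexican domain, and the hypothetical query string are all constructed.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that looks like a host or URL, e.g. "businessconnect.comerica.com".
DOMAINISH = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Lower-cased hostname of a URL or bare host string ('' if none)."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def find_mismatched_links(raw_part, quoted_printable=True):
    """Return (visible_text, href) for anchors whose shown host is not the real one."""
    body = raw_part
    if quoted_printable:  # undo "=3D" (and any other =XX escapes) before parsing
        body = quopri.decodestring(raw_part.encode()).decode("utf-8", errors="replace")
    parser = _AnchorCollector()
    parser.feed(body)
    parser.close()
    flagged = []
    for href, text in parser.anchors:
        if DOMAINISH.fullmatch(text) and _host(text) != _host(href):
            flagged.append((text, href))
    return flagged


# Constructed quoted-printable HTML part: the first link shows the bank's host but
# points at a placeholder domain; the second is consistent and must not be flagged.
SAMPLE_QP = (
    "Every Comerica Business Connect customer has to complete a Customer Form.\n"
    '<a href=3D"http://landing.example/clk?id=3D77">businessconnect.comerica.com</a>\n'
    '<a href=3D"http://www.comerica.com/">www.comerica.com</a>\n'
)

if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_QP):
        print(f"visible {shown!r} -> actual {real!r}")
```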


I’m phishy, fly me

Subject line: “E-ticket #4228953012.”

Here’s the dubious pitch:

Thank you for using our new service “Buy Northwest Airlines ticket Online” on our website.
Your account has been created:

Your login: redacted
Your password: pass3T3L

Your credit card has been charged for $477.86.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Sharron Jeffries
Northwest Airlines

Actually, attached to this message is a zip file of questionable provenance; I didn’t bother to open it.

And “Jeffries” is strangely apropos, since there are times I’d like to stuff a whole platoon of scammers into a Jefferies tube and flood it with a pathogen or three.


Note to a would-be phisher

If you’re going to try to lure people with the promise of a Walmart gift card, please note: “Walmart” has only one L.

You’re welcome.
