Net Patroler Phil W. offers the following additional information and very interesting analysis of the Associated Bank phishing scam:
After reading your alert about Associated Bank, I recalled receiving a similar email, which I had put in the Junk Folder. After going back and checking, I noticed it wasn’t even actually to MY email address (bolded by me), even though I had received it. Using Find, I couldn’t even locate any reference to my correct email address. More interestingly, there is a paragraph in the Source Code that didn’t even show up in the spam email (bolded by me). It’s below the headings and starts with “As someone who has…” Pretty weird, not to mention the actual phishing spam.
I thought I would share the Source Code with you, which follows:
Mon Apr 25 06:13:21 2005
X-Account-Key: account1
X-UIDL:
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path:
Received: from mxsf13.cluster1.charter.net ([10.20.201.213])
by mtai01.charter.net
(InterMail vM.6.01.04.01 201-2131-118-101-20041129) with ESMTP
id <20050425123101.CMXH4930.mtai01.charter.net@mxsf13.cluster1.charter.net>;
Mon, 25 Apr 2005 08:31:01 -0400
Received: from mxip20.cluster1.charter.net (mxip20a.cluster1.charter.net [209.225.28.150])
by mxsf13.cluster1.charter.net (8.12.11/8.12.11) with ESMTP id j3PCRR5Y022359;
Mon, 25 Apr 2005 08:31:01 -0400
Received: from unknown (HELO 209.225.8.224) (61.104.60.61)
by mxip20.cluster1.charter.net with SMTP; 25 Apr 2005 08:30:55 -0400
X-Ironport-AV: i=”3.92,127,1112587200″;
d=”scan’217,208″; a=”968702596:sNHT48817236″
Received: from oc7.austria.chocofan.com (tc3.badland.chocofan.com [88.80.103.160]) by su56.chocofan.com (InterMail vM.6.01.03.04 201-2131-111-106-20040729) with ESMTP lAqbjq2-0000OS-00 for evaristo100@charter.net; Sun, 24 Apr 2005 20:31:37 -0500
Received: from profit.starr.chocofan.com ([140.160.255.160])
by ew1.intimater.chocofan.com (8.12.9p2/8.12.9) with ESMTP
<85434237307385.IHBZ43295.apm0.chocofan.com@chocofan.com>
for evaristo100@charter.net; Sun, 24 Apr 2005 23:32:37 -0200
Received: from 171.222.174.106 ([60.80.96.198]) by cabana.bounty.chocofan.com (gate SMTP Server) with SMTP hGOZSWO-00008K-00 for evaristo100@charter.net; Mon, 25 Apr 2005 02:29:37 +0100
Date: Sun, 24 Apr 2005 18:26:37 -0700
From: “Associated Banc-Corp Banking Support”
To: [email address]
Subject: Online Banking Account blocked
Message-id: <83232055.5875175078568.versus.colosseum@jcagop>
X-Antivirus: AVG for E-mail 7.0.308 [266.10.2]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=”=======AVGMAIL-426CECF1696E=======”
–=======AVGMAIL-426CECF1696E=======
Content-Type: multipart/alternative; boundary=———-uLDc28vfbMhzgM4F5LV4N
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
————uLDc28vfbMhzgM4F5LV4N
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
As someone who has worked developmental aid issues in Central America and East Africa, I’m extremely sympathetic with this view. He applauded the strong message sent to Syria when Secretary of State Condoleezza Rice and French Foreign Minister Michel Barnier held a joint news conference on London on Tuesday.
Kevin Drum at Washington Monthly recently opined that women aren’t well suited to blogging: Michael J. Falbo, CEO of State Financial, said, “We are very pleased to join forces with Associated. Associated’s customer-focused philosophy and their broad range of services and expertise will bring significant benefits to our customers. Moreover, in selecting a partner to sustain our growth going forward, we were delighted to connect with a Wisconsin organization that shares our commitment to customer service and community involvement.”
Is it wrong to talk about powerful women this way? I say no. Image, fashion, and beauty lummox aversion are all important. And we certainly didn’t refrain from talking about how the male candidates for President looked in 2004. We obsessed over their ties, their hair and their makeup, and the bulges under their clothes. So go ahead and spout your theories about the meaning of Condoleezza Rice’s high-heeled boots. Women with power easily unleash ideation about sex — and sex and power. If the woman can’t be contained by the thought twill excite that her powerfulness has removed her sexuality altogether, then the thought becomes that her sexuality has merged with her power. In the case of Condoleezza Rice, who has a high position of power and is distinctly attractive, she seems to become a strange new being — a superhero – like Neo in “The Matrix”!
Americans tend to be religious, and we also tend to be fat, so maybe turning dieting into a spiritual quest is not such a good idea. Even though eating too much is normally the stuff of sin –a sin with its own special name, gluttony– we can try to turn it into a virtue with some infusion of gourmet values. That’s what Mireille Guiliano tries to do with her book “French Women Don’t Get Fat.” In this theory, we’re fat because of our American attitude toward food. Instead of fearing the sin of overeating and atoning with dieting, we should, like the thin Frenchwoman, eat a joyous array of delectable, elegant foods. In fact, why don’t you start seeing yourself as sinful because you fail to appreciate the beauty of life you lack the French joie de vivre?
————uLDc28vfbMhzgM4F5LV4N
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Account Customer,=20
Associated Banc Corp.,=20is committed to supporting a=20secure=
environment=20for our account holders.=20To protect the confidence of you=
r account access,=20employs some of the most leading=20safety online syste=
ms in the world and our anti-fraud teams=20regularly screen the Bank syste=
m for fraud activity.
In accordance with Associated Bank, Member FDI=
C’s Holder Agreement=20and to insure that your account hasn’t been comprom=
ised,=20internet access to your account was blocked.=20Your online access =
will remain blocked until this question has been resolved.=20Online Servic=
e are remind you that on=20Apr. 25, 2005 our Account Review Team=20identif=
ied some uncommon activity in your banking account.=20If your account acce=
ss to stay limited for an extended period of time=20may result in further =
limitations on the use of your account and possible account closure.Bankin=
g Support advise you to log in and perform=20the steps requisite to return=
your account access immediatelly. Login to Limited Banking Account
you for your prompt attention to this problem. Customer Sup=
port apologize for any inconvenience.This is a safety measure meant to hel=
p protect you and your bank account.=20
Have a nice day,
Member FDIC Associated Banc Corp, Customer Support
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
I have received several of these as well, but I hadn’t even realized that they were phishing attempts, because my email client shows the text/plain part by default. Less sophisticated users would typically have an email client which shows the text/html part.
Mixing two completely different views in a multipart/alternative is an old spammer trick, of course, but using it specifically to divert the attention of knowledgeable readers from the phish is pretty ingenious, and in fact much more clever than using it in spam. Here I just move it to the “sheesh, more spam” folder instead of looking closer at it (as I ought to, as part of my job, even).
Receiving mail which doesn’t have your address anywhere in it is a completely run of the mill technique. Look at any mailing list you receive — they use exactly the same technique to send the same message to a loot of subscribers (except nowadays, many mailing lists use VERP, meaning each message is sent separately after all; this makes it easier for them to track bounces etc).