Steve ...

Several factors here:

The e-mail address for the scammer is either already terminated, a data 
drop addy, or one that's just not ever monitored.

I wouldn't ever encourage a previous victim to contact the scammer .. 
just saying that e-mail addy *is* valid.  That gives the scammer a valid 
e-mail addy to play with and that's not a 'good thing.'

And third, most of these victims don't have the computer knowledge to 
even begin to understand what's going on.  I've contacted them and 
they don't even know what a 'phishing scam' is.

There is a *HUGE* failure of the entire system/community in the field of 
consumer education.  Most recent publications .. including those from 
the government and consumer advocate groups .. still say that 'https' is 
safe along with the little yellow lock.

So .. the best I can do is notify the registrant and walk them thru all the 
specific 'credit protection' steps they need to follow.  You can't leave 
any of them out.  I also do the 'education' part of what to watch for in 
the future.

But .. I can't save 'em all.  I have worked with a few groups and am 
getting website info updated.  The major players, tho', are stuck in the 
mud.

ew

On 6 Jun 2007 at 16:41, Steve Pirk wrote:

> I know this is probably illegal as all get out, but I just realized
> that since the registrant info is forged, could someone not contact
> the forged victim via email and have them say "ok" to a domain
> transfer? I know this one is transfer prohibited, but on some domains
> it may not be.
> 
> Then again, maybe the "admin" could email Register.com and request a
> deletion of the domain... Ok, Steve, time to shut up :-)
> 
> --
> Steve
> 
> On Wed, 6 Jun 2007 [EMAIL PROTECTED] wrote:
> 
> >
> > On these rockphish all the registrants are forged.  They are the
> > victims of a previous ID theft phishing scam.
> >
> > It's also true for domains registered expressly for the purpose of
> > phishing .. as opposed to a hacked legit site.
> >
> > ew
> >
> > On 6 Jun 2007 at 14:43, John Holan wrote:
> >
> > >
> > > Hi
> > > Here comes the info
> > > Look at the email address for techs.
> > >
> > >
> > > Domain ID:D18267039-LRMS
> > > Domain Name:MCMACCOY.INFO
> > > Created On:05-Jun-2007 13:43:56 UTC
> > > Last Updated On:05-Jun-2007 13:55:41 UTC
> > > Expiration Date:05-Jun-2008 13:43:56 UTC
> > > Sponsoring Registrar:Register.com (R140-LRMS)
> > > Status:TRANSFER PROHIBITED
> > > Registrant ID:6A01930D5CDF7C71
> > > Registrant Name:Colin McMillan
> > > Registrant Organization:Colin McMillan
> > > Registrant Street1:402SanchezStreet
> > > Registrant Street2:
> > > Registrant Street3:
> > > Registrant City:SanFrancisco
> > > Registrant State/Province:CA
> > > Registrant Postal Code:94114
> > > Registrant Country:US
> > > Registrant Phone:+1.4158124526
> > > Registrant Phone Ext.:
> > > Registrant FAX:
> > > Registrant FAX Ext.:
> > > Registrant Email:[EMAIL PROTECTED]
> > > Admin ID:6A01930D5CDF7C71
> > > Admin Name:Colin McMillan
> > > Admin Organization:Colin McMillan
> > > Admin Street1:402SanchezStreet
> > > Admin Street2:
> > > Admin Street3:
> > > Admin City:SanFrancisco
> > > Admin State/Province:CA
> > > Admin Postal Code:94114
> > > Admin Country:US
> > > Admin Phone:+1.4158124526
> > > Admin Phone Ext.:
> > > Admin FAX:
> > > Admin FAX Ext.:
> > > Admin Email:[EMAIL PROTECTED]
> > > Billing ID:6A01930D5CDF7C71
> > > Billing Name:Colin McMillan
> > > Billing Organization:Colin McMillan
> > > Billing Street1:402SanchezStreet
> > > Billing Street2:
> > > Billing Street3:
> > > Billing City:SanFrancisco
> > > Billing State/Province:CA
> > > Billing Postal Code:94114
> > > Billing Country:US
> > > Billing Phone:+1.4158124526
> > > Billing Phone Ext.:
> > > Billing FAX:
> > > Billing FAX Ext.:
> > > Billing Email:[EMAIL PROTECTED]
> > > Tech ID:6A01930D5CDF7C71
> > > Tech Name:Colin McMillan
> > > Tech Organization:Colin McMillan
> > > Tech Street1:402SanchezStreet
> > > Tech Street2:
> > > Tech Street3:
> > > Tech City:SanFrancisco
> > > Tech State/Province:CA
> > > Tech Postal Code:94114
> > > Tech Country:US
> > > Tech Phone:+1.4158124526
> > > Tech Phone Ext.:
> > > Tech FAX:
> > > Tech FAX Ext.:
> > > Tech Email:[EMAIL PROTECTED]
> > > Name Server:NS6.1MAY-DAY.CN
> > > Name Server:NS3.1MAY-DAY.CN
> > > Name Server:
> > > Name Server:
> > > Name Server:
> > > Name Server:
> > > Name Server:
> > > Name Server:
> > > Name Server:
> > > Name Server:
> > > Name Server:
> > > Name Server:
> > > Name Server:
> > >
> > >
> > > John Holan
> > >
> > > IS Analyst
> > >
> > >
> > > -----Original Message-----
> > > From: Steve Pirk [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, June 06, 2007 10:52 AM
> > > To: [email protected]
> > > Subject: [phishing] Washington Mutual Bank US : Urgent Banking
> > > Service Email(fwd)
> > >
> > > WaMu phishing site (soon?) at:
> > >
> > > http://treasury.wamu.com.ibswamu.ssid23pyfnxrooebhd.mcmaccoy.info/
> > > conf ir m/cmserver/welcome/default/verify.cfm
> > >
> > > whois does not return anything for mcmaccoy.info, so it could be a
> > > new domain being set up, or it has already been taken down. --
> > > Steve
> > >
> > > ---------- Forwarded message ----------
> > > Return-Path: <[EMAIL PROTECTED]>
> > > Received: from amd-dfmtil7kjsn
> > >     (200.161.62.58.broad.gz.gd.dynamic.163data.com.cn
> > >     [58.62.161.200]
> > > (may be
> > >     forged))
> > >  by mail.pirk.com (8.13.7/8.12.0.Beta19) with SMTP id
> > > l56DIEMc023124
> > >  for <[EMAIL PROTECTED]>; Wed, 6 Jun 2007 06:18:15 -0700
> > > Message-ID: <[EMAIL PROTECTED]>
> > > From: "WaMu Bank US Treasury & Cash Management'2007"
> > >     <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Subject: Washington Mutual Bank US : Urgent Banking Service Email
> > > Date: Wed, 06 Jun 2007 21:17:09 +0900 MIME-Version: 1.0
> > > Content-Type: multipart/related;
> > >  type="multipart/alternative";
> > >  boundary="----=_NextPart_000_0016_01C7A880.0AAB57B0"
> > > X-Priority: 3
> > > X-MSMail-Priority: Normal
> > > X-Mailer: Microsoft Outlook Express 6.00.2900.2180
> > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> > >
> > >    [IMAGE]
> > >
> > >    Dear WaMu Treasury Management client!
> > >
> > >    Our Technical Unit is running a scheduled software upgrade.
> > >
> > >    By clicking on the link below you will start the procedure of
> > >    the client details confirmation:
> > >
> > >
> > > http://treasury.wamu.com.ibswamu.sess23pyfnxrooebhd/confirm/cmserv
> > > er/w el come/default/verify.cfm
> > >
> > >    These directions are to be mailed and followed by all
> > >    Commercial Treasury Services members of the WaMu .
> > >
> > >    WaMu USA does apologize for the inconveniences caused to you,
> > >    and is very grateful for your help.
> > >
> > >    If you are not user of the Washington Mutual US please delete
> > >    this notice!
> > >
> > >    Copyright (c) 2007 WaMu : All Rights Reserved.
> > > _______________________________________________
> > > phishing mailing list
> > > [email protected]
> > > http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
> > >
> >
> >
> 
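The hostname reported at the bottom of this thread puts `treasury.wamu.com` in front of the unrelated registered domain `mcmaccoy.info`; the following is an added example (not part of the original messages) of a check that flags that pattern. The suffix set and the protected-brand list are assumptions for illustration, and a real deployment would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "info", "cn", "org", "net", "co.uk"}
# Assumption: domains the defender wants to protect.
PROTECTED_DOMAINS = {"wamu.com"}

# Hostname taken from the report quoted in the thread (path omitted).
REPORTED_URL = "http://treasury.wamu.com.ibswamu.ssid23pyfnxrooebhd.mcmaccoy.info/"


def registrable_domain(host):
    """Return public suffix plus one label (e.g. 'mcmaccoy.info'), or None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # A bare suffix ('info') has no registrable domain.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def embedded_brands(host):
    """Protected domains that appear as a run of labels inside host
    while the host is actually registered under some other domain."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    labels = host.split(".")
    hits = []
    for brand in sorted(PROTECTED_DOMAINS):
        if reg == brand:
            continue  # genuinely under the brand's own domain
        b = brand.split(".")
        n = len(b)
        if any(labels[i:i + n] == b for i in range(len(labels) - n + 1)):
            hits.append(brand)
    return hits


def check_url(url):
    """Summarise where a URL really points and which brands it imitates."""
    host = urlsplit(url).hostname or ""
    return {"host": host,
            "registrable": registrable_domain(host),
            "embedded": embedded_brands(host)}


if __name__ == "__main__":
    print(check_url(REPORTED_URL))
```
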

