De : <support@usbank95160147.com>
Répondre à : <support.4176582.85739.20147834@notify.usbank.com>
Envoyé : lundi 1 mai 2006 06:02:18
À : <admin edit - removed personal address for protection>
Objet : RE: message! - 9896284443

| | | Boîte de réception

MIME-Version: 1.0
Received: from wave ([222.252.70.181]) by bay0-mc3-f14.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 4 May 2006 08:25:15 -0700
Received: (qmail 6602 by uid 318); Mon, 1 May 2006 12:02:18 +0700
Received: from wave (222.252.70.181) by wave with SMTP;
Received: (qmail 6602 by uid 318); Mon, 1 May 2006 12:02:18 +0700
X-Message-Info: txF49lGdW421yJw8Zvv7kgBrc8oPlTbTVz0FBW1cNxA=
Delivered-To: <admin edit - removed personal address for protection>
Return-Path: <admin edit - removed personal address for protection>
X-OriginalArrivalTime: 04 May 2006 15:25:15.0905 (UTC) FILETIME=[F1C75710:01C66F8E]


Dear Member USBank

This is your official notification from company that the service(s)

listed below will be deactivated and deleted if not renewed immediately.

Previous notifications have been sent to the Billing Contact assigned to

this account. As the Primary Contact, you must renew the service(s) listed

below or it will be deactivated and deleted



EXPIRATION: May 6




https://www.usbank.com/InternetBanking/RequestRouter?requestCmdId=DisplayLoginPage


Sincerely,


============================================================ ====

This Alert was sent according to your settings (<admin edit - removed personal address for protection>). ============================================================ ====



Need help? Use "Site Helper" or call customer service at 1.800.576.7645.

Please do not "Reply" to this Alert.

©2006 Financial Group. All rights reserved

US Bank is based in California, I believe. There have been some recent spoof sites of US Bank, and I suspect this is probably fraudulent as well. The link at the bottom of the page is possibly a phishing link.

Be wary of any email that threatens to close, deactivate, or charge you a fee if you don't click a link and "confirm" or "login" or "enter some personal/billing data". That's a sure sign of phishing. Real merchants/banks may remind you that the credit card you have on file with them is due to expire, but they don't threaten to close your account over it. And banks you have accounts with have your phone number and snail mail address, they don't need to threaten.

Strangley enough the web site appears legitimate and the link doesn't redirect to something like another site entirely. The domain is owned by US Bank and has been since 1995. There are three things that are fishy about it that I see. One is that it looks like a typical phishing email. Two, the return address is to a free email provider, not usbank.com. Three, the 800 phone number as far as I can tell is not listed.

The link probably did redirect to some other place, but that didn't stay when it was copied into the forum.

Could be a phisher got sloppy and forgot to change the URL so it would redirect to the actual phishing site, which I've seen once or twice.

Additionally, if that was an HTML email and it's copied/pasted here, you wouldn't be able to see the redirect here in the forum. Just when you hover your mouse over it in the original mail. In the original mail, it might look more like this.

<a href="http://www.evilphishingserver.com">https://www.legitbanklinkhere.com</a>

What you would see (and copy/paste) would be the legit bank link. If you visited it from the HTML mail by clicking the link, you would go to the phishing site.

Hopefully I'm making some sense there...

The link probably did redirect to some other place, but that didn't stay when it was copied into the forum.
WHEN I RECEIVE A SCAM MAIL I PUT IT ON THE FORUM AS SOON AS I OPEN MY MAIL BOX TO CHECK MY MAIL.

I found the actual redirect link in a newsgroup:

http://www.customers-usbank.com/internetBanking/RequestRouter%2525frequestCmdId%3DDisplayLoginPage

customers-usbank.com is not US Bank in spite of it's similarity. It seem to be shut down. Can't find a whois listing, perhaps because it's too recent.

Classic phishing scam.