Password phishing emails originating from West Africa
- FrumpyBB
- Site Admin
- Posts: 65253
- Joined: Sun Apr 06, 2008 7:35 pm
- Location: Central Europe
temitopecod@gmail.com
From: Email Administrator <temitopecod@gmail.com>
Subject: WARNING: ACCOUNT TERMINATION
To: undisclosed-recipients:;
Dear Valued User,
We received a message from you requesting for your account termination, please ignore this message if the request was from you. Your account would be deleted from our system in the next 24hrs.
(Note: All mails in your inbox, spam, draft, and sent items would be terminated, and access to your account would be denied.)
Click on the cancel request if the message wasn't from you.
CANCEL REQUEST ow.ly/hFLN300C0bP <= evil link, means: no clicky no!! Don'tcha click this!
Cancel the termination request to keep enjoying Yahoo!
Thanks,
Yahoo
Please try your best to block ALL your scammer's still incoming messages and calls!
What is all this? => The FAQ
The scammers vs. Why is "he" still doing it?
Why is alerting the man in the pictures DANGEROUS?
Please click why confronting my scammer is terribly wrong

- FrumpyBB
- Site Admin
- Posts: 65253
- Joined: Sun Apr 06, 2008 7:35 pm
- Location: Central Europe
Re: Password phishing emails originating from West Africa
Unexpected Sign-In Attempt!!! ™
Return-Path: <gabija@permanentinis-makiazas.lt>
Received: from [79.98.27.100]
From: Yahoo! <gabija@permanentinis-makiazas.lt>
To: custormer_verification@yahoo.com
Subject: =?UTF-8?Q?Unexpected_Sign-In_Attempt!!!_=E2=84=A2?=
Reply-To: custormer_verification@yahoo.com
Mail-Reply-To: custormer_verification@yahoo.com
X-Sender: gabija@permanentinis-makiazas.lt
User-Agent: Roundcube Webmail/1.1.4
X-Sender: gabija@permanentinis-makiazas.lt
Dear Yahoo Mail User.
Please Your Yahoo Mail has exceeded the storage limit is 1 GB, which is defined by the administrator, you are running at 999.8 gigabytes and you can not send or receive new messages until you re-validate your mailbox.
To renew the mailbox: Click Here .redwine2jugzy.ga/Verify/Verification/index.html <= eek! No clicky no!
Privacy Policy | Customer Support
©2016 Yahoo! Inc. All Rights Reserved.
WARNING! Protect your privacy. Log-out when you are done and completely exit your browse.
IP: 79.98.27.100
Hostname: liepa.serveriai.lt
ISP: UAB Interneto vizija
Continent: Europe
Country: Republic of Lithuania
State/Region: Vilnius County
City: Vilnius
"evil linky" top level domain (.ga) is Gabon (West Africa)

- coolbreeze1975
- R.I.P.
- Posts: 13721
- Joined: Thu Nov 10, 2011 4:38 pm
- Location: Somewhere over the rainbow with a Martini, stirred, not shaken
Re: Password phishing emails originating from West Africa
Secure Message Regarding Account Security
From USBANK chasemorgan9874@outlook.com
header = Return-Path: <chasemorgan9874@outlook.com>
Received: from BLU004-OMC2S36.hotmail.com (blu004-omc2s36.hotmail.com [65.55.111.111])
email
According to the new security system, We would like to inform you that :
The new security updates found some errors on your online file . We have temporarily suspended your access to all of your online information.
We will take reasonable measures to ensure that your account information is available and secured,
but we are not liable for system failures or temporary service disruptions that cause Account Information to be unavailable.
We are not liable for any inaccurate or incomplete information with respect to transactions which have not been completely processed or posted using any other third party.
Please, Follow the link below in order to restore your access :
Click Here
Thank you for being a valued U.S. Bank Client
==================================
This is an automated E-mail Address . Please, Do Not reply
© 2016 U.S. Bank.

“Health is like money, we never have a true idea of its value until we lose it.” ~Josh Billings
- coolbreeze1975
- R.I.P.
- Posts: 13721
- Joined: Thu Nov 10, 2011 4:38 pm
- Location: Somewhere over the rainbow with a Martini, stirred, not shaken
Re: Password phishing emails originating from West Africa
USAA Account Resolution Required
From USAA emmatn11@ad.unc.edu
IP not in RS DB, will post to MF
104.47.32.208
header
Return-Path: <emmatn11@live.unc.edu>
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01hn0208.outbound.protection.outlook.com [104.47.32.208])
email
USAA® logo
WE'RE READY TO SERVE YOU.
USAA offers financial solutions designed to help you meet your goals throughout life.
Upon intensive reviews on your profile. We have noticed that you
need to resolve important security issues on your account to
prevent temporal deactivation. It is therefore recommended that
you complete this process. Your security is important to us.
Please click on the reference link below to resolve this issue:
https://www.usaa.com/inet/ent_logon/Logon
USAA® logo
We know what it means to serve®
Insurance Banking Investments Retirement Advice
Please do not reply to this e-mail. To contact USAA, visit our secure contact page.
1 Multiple product savings do not apply in all states or to all situations. Savings subject to change. Restrictions apply.
2 USAA Bank refunds up to $15 in other United States domestic banks' ATM usage fees each month and does not charge a fee for the first 10 ATM withdrawals. The ATM fee refund does not apply for the month in which the account is closed. Subsequent transactions will be charged $2.00 each. Transactions at ATMs located outside of the United States may not be eligible for ATM usage fee refunds. A 1% foreign transaction fee applies to withdrawals outside the United States. No ATM usage fees will be charged at USAA Preferred ATMs pursuant to an agreement with the ATM network/owners to not charge an ATM fee for USAA Bank ATM debit cards.
Bank products by USAA Federal Savings Bank, Member FDIC.
This advertisement brought to you by USAA, 9800 Fredericksburg Rd., San Antonio, TX 78288.
© 2016 USAA. 206966-0416
Please consider the environment before printing this email.
- coolbreeze1975
- R.I.P.
- Posts: 13721
- Joined: Thu Nov 10, 2011 4:38 pm
- Location: Somewhere over the rainbow with a Martini, stirred, not shaken
Re: Password phishing emails originating from West Africa
Your Account Options Have Changed
From Marty Flagler
email addy = check.now@resourcecomplexity.com
IP not in RS DB - Will post to MF
205.162.41.52
header =
Return-Path: <check.now@resourcecomplexity.com>
Received: from mailsrv4152.o-mx.com (mailsrv4152.o-mx.com [205.162.41.52])
email
Thank you for your continued interest in a new checking account.
The account options enclosed give you the opportunity to find the right fit for you and your spending habits. These accounts are designed to assist individuals in any financial situation.
Image
201W-LakeSt. Suite-111 | ChicagoIL-60606
To unsubscribe, Click Here

- coolbreeze1975
- R.I.P.
- Posts: 13721
- Joined: Thu Nov 10, 2011 4:38 pm
- Location: Somewhere over the rainbow with a Martini, stirred, not shaken
Re: Password phishing emails originating from West Africa
About Your Navy Federal Account
From Navy.Federal
email addy = sendttc-online@seconlinenav.com
ip not in rs db will post to mf
General IP Information
IP: 87.253.233.135
Decimal: 1476258183
ISP: Mailjet SAS
Assignment: Static IP
87.253.233.135
header
Return-Path: <2985553e.AEEAD6EgRR8AAAAAAAAAAAMyz0kAAAABJEsAAAAAAAbYFABXeKR0@bnc3.mailjet.com>
Received: from o135.p8.mailjet.com (o135.p8.mailjet.com [87.253.233.135])
email
Navy Federal Credit Union Security Update Notification
Home|Branches & ATMs|Contact Us
Navy Federal Security Zone
Dear Customer
It has come to our attention that your Navy Bank account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online banking experience and update your personal records you will not run into any future problems with the online service.
Log in NOW!
• Select accounts to suppress
• Access prior statements
• Receive email notifications
Products & Services • FAQs • Mobile Banking • Contact Us
Please do not reply to this email. This email is being sent from Navy Federal Credit Union at PO Box 3000, Merrifield, VA 22119-3000. For contact information, or if you have any questions about this email, please click here or call us at 1-888-842-6328.
Equal Housing Lender | APY= Annual Percentage Yield | APR= Annual Percentage Rate. © 2015 Navy Federal Credit Union. All rights reserved. Message and data rates may apply. Terms and Conditions are available. NFCU 31594-E (3-15) Federally insured by NCUA.
Unsubscribe | Privacy Policy Follow Us:
- coolbreeze1975
- R.I.P.
- Posts: 13721
- Joined: Thu Nov 10, 2011 4:38 pm
- Location: Somewhere over the rainbow with a Martini, stirred, not shaken
Re: Password phishing emails originating from West Africa
New Message From Wells Fargo
From Wells Fargo
email addy = security.system1@comcast.net
header = Return-Path: <security.system1@comcast.net>
Received: from resqmta-po-05v.sys.comcast.net (resqmta-po-05v.sys.comcast.net [96.114.154.164])
IP: 96.114.154.164
Decimal: 1618123428
Hostname: resqmta-po-05v.sys.comcast.net
ISP: Comcast Cable
Assignment: Static IP
Country: United States
State/Region: Oregon
City: Hillsboro
ip not in rs db - will post to mf
email
New Updates From Online Banking
Dear Customer,
Your Account Has been suspended due to suspicious Activities.
please verify Your Information to restore Your Account.
Click Here to Unlock Your Account
We are here to assist you anytime.
Your account security is our priority.
Thank you for choosing Wells Fargo.
- coolbreeze1975
- R.I.P.
- Posts: 13721
- Joined: Thu Nov 10, 2011 4:38 pm
- Location: Somewhere over the rainbow with a Martini, stirred, not shaken
Re: Password phishing emails originating from West Africa
RE: Your Amazon Order
From Orders
email addy = orderalerts@resourcecomplexity.com
IP not in rs db but it is the same as the one I posted in MF on Saturday.
email
Thank you for your purchase!
You have been selected to receive a $50 Amazon gift card for answering the very brief survey/questions in the link below:
COMPLETE AMAZON SURVEY HERE >

Is it $50 or $55?

- coolbreeze1975
- R.I.P.
- Posts: 13721
- Joined: Thu Nov 10, 2011 4:38 pm
- Location: Somewhere over the rainbow with a Martini, stirred, not shaken
Re: Password phishing emails originating from West Africa
Important Message From U.S.Bank Online
From U.S.Bank
email addy = US.BANKOnline@comcast.net
ip not in rs db - I will post to MF
IP: 69.252.207.35
ISP: Comcast Cable
Type: Broadband
Assignment: Static IP
header = Return-Path: <us.bankonline@comcast.net>
Received: from resqmta-ch2-03v.sys.comcast.net (resqmta-ch2-03v.sys.comcast.net [69.252.207.35])
email
Dear Valued Client :
Our system has detect login attempt error while login in to your online banking account. We have temporarily suspend your account and your access to online banking and will be restricted if you fail to update.
To proceed verifying your account information, please click on the link below then follow the instructions that will be required.
Sign in to Online Banking
- coolbreeze1975
- R.I.P.
- Posts: 13721
- Joined: Thu Nov 10, 2011 4:38 pm
- Location: Somewhere over the rainbow with a Martini, stirred, not shaken
Re: Password phishing emails originating from West Africa
Important Message About Your Account
From Wells Fargo Online
email = jankott@hotmail.com
ip = MS
email
Dear Client,
We're confirming that you recently:
Logged in to your online banking using an unknown IP Address ,
Wells Fargo smart security system has disabled your account until further verification .
Please, Verify your information by clicking HERE
Thank you.
-------------------
This is an automated message . Please , Do Not Reply
© 1999 - 2016 Wells Fargo. All rights reserved. NMLSR ID 399801
- FrumpyBB
- Site Admin
- Posts: 65253
- Joined: Sun Apr 06, 2008 7:35 pm
- Location: Central Europe
Re: Password phishing emails originating from West Africa
From: FMail TM <amjad_zurash@hotmail.com>
Subject: FastMail.FM:
Your Incoming emails where place on hold due to the recent update on our Fa=
stmail receiving server. To get started=2C click here tinyurl.com/jfuk46l
Best TeamThe Fast mail=
ing Server

- FrumpyBB
- Site Admin
- Posts: 65253
- Joined: Sun Apr 06, 2008 7:35 pm
- Location: Central Europe
Re: Password phishing emails originating from West Africa
MOBILE BANKING LOG IN CONFIRMATION
X-Originating-IP: [86.105.18.18]
X-Authenticated-Sender: 2137127.securefastserver.com: osamaboiz
Dear user,
Important security notice, Your Account Was Accessed from Diamond Mobile App to which your email " ", is attached.
Details:
Saturday, July 9, 2016 (West Africa Standard Time)
LAGOS,NIGERIA*
If you didn't access or made this login, Kindly.
REVIEW ACCOUNT ow.ly/apwt3024sto <= phishing link, disabled!
NOTE: All apps made by DIAMOND BANK meet security standards. An action is required so as not to leave your account vulnerable.
Diamond Bank keeps you instantly informed about login activities on your account.
Your online security is our priority, Thank you for your continued patronage.
The Information contained and transmitted by this E-MAIL is proprietary to Diamond Bank and/or its Customer and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from a disclosure under applicable law.
If this is a forwarded message, the content of this E-MAIL may not have been sent with the authority of the Bank. Diamond Bank shall not be liable for any mails sent without due authorisation or through unauthorised access.
If you are not the intended recipient, an agent of the intended recipient or a person responsible for delivering the information to the named recipient, you are notified that any use, distribution, transmission, printing, copying or dissemination of this information in any way or in any manner is strictly prohibited.
If you have received this communication in error, please delete this mail and notify us immediately at info@diamondbank.com.
IP: 86.105.18.18
Hostname: hosted-by.securefastserver.com
ISP: +++ Transit Imports
Organization: +++ Transit Imports
Continent: Europe
Country: Netherlands
State/Region: South Holland
City: Naaldwijk

- FrumpyBB
- Site Admin
- Posts: 65253
- Joined: Sun Apr 06, 2008 7:35 pm
- Location: Central Europe
Re: Password phishing emails originating from West Africa
Return-Path: <support@xplornet.com>
Received: from newfly.net (bs7-dallas.accountservergroup.com [184.172.55.146])
(Authenticated sender: grantmckinney@xplornet.ca)
From: support@xplornet.com
</p>Dear Customer,(
)</p>
<p>=C2=A0Due to recent upgrades on our servers; Your 5 ( Five ) incomin=
g mails are on hold. Please validate below to retrieve your email...</p>
<p>Visit Help Center to <a href=3D"room303.kickme.to">Get Starte= > Do not even think of clicking this!
d</a></p>
<p><br />We are sorry for the inconvenient.</p>
<p><br />Sincerely,<br />
The Fastmail team<br /></p>
</body>
</html>
IP: 184.172.55.146
Hostname: bs7-dallas.accountservergroup.com
Organization: SoftLayer Technologies
bad IP, been used in scams before

- FrumpyBB
- Site Admin
- Posts: 65253
- Joined: Sun Apr 06, 2008 7:35 pm
- Location: Central Europe
Re: Password phishing emails originating from West Africa
Return-Path: <carolgoodwin951@btinternet.com>
Received: from rgout0203.bt.lon5.cpcloud.co.uk (rgout0203.bt.lon5.cpcloud.co.uk [65.20.0.202])
X-Junkmail-Premium-Raw: score=11/50,refid=2.7.2:2016.7.19.155418:17:11.235,ip=,rules=__HAS_FROM,
__FRAUD_WEBMAIL_FROM, __HAS_REPLYTO, __FRAUD_WEBMAIL_REPLYTO, __HAS_MSGID,
__SANE_MSGID, INVALID_MSGID_NO_FQDN, __MIME_VERSION, __CT,
__CTYPE_HAS_BOUNDARY, __CTYPE_MULTIPART, __CTYPE_MULTIPART_MIXED,
__HAS_X_PRIORITY, MISSING_HEADERS, __REPLYTO_SAMEAS_FROM_ADDY,
__REPLYTO_SAMEAS_FROM_ACC, __REPLYTO_SAMEAS_FROM_DOMAIN,
__KNOWN_FREEWEB_URI2[tinyurl.com/jfuk46l [tinyurl.com] [tinyurl.com]],
__ANY_URI, __PHISH_SPEAR_URI, __URI_WITH_PATH, __MAL_TELEKOM_URI,
__URI_NO_MAILTO, __URI_NO_WWW, __URI_IN_BODY, __HTML_AHREF_TAG, __HAS_HTML,
BODYTEXTP_SIZE_400_LESS, BODYTEXTP_SIZE_3000_LESS, BODY_SIZE_3000_3999,
BODYTEXTH_SIZE_10000_LESS, __MIME_HTML, HTML_90_100, BODY_SIZE_5000_LESS,
__FRAUD_WEBMAIL, __PHISH_SPEAR_STRUCTURE_1, KNOWN_FREEWEB_URI,
PRIORITY_NO_NAME, __PHISH_SPEAR_STRUCTURE_2, BODY_SIZE_7000_LESS,
TO_MALFORMED, NO_URI_HTTPS
Received: from webmail40.bt.ext.cpcloud.co.uk (10.110.12.1) by rgout02.bt.lon5.cpcloud.co.uk (8.6.122.06) (authenticated as carolgoodwin951@btinternet.com)
From: Email Alert <carolgoodwin951@btinternet.com>
Subject: FastMail:
X-Client-IP: IPv4[154.118.3.149] Epoch[1468949080439] <== Lagos, Nigeria
Your Incoming emails where place on hold due to the recent update on our Fastmail receiving server. To get started, click here tinyurl.com/h55q4ec << eecky evil linky!!
Best Team
The Fast mailing Server

- FrumpyBB
- Site Admin
- Posts: 65253
- Joined: Sun Apr 06, 2008 7:35 pm
- Location: Central Europe
Re: Password phishing emails originating from West Africa
Return-Path: <carolgoodwin951@btinternet.com>
Received: from webmail36.bt.ext.cpcloud.co.uk (10.110.12.2) by rgout04.bt.lon5.cpcloud.co.uk (8.6.122.06) (authenticated as carolgoodwin951@btinternet.com)
From: Email Alert <carolgoodwin951@btinternet.com>
Reply-To: carolgoodwin951@btinternet.com
X-Client-IP: IPv4[154.118.12.151] Epoch[1469570081739] Lagos, Nigeria
FastMail:
Email Alert <carolgoodwin951@btinternet.com>
Jul 26 (2 hours ago)
From: Email Alert <carolgoodwin951@btinternet.com>
Your Incoming emails where place on hold due to the recent update on our Fastmail receiving server. To get started, click here tinyurl.com/gkpecxs
Best Team
The Fast mailing Server
