AOL - 'You've Got (2) Pictures@AOL.com'
10-Jan-2005

Summary
Email title: 'You've Got (2) Pictures@AOL.com'
Scam target: AOL customers
Sender: Mcs39@aol.com
Sender spoofed/hidden? No
Phish 'punch line': 'Another AOL member has sent you (2) picures! Enter here to view your photo album'
Scam goal: Getting victim's AOL username/password
Phish link method: 'Click here' type link
Link 'masked'? Yes
Called link: http://search.aol.com/aolcom/redir?src=websearch&requestId=e244a572381a910e&clickedItemRank=3&userQuery=pictures&clickedItemURN=http://akfhdkfadsdfa.info/signin
Actual link to: http://akfhdkfadsdfa.info/signin
Phish website IP: 200.176.136.136

 
E-mail
 

This AOL phish has been around for quite a while now, in a few variations. It keeps a low profile by not demanding a lot of personal information, which makes it easier to slip by. It also uses a more original 'bait' than most of the phish out there:

 
 
The other interesting twist is the link used. It goes through an AOL redirect rather than linking directly to the phish site, so the visible part of the link starts with a genuine AOL hostname and the phish URL is much harder to spot.
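A mail filter or analyst script can catch this kind of masking by looking inside the query string. The following is an added example, not part of the original report: it flags any query parameter (not only `clickedItemURN`) whose value is an absolute URL on a different site than the visible host. The function names and the two-label `site_of` comparison are assumptions of this sketch.

```python
from urllib.parse import urlsplit, parse_qsl

# Called link copied from the report above.
CALLED_LINK = ("http://search.aol.com/aolcom/redir?src=websearch"
               "&requestId=e244a572381a910e&clickedItemRank=3&userQuery=pictures"
               "&clickedItemURN=http://akfhdkfadsdfa.info/signin")

def site_of(host):
    """Last two DNS labels, lowercased. Simplification: a production check
    should use the Public Suffix List (e.g. for names under co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def embedded_urls(url):
    """Yield (param, value) for query parameters whose decoded value is
    itself an absolute http(s) URL, i.e. a possible redirect target."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        try:
            inner = urlsplit(value)
        except ValueError:          # malformed value, not a usable URL
            continue
        if inner.scheme in ("http", "https") and inner.hostname:
            yield name, value

def masked_redirects(url):
    """Return findings where the host a reader sees differs from the site
    the link can hand off to."""
    visible = urlsplit(url).hostname or ""
    findings = []
    for name, target in embedded_urls(url):
        real = urlsplit(target).hostname
        if site_of(real) != site_of(visible):
            findings.append({"param": name, "visible_host": visible,
                             "real_host": real,
                             "plain_http": urlsplit(target).scheme == "http"})
    return findings

if __name__ == "__main__":
    for finding in masked_redirects(CALLED_LINK):
        print(finding)
```

Because `parse_qsl` percent-decodes values, the same check also catches a target that has been URL-encoded inside the redirect parameter.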
 
Web Site
Called link: http://search.aol.com/aolcom/redir?src=websearch&requestId=e244a572381a910e&clickedItemRank=3&userQuery=pictures&clickedItemURN=http://akfhdkfadsdfa.info/signin
Actual link to: http://akfhdkfadsdfa.info/signin
Phish website IP: 200.176.136.136

 
The phish site is well designed, but the URL in the address bar is clearly not derived from AOL.com:
 
 

It is also an 'http' URL, not an 'https' one - which is very suspicious, given it is a login screen.

After accepting the information entered, the site will redirect to a user homepage.

The phish server itself is located in Brazil. It hosts other phish scam sites, too.

 
WHOIS information (for IP 200.176.136.136):

IP Location: - Brazil - Rio Grande Do Sul - Porto Alegre

Domain ID:D7971593-LRMS
Domain Name:AKFHDKFADSDFA.INFO
Created On:27-Oct-2004 21:43:08 UTC
Last Updated On:10-Nov-2004 17:19:19 UTC
Expiration Date:27-Oct-2005 21:43:08 UTC
Sponsoring Registrar:R183-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C7294884-LRMS
Registrant Name:nancy jones
Registrant Organization:none
Registrant Street1:39 s crenshaw
Registrant City:beverly hills
Registrant State/Province:CA
Registrant Postal Code:90210
Registrant Country:US