Comcast - 'Comcast account reactivation'
07-Apr-2005

Summary
Email title: 'ATTENTION: Comcast account reactivation !!! ID: <some random letters here>'
Scam target: Comcast customers
Sender:

SebastianMareygrossness@comcast-support.biz

Sender spoofed/hidden? No
Scam goal: Obtaining the victim's Comcast username/password, credit card information and address.
Phish link method: a 'Click Here' type link
Link 'masked'? Yes
Visible link: 'To update your account click here'
Actual link to: http://comcast-database.biz/
Phish site IP: 66.113.136.225
 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview
 
This attack uses a dangerous combination of clever spam tactics in the email and a 'socially engineered' domain name.
 
E-mail
 
The email looks quite plain; there are no logos or legitimate-looking material:

The informal look is meant to trivialize the event and make the eventual victim less concerned.

Two things in the email are clever. First, the 'ID' in the subject is simply random text, so every copy of the message differs. Second, the message body contains 'invisible' text (set to the background color), which only shows up when it is selected:

 
 
All this is done to break up the message text and make it harder for a spam filter to block.
 
Web Site
Visible link: 'To update your account click here'
Actual link to: http://comcast-database.biz/
Phish site IP : 66.113.136.225
 
The site itself uses a domain name that strongly suggests 'comcast.com'. Yet the lack of a security certificate and of an HTTPS session is a visible clue that something is wrong:
 
 
After the initial 'log in', two separate pages ask in turn for information. First, the contact information:
 
 
And then, the credit card information:
 
 

The credit card number is checked using a publicly available formula that is used for initial credit card validation. It rejects a random bogus number, but accepts a bogus number that complies with the formula.
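The formula referred to is the Luhn (mod 10) checksum. The Python below is an added illustration, not code from the original analysis or from the phishing site, showing why passing the check proves nothing: the checksum only catches typos, so a fabricated number that satisfies it is accepted just like a real one. The sample numbers are constructed for the example; 4111 1111 1111 1111 is a well-known test pattern, not a live card.

```python
"""Luhn (mod 10) checksum, the public formula used for initial card-number screening.

Added example for the APWG write-up above; not the phish site's own code.
"""


def luhn_valid(number: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum.

    The check detects single-digit typos and most adjacent transpositions.
    It says nothing about whether the card exists, is active, or belongs
    to the person typing it.
    """
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card_number(raw: str) -> bool:
    """Coarse form-side screening as the phish site does it (assumed behaviour):
    strip separators, require 13-19 digits, then apply the Luhn checksum."""
    cleaned = raw.replace(" ", "").replace("-", "")
    return cleaned.isdigit() and 13 <= len(cleaned) <= 19 and luhn_valid(cleaned)


if __name__ == "__main__":
    samples = {
        "random bogus number": "1234 5678 1234 5678",   # constructed, fails Luhn
        "Luhn-valid test pattern": "4111 1111 1111 1111",  # constructed, passes Luhn
        "single-digit typo": "4111 1111 1111 1112",      # constructed, fails Luhn
    }
    for label, value in samples.items():
        print(f"{label:24s} {value} -> accepted={looks_like_card_number(value)}")
```

The point for defenders is that the site's 'validation' is purely cosmetic: the only data it gets is whatever the victim types, so the Luhn check serves to make the fake form look legitimate and to weed out obviously fake entries from curious visitors.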

After that, a logout screen will be displayed:

 
 
WHOIS data (for IP 66.113.136.225):

Sponsoring Registrar: AAAQ.COM, INC.
Sponsoring Registrar IANA ID: 451

Registrant ID: HW5862055SS
Registrant Name: Scott Schoenfeld
Registrant Address1: 15 Orsaf Lane
Registrant City: bayville
Registrant State/Province: NJ
Registrant Postal Code: 08721
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.7322691076

Name Server: B.DNS.HOSTWAY.NET
Name Server: A.DNS.HOSTWAY.NET
Created by Registrar: AAAQ.COM, INC.
Domain Registration Date: Wed Mar 30 20:32:33 GMT 2005
Domain Expiration Date: Wed Mar 29 23:59:59 GMT 2006