AOL - 'Confirm AOL billing info'
20-Jul-2004

Summary
Email subject: 'Confirm AOL billing info'
Scam target: AOL customers
Distribution format: HTML email, AIM message
Sender (for the email): Various webmail senders, mostly a number combination @ server.

Sender spoofed? No
Scam call to action: 'AOL billing information is out of date. Please spend several minutes and update your billing records... Please update your billing information now...'
Scam goal: Getting victim's credit/debit card information, personal information
Call to action format: Image link
Visible link: http://www.aol.com in the status bar/tooltip
Called link: http://211.51.39.101:6180/
Phish site on: 211.51.39.101, also various other IPs, within the 'Asia Pacific Network Information Centre' range (210.0.0.0 - 211.255.255.255)
 
E-mail
 
This phish has become widespread in the past few days. As far as we know, it is also the first phish message also distributed through instant messaging (AIM). The entire message is a single image link. It uses a special trick to hide the real target URL from your status bar/tooltip. This technique is not new, but it is effective in hiding the real target URL from plain sight: the legitimate AOL URL (aol.com) is displayed instead.
 
 
Web Site
Visible link: http://www.aol.com in the status bar/tooltip
Called link: http://211.51.39.101:6180/
Phish site on: 211.51.39.101, also various other IPs, within the 'Asia Pacific Network Information Centre' range (210.0.0.0 - 211.255.255.255)
 
The site looks quite nice and legitimate:

The URL in the address bar, however, is not hidden - and this is a major clue of phishing:

Then, after 'logging in', the phish demands personal information:

And then, credit card information:

The entire time the only strong clue of being phished is the URL in the address bar. Still, this should be enough to raise the alarm. When the information is entered, a confirmation screen opens:

WHOIS data:

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET
NameServer: DNS1.TELSTRA.NET
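The indicators this report relies on (a single image link, a tooltip that shows www.aol.com while the real target is a raw IP on port 6180, and an IP inside the APNIC 210.0.0.0/7 block from the WHOIS data) can be checked mechanically when triaging a suspect HTML message. The helper below is an added example, not part of the APWG report. The message body it scans is constructed to resemble the one described; the report does not say how the status bar was spoofed, so the example only models the tooltip via the link's title attribute (an assumption), and the port and address range are taken from the report.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the message described in the report: the whole
# body is one image wrapped in a link whose tooltip (title) claims www.aol.com,
# while the href is a raw IP on port 6180. The report does not say how the
# status bar itself was spoofed, so only the tooltip is modelled here.
SAMPLE_HTML = """<html><body>
<a href="http://211.51.39.101:6180/" title="http://www.aol.com">
<img src="cid:billing.gif" alt="Confirm AOL billing info"></a>
</body></html>"""

# NetRange quoted in the report's WHOIS block: 210.0.0.0 - 211.255.255.255.
APNIC_BLOCK = ipaddress.ip_network("210.0.0.0/7")
ORDINARY_WEB_PORTS = {80, 443}


class LinkCollector(HTMLParser):
    """Collects each <a> element: its attributes, visible text and image count."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = {"attrs": dict(attrs), "text": "", "images": 0}
        elif tag == "img" and self._open is not None:
            self._open["images"] += 1

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def host_of(url):
    """Hostname of a URL, lower-cased, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def assess_link(link):
    """Return the list of phishing indicators found for one collected <a>."""
    attrs = link["attrs"]
    href = attrs.get("href", "")
    host = host_of(href)
    indicators = []

    # 1. Raw IP literal instead of a brand domain; note if it sits inside
    #    the APNIC block the report's WHOIS data points at.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        indicators.append("href host is an IP literal")
        if ip in APNIC_BLOCK:
            indicators.append("IP is inside APNIC 210.0.0.0/7")

    # 2. Service on an unusual port (the report's site used 6180).
    try:
        port = urlsplit(href).port
    except ValueError:
        port = None
    if port is not None and port not in ORDINARY_WEB_PORTS:
        indicators.append(f"non-standard port {port}")

    # 3. The clickable area is an image with no text for the reader to inspect.
    if link["images"] and not link["text"]:
        indicators.append("image-only link")

    # 4. Tooltip shows a URL whose host differs from where the link really goes.
    shown = host_of(attrs.get("title", ""))
    if shown and shown != host:
        indicators.append(f"tooltip shows {shown} but href goes to {host}")

    return indicators


def triage_message(html):
    """Map every link's href in an HTML message to its list of indicators."""
    collector = LinkCollector()
    collector.feed(html)
    return {l["attrs"].get("href", ""): assess_link(l) for l in collector.links}


if __name__ == "__main__":
    for href, hits in triage_message(SAMPLE_HTML).items():
        print(href, "->", hits or "no indicators")
```

Run against the constructed sample, every link in the message is reported with all four indicator classes; a plain text link to the real AOL host produces an empty list. Any one indicator alone is weak (legitimate mail does use image links), so the value is in the combination, which is exactly the pattern the report describes.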