
Verizon - 'Billing Error'
20-Sep-2004

Summary
Email title: 'Billing Error'
Scam target: Verizon account holders
Email format: HTML e-mail (the code of the message can be found here)
Sender:

"Verizon Team" <help@verizon.com>

Sender spoofed? Yes
Scam call to action: 'The credit card we have on file for your Verizon Internet service was declined when we attempted to bill you on 09/15/2004 for your most recent service fees. For this reason, your service could be suspended. Please visit our Account Information pages... and update your credit card information as soon as possible.'
Scam goal: Getting victim's credit/debit card information, SSN, contact information (name, phone number, address, etc.)
Call to action format: URL link
Visible link: http://account.verizon.com
Called link:

http://24.232.147.238/verizon-wireless.com/cgi-bin/session.id=4839485434839384850603923384958493928594=mail_address_display_billing_information =485949328458493920034945869543098654309865943098/

Phish website on IP: 24.232.147.238
 
E-mail
 
Verizon customers have joined the phishers' target list. This phish is not the most dangerous out there, but it is not the most harmless one either. The e-mail you receive is simple and believable:
 
 
The sender and the real URL behind the link are spoofed, so you have little chance of exposing the scam at this stage (unless you look at the HTML source code of the message).
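As an added example (not part of the original archive entry), here is a small Python check of the kind a mail filter could run over the HTML source. It flags anchors whose visible URL differs from the real target, whose target is a raw IPv4 address, or whose path begins with a hostname-like directory. The sample body is constructed from the visible link and IP listed above, with the path shortened; the function and reason names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")  # dotted-quad literal used as host
# Heuristic: first path component looks like a domain and is used as a directory.
HOST_IN_PATH = re.compile(r"/[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}/", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return [(href, [reasons])] for links whose target contradicts what is shown."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        url = urlsplit(href)
        target = (url.hostname or "").lower()
        # Only compare when the visible text is itself written as a URL.
        shown = (urlsplit(text).hostname or "").lower() if "://" in text else ""
        checks = [("visible-host-mismatch", bool(shown) and shown != target),
                  ("raw-ip-target", bool(IPV4.fullmatch(target))),
                  ("hostname-in-path", bool(HOST_IN_PATH.match(url.path)))]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample: one benign link, one link shaped like the phish in this entry.
SAMPLE = ('<p><a href="http://www.verizon.com/index.html">Verizon home</a> '
          '<a href="http://24.232.147.238/verizon-wireless.com/cgi-bin/">'
          'http://account.verizon.com</a></p>')

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE):
        print(href, reasons)
```

All three checks are heuristics: legitimate mail sometimes links through redirectors or IP-addressed hosts, so treat a hit as a reason to inspect the message, not as proof.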
 
Web Site
 
The phish site's login screen looks nice. All of its links point to the legitimate Verizon website, except the 'next' button:
 
 
The main phish page demands a lot of information from the potential victim, which should be suspicious. The URL in the address bar also looks phishy:
 
 
You may try to enter a bogus CC number, but the phish will tell you it is not valid. This could make you believe this is a legitimate transaction. In fact, the rules for CC number validation are available to the public, so a phisher can check whether the entered number is within the valid range of numbers. It CANNOT, however, check whether the number is the given person's CC number. You are safe as long as you don't enter your real CC number.
 
More info on credit card number validation can be found here: http://www.beachnet.com/~hstiles/cardtype.html
 
This scam is hosted on a server in an IP range designated to the 'Latin American and Caribbean IP address Regional Registry'. This most probably indicates a South American host, and we believe more scams will come from there in the near future.
 
WHOIS data:

OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Potosi 1517
City: Montevideo
StateProv:
PostalCode: 11500
Country: UY

ReferralServer: whois://whois.lacnic.net

NetRange: 24.232.0.0 - 24.232.255.255
CIDR: 24.232.0.0/16
NetName: LACNIC-24-232-0-0
NetHandle: NET-24-232-0-0-1
Parent: NET-24-0-0-0-0
NetType: Early Registrations, Transferred to LACNIC
Comment: This IP address range is under LACNIC responsibility for further
Comment: allocations to users in LACNIC region.
Comment: Please see http://www.lacnic.net/ for further details, or check the
Comment: WHOIS server located at whois.lacnic.net
RegDate: 2003-05-13
Updated: 2003-06-18