
Earthlink - 'Verify your billing information at Earthlink.'
11-Oct-2004

Summary
Email title: 'Verify your billing information at Earthlink.', various other subjects.
Scam target: Earthlink customers
Email format: HTML email, containing a single image linking to the phish site.
Sender: EarthlinkAccounting Supporting <27790@rotario.com>

Sender spoofed? No
Scam call to action: 'We've encountered a problem due to the fact that we could not verify the data that you provided... To verify your information please follow the link...'
Scam goal: Getting victim's Earthlink username/password, credit card and bank account information, SSN.
Call to action format: Image link
Visible link: https://start.earthlink.net/track?billing.asp
Called link: http://218.22.141.202/2/index.html
Phish website hosted on: 218.22.141.202
 
E-mail
 
This phish is being spread both as an email and as an IM message. Both are essentially an image linking to a phish site:
 
 
So this is not a text-and-graphics message, but a single image linking to the phish site. The sender is not spoofed; a hijacked email address is used instead. This should raise suspicion.
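The warning signs described in this report (a body that is only a linked image, a link that goes to a bare IP address, and a brand name sent from an unrelated domain) can be checked mechanically by a mail filter. The Python below is an added example, not part of the original report; the function names and the sample HTML are constructed, and `earthlink.net` is assumed as the brand domain based on the visible link.

```python
import ipaddress
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _Body(HTMLParser):  # collects link targets, the image count and visible text
    def __init__(self):
        super().__init__()
        self.hrefs, self.images, self.text = [], 0, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text.append(data)


def is_ip_literal(url):
    """True when the URL's host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def phish_indicators(from_header, html, brand, brand_domain):
    """Return which of the report's warning signs a message shows."""
    body = _Body()
    body.feed(html)
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    found = set()
    if body.hrefs and body.images and not "".join(body.text).strip():
        found.add("image-only-body")  # links and images, but no readable text
    if any(is_ip_literal(h) for h in body.hrefs):
        found.add("link-to-ip-literal")
    if brand.lower() in display.lower() and not (
            domain == brand_domain or domain.endswith("." + brand_domain)):
        found.add("brand-name-from-foreign-domain")
    return found

# Constructed sample modelled on this report; the image reference is a placeholder.
SAMPLE_FROM = "EarthlinkAccounting Supporting <27790@rotario.com>"
SAMPLE_HTML = '<a href="http://218.22.141.202/2/index.html"><img src="cid:placeholder"></a>'
```

Because the lure text lives inside the image, a filter that only compares anchor text with the link target sees nothing to compare, which is why the image-only check is scored on its own.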
 
Web Site
The phish site, though it looks nice, has some weak spots. First, there is no login screen: the phish site asks directly for your information. And it is a lot of information:
 
 
As you can see, the sheer amount of personal financial detail demanded is disturbing. Another clue is the contents of the address bar:
 
 
This is not hidden from you in any way, and the fact that it has nothing to do with earthlink.com is quite alarming.
 
Phish server DNS/WHOIS information:
WHOIS data (for IP 218.22.141.202), 'Asia Pacific Network Information Centre' (apnic.com) database:

inetnum: 218.22.0.0 - 218.23.255.255
netname: CHINANET-AH
descr: CHINANET Anhui province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: JW89-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-AH
status: ASSIGNED NON-PORTABLE
changed: hostmaster@ns.chinanet.cn.net 20010528
changed: hm-changed@apnic.net 20040927
source: APNIC