Earthlink - 'Earthlink payment is cancelled'
02-Dec-2004

Summary
Email title: 'Earthlink payment is cancelled'
Scam target: Earthlink customers
Email format: text email
Sender: support@earthlink.com
Sender spoofed? Yes
Phish 'punch line': 'Your automatic payment was declined by your bank or credit card company. You can update your billing information or make a one-time credit card payment by answering to this email by pressing REPLY or mailing your billing details...'
Scam goal: Getting the victim's email address & password, credit card information
Phish link method: email address
Visible link: invoice-apply@earthling.net
Actual link: to invoice-apply@earthling.net
Phish website: In this case there is none. The phished information is collected at invoice-apply@earthling.net.

 
E-mail
 
This phish is purely a 'social engineering', con-style attempt. The potential victim gets a convincing plain-text message with a spoofed sender. The victim is then supposed to reply, filling in a form with the important information. The catch is that the address the reply should go to is not exactly Earthlink: it is invoice-apply@earthling.net.
 
 

Simple as it is, this phish is quite dangerous to users who lack proper, safe habits, and these people are the target group. If you are one of them, there are a few important things to remember:

  • A legitimate institution will not try to communicate any personal information via email. This will be done through an HTTPS secure session instead;
  • A legitimate institution will refer to you by your real name (by which you enrolled in their services), and not in any anonymous way;
  • Sensitive information sent via unsecured, unencrypted email is open to any attack or infiltration.
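
A check a mail filter could run for this pattern, added here as an example and not part of the original report: it compares the From domain with every domain a reply would reach (the Reply-To header and addresses in the body) and marks near-identical names as lookalikes. The sample message is constructed from the summary fields above; its Reply-To header is an assumption, since the report does not show the message headers, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample built from the report's summary fields; not the original message.
SAMPLE = """\
From: Earthlink Support <support@earthlink.com>
Reply-To: invoice-apply@earthling.net
Subject: Earthlink payment is cancelled

Your automatic payment was declined by your bank or credit card company.
Answer this email by pressing REPLY or mail your billing details to
invoice-apply@earthling.net
"""

ADDR_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def org_label(domain):
    # Simplification: label left of the TLD; real code would use the Public Suffix List.
    return domain.split(".")[-2] if "." in domain else domain

def edit_distance(a, b):
    # Levenshtein distance, one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def reply_findings(raw, max_distance=2):
    """Return (where, domain, kind) for reply targets outside the From domain."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    targets = {
        "reply-to": {domain_of(a) for _, a in getaddresses(msg.get_all("Reply-To", [])) if a},
        # Assumes a single-part plain-text message, as described in the report.
        "body": {d.lower() for d in ADDR_DOMAIN.findall(msg.get_payload())},
    }
    findings = []
    for where, domains in targets.items():
        for dom in sorted(domains - {from_dom}):
            near = edit_distance(org_label(dom), org_label(from_dom)) <= max_distance
            findings.append((where, dom, "lookalike" if near else "mismatch"))
    return findings
```

Calling `reply_findings(SAMPLE)` reports earthling.net as a lookalike in both the Reply-To header and the body; a reply address on the sender's own domain produces no finding.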
 
Web Site
Earthling.com is just a mail server (no HTTP server, so no page opens at this address). It is probable that it is either poorly guarded or trojaned by the phishers, so they can use the invoice-apply@earthling.net address.