
America Online - 'Notice : Your account will be suspended !'
03-Dec-2004

Summary
Email title: 'Notice : Your account will be suspended !'
Scam target: AOL users
Email format: HTML email
Sender: AOL <support@aol-inc.com>
Sender spoofed? No
Phish 'punch line': '...your AOL® account information needs to be updated...If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service'
Scam goal: Getting victim's AOL username & password, credit card information, bank account information
Phish link method: URL link
Visible link: http://update.AOL.com
Actual link to: http://olyscos.com/shop/prodspics/aolcomsupport.htm
Phish website: The phish page is located on a legitimate domain - olyscos.com. The presumption is that the phishers have used some kind of malware to gain remote access to this domain.

 
E-mail
 

This phish attack illustrates a new technique being used by phishers: 'hijacking' a legitimate domain to host the phish page. The main purpose is to let the phish email slip past spam filters that rely on URL blacklists.

The term 'hijacked' is used on the presumption that the phishers have used some malware (a virus or a trojan) to gain remote access to the legitimate enterprise domain.

The phish message itself is quite plain, with no AOL logos and none of the typical legal header and footer. The sender is not spoofed, either: the domain the message comes from is close to aol.com, but it is not aol.com. The URL link is 'masked', so the real URL the link leads to is not clearly visible.

 
 
Web Site

 
The phish website demands quite a lot of information from the potential victim, but it is well designed and could be convincing.
 
 

Two things are to be noted:

  • There is no login screen;
  • The page is not a secured one (indicated by the missing lock icon in the status bar)

The URL in the address bar is also peculiar (as mentioned in the beginning).

 
 
After the information is 'phished', the page redirects to the legitimate aol.com.