AOL - 'Verify your account'
23-Dec-2004

Summary
Email title: 'Verify your account'
Scam target: AOL customers
Sender: Aol Billing Department <billing@aol.com>
Sender spoofed/hidden? Spoofed
Phish 'punch line': '...It has come to our attention that your billing informations are out of order. If you could please take 5-10 minutes out of your online experience and update your personal records so you will not run into any future problems with the online service...'
Scam goal: Getting victim's bank account and credit card information, SSN
Phish link method: URL link
Visible link: http://billing.Aol.com/
Link 'masked'? Yes
Actual link to: http://64.23.10.36/AOL/
Phish website IP: 64.23.10.36

 
E-mail
 
Another AOL phish. This one is quite well designed, but shows some significant phishing clues. First - the message:
 
 
It surely does look nice, the sender is spoofed and the link is 'masked'. The AOL logo, however, spoils the picture a bit, and can be a source of suspicion.
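The link masking noted above (visible text http://billing.Aol.com/, actual target http://64.23.10.36/AOL/) can be checked mechanically in a mail filter. The Python sketch below is an added example, not part of the original report; the sample HTML is constructed around the two URLs from the summary, and the function and reason names are hypothetical.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/:?#]\S*)?$", re.I)
# Constructed sample: only the two URLs in the first anchor come from the report.
SAMPLE = ('<p>Update: <a href="http://64.23.10.36/AOL/">http://billing.Aol.com/</a></p>'
          '<p><a href="http://www.aol.com/">http://www.aol.com/</a> '
          '<a href="http://www.aol.com/help">Help</a></p>')

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return urlsplit(url if "://" in url else "http://" + url).hostname or ""  # lowercased by urlsplit

def is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def find_masked_links(html):
    """Flag anchors whose text names another host, or whose target is a raw IP."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual, reasons = host_of(href), []
        if URL_LIKE.match(text) and host_of(text) != actual:  # text looks like a URL
            reasons.append("host-mismatch")
        if is_ip_literal(actual):
            reasons.append("ip-literal-host")
        if reasons:
            findings.append({"shown": text, "actual": actual, "reasons": reasons})
    return findings
```

On the constructed sample only the first anchor is reported, with both reasons; the two anchors that really point at www.aol.com pass.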
 
Web Site
Visible link: http://billing.Aol.com/
Link 'masked'? Yes
Actual link to: http://64.23.10.36/AOL/
Phish website IP: 64.23.10.36

 
When it loads up, the phish site surely looks nice - except the URL:
 
 

This first screen is basically a placeholder. It is there just to delay opening the phish page, emulating the delay experienced while an HTTPS-secured connection is being established.

This initial screen will hold up for about 10 seconds, before the second one comes up:

 
 

Again, the page is well designed. Yet the large amount of information requested, the suspicious URL mentioned above and the lack of any browser indication of a secure HTTPS session point towards the conclusion that this is a phish.

After eventually collecting some information, the site displays the following pop-up:

 
 
This also serves to divert attention and mimic legitimate processes. After clicking OK, the victim would be redirected to the legitimate AOL.com.
 
WHOIS information (for IP 64.23.10.36):

Location: United States - Maryland - Baltimore - Ronkonkoma Greenhouses Inc

Affinity Internet, Inc AFFINITY-64-23-0-0 (NET-64-23-0-0-1)
64.23.0.0 - 64.23.127.255
Ronkonkoma Greenhouses Inc SKWB-UURID-401 (NET-64-23-10-32-1)
64.23.10.32 - 64.23.10.47