Earthlink - 'EarthLink Account Expired - Update Now'
26-Oct-2004

Summary
Email title: 'Your membership will be cancelled'
Scam target: Earthlink customers
Email format: HTML email
Sender: Earthlink Security <admin@earthlink.com>
Sender spoofed? No
Scam call to action: 'It has come to our attention that your EarthLink Billing information's records are out of date...Please click here to update your billing records'
Scam goal: Getting the victim's credit card information, contact information (name, address, phone number, etc.), and earthlink.com username/password.
Call to action format: URL link
Visible link: 'http://manager-earthlink.com'
Called link: 'http://manager-earthlink.com'
Phish website IP: 64.74.96.244
E-mail

This phish is part of a recent phish wave directed at Earthlink customers. It is quite probable that the whole campaign comes from a single source (a single group of people).

The phish message is a very plain one:

[Screenshot: the phish e-mail]

As you can see, this does not really look like an official message from earthlink.com. The sender address is on the earthlink.com domain, but addresses on that domain are easy to obtain. The link is not deceptive in any way, but the URL itself is well chosen. And this phish, being aimed at the less aware part of the user base, does not need more.
Web Site
Visible link: 'http://manager-earthlink.com'
Called link: 'http://manager-earthlink.com' - the phish URL is not hidden in any manner
Phish website IP: 64.74.96.244

The phish website looks really nice. The URL is not hidden here, either:

[Screenshot: the phish website's login page]

And it really is close enough to, let's say, 'manager.earthlink.com': something completely acceptable to most users. Remember, phishers do not try to fool computer gurus; the effort won't pay off. They are after the mass of overly gullible users.

After 'logging in', the phish site displays its main page:

[Screenshot: the phish site's main page]

It does not run any validation check on what you enter (except for the expiration date, and whether the credit card fields are non-empty), so it accepts any bogus information, as it accepted our bogus 'credit card'. The URL in the address bar remains the same. That is one of the two most important clues of phishing, along with the site not being a secure (HTTPS) one.

A standard looking logout screen appears next:

[Screenshot: the logout screen]

This phish is a good illustration of the con-style phish: a URL closely matching the legitimate one is chosen, and the site is made generally believable.

Again, the two most important clues of phishing here are the mentioned URL and the lack of security on the site (indicated by the lack of a lock icon in the lower right corner of the status bar in IE, for example).
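The two clues above (a look-alike domain such as 'manager-earthlink.com' standing in for 'manager.earthlink.com', and a site served without HTTPS) can be checked mechanically on any link before it is clicked or when mail is filtered. The following Python is an added example, not part of the APWG report or any Earthlink tooling: it assumes a hand-maintained table of protected brand domains (here only earthlink.com), uses a simplified "last two labels" notion of the registrable domain instead of the Public Suffix List, and is exercised on the report's own URL plus constructed variants.

```python
"""Added example (not from the APWG report): flag the phishing clues the
report describes for a link found in an e-mail.

Assumptions (not from the report):
  * LEGIT_DOMAINS is a hand-maintained table of brand -> legitimate domain.
  * registrable_domain() is a simplification (last two DNS labels); a real
    checker would consult the Public Suffix List.
"""
from urllib.parse import urlparse

# Assumed: the brands we protect and the domains they legitimately use.
LEGIT_DOMAINS = {"earthlink": "earthlink.com"}


def _parse(url: str):
    """Parse a URL, assuming http:// when no scheme is present."""
    return urlparse(url if "://" in url else "http://" + url)


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_genuine(host: str, legit: str) -> bool:
    """True when host is the legitimate domain or a real subdomain of it
    (manager.earthlink.com), not a look-alike (manager-earthlink.com)."""
    host = host.lower()
    return host == legit or host.endswith("." + legit)


def assess_link(visible_text: str, href: str) -> list:
    """Return the list of clues found for a link. Empty list means no clue.

    Clues reported (mirroring the report):
      not-https            - the site is not served over HTTPS (no lock icon)
      lookalike-domain:... - brand name embedded in a host the brand does not own
      href-mismatch:...    - the visible link text names a different host
    """
    findings = []
    target = _parse(href)
    host = (target.hostname or "").lower()

    if target.scheme != "https":
        findings.append("not-https")

    for brand, legit in LEGIT_DOMAINS.items():
        if is_genuine(host, legit):
            continue
        # Substring match catches hyphenated and concatenated look-alikes
        # (manager-earthlink.com, earthlink.com.example.net, ...).
        if brand in host:
            findings.append(f"lookalike-domain:{registrable_domain(host)}!={legit}")

    # Only treat the visible text as a URL when it looks like one; prose such
    # as "click here" must not be parsed as a host name.
    text = visible_text.strip()
    if "." in text and not any(c.isspace() for c in text):
        shown = (_parse(text).hostname or "").lower()
        if shown and shown != host:
            findings.append(f"href-mismatch:{shown}->{host}")

    return findings


if __name__ == "__main__":
    # The link from the report, visible text identical to the href.
    print(assess_link("http://manager-earthlink.com", "http://manager-earthlink.com"))
    # Constructed variant: visible text shows the genuine host, href does not.
    print(assess_link("http://manager.earthlink.com", "http://manager-earthlink.com"))
    # Constructed genuine link for comparison.
    print(assess_link("https://manager.earthlink.com", "https://manager.earthlink.com"))
```

The substring test is deliberately aggressive: it would also flag a host such as 'myearthlinkpage.com', which is the right default for a mail filter protecting a brand. The mismatch check covers the case the report notes as absent here (a visible link that differs from the called link), so the same function is useful for phish that do hide their URL.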

Phish server WHOIS information

WHOIS data (for IP 64.74.96.244)

Domain address: 64.74.96.244
Domain name: MANAGER-EARTHLINK.COM

Registrant Contact:
James Greenough (warlord@inorbit.com)
+1.2106795574
Fax: -
1716 Creek Knoll
San Antonio, 78253
US