Verizon- 'Update your Verizon billing profile'
28-Oct-2004

Summary
Email title: 'Update your Verizon billing profile'
Scam target: Verizon customers
Email format: HTML email
Sender: custservice@verizon.com
Sender spoofed? Yes
Scam call to action: 'This is a repeat request, failure to reply will lead to termination of your the account and/or additional service fees... Please see the Billing Update page... and confirm your payment details instantly to prevent the occurence of additional service fees'
Scam goal: Getting the victim's credit card information, contact information (name, address, phone number, etc.), wamu.com username/pass.
Call to action format: URL link
Visible link: http://www.verizon.com/us/cgi-bin/vzf.php?sid=FWVSs2Mm&jRJ=7175086&vid=Vze3jcdb
Called link: http://200.114.156.78/us/cgi-bin/vzf.php?sid=FWVSs2Mm&jRJ=7175086&vid=Vze3jcdb
Phish website IP: 200.114.156.78
 
E-mail
 
This phish message is part of the latest wave (mostly targeting Earthlink, MSN, etc.) which uses a fairly good address bar forgery. But first, the e-mail message itself:

The message does not come with any Verizon logo or legal footer, which would be unusual for a legitimate institution. The sender and the URL link, however, look quite convincing: they are both spoofed.
 
Web Site
Visible link: http://www.verizon.com/us/cgi-bin/vzf.php?sid=FWVSs2Mm&jRJ=7175086&vid=Vze3jcdb
Called link: http://200.114.156.78/us/cgi-bin/vzf.php?sid=FWVSs2Mm&jRJ=7175086&vid=Vze3jcdb
Phish website IP: 200.114.156.78
 

This is the phish website, where the actual 'phishing' takes place. A strange thing is that no login screen is displayed. Also, the padlock icon is missing from the right part of the status bar, which contradicts the 'https' in the address bar.

In fact, the address bar is forged, a tactic often used by phishers, because the strange URL in the address bar is the main clue of phishing. The forgery is implemented using a server-side program that 'overwrites' the address bar with another text window containing a legitimate-looking URL.

The way to defeat this tactic is to bring up the 'properties' page. The real URL is shown there, and it is nowhere near verizon.com:

 
 
Another trick the phishers use is to check whether the credit card number you eventually enter is valid. This is not done via any access to real financial information, but using publicly available algorithms for credit card number validation. So the site will not accept a random bogus number (unless you are very, very lucky). This can persuade the potential victim of the authenticity of the phish site.
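The public validation algorithm referred to above is the Luhn (mod 10) checksum. The following Python code is an added example, not part of this APWG report, showing the check used the way an incident responder would use it: scanning a constructed capture log from a seized phish kit for Luhn-valid card numbers, so that genuine victim submissions can be separated from junk entries. The function names and the sample log are assumptions of this example; the card numbers in it are industry test numbers.

```python
import re
from typing import List

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes, as a victim might type them into the phish form.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum.

    The checksum only weeds out typos and random digits; it says nothing
    about whether a card is real, active or funded.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit and double every second one.
    for idx, d in enumerate(reversed(digits)):
        if idx % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid digit runs found in free text, digits only."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample of what a kit's capture log might look like
# (hypothetical format; the card numbers are test numbers, not real accounts).
SAMPLE_LOG = """\
victim=jdoe cc=4111 1111 1111 1111 exp=03/06
tester=me cc=1234567890123456 exp=01/05
victim=asmith cc=5500-0000-0000-0004 exp=12/07
"""

if __name__ == "__main__":
    for n in find_card_numbers(SAMPLE_LOG):
        print("Luhn-valid candidate:", n)
```

The second line of the sample log (an investigator's own test entry) is rejected by the checksum, which is exactly why a kit's validation check makes random bogus input fail.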
 
Phish server WHOIS information:
WHOIS data (for IP 200.114.156.78)

OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Potosi 1517
City: Montevideo
StateProv:
PostalCode: 11500
Country: UY

ReferralServer: whois://whois.lacnic.net

NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200
NetHandle: NET-200-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: SEC3.APNIC.NET
NameServer: NS2.DNS.BR
RegDate: 2002-07-27
Updated: 2004-03-18