Anti-Phishing Working Group - Stop Phishing and Email Scams

Anti-Phishing Working Group

Home

Phishing Archive

APWG News

Membership

Contact Us

APWG Sponsors:

AOL - "AOL Billing Center"
10-Mar-2004

Summary

Email title:	na (Note - this phish reported via website discovery by Internet Identity)
Scam target:	AOL customers
Email format:	na
Sender:	na
Sender spoofed?	na
Scam call to action:	"Please follow these 4 quick steps to validate your information, then click "Submit Information""
Scam goal:	Getting victim's identity, credit card, ATM pin, and AOL account information
Call to action format:	Web form
Visible link:	http://www.aol-billing.net
Website:	http://www.aol-billing.net - still active as of 14-Mar-04

E-mail

This phishing attack was not identified via an email attack
It was identified as the result of scanning for trademark-infringing website and domain names

Web Site

Visible link:	http://www.aol-billing.net
Resolved URL:	http://www.aol-billing.net - still active as of 14-Mar-04
Webform data sent to:	http://www.alia.org.au/cgi-bin/mail.pl

Very professional site - it opens with a security statement popup
The web form used to capture identity, credit card, and account information is very professional, providing the kind of detail that one would normally expect from AOL
Once information is submitted, it is sent to http://www.alia.org.au/cgi-bin/mail.pl. This site is owned by the Australian Library Information Association, and returns an error message saying use of this script is not permitted from an external site
Note that there is phishing attack against eBay that uses the identical web form, branded with eBay rather than AOL - check it out

Visible link:

http://www.aol-billing.net

Resolved URL:

http://www.aol-billing.net - still active as of 14-Mar-04

DNS Lookup:
aol-billing.net ALL record

Domain	Type	Class	TTL	Answer
aol-billing.net	NS	IN	172800	yns1.yahoo.com
aol-billing.net	NS	IN	172800	yns2.yahoo.com

WHOIS info:
aol-billing.net

AOL-BILLING.NET

Server Type:
Website Status: Active
Reverse IP: Web server hosts 66142 websites (reverse ip tool requires free login)
IP Address: 66.218.79.170 (ARIN & RIPE IP search)
IP Location: United States - California - Sunnyvale - Yahoo!
Record Type: Domain Name
Monitor: Monitor or Backorder
Wildcard search: 'aol-billing' or 'aol billing' in all domains.
Other TLDs: .com .net .org .info .biz .us X X X X X X
Name Server: YNS1.YAHOO.COM YNS2.YAHOO.COM
ICANN Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created: 16-sep-2003
Expires: 16-sep-2004
Status: ACTIVE

Domain Name.......... aol-billing.net
Creation Date........ 2003-09-16
Registration Date.... 2003-09-16
Expiry Date.......... 2004-09-16
Organisation Name.... Colleen Perkins
Organisation Address. 1801 beach street
Organisation Address. centralia
Organisation Address. 98531
Organisation Address. WA
Organisation Address. UNITED STATES
Admin Email.......... zum@zum-cs.net

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com

WHOIS info:
zum-cs.net

ZUM-CS.NET

Website Status: not active
Record Type: Domain Name
Monitor: Monitor or Backorder
Wildcard search: 'zum-cs' in all domains.
Other TLDs: .com .net .org .info .biz .us X [5 available domains]
Name Server: DNS9.REGISTER.COM DNS10.REGISTER.COM
ICANN Registrar: REGISTER.COM, INC.
Created: 10-sep-2003
Expires: 10-sep-2005
Status: REGISTRAR-HOLD

WHOIS results for alia.org.au

Domain Name: alia.org.au
Last Modified: 14-Aug-2002 02:13:33
UTC Registrar ID: R00013-AR
Registrar Name: Enetica
Status: ok

Registrant: Australian Library Information Association
Registrant ID: OTHER N/A

About Us | Contact Us