Monday, February 20, 2006

Phishing Bad Examples

I harped on this during my talk at RSA on phishing, and so did Aaron Emigh of Radix Labs (but he had way cool screenshots, so his ranting was more effective). Phishing Bad Examples are e-mail and website communications from companies which are pretty much indistinguishable from phishing messages -- they contain ratholes of redirects, obfuscated links, SSL in the wrong places, and strange third-party cousin domains.

Today, I got what I think is a phishing e-mail. But, thanks to this current state of affairs, I can't be 100% sure. It claims to come from Cox Communications, my cable ISP, and it hit me today, which is in line with my billing cycle. Except it addresses me by the wrong name, and gives me a link to some crazy domain I've never heard of.

So, those are the marks against. But I can't tell for certain because while the web site is still there, it doesn't actually ask me for any account information (just tells me to call them), it doesn't attempt to deliver any malware or exploits or anything, and the site kind of looks like a legit mass-mailing marketing company.

The disturbing part is that it was addressed to my super-secret e-mail address that I use for paying ebills through my bank, instead of my normal address or any of my spam-collection addresses. (I get lots of spam these days.)

So, if it's real, it's a terrible Bad Example of how not to do e-mail updates. If it's fake, it's probably a polling message to determine liveness of e-mail addresses (it comes with a web bug to confirm receipt, too) to phish me later, and the attacker in this case is working with insiders or has otherwise compromised Cox's operational security.

I've already informed Cox. We'll see how it turns out. If you'd like to check out the web site, it's at:
http://sdm3.rm04.net/servlet/Mail
View?ms=NDY5NTcwS0&r=MjM0MTYwMjUyOQS2&
j=MTA2ODAxMDQS1&mt=1

The URL above is wrapped on purpose, so you'll have to cut and paste. The info there is a real hash identifier -- substituting random values gives an error-ish response. Note that this site may well be operated by the Mafia, so don't go there unless you know what you're doing and you're properly sandboxed and all that.
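As an added, defender-side example (not code from the original post), the following Python checks one message for the indicators described above: links to a third-party "cousin" domain that differs from the From domain, an obfuscated link whose visible text is a different URL than its real href, and a 1x1 image web bug that confirms receipt. The sample message and every domain in it are constructed placeholders, not the real addresses.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

def registered_domain(host):
    """Crude registered domain: the last two labels (adequate for .com/.net)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class _LinkParser(HTMLParser):
    # Collects (href, visible text) of <a> tags and the src of 1x1 <img> web bugs.
    def __init__(self):
        super().__init__()
        self.links, self.webbugs, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src") and (a.get("width"), a.get("height")) == ("1", "1"):
            self.webbugs.append(a["src"])
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw_message):
    """Return the indicators that fired for one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message)
    # Domain of the claimed sender, taken from the From header's address part.
    sender_domain = registered_domain(msg.get("From", "").rpartition("@")[2].rstrip(">"))
    parser = _LinkParser()
    parser.feed(msg.get_payload())
    found = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) != sender_domain:
            found.append(f"link to third-party domain {host}")
        if text.startswith("http") and urlparse(text).hostname != host:
            found.append(f"obfuscated link: shows {text} but goes to {host}")
    for src in parser.webbugs:
        found.append(f"web bug: 1x1 image fetched from {urlparse(src).hostname}")
    return found

# Constructed sample modelled on the post's message; all domains are placeholders.
SAMPLE = """\
From: Billing <billing@example-isp.com>

<a href="http://sdm3.example-mailer.net/servlet/MailView?ms=ABC">http://www.example-isp.com/billing</a>
<img src="http://sdm3.example-mailer.net/pixel.gif" width="1" height="1">
"""
```

A message from a company that mails from its own domain, links only to that domain and carries no tracking pixel yields an empty list; the sample above trips all three checks.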
