REPORT SUMMARY
Date Reported
9th January 2004
Apparent Sender
Earthlink
Subject
Important Security &
Fraud Alert
From
Earthlink.net
Senders Address
(spoofed)
Earthlink Security
Dept.
(earthlink35400@
rocketmail.com)
Content
text with one
genuine link and
a 'Continue'
button
which opens a fake
Earthlink web page
(see image)
Spoofed Web page/site?
Yes
Web page/site
content
forged Earthlink web
page with web form
requiring
email
address, credit or
debit card and ATM
PIN number
Web page/site origin
SPOOFED URL
http://
myaccount.
earthlink.net
TRUE URL
http://
211.239.150.170/
password/
PasswordReset.htm
Identity Theft method
Web form
information
is captured by the
scammers using
PHP script
while
a fake password
change page
appears
More...
Latest
email
scam
Another
Bank Email Scam
See our guide to
phishing scams
Other
Resources...
See our guides to
Free Utilities...
List of
Auction Sites
Important Security & Fraud Alert From Earthlink.net - Email Scam
9th January 2004
This Earthlink Security & Fraud Alert email is a very convincing scam ...
With the suggestion that someone has attempted unauthorised access to your Earthlink account, together with the genuine Earthlink graphics (called from their own servers), this represents a very convincing scam.
The email includes a link
and a 'Continue' button (see image below). The first link to Earthlink
is a genuine one, but the 'Continue' button is not, and it will open
a forged Earthlink page with a spoofed
URL (web address shown in the
browser address bar). This means that your browser will display http://myaccount.earthlink.net in
the address bar, but the true URL of that forged Earthlink page is 211.239.150.170/
password/PasswordReset.htm which
traces back to a Korean ISP. The email itself also shows Earthlink
Security Dept. as the sender,
but this has been coded with a rocketmail address - earthlink35400@rocketmail.com.
Of-course, Earthlink do not use rocketmail for their email.
All in all, the email and forged pages have been professionally composed
using HTML, PHP and javascript.
The forged page consists of a web form for you to enter your Earthlink email address, Credit or Debit card number and ATM PIN. The data entered and submitted is then captured using PHP script.
Stay informed of the latest Spoof Email Phishing Scams with either of our FREE alert services...
Email
Alerts
Add your email address to our email alert service...
Subscribe
Privacy Policy
RSS
News Feed
Tap into our Scam Alert service using your News Reader or Aggregator (including
My Yahoo!).
Scam Alert News Feed
You can even put the latest alerts on your own web site.
FORWARD
YOUR EMAIL SCAMS
TO KU.OC.SELIMSRELLIM@FOOPS
and help us to
build awareness and
help others
Also, once the form is submitted another forged Earthlink page appears.
This is a password change form, which requests that you give your new
password. And then after that page, you will see a forged password
changed page. These two pages do not employ URL Spoofing and will show
the true URLs (http://211.239.150.170/password/change.htm and http://
211.239.150.170/
password/done.htm)
If you have received and fallen for this scam, you should immediately notify Earthlink so that they can secure your account. Contact their 'Livechat' support for an immediate response at http://support.earthlink.net/ support/LANDING/ livechat/survey.jsp
If you have received this email, please remember that it is very common for these email scams to be redistributed at a later date with only slightly different content or the same but with the fake page(s) hosted by a different provider. Also, once you have received one of these hoaxes, it is also common place to receive at least another one and usually a day or two after the first, although not necessarily from the same apparent sender.
Take a good look at the following images, because this email scam may be coming to an inbox near you!
The Email ...
The fake web page...
Please note that the URL (web address shown in the browser address bar) is spoofed and you will NOT be at the genuine Earthlink site at all...
