phishing attacks against ISPs (also with Google translations)
William Allen Simpson
william.allen.simpson at gmail.com
Wed Mar 25 13:16:14 CDT 2009
Gadi Evron wrote:
> The guy mentioned the concept of sending warning emails to customers to
> begin with. His opinion is that it is a mistake, and only causes
> confusion. On top of that it raises support desk costs as people call in
> for explanation, as well as to report new fraudulent emails they see
> while in the past they mostly just ignored them.
The earliest warning email we sent out to customers was:
# Date: Mon, 11 Aug 2003 15:34:43 -0500
# Subject: New Virus Warning
# There is a new virus spreading around the internet. It has a subject like
# "your account" and it has the following text in it:
# > I would like to inform you about important information regarding your
# > email address. This email address will be expiring.
# > Please read attachment for details.
I don't remember an uptick in support calls after that message, but there
were plenty of calls about the phish message itself, so we hoped that
sending a warning to everybody would reduce the problems.
We'd had a user taken over, and then the account was used for so much spam
that the bounce messages totally filled the incoming mail (filter) server.
> I appreciate your feedback, I had no idea ISP phishing goes all the way
> back to 2003..
Ha! Goes back much farther than that! The earliest I have at my
fingertips (saved email on this laptop only goes back to 1999):
# DATE: 27 Dec 00 7:43:14 PM
# SUBJECT: re: your account
That was a web phish at hxxp://vaginaonline.com/a.usertrack2781.75/5/
And they were obviously tracking exactly which users responded!
You'd think our customers would notice that domain wasn't us. ;-)
But even today, it's a security problem that users don't notice the URL
they're clicking, or pay attention to security warnings less subtle than
a big gray popup dialog box....
> although dictionary attacks may not be best defined that
> way. Definition discussions are boring though.
I meant that they tried every word in the dictionary for user names, maybe
every combination of letters and numbers.
Anyway, I was wrong about the most recent one that I'd saved. Who could
forget the especially virulent (976 Google hits):
# Date: Tue, 16 Mar 2004 10:59:13 +0100
# Subject: Important notify about your e-mail account.
Anyway, none of this helps you with researching non-English ISP phishing.
But it shows that this isn't a /new/ problem around here.