phishing attacks against ISPs (also with Google translations)

William Allen Simpson william.allen.simpson at
Wed Mar 25 18:16:14 UTC 2009

Gadi Evron wrote:
> The guy mentioned the concept of sending warning emails to customers to 
> begin with. His opinion is that it is a mistake, and only causes 
> confusion. On top of that it raises support desk costs as people call in 
>  for explanation, as well as to report new fraudulent emails they see 
> while in the past they mostly just ignored them.
The earliest warning email we sent out to customers was:

# Date: Mon, 11 Aug 2003 15:34:43 -0500
# Subject: New Virus Warning
# There is a new virus spreading around the internet. It has a subject like
# "your account" and it has the following text in it:
# > I would like to inform you about important information regarding your
# > email address. This email address will be expiring.
# > Please read attachment for details.

I don't remember an uptick in support calls after that message, but there
were plenty of calls about the phish message itself, so we hoped that
sending a warning to everybody would reduce the problems.

We'd had a user taken over, and then the account was used for so much spam
that the bounce messages totally filled the incoming mail (filter) server.

> I appreciate your feedback, I had no idea ISP phishing goes all the way 
> back to 2003.. 

Ha!  Goes back much farther than that!  The earliest I have at my
fingertips (saved email on this laptop only goes back to 1999):

# DATE: 27 Dec 00 7:43:14 PM
# SUBJECT: re: your account
That was a web phish at hxxp://

And they were obviously tracking exactly which users responded!

You'd think our customers would notice that domain wasn't us. ;-)

But even today, it's a security problem that users don't notice the URL
they're clicking, or pay attention to security warnings less subtle than
a big gray popup dialog box....

> although dictionary attacks may not be best defined that 
> way. Definition discussions are boring though.
I meant that they tried every word in the dictionary for user names, maybe
every combination of letters and numbers.

Anyway, I was wrong about the most recent one that I'd saved.  Who could
forget the especially virulent (976 Google hits):

# Date: Tue, 16 Mar 2004 10:59:13 +0100
# Subject: Important notify about your e-mail account.

Anyway, none of this helps you with researching non-English ISP phishing.
But it shows that this isn't a /new/ problem around here.

More information about the NANOG mailing list