Saturday, March 29, 2008

Beware of "false warnings" from ISPs: a new kind of "phishing"

There is a new kind of “phishing” scam that readers should know about. This affects individuals who have hosting accounts and domains (where they own the domain name) on any number of larger hosting companies: Network Solutions, Yahoo!, Verio, etc. It’s possible that the scheme may focus on those who also have AOL mail.

An email arrives claiming that the target person’s account has had unusual activity and has been “locked down”. It uses a lot of industry jargon (such as “POP”) and is likely to talk about undeliverable emails. It gives a link to reactivate the account and a phone number, and claims that the sender has already called the account owner.

This appears to be another scheme to get personal information and credit card numbers. Furthermore, it may be an attempt to get access to the person’s hosting account and use it for illegal purposes, for which the person could be legally responsible. The email may have a link that still appears legitimate when hovering the cursor over it.

Although these sorts of emails claiming to be from banks and the IRS are well known and common, this is the first time I’ve seen spam emulating an ISP.

Anyone who owns a domain and uses a hosting account should first verify that the account really is locked. It’s advisable to check that the site is functioning and to view the email queues, as well as bandwidth statistics (as with Urchin). It’s likely that the domain owner will not find any problems. In any case, the owner should not click on the link, but should call the ISP, which will probably direct the owner to forward the email to the ISP’s abuse department. The abuse department will be listed on the WHOIS entry for the account.
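The checks described above (a sender domain that is not quite the provider’s, a link whose visible text looks legitimate but points elsewhere, and the jargon and urgency in the body) can be scripted against the raw message before anyone clicks anything. The following is an added example written for this post, not code from the original article or from any ISP; the sample message is constructed, and every domain and phone number in it is a placeholder. The `registrable_domain` rule (last two labels) is a deliberate simplification, and a real triage tool would consult the Public Suffix List instead.

```python
"""Triage a "your hosting account is locked" e-mail for the phishing indicators above."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the hosting provider's real domain (placeholder, not a real provider).
LEGITIMATE_DOMAIN = "examplehost.com"

# Constructed sample in the style the post describes; all domains and the phone
# number are placeholders, not real senders or sites.
SAMPLE_EMAIL = b"""From: "Abuse Desk" <support@examplehost-secure.com>
To: owner@customer-domain.example
Subject: Your hosting account has been locked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unusual activity was detected on your POP mailbox and several messages
were undeliverable. Your account has been locked down.</p>
<p>Click <a href="http://examplehost-secure.com/reactivate">https://account.examplehost.com/reactivate</a>
to reactivate, or call 555-0100.</p>
</body></html>
"""


class AnchorParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' rule (assumption; a real tool uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain, legit):
    """True when the domain is not the provider's but borrows or nearly matches its name."""
    if domain == legit:
        return False
    d_label, l_label = domain.split(".")[0], legit.split(".")[0]
    return l_label in d_label or edit_distance(d_label, l_label) <= 2


def triage(raw, legit_domain=LEGITIMATE_DOMAIN):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender domain: the provider's, a lookalike, or something else entirely?
    sender_dom = registrable_domain(msg["From"].addresses[0].domain)
    if sender_dom != legit_domain:
        if looks_alike(sender_dom, legit_domain):
            findings.append(f"lookalike sender domain: {sender_dom} (provider is {legit_domain})")
        else:
            findings.append(f"sender domain is not the provider: {sender_dom}")

    # 2. Links: visible text that looks like the provider's URL but an href that is not.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    parser = AnchorParser()
    parser.feed(text)
    for href, shown in parser.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text shows {shown_host} but the href points to {href_host}")
        if registrable_domain(href_host) != legit_domain:
            findings.append(f"link leads off the provider's domain: {href_host}")

    # 3. Pressure and jargon cues from the body text (a crude keyword match).
    lowered = text.lower()
    cues = [w for w in ("locked", "unusual activity", "undeliverable", "pop") if w in lowered]
    if cues:
        findings.append("urgency/jargon cues: " + ", ".join(cues))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, the script reports the lookalike sender domain, the mismatch between the link’s visible URL and its actual target, the off-provider destination, and the pressure cues. None of these alone proves fraud, which is why the post’s advice to verify the account directly and call the ISP still stands; the script only decides whether the message deserves that call.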

A possible theory, though speculative, is that an attacker could want to create hoaxes and "harass" an ISP or some of its subscribers, without doing "real harm". Even so, that would probably be a crime, petty as it is, and still prosecutable (at the federal level, in some cases as a felony) under the CAN-SPAM Act of 2003, for sending multiple emails with falsified headers that are commercial or appear to be commercial. A literal reading of the Act suggests that even a single such email can be cause for civil action, injunctive relief, and damages.

The APWG's Phishing Activity Trends Report gives some figures: about 1.5% of phishing incidents in Dec. 2007 involved ISPs as the marks. There have been recent problems with persons trying to get personal information from AOL subscribers, and these emails somehow get past AOL's spam filters; there was also a problem like this back in the 1990s when AOL was the most conspicuous ISP.


Judith said...

Can you show me an example of such an email?

Bill Boushka said...

It would come from a domain name similar to your ISP but might be spelled differently (check the spelling on a "WHOIS" list like It might claim that your site has violated its AUP or had "unusual activity." It might claim that your site is locked down, but when you go to it, you find it is working normally (that's a real tip off). It might come in the middle of the night, and yet have an employee name of someone who would not be working a night shift. It might give a non-working phone number to call. There are a lot of "symptoms" to look for!