Spot the Phish: Verizon Wireless

Published: 2012-06-14
Last Updated: 2012-06-14 17:16:12 UTC
by Johannes Ullrich (Version: 1)

16 comment(s)

We have seen a couple of reports recently of pretty well done Verizon Wireless phishing attempts. At this point, I haven't gotten one with the target site still up, so they may try to install malware instead of just asking for Verizon credentials. 

Update: Paul just wrote in that he caught some of the links still active, and indeed they are trying to install malware and don't ask for credentials. And fellow handler Pedro notes that the malware is a Blackhole exploit kit that will try to install Zeus.

See if you can spot the fake one. The answer is below the images.

[Images: fake Verizon e-mail (left), real Verizon e-mail (right)]

The left one is the fake. The only giveaway is that the fake e-mail doesn't include the partial account number, and typically indicates a large bill > $1,000 (at least large for me). I assume the large amount is supposed to cause panic clicking.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: phishing verizon

Comments

We've started getting phishing emails that are exact duplicates of legitimate marketing-type emails. A typical one is for those webinars that are really sales attempts.

The interesting thing is the emails really are a duplicate of the real one, except for the Unsubscribe link. That is the one that's booby-trapped. All of the other links go to the real site.

I got one and said to myself "Grrr. I already clicked your stupid Unsubscribe link last week. Pay attention this time!" And then I saw the mouseover of where it really was going, a .cn domain.
posted by JJ, Thu Jun 14 2012, 16:53
You meant the LEFT one is FAKE - right?
posted by DBoggs, Thu Jun 14 2012, 16:55
The right one, or the left one is the fake?
posted by Steven, Thu Jun 14 2012, 16:58
Images are switched (the one on the right is legitimate)....
posted by Dan, Thu Jun 14 2012, 16:58
Also, naming the images "fakeverizon.png" and "realverizon.png" makes it hard to actually take the test without already knowing the answer!
posted by Anonymous, Thu Jun 14 2012, 17:10
I fixed the left vs right issue. Yeah, the name kind of gives it away ;-)
posted by Dr. J., Thu Jun 14 2012, 17:16
Holy cow, the phishers are finally learning to copy/paste existing HTML messages? I can't believe it has taken them this many years to figure out....
posted by Paul, Thu Jun 14 2012, 18:18
I would have to examine the two personally to be sure which is the fake.
We're seeing many phishing emails that are well crafted, pretending to be from numerous financial institutions, cable companies, and others. Often the links are the only giveaway.
posted by Larry, Thu Jun 14 2012, 18:21
For those of you interested in digging deeper, here is a link to Wepawet analysis: http://wepawet.iseclab.org/view.php?hash=8361f063b424705ea3df42ed1fe9a5d9&type=js
posted by Anonymous Paul, Thu Jun 14 2012, 18:31
I got this one early this morning. I am not a Verizon user, so I knew right off it was bogus, but in Thunderbird, you can click on "view message source" (or just hit ^U) to see the unrendered source text, including the headers. When did Verizon start sending notices from Brazil?
posted by Moriah, Thu Jun 14 2012, 19:26
Just got one of these and almost fell for it. The amount on the email was amazingly close to my normal monthly bill - within $10. My subconscious said don't do it.... I checked the link in the email and sure enough it was trying to take me to a site that was obviously compromised. Another thing that should have been a dead giveaway to me (and I am embarrassed to say I almost didn't catch it) the email was not sent to the email address that normally receives my Verizon bill. Just a heads up folks. The amounts are getting smaller - the one that I received was $201.21, a friend just called me and he said that his said that the bill was $48.96. (Probably pretty close to the amount of his actual monthly bill as he is an elderly single man that only has one phone on his bill.)
posted by Deborah, Thu Jun 14 2012, 20:15
We got hit with these a few weeks ago. The more recent (last Thursday) attack was an ADP account debit notice email.
posted by cbob, Fri Jun 15 2012, 02:36
Lot of good points. Now to figure out how to protect the typical, not as attentive as we are, user. Do we assume 5% of our folks will bite and just have to accept the risk?
posted by dsh, Fri Jun 15 2012, 14:34
We actually just got hit with an updated version of this and it looks like they may have been reading this post as they changed both fields you originally flagged in the phishing sample. As previous posters have commented this version has a lower bill amount which was $46.62 in the sample I got. However, it also includes an account number "XXXX-XX001" which I didn't see in the first samples of this which I received. Kind of interesting that the sample you posted of the legitimate email had an account number ending in 001 which is what they used as well.
posted by Mike M, Mon Jun 18 2012, 17:51
We have received a large rash of these for UPS. They are specifically targeted to our users with First and Last names and email addresses in the emails. My guess is they're trolling public information (Facebook, Twitter, LinkedIn, etc.) and piecing together the info plus work email addresses. The difficult thing is that most of our users are typically expecting UPS packages, and other than a mouse-over, it looks very legit. With much of the email headers being forged to look like it comes from a UPS email server (of course the last hop before our server is not legit), and using semi-innocent looking link domains like hxxp://mobilemarketingsanjose.com/ they don't stand out.
posted by Jason R, Tue Jun 19 2012, 19:22
We have continued to receive more of these for UPS. Additionally, we have received a number of these exact Verizon Wireless scam emails. So far they have linked to 4 different domains, but all were dated Jun 20, 2012 9:14 AM PDT (GMT-7). Some are titled "Your Verizon wireless monthly statement." and some "Verizon wireless onlnie bill." Some appear to be using compromised Wordpress blogs to host content. Others are right off the base domain in /wless.html
posted by Jason R, Wed Jun 20 2012, 16:44
