newest phishing scam, how do they do that?

geepondy

Flashlight Enthusiast
Joined
Apr 15, 2001
Messages
4,896
Location
Massachusetts
So I get a Verizon email, saying there is a problem with my account and they want me to click on a Verizon link to correct. First clue, the grammar is poor, obviously not written by a native USA resident. But when I click on the link, it very briefly comes up with a link that says something containing ~mike.index, etc., but then the web address is quickly replaced by a www22verizon etc., listing which looks legit. Of course they then ask for your account number including pin, credit card info etc.

Before when I had clicked on the PayPal scam links, although the page might look legit, the web address was not a paypal.com listing so I'm wondering how this particular Verizon phishing scam comes up with what appears to be a valid Verizon web address?
 

Ken_McE

Flashlight Enthusiast
Joined
Jun 16, 2003
Messages
1,688
geepondy said:
So I get a Verizon email, ... the web address is quickly replaced by a www22verizon etc., listing which looks legit. ... so I'm wondering how this particular Verizon phishing scam comes up with what appears to be a valid Verizon web address?

Easy. Somebody sat down and tried registering Verizon1.com, Verizon2.com, Verizon3.com, and kept on going until they found a combination that has "Verizon" in the address but the actual company never bothered to register. They register it, put up a clone of a real Verizon page, fiddle with it to suit their needs, and out go the emails.

If they're good, they will have sent a copy to every real Verizon address there is, they only need a few suckers to profit. I've noticed phishers like to use weekends and holidays to run these things, probably because the big ISPs are running with minimal staff, so the fake site will stay up longer before they do something about it.

For another example look at:

http://www.candlepowerforums.net/

Some webscum have set up a fake Candlepower forums to take advantage of people looking for the real forum.
 

James S

Flashlight Enthusiast
Joined
Aug 27, 2002
Messages
5,078
Location
on an island surrounded by reality
Yup, they combined the www and verisign without the period, so what you're really entering is:

www.www22verisign.com

When you put it that way, it's quite obvious that it's fake, but you can leave the www off almost any address now, so you might not realize that you were visiting a fake address if you didn't know that.

The important thing to take away from all this is that if there is a link to click to log on, it's a phishing scam. There are no 2 ways about it. If they have a "click here" link, it's fake. Always, 100% of the time.
 

geepondy

Flashlight Enthusiast
Joined
Apr 15, 2001
Messages
4,896
Location
Massachusetts
Ok, I grabbed the first link before it changes.

http:FAKE!//64.31.129.6:81/~mike/index.html
Edited and put fake in there so nobody would access by accident but maybe somebody knows how to identify the origin of site.

Can anybody identify where that originates?

James, I don't see any verisign, so to me it initially appears as a legit site. Here is the address that the mike one listed above quickly translates to.

http://(FAKE!)www22.verizon.com.update.billverizon.net/welcome/bill_form.html

I just edited and put fake in the address so nobody would access by accident.

With these fake web addresses, I would think they must originate from some sort of legit ISP with a registered user, why can't they trace these out and prosecute the originator?
 

BB

Flashlight Enthusiast
Joined
Jun 17, 2003
Messages
2,129
Location
SF Bay Area
The link actually translates to:

http://...billverizon.net/...

The rest up front is to confuse the user into thinking that they are on a real verizon server "www22.verizon.com...."

Created on .............Sun Dec 24 01:33:08 2006
Expires on .............Mon Dec 24 01:33:08 2007
Record last updated on .Sun Dec 24 01:31:42 2006
Status .................LOCK

Create, spam, get money, scram... ASAP.

-Bill
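
Added example, not part of any post in this thread: a short Python check that reads a hostname from the right, the way DNS does, to find the domain that was actually registered. The suffix set is a small constructed stand-in for the full Public Suffix List, and the function names are illustrative.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: tiny constructed suffix set. Real code needs the full
# Public Suffix List (publicsuffix.org) to handle every TLD correctly.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# The two addresses quoted in the thread, with the scheme defanged (hxxp).
SAMPLES = [
    "hxxp://64.31.129.6:81/~mike/index.html",
    "hxxp://www22.verizon.com.update.billverizon.net/welcome/bill_form.html",
]

def registrable_domain(host):
    """Return the domain someone actually registered, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # tries the longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None

def check_link(url, brand_domain):
    """List reasons a link claiming to be brand_domain looks wrong."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.port not in (None, 80, 443):
        findings.append(f"non-standard port {parts.port}")
    try:
        ipaddress.ip_address(host)
        # A bare IP has no registered name to compare against at all.
        return ["ip-literal host"] + findings
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg == brand_domain:
        return findings
    findings.append(f"registered domain is {reg or 'unknown'}")
    if ("." + brand_domain + ".") in ("." + host):
        findings.append("brand domain used as subdomain labels")
    brand = brand_domain.split(".")[0]
    if reg and brand in reg.split(".")[0]:
        findings.append("brand name embedded in another registration")
    return findings

if __name__ == "__main__":
    for url in SAMPLES + ["https://www.verizon.com/"]:
        print(url, "->", check_link(url, "verizon.com") or "no findings")
```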
 

light_emitting_dude

Flashlight Enthusiast
Joined
Oct 23, 2006
Messages
1,171
Location
Ohio
I have been receiving e-mails from my banks regarding new federal requirements concerning https and secure connections. I have noticed when logging in to PayPal and such the address bar is yellow colored. Maybe this is a new way to battle this phishing scam. Actually all of my account login pages have a yellow address bar. I think it is called advanced secure sign-in.

IE7 does have an option to report bogus or phishing internet addresses also.
 

greenLED

Flashaholic
Joined
Mar 26, 2004
Messages
13,263
Location
La Tiquicia
light_emitting_dude said:
I have been receiving e-mails from my banks regarding new federal requirements concerning https and secure connections.
...and have been receiving e-mails from banks where I have no accounts. :green: I wonder if they'd let me make a withdrawal... :lolsign:
 

Kiessling

Flashaholic
Joined
Nov 26, 2002
Messages
16,140
Location
Old World
The once shiny and free internet is now a dirty and rotten place. :green:
And it summons anger and the will to do things to humans that are best left unspoken.
 

3rd_shift

Flashlight Enthusiast
Joined
Mar 9, 2004
Messages
3,337
Location
DFW. TX. U.S.A. Earth
It's interesting what people will do to each other when not face to face.
Not too many of these phishers, or scammers would do well in a boxing ring imho. :touche:
 

AlexGT

Flashlight Enthusiast
Joined
Jan 15, 2001
Messages
3,651
Location
Houston, Texas
The site is still up! I had a chance to test Norton Internet Security's anti-phishing feature, it immediately showed a fraudulent website sign on the browser. Cool!

AlexGT
 

ViReN

Flashlight Enthusiast
Joined
Apr 3, 2004
Messages
3,078
Location
CPFReviews.com
I accidentally clicked the link, .... and what I see is the image below....

Now...One more reason to use FireFox 2.0
phish.gif
 

geepondy

Flashlight Enthusiast
Joined
Apr 15, 2001
Messages
4,896
Location
Massachusetts
Finally, back in the land of broadband after visiting relatives in 28.8k dial up country....

I just clicked on the link again and did not get the suspected forgery message. Then I looked at my Firefox security settings and under the "tell me if the site is a suspected forgery" setting, the default check off was "check using a downloaded list of suspected sites". I unchecked that and checked the other option "check by asking Google about each site I visit". Then it displayed the same message that Viren just posted. Is the "check by using google" option indeed better than the "check using a downloaded list" option? But yeah the site is still up.
 

Empath

Flashaholic
Joined
Nov 11, 2001
Messages
8,508
Location
Oregon
Rando, your post has been removed. We do not wish to engage in a dispute with an authorized domain holder, simply because their domain differs at the top domain level and involves a similar topic.

The philosophy that governs the use of whois data includes the following conditions.

By submitting a Whois query, you agree to abide
by the following terms of use: ..................The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign.
 

BB

Flashlight Enthusiast
Joined
Jun 17, 2003
Messages
2,129
Location
SF Bay Area
As somebody who is always worried about privacy--I am not keen on uploading all of my URL's to Google to check.

I did use this site www.siteadvisor.com for awhile with the FireFox plug-in (ranks on spaminess website, drive by downloads, etc.)--worked pretty well (Siteadvisor is now owned by McAfee)--but I eventually decided my privacy was worth more.

They also have a FAQ on the issues of Internet search engine results and the "safety" of the links provided:

Search Result Safety

As you can guess, adult searches give about 2x the amount of questionable websites... And certain searches will give about 50% results for problematic links:

Rank  Search Term        % Red/Yellow Results
1     bearshare          53.3%
2     rotten.com         53.1%
3     free screensavers  53.0%
4     winmx              52.0%
5     screensavers       48.2%
6     limewire           46.2%
7     kazaa              45.8%
8     free ringtones     44.3%
9     ringtones          43.8%
10    lime wire          42.7%

-Bill
 