
SANS ISC: Spot the Phish: Verizon Wireless - Internet Security | DShield SANS ISC InfoSec Forums


Spot the Phish: Verizon Wireless

We have seen a couple of reports recently of pretty well-done Verizon Wireless phishing attempts. At this point, I haven't gotten one with the target site still up, so they may try to install malware instead of just asking for Verizon credentials.

Update: Paul just wrote in that he caught some of the links still active, and indeed they are trying to install malware and don't ask for credentials. And fellow handler Pedro notes that the malware is a Blackhole exploit kit that will try to install Zeus.

See if you can spot the fake one. The answer is below the images.

[Image: fake Verizon e-mail] [Image: real Verizon email]

The left one is the fake. The only giveaway is that the fake e-mail doesn't include the partial account number, and typically indicates a large bill > $1,000 (at least large for me). I assume the large amount is supposed to cause panic clicking.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3630 Posts
ISC Handler
We've started getting phishing emails that are exact duplicates of legitimate marketing-type emails. A typical one is for those webinars that are really sales attempts.

The interesting thing is the emails really are a duplicate of the real one, except for the Unsubscribe link. That is the one that's booby-trapped. All of the other links go to the real site.

I got one and said to myself "Grrr. I already clicked your stupid Unsubscribe link last week. Pay attention this time!" And then I saw the mouseover of where it really was going, a .cn domain.
Anonymous
You meant the LEFT one is FAKE - right?
Bullwinkle

4 Posts
The right one, or the left one is the fake?
Steven

1 Posts
Images are switched (the one on the right is legitimate)....
Steven
1 Posts
Also, naming the images "fakeverizon.png" and "realverizon.png" makes it hard to actually take the test without already knowing the answer!
Anonymous
I fixed the left vs right issue. Yeah, the name kind of gives it away ;-)
Johannes

3630 Posts
ISC Handler
Holy cow, the phishers are finally learning to copy/paste existing HTML messages? I can't believe it has taken them this many years to figure out....
Paul

44 Posts
I would have to examine the two personally to be sure which is the fake.
We're seeing many phishing emails that are well crafted, pretending to be from numerous financial institutions, cable companies, and others. Often the links are the only giveaway.
Paul
7 Posts
For those of you interested in digging deeper, here is a link to Wepawet analysis: http://wepawet.iseclab.org/view.php?hash=8361f063b424705ea3df42ed1fe9a5d9&type=js
Paul
1 Posts
I got this one early this morning. I am not a Verizon user, so I knew right off it was bogus, but in Thunderbird, you can click on "view message source" (or just hit ^U) to see the unrendered source text, including the headers. When did Verizon start sending notices from Brazil?
Moriah

133 Posts
Just got one of these and almost fell for it. The amount on the email was amazingly close to my normal monthly bill - within $10. My subconscious said don't do it.... I checked the link in the email and sure enough it was trying to take me to a site that was obviously compromised. Another thing that should have been a dead giveaway to me (and I am embarrassed to say I almost didn't catch it): the email was not sent to the email address that normally receives my Verizon bill. Just a heads up folks. The amounts are getting smaller - the one that I received was $201.21, a friend just called me and he said that his said that the bill was $48.96. (Probably pretty close to the amount of his actual monthly bill as he is an elderly single man that only has one phone on his bill.)
Deborah

278 Posts
ISC Handler
We got hit with these a few weeks ago. The more recent (last Thursday) attack was an ADP account debit notice email.
CBob

22 Posts
Lot of good points. Now to figure out how to protect the typical, not as attentive as we are, user. Do we assume 5% of our folks will bite and just have to accept the risk?
Dean

135 Posts
We actually just got hit with an updated version of this and it looks like they may have been reading this post as they changed both fields you originally flagged in the phishing sample. As previous posters have commented this version has a lower bill amount which was $46.62 in the sample I got. However, it also includes an account number "XXXX-XX001" which I didn't see in the first samples of this which I received. Kind of interesting that the sample you posted of the legitimate email had an account number ending in 001 which is what they used as well.
Mike M

5 Posts
We have received a large rash of these for UPS. They are specifically targeted to our users with First and Last names and email addresses in the emails. My guess is they're trolling public information (Facebook, Twitter, LinkedIn, etc.) and piecing together the info plus work email addresses. The difficult thing is that most of our users are typically expecting UPS packages, and other than a mouse-over, it looks very legit. With much of the email headers being forged to look like it comes from a UPS email server (of course the last hop before our server is not legit), and using semi-innocent looking link domains like hxxp://mobilemarketingsanjose.com/ they don't stand out.
Mike M
42 Posts
We have continued to receive more of these for UPS. Additionally, we have received a number of these exact Verizon Wireless scam emails. So far they have linked to 4 different domains, but all were dated Jun 20, 2012 9:14 AM PDT (GMT-7). Some are titled "Your Verizon wireless monthly statement." and some "Verizon wireless onlnie bill." Some appear to be using compromised Wordpress blogs to host content. Others are right off the base domain in /wless.html
Mike M
42 Posts
