As a security researcher, I occasionally get some interesting goodies in my old AOL inbox. This morning I received a couple of phishing scam emails purporting to be from “Norton Symantec.” The fraudulent emails claimed, in part:
"Your e-mail address was successfully upgraded with the latest Norton Antivirus update. In order to ensure your account remains active and protected to continue sending and receiving new messages, you will be required to immediately sign in again."
If a recipient of this phishing e-mail fell for the scam and clicked on the link, he or she would be taken to a page that looks like this:
Hmmm, this email claims to be from Norton, but it takes me to an AOL login screen? An AOL login screen hosted on what appears to be a hacked domain instead of at aol.com? On an unencrypted connection instead of over HTTPS? This seems more than a little suspicious.
And what exactly does it mean for an “e-mail address [to be] upgraded with the latest [antivirus] update” anyway?
Another thing that may draw suspicion from savvy AOL users is that AOL has a partnership with McAfee, not Norton.
I have to wonder whether every recipient of these phishing emails is being redirected to a fake AOL login page. Could it be that the fake AOL link is only being sent to those who received the scam email at an @aol.com address?
Out of curiosity, I browsed to the parent directory on the hacked domain hosting the fake AOL login. Here’s what I found:
Aha! There’s another directory named Norton. Let’s see what it contains:
Now that’s closer to what I had expected to see in the first place from an email claiming to be from Norton.
Both forms – the fake AOL login and the fake Norton login – appear to collect a victim’s email address and password via a PHP script and then redirect the user to AOL’s or Norton’s homepage.
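The two checks described above – the link in the mail is plain HTTP and points at a host that is not the brand’s, and the page’s login form posts credentials to a PHP handler on the same host – are the kind of thing worth scripting when triaging these kits. The following is an added example, not code from the original post: the hostname `hacked.example`, the HTML of the fake login page, and the short list of legitimate brand domains are all constructed for illustration.

```python
"""Triage helpers for a suspected phishing login page.

Added example, not code from the original post. The URL, the brand
domain list and the HTML below are constructed for illustration; the
hostname 'hacked.example' is a placeholder, not the real domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Legitimate login hosts for the brands the phishing mail invokes.
# Assumption for the example: a real deployment would keep a fuller list.
BRAND_DOMAINS = {
    "aol": ("aol.com",),
    "norton": ("norton.com", "symantec.com"),
}


def host_belongs_to(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one.

    Suffix match on label boundaries, so 'aol.com.hacked.example'
    is NOT accepted as an AOL host.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def link_indicators(url: str, claimed_brand: str) -> list:
    """Suspicious traits of a login link, as noted in the post:
    plain HTTP, and a host that is not the claimed brand's."""
    p = urlparse(url)
    findings = []
    if p.scheme != "https":
        findings.append("not https")
    host = p.hostname or ""
    if not host_belongs_to(host, BRAND_DOMAINS[claimed_brand]):
        findings.append(f"host {host!r} is not a {claimed_brand} domain")
    # A login page for one brand reached from a mail that claims another.
    for brand, doms in BRAND_DOMAINS.items():
        if brand != claimed_brand and host_belongs_to(host, doms):
            findings.append(f"host belongs to {brand}, not {claimed_brand}")
    return findings


class FormExtractor(HTMLParser):
    """Collect each <form>'s resolved action, method and input fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            })
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(
                ((a.get("type") or "text").lower(), a.get("name"))
            )


def credential_forms(page_url: str, html: str) -> list:
    """Forms on the page that collect a password; their action URL is
    where the harvested credentials go (here a .php on the same host)."""
    ex = FormExtractor(page_url)
    ex.feed(html)
    return [f for f in ex.forms
            if any(t == "password" for t, _ in f["inputs"])]


# Constructed sample: the link from the mail and the fake AOL login it serves.
PHISH_URL = "http://hacked.example/aol/index.html"
PHISH_HTML = """
<html><body>
<form action="login.php" method="post">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(link_indicators(PHISH_URL, "norton"))
    for f in credential_forms(PHISH_URL, PHISH_HTML):
        print(f["method"].upper(), f["action"], f["inputs"])
```

Note that the host check matches on label boundaries rather than on a substring, so a lookalike such as `aol.com.hacked.example` is still flagged; the form extractor resolves a relative `action` against the page URL so the `.php` handler’s full location is recorded.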
If you have fallen for this scam, be sure to change your email password immediately. If you use the same password across multiple sites, be sure to change your password at all other sites as well.
Is there somewhere else we can send spam to that will get it onto "the list"? I send it to spam@uce.gov, but is there somewhere else I should also send it? I get 20 a day, and it seems that a lot of it is repeat offenders. For whatever reason, my work address is inundated with Nigerian money scams trying to transfer money from their rich uncle who has died…. Yeah! What else can be done to stop them besides our SPAM stop, and reporting them to the FTC?
Re: What else can be done to stop them
This solution may not be helpful for your work address, but I’ll share my story. Your results may vary.
Our company moved to Gmail for email domain hosting services with Google Apps for Business a while ago. Although we barely take advantage of the Apps part of the deal, the email service is solid. We noticed a drastic drop in spam.
One consultant explained it to us as: Gmail handles so many millions of emails per hour/minute or such that when it notices grand patterns of thousands of emails all saying the same thing, it recognizes that and marks it as spam. To us (a small company), that benefit alone justifies the email hosting cost per user per year. We saved time, and get on with work.
Nice job… joshmeister!!!
Jeffrey "Mr Fixit" DuBrul
BIT (Bay Information Technology)
I always forward the ones that do get through my filters to spamcop.net, since I use their block list (as well as a few others).