Comcast users phished by Constant Guard spam lure

Naked Security reader Simcha Jessel sent us a tip about a new phishing scam targeting customers of Comcast XFINITY cable internet service.

Jessel became aware of the scam after the scammers used his Gmail address to send the scam to their intended victims. It is unclear whether his Gmail account was hacked or his address was simply forged in the email headers; both are common practices for phishers.

The emails read in part:

"Dear Comcast Customer,
The Constant Guard™ service has updated the Online Security of Comcast Users. To link your account to our new update you just need to re-login your account using the secure link bellow. The link will redirect you to our update login page. Simply login your account and the account will automaticly be updated."

The link pointed at a TinyURL which redirected victims to a compromised higher education institution website in India. Like many other sites that are compromised to host phishing pages, this one appears to have been compromised through vulnerable FrontPage server extensions.

Yes, I said FrontPage. The old Microsoft Office package used for building and publishing web sites. Microsoft discontinued support for FrontPage publishing extensions in 2006 and they have been the source of many web site vulnerabilities over the last 15 years.

The fake page is an identical copy of the real Comcast XFINITY login page, and surprisingly includes a fully functional TRUSTe logo which may lend further credibility to the site.

XFINITY phishing page

I’ve highlighted issues with services like TRUSTe before and even contacted the company for comment on what they are doing to limit fraud and ensure its seal means something. It has been over five months and I have yet to receive a reply from the company.

Always be suspicious of unsolicited emails asking you to log in and verify information, especially if they contain links to the site in question. If you believe the message may be legitimate, open a new tab in your browser and visit the site directly to confirm it.