
Sneaky E-mail Fraud Attempt

It’s bad enough that I am mass-deleting virus-generated e-mails (there were 66 this morning, about 8 hours after last night’s cleansing), but then I got one on my home e-mail account, all bedecked with formal-looking graphics. It made me suspicious….

This is what “Earthlink” supposedly said:

From: Earthlink Team <verification@earthlink.net>
Date: Tue Jan 27, 2004 1:29:19 PM America/Phoenix
To: Xxxxxxxx <Xxxxxxxxx@earthlink.net>
Subject: Urgent notification for Xxxxxxxx

During one of our regular automated verification procedures we’ve encountered a problem caused by the fact that we could not verify the data that you provided to us. Please, give us the following information so that we could fully verify your identity. Otherwise your access to Earthlink services will be closed.

To verify your information please follow this link:
https://www.start.earthlink.net/track?billing.asp

Thanks for using Earthlink.

Sincerely,
EarthLink Team.

(I use Earthlink for dialup access when I travel, and use their e-mail address for throwaway tasks, etc.)

It looked almost legit, with the logos at the top, but the request sounded odd because (a) I have had an account there for at least 6 years and have never had to verify my info except through a secure log-in to their site; (b) I pretty much verify by paying a bill every month; and (c) I could not recall seeing Earthlink using *.asp URLs before.

So I put on my detective glasses and started looking at the raw HTML source of this message. I certainly had no intention of clicking their link.

The e-mail headers caught my eye first. Most e-mail software hides or compresses this information, and there is often a great deal to examine in the full e-mail header (see this great reference, Reading Email Headers, written in plain English).

From verification@earthlink.net Tue Jan 27 21:43:13 2004
Status: U
Return-Path: <verification@earthlink.net>
Received: from hotmail.com ([81.48.158.233])
by swallow (EarthLink SMTP Server) with SMTP id 1aLzOR7ty3NZFkNoM

This suggests that while it pretends to be from “verification@earthlink.net”, it is actually coming from a hotmail account, and a traceroute on that IP runs across the Atlantic and disappears somewhere in France, where I doubt Earthlink is headquartered.

All of the images come not from an Earthlink web server but from a numerical IP address (which I was unable to trace).

Farther down is the link they really thought I would click:

<a href="https://start.earthlink.net/track?id=1o1fe84398a866372f999c983d8973e77438a993847183bca43d7ad47e
99219a907871c773400b83288987d87762c&url=http://xxx.xxx.xx.xx
:90/billing/billing.htm?session_id=849578345908543o95364b892a898374aff8490001289384
add90e93448a839457582993cde90239a90459c3849aa8374f783477346723f38923
487dd8923847a892837f783746543ff89283a439823cd948399134452&access_rights=1
&mn_ord=yes&session_id=849578345908543o9&join_session_id=783457623894098
&right_ip_ver=yes&ssl_support=yes&verificate=yes&DB=no&res=success">
https://www.start.earthlink.net/track?billing.asp</a>

(I have deliberately altered some of the session ID strings, and xxx.xxx.xx.xx is the numerical IP they are using to divert requests to.) While I am not 100% sure of this, it appears to use a rather disturbing hole in Earthlink’s web design: the link starts at an Earthlink site and then diverts the visitor to a different URL, where the information entered would be put to not-so-kind use.

From what one can see on the Earthlink Support site, all internal links are written to route through one web script, which must be tracking link clicks, and that script then forwards to another URL that is plainly visible in the link itself:

http://support.earthlink.net/track?id=1016970&add=1&url=http://webmail.earthlink.net

So one would hardly need an MIT PhD in programming to spoof a link that looks like it is going to EarthLink but is shuttled off elsewhere, unless they have some way of checking where the original link came from (likely in the session ID string stuff, which the e-mail link was also spoofing).
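As an added example (not the post’s own code, and nothing to do with EarthLink’s actual systems), here is a small Python triage script that does the two checks walked through above: it pulls the HELO name and connecting IP out of the Received header, and it unpacks a track?url= redirector to see where a link really lands. The sample header and links are constructed from the ones quoted in this post, with the session ID strings shortened and xxx.xxx.xx.xx standing in for the diverting IP as it does above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples, modelled on the headers and links quoted in the post.
RECEIVED_HEADER = ("Received: from hotmail.com ([81.48.158.233]) "
                   "by swallow (EarthLink SMTP Server) with SMTP id 1aLzOR7ty3NZFkNoM")
PHISH_LINK = ("https://start.earthlink.net/track?id=1o1fe84398a8"
              "&url=http://xxx.xxx.xx.xx:90/billing/billing.htm?session_id=8495783"
              "&access_rights=1&verificate=yes")
SUPPORT_LINK = ("http://support.earthlink.net/track?id=1016970&add=1"
                "&url=http://webmail.earthlink.net")

TRUSTED_SUFFIX = "earthlink.net"  # the domain the message claims to come from


def parse_received(header):
    """Return (helo_name, ip) from a 'Received: from NAME ([IP]) ...' line, or None."""
    m = re.search(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)", header)
    return (m.group(1), m.group(2)) if m else None


def helo_matches_sender(header, sender_domain):
    """True only if the relaying host named itself under the claimed sender domain."""
    parsed = parse_received(header)
    return parsed is not None and trusted_host(parsed[0], sender_domain)


def trusted_host(host, suffix=TRUSTED_SUFFIX):
    host = (host or "").lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def redirect_target(link):
    """If link is a .../track?url=... redirector, return the host it forwards to."""
    parts = urlsplit(link)
    if not parts.path.endswith("/track"):
        return None
    targets = parse_qs(parts.query).get("url")
    return urlsplit(targets[0]).hostname if targets else None


def link_verdict(link):
    """'ok' only when the visible host AND any redirect destination are trusted."""
    if not trusted_host(urlsplit(link).hostname):
        return "suspicious"
    dest = redirect_target(link)
    if dest is None:
        return "ok"
    return "ok" if trusted_host(dest) else "suspicious"
```

The key point is that the visible host check alone passes the phishing link; only following the url= parameter exposes the real destination.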

Anyhow, after forwarding the message and a sternly worded e-mail to Earthlink support I got a speedy response that stated:

We apologize for the confusion. We understand your concern regarding the email received.

The email you received and its corresponding web site are fraudulent, and are in no way associated with EarthLink.

We were made aware of this site recently and took immediate steps to contact the host of the site, to have it removed from service.

(Well, not quite that directly: my first message to them resulted in an auto-reply which directed me to a web form for submitting complaints, the kind of form for people who have trouble with their modem or finding the START menu. I had to reply back with some more choice words, cc’d to a few other e-mail addresses, before getting a direct response.)

Bottom line: think, think, think before you click. I suspect most casual computer users would not be so skeptical. These fraud spinners are rather clever, and it is pie-in-the-sky dreaming to wonder what this world would be like if at least a handful of them put that cleverness to positive work.

An early 90s builder of the web and blogging Alan Levine barks at CogDogBlog.com on web storytelling (#ds106 #4life), photography, bending WordPress, and serendipity in the infinite internet river. He thinks it's weird to write about himself in the third person.

Comments

  1. I am trying to respond to the urgent notice sent by earthlink. What info do you need to verify and what is the fastest way to contact you.

    rey

  2. I have been unable to access http://WWW.start.earthlink.net/track?billing.asp

    There is apparently some question about billing my account. I suspect that it has to do with a new source for my payment. I am now using the following card no. for payment of my earthlink.net connection:

    M/C XXXXXXXXXXXX, exp XX/XX

    Thank you,

    Paul Aderson

    [blog editor note- Paul A actually posted his credit card number in this post, now replaced by xxxxxx! I am incredulous!!! Please, please, Paul, get a book quickly on internet personal safety!!!]

  3. Are you smoking crack? I do not work for Earthlink! How clear can I be about that!!!! I shared an experience I had with an attempt to defraud my Earthlink account by an email forged to look like it came from Earthlink. DO NOT CLICK THAT LINK! CONTACT EARTHLINK SUPPORT:

    http://support.earthlink.net/

    And for ***** sake do not post your credit card number on my blog!! I will attempt to delete your comment but I am so not liable if your card number is spread across the net.

  4. My friend just fell for this earthlink account verification hoax. Apparently it’s been around since last summer (or maybe even earlier). Why in the world would Earthlink allow an email like this to get to the recipient? Would it be illegal for them to intercept the email and notify the recipient that it had been intercepted?? It certainly wouldn’t be hard for them to detect it. If someone were posing as my ISP in order to fraudulently get my personal info, I would be delighted to know that they intervened.

  5. I have been getting similar emails re Earthlink every few weeks since October 2003 & have gone way up the ladder to voice my concerns. They speak a good game but are obviously unable or unwilling to stop this. I have received 2 Earthlink fake emails in the last week. Time to move to another ISP?

  6. Gaterwink asked “Why in the world would Earthlink allow an email like this to get to the recipient? Would it be illegal for them to intercept the email and notify the recipient that it had been intercepted?? It certainly wouldn’t be hard for them to detect it.”

    I’m not sure what you expect Earthlink to do- this e-mail did not originate from their network or their servers. E-mail is sent by a system of “gateways” that agree to pass on messages until it reaches the recipient. It would be an impossible task to analyze each piece of mail, and I really do not want someone reading my mail.

    I would turn this around and say it is upon you, me, and everyone else to be better educated and knowledgeable about these things and not depend on a “big brother” to do that work for us.

    John asks if it is time to switch ISPs, and I would say none of them are immune to these things, but if you can deal with the hassle of changing your established identity, go ahead.

    Again, it is a technically infeasible task to expect 100% protection from this- unless your new ISP’s network consists of tin cans connected with strings.
