It's bad enough I am mass deleting virus generated e-mails (there were 66 this morning, about 8 hours later than the cleansing last night) but I got one on my home e-mail account, all be-decked with formal looking graphics. It made me suspicious....
This is what supposedly "Earthlink" said:
From: Earthlink Team <firstname.lastname@example.org>
Date: Tue Jan 27, 2004 1:29:19 PM America/Phoenix
To: Xxxxxxxx <Xxxxxxxxx@earthlink.net>
Subject: Urgent notification for Xxxxxxxx
During one of our regular automated verification procedures we've encountered a problem caused by the fact that we could not verify the data that you provided to us. Please, give us the following information so that we could fully verify your identity. Otherwise your access to Earthlink services will be closed.
To verify your information please follow this link:
Thanks for using Earthlink.
(I use Earthlink for dialup access when I travel, and use their e-mail address for throwaway tasks, etc.)
It looked almost legit, with the logos at the top, but the request sounded odd because (a) I have had an account there for at least 6 years and have never had to verify my info except through a secure log-in to their site; (b) I pretty much verify by paying a bill every month; and (c) I could not recall seeing Earthlink using *.asp URLs before.
So I put on my detective glasses and started looking at the raw HTML source of this message. I certainly had no intent on clicking on their link.
The email headers caught my eye first. Most e-mail software hides/compresses information and there is often a great deal of things to examine in the full e-mail header (see thiw great reference, Reading Email Headers, written in plain English.
From email@example.com Tue Jan 27 21:43:13 2004 Status: U Return-Path: <firstname.lastname@example.org> Received: from hotmail.com ([18.104.22.168]) by swallow (EarthLink SMTP Server) with SMTP id 1aLzOR7ty3NZFkNoM
Suggested that while it pretends to be from "email@example.com" it is coming from a hotmail account, and a traceroute on that IP runs across the Atlantic and disappears somewhere in France, where I doubt Earthlink is headquartered.
All of the images come from not an earthlink web server, but a numerical IP (unable to trace the source)
Farther down is the link they really thought I would click:
(I have deliberately altered some of the session ID strings and the xxx.xxxx. is the numerical IP they are using to divert requests to). While I am not 100% sure of this, it appears to use a rather disturbing hole in Earthlink's web design to start at a Earthlink site and divert information to a different URL, where it would be put to not so kind usage.
From what one can see on the Earthlink Support site all internal links are written to route them through one web script that must be tracking links, and then routes it to another URL that is clearly viewed in the link:
So one would hardly need a MIT PhD in programming to spoof a link that looks like it is going to EarthLink that is shuttled off elsewhere. Unless they have some way of tracking where the original link is coming from (likely in the session ID string stuff which the email link was also spoofing)
Anyhow, after forwarding the message and a sternly worded e-mail to Earthlink support I got a speedy response that stated:
We apologize for the confusion. We understand your concern regarding the email received.
The email you received and its corresponding web site are fraudulent, and are in no way associated with EarthLink.
We were made aware of this site recently and took immediate
steps to contact the host of the site, to have it removed from
(Well not that direct- my first message to them resulted in an auto-reply which directed me to a web form for submitting complaints, the kind of form for people who have troubles with their modem or finding the START menu-- I had to reply back with some more choice words, cc to a few other email addresses before getting a direct response)
Bottom line. Think, think, think before you click. I suspect most casual computer users would not be so skeptical. These fraud spinners are rather clever, and pie-in-the-sky dreaming is wondering what this world would be like if at least a handul of them would put that cleverness to positive works.blogged January 28, 2004 07:11 AM :: category [ web bad dog ] :: TrackBack