My next class:

Spot the Phish: Verizon Wireless

Published: 2012-06-14. Last Updated: 2012-06-14 17:16:12 UTC
by Johannes Ullrich (Version: 1)
16 comment(s)

We have seen a couple of reports recently of pretty well done Verizon Wireless phishing attempts. At this point, I haven't gotten one with the target site still up, so they may try to install malware instead of just asking for Verizon credentials. 

update: Paul just wrote in that he caught some of the links still active, and indeed they are trying to install malware and don't ask for credentials. And fellow handler Pedro notes that the malware is a blackhole exploit kit that will try to install Zeus.

See if you can spot the fake one. The answer is below the images (click to open image in new window at full resolution)

fake Verizon e-mailreal Verizon email

 

 

The left one is the fake. The only give away is that the fake e-mail doesn't include the partial account number, and typically indicates a large bill > $1,000 (at least large for me). I assume the large amount is supposed to cause panic clicking.

 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: phishing verizon
16 comment(s)
My next class:

Comments

We've started getting phishing emails that are exact duplicates of legitimate marketing-type emails. A typical one is for those webinars that are really sales attempts.

The interesting thing is the emails really are a duplicate of the real one, except for the Unsubscribe link. That is the one that's booby-trapped. All of the other links go to the real site.

I got one and said to myself "Grrr. I already clicked your stupid Unsubscribe link last week. Pay attention this time!" And then I saw the mouseover of where it really was going, a .cn domain.

JJ

Jun 14th 2012
1 decade ago

You meant the LEFT one is FAKE - right?

DBoggs

Jun 14th 2012
1 decade ago

The right one, or the left one is the fake?

Steven

Jun 14th 2012
1 decade ago

Images are switched (the one on the right is legitimate)....

Dan

Jun 14th 2012
1 decade ago

Also, naming the images "fakeverizon.png" and "realverizon.png" makes it hard to actually take the test without already knowing the answer!

Anonymous

Jun 14th 2012
1 decade ago

I fixed the left vs right issue. Yeah, the name kind of gives it away ;-)

Dr. J.

Jun 14th 2012
1 decade ago

Holy cow, the phishers are finally are learning to copy/paste existing HTML messages? I can't believe it has taken them this many years to figure out....

Paul

Jun 14th 2012
1 decade ago

I would have to examine the two personally to be sure which is the fake.
We're seeing many phishing emails that are well crafted, pretending to be from numerous financial institutions, cable companies, and others. Often the links are the only give away.

Larry

Jun 14th 2012
1 decade ago

For those of you interested in digging deeper, here is a link to Wepawet analysis: http://wepawet.iseclab.org/view.php?hash=8361f063b424705ea3df42ed1fe9a5d9&type=js

Anonymous Paul

Jun 14th 2012
1 decade ago

I got this one early this morning. I am not a Verizon user, so I knew right off it was bogus, but in thunderbird, you can click on "view message source" (or just hit ^U) to see the unrendered source test,including the headers. When did Verizon start sending notices from Brazil?

Moriah

Jun 14th 2012
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives