Subject: [3076] Phishing Email - how to detect
Class,
I just got one of the best-designed phishing emails I have seen.
Look at http://www.csc.gatech.edu/copeland/jac/3076/info/secure-vonage-phish.html
I went to the normal Vonage Web site, and everything there about my
account looked in order.
I then expanded the email to see what the links in the source HTML
looked like: see
http://www.csc.gatech.edu/copeland/jac/3076/info/secure-vonage-phish.txt
The first link downloaded an image from vonage.com (the Vonage
Web site).
The second, when clicked, would open (modified to protect the
innocent):
http://offline4.secure-vonage.com/up-loads/vonageweb/public/login.html
At first glance "secure-vonage.com" seemed reasonable (not a .ru, .cn,
.kr, .br, ...).
The real story was revealed by doing a "whois" lookup on
"secure-vonage.com". See
http://www.csc.gatech.edu/copeland/jac/3076/info/secure-vonage-whois.txt
"secure-vonage.com" is hosted by
Domain Discreet
Avenida do Infante 50
Funchal, Madeira 9004-521
There are many Web hosting services in the world that cater to phishing
sites. This appears to be one of them.
--
John Copeland
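
Added example (not part of the original message): a short Python sketch of the check described above, pulling every link out of an email's HTML source and comparing its registrable domain with the one the brand actually owns. The sample HTML, the image path, the link text and all function names are constructed for illustration; only the login URL is taken from the message.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect every URL the message loads or links to (href/src attributes)."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

def hostname(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def registrable_domain(url):
    # Assumption: the last two labels are the registrable domain (true for
    # .com); a production check would use the Public Suffix List instead.
    return ".".join(hostname(url).split(".")[-2:])

def classify_links(html, trusted_domain, brand):
    """Return [(url, verdict)] with verdict 'trusted', 'lookalike' or 'other'."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for url in parser.urls:
        if registrable_domain(url) == trusted_domain:
            verdict = "trusted"
        elif brand in hostname(url):
            # Brand name appears in a host that the brand does not own.
            verdict = "lookalike"
        else:
            verdict = "other"
        results.append((url, verdict))
    return results

# Constructed sample modelled on the two links described in the message.
SAMPLE_HTML = """
<img src="http://www.vonage.com/images/logo.gif">
<a href="http://offline4.secure-vonage.com/up-loads/vonageweb/public/login.html">Log in to your account</a>
"""

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_HTML, "vonage.com", "vonage"):
        print(f"{verdict:10} {registrable_domain(url):20} {url}")
```

Any domain reported as "lookalike" is the one to run through whois before trusting the link.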