ACCOUNT UPDATE – Tricky Vonage Account Phishing Example

It’s kind of ironic that most of the email claiming to be about preventing fraud is actually sent in order to perpetrate fraud. In fact, treating every message that wants to “verify your account information” or otherwise “protect” you as dangerous is a good way to avoid identity theft.

Today’s phishing example is no stranger to irony but that’s the least interesting thing about it. This one has an unusual trick up its sleeve.

Here’s the text part:

Subject: ACCOUNT UPDATE

From: “Vonage Customer Care” <web@vonage.com>

Dear customer,

It has come to our attention that your online account access information needs to be updated.
This is a regular measure to prevent fraudulent activities via your account.
We therefore require a few minutes of your time to update your online information.

Please check the attachment in order to update your account information.

Assuming that the lack of capitalization of “customer” in the salutation, the new line for every sentence, and the fact that the HTML part is in an attachment don’t bother you, and you open the attachment, this is what you’d see:

[Screenshot: vonage phishing]

This is actually a pretty good copy of the Vonage login page at this URL:

https://secure.vonage.com/vonage-web/public/login.htm

Not surprising given that the attachment actually loads the CSS and images from Vonage.

Submitting the form is where it gets interesting. The form actually submits to a file on edureview.org which then, and this is the tricky part, redirects to the Vonage login page above after a second or two.

If you’re not paying attention you won’t notice that you went to vonage.com via edureview.org. (BTW, we don’t know anything about edureview.org so we’re assuming they’ve been hacked and the file planted on their site without their knowledge.)
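
The mismatch described above (CSS and images loaded from vonage.com while the form posts to edureview.org) can be checked mechanically when scanning HTML attachments. The following is an added example, not part of the original post or of any OnlyMyEmail product; the sample HTML, its file paths, and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the attachment described above; the paths are made up.
SAMPLE_ATTACHMENT = """
<html><head>
<link rel="stylesheet" href="https://secure.vonage.com/css/example.css">
</head><body>
<img src="https://secure.vonage.com/images/example-logo.gif">
<form method="post" action="http://edureview.org/example.php">
<input type="text" name="username">
<input type="password" name="password">
</form></body></html>
"""

def site(url):
    """Last two labels of the URL's host (a simplification; no public-suffix list)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.asset_sites = set()   # where CSS, images and scripts load from
        self.form_sites = set()    # where forms submit to
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script") and a.get("src"):
            self.asset_sites.add(site(a["src"]))
        elif tag == "link" and a.get("href"):
            self.asset_sites.add(site(a["href"]))
        elif tag == "form" and a.get("action"):
            self.form_sites.add(site(a["action"]))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def audit_attachment(html):
    """Return form-target sites that differ from every site the page borrows assets from."""
    p = FormAudit()
    p.feed(html)
    p.close()
    if not p.has_password:
        return []
    return sorted(s for s in p.form_sites - p.asset_sites if s)
```

A non-empty result means a password form submits somewhere other than the brand whose look the page borrows, which is the pattern this message uses.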

Fortunately there’s an easy way to avoid this: never submit forms received in email messages. No legitimate organization with any regard for security will ask you to do this; instead, they will suggest that you go to their web site and log in (like this LinkedIn password reset message does).

Unfortunately there are a few organizations that invite phishing because they care more about “convenience” than security. If they send you login links or forms in email messages we suggest you go to their websites and log in as well. Just to be sure.

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.
