Vonage Account Security Phish – A Perfect 10

This is one for the record books.

The other day we intercepted several copies of a phishing email that, in conjunction with a fake web page, attempts to acquire your Vonage phone number and password.

Subject: Important – Vonage Account Security Information

From: “donotreply@vonage.com” <donotreply@vonage.com>

The body contains this image file:

[Image: Fake Vonage Survey Request]

In and of itself this phish is not particularly outstanding. The image file above looks like it could be from Vonage but actually links to a forged version of a Vonage sign-in page. The web site is not even a very good forgery.

What is outstanding is the URL of the fake web site . . .

One of the ways that phishing emails try to trick you is by using URLs (web addresses) that look like they go to the phishing target’s web site but that really go someplace else. This trick takes advantage of the Domain Name System’s policy of allowing domains to be responsible for their own sub-domains.

A Short Domain Lesson

The domain name hierarchy reads from right to left so the least important part is at the left. This is useful to phishers because many languages, in particular English, read from left to right.

There are a limited number of top level domains. The top level domains are the part at the far right end of a domain name (.com, .net, .org and so forth). Technically there’s a final dot all the way to the right indicating the root of the hierarchy but this is assumed by all software so you never see it.

Top level domains are not for sale.

What we normally think of as a domain name is actually a sub-domain of a top level domain (e.g. whatever.com). These are called second level domains.

Both top level and second level domains are controlled by the Internet Corporation for Assigned Names and Numbers (ICANN).

Sub-domains are created by adding more labels, separated by dots, to the left of a domain. The term sub-domain usually refers to an extra name to the left of a second level domain (e.g. something.whatever.com).

Management of sub-domains of second level domains is up to the domain owner so sub-domains at this level can be named whatever the owner of the parent domain wants. This is also useful to phishers.

Using Sub-Domains In Phishing URLs

citibank.com.sign-in.whatever.com

is a valid use of sub-domains for whatever.com. The controlling domain in this example is whatever.com but since the potential victims of this type of trick are likely to read English (or German or French or Spanish) they will automatically be biased toward the left and will only see citibank.com.

This technique is actually a second layer of fraud. Less savvy victims will just click the link without looking at where it goes. Smarter, but not quite smart enough, victims will actually check to see where the link goes but only read enough of the domain name to see what they expect to see.

Sub-Domain Overkill

The domain name in the email we’re featuring today is:

http://secure.vonage.com.vonage.web.public.login.htm.1jk9s0bnsjh88jkskka99shjs.v0lage.com/

Wow! This one is so outrageously long it won’t fit in our layout. The part that hangs off into the background (v0lage.com) is the part that matters. The rest is just misdirection.

The phisher starts out with secure.vonage.com and if that doesn’t get you they add vonage.web for good measure. And just to be extra sure you’re fooled they continue with public.login.htm which kind of looks like a file name. (File names are added to the right of the domain name so after .com you often see a slash and then a path to a file like: /public/login.htm.)

And that’s not all! In today’s extra special domain name you’ll also receive a special random tracking sub-domain, 1jk9s0bnsjh88jkskka99shjs, so they’ll know it’s you when you click the link. (We clicked the link and were warned by both our anti-virus software and our browser that the link goes to a known phishing site. Like we couldn’t tell by the ridiculously long domain name.)
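Reading the host name right to left, the way the post does, is something a mail filter can do mechanically. The script below is an added example (not OnlyMyEmail’s code) that uses the post’s simplified model, where the controlling domain is the rightmost two labels, and flags a watched brand name appearing in someone else’s sub-domains; the brand list is constructed for the example, and production tooling would consult the Public Suffix List so that names like example.co.uk are split correctly.

```python
from urllib.parse import urlsplit

# Brands an analyst wants to watch for inside *someone else's* sub-domains.
# Constructed example list, not part of the original post.
WATCHED_BRANDS = {"vonage", "citibank"}


def controlling_domain(hostname: str) -> str:
    """Rightmost two labels: the part the domain owner actually registered.

    Simplified model from the post; a real filter would use the Public Suffix
    List so that two-label public suffixes such as co.uk are handled.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str) -> dict:
    """Break a URL's host down the way the post does: read right to left."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    controlling = controlling_domain(host)
    # Everything left of the controlling domain is chosen by its owner and,
    # in a phish, is pure misdirection (secure.vonage.com.vonage.web...).
    sub_labels = labels[:-2]
    # A watched brand that shows up in a sub-domain label of a *different*
    # controlling domain is the citibank.com.sign-in.whatever.com trick.
    brands_in_subdomain = sorted(
        b for b in WATCHED_BRANDS
        if any(b in lab for lab in sub_labels) and b not in controlling
    )
    return {
        "host": host,
        "controlling_domain": controlling,
        "dot_count": host.count("."),
        "subdomain_labels": sub_labels,
        "brands_in_subdomain": brands_in_subdomain,
        "suspicious": bool(brands_in_subdomain),
    }


if __name__ == "__main__":
    # The URL from the post; the controlling domain is v0lage.com (a zero).
    report = analyze_url(
        "http://secure.vonage.com.vonage.web.public.login.htm."
        "1jk9s0bnsjh88jkskka99shjs.v0lage.com/"
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```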

A Perfect 10

On a scale of one to ten we give this phishing attempt about a three. But the domain name is a perfect ten. Ten dots that is. Count ’em. We did. There really are ten.

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.


One Response to “Vonage Account Security Phish – A Perfect 10”

  1. Kathy M says:

    I received this on July 26th — it was converted to plain text by our system.
    I don’t even HAVE a Vonage account.
    -KRM
    ====================================================

    “Vonage Statement Ready for viewing”
    PLEASE DO NOT REPLY TO THIS E-MAIL. THIS E-MAIL ADDRESS IS USED BY VONAGE AUTOMATED SYSTEMS AND IS NOT MONITORED.

    Dear Vonage Member,

    Your July, 2010 Vonage billing statement is ready for viewing. To view your bill, go to My Account . Enter your Username or 10-digit phone number and Password, and from the next screen select GO from the VIEW YOUR BILL option.

    If you would like to discontinue receiving a hard copy billing statement in the mail, you may do so by selecting the UPDATE STATEMENT METHOD link once you have logged into your account. From there, simply select the option for Electronic Statement Only.

    Sincerely,
    Vonage Customer Care

    You received this e-mail because you enrolled in the Vonage My Account feature. If you no longer wish to receive these e-mails, you will need to cancel your enrollment. To cancel your enrollment, please log in to your account and from the Update Profile screen, select the cancel link from the bottom of the page.