This page contains a single entry from the blog posted on March 4, 2009 9:34 AM. The previous post in this blog was "At some point it doesn't make sense". The next post in this blog is Need medical help?. Many more can be found on the main index page or by looking through the archives.

E-mail, Feeds, 'n' Stuff

Wednesday, March 4, 2009

Probable phish alert

I got a pretty convincing phish message in yesterday's e-mail that purported to be from Comcast, our internet provider. It looked like this:

I foolishly clicked on the link, which sent me to a log-in page that looked pretty authentic:

I logged in, and then was directed to a page that asked for stuff like an address, a phone number, and a Social Security number. I actually started entering that data before it dawned on me that I might be being had. Fortunately I hadn't yet clicked on "Submit" or "Send."

Sure enough, retracing my steps, I noticed that the link I originally clicked on out of the e-mail message had as part of the URL address "mail.haining.gov.cn." That is an address in China. Maybe Comcast is operating out of China these days, but I doubt it. I hightailed it out of there and logged on to Comcast a different way. I changed my password and am hoping that's the end of it.

It sure doesn't seem legit.

Comments (26)

Well you better change your real log on name and password because they have that now.

oh you did,,,,,,,

You might want to file an IC3 complaint.


Someone is spoofing my email address for spam. The emails originate in Romania and other overseas places. I filed an IC3 complaint and also made a report to Interpol about one email which came from the computer of a Russian government agency.

You can cut and paste the email header into your complaint so that the real source can be identified.

Yup. In these HTML-ized emails, the link you're reading may not be the actual link you're going to.

Often that's legit (for click-counting purposes), but it can also be used to do phishing scams.

Most companies have now moved to a no-links policy when sending emails about people's passwords, finances, etc. They just tell you to visit their website - which means you'll have to type in the address yourself... ensuring your safety.

I'm surprised that you would be fooled by such an email!

Of course now you've learned your lesson, always CALL first before filling out anything like that!

It's the only growth industry left:

I got something almost identical supposedly from AT&T.

I hope you are all at least reporting and forwarding these emails to the purported senders so that they can put out warnings to their customers.


You know you should have phish on Fridays.

Curses foiled again !!!

My moderate republican associates and I will have to resort to the double super secret plan b.......

I got something similar from my "provider" recently. The rule is to never, ever give out your password. Any email asking for your password is bogus.

That was what was so tricky about it. It didn't ask for my password in so many words. It asked me to log in, and from a page that looked more authentic than most of these that I've gotten over the years.

Maybe Comcast is operating out of China these days...

Certainly not for the network services - they only like a government where they can put the fix in, not vice versa.

I get at least a dozen of those a day from banks, credit unions, the IRS, and other companies and agencies from all over the world. It is hit or miss: eventually they send one from somebody who I actually have an account with.

Rule of thumb: If an official-looking email doesn't mention your name in the text of the email, it is not from who it says it is from.


Just curious, had you had "several failed login attempts"

No, but the implication of the e-mail message was that someone else was trying to get into my account, and Comcast had blocked those attempts.

Alas, I fell for a similar phishing site. I thought I was logging-in to Wells Fargo, with the intent of doing some online banking.

The log-in site requested the usual log-in name and password (typical of the real Wells Fargo site), then I was told something like, "For the ongoing security of your online account, please type your PIN."
I just thought that it was a new layer of protection, so I typed my PIN.
It was after that when I realized that I'd been "had."
I called Wells Fargo, they filed a fraud investigation, and I had to go in to a branch office, establish a new account name, account log-in, and a new PIN. They then placed a "watch" on my account for any untoward activity.

And I thought I was computer savvy and careful. Sheesh!

___ora et labora___


No, actually I think Comcast IS relocated in and operating out of China these days.

Or think of it as China relocated and operating 2 blocks down the street from you these days. If that salves anxiety. Or self-medicate ... the very green 2008 vintage coast-valleys Pinot Noir already tastes like an entry-level investment sure to appreciate.

- -
Did you hear the reports that AIG has been the CIA mercenary infiltrated in China collecting (person-ID theft) 'intelligence' for several years now, under guise of "selling insurance" (read: phishing 1 billion addresses and which ones have 1 child)?

So it isn't that AIG is "Too Big to Fail," but rather, "Knows Too Much to Lose" (the Classified Secrets for the taxpayers' checks illegally already cashed ... besides the federal crime prosecution for the illegal AIG participation, of course).

Wayne Madsen Report, March 2, 2009 -- AIG's new $30 billion handout to protect a U.S. intelligence operation

This just in from our intrepid source in Asia:

Maybe with now the Third Bailout, it's time to ask the hard questions about AIG.

The third bailout fund for AIG of 30 billion US dollars makes that insurance company the largest corporate recipient of federal funds, according to Bloomberg, which calculates its debt to the government at 70 billion dollars. AIG requested the third tranche, claiming that it could find no buyers for its Asian insurance operation, AIA.

This is patently untrue. In fact, China Life has shown strong interest in purchasing AIA's (AIG's Asian unit) assets in the Greater China region but, insurance industry insiders say, was rebuffed by AIG's asking price, which was astronomical considering the company's heavy debt burden. The transfer of AIA to the federal government, probably to protect sensitive private data that cannot be shared with foreign companies without igniting a major scandal, confirms suspicions long held about the 'revolving door' between AIG executives and the US intelligence agents.

Intelligence agencies in Japan, Indonesia and China have long suspected that AIG and its Asian unit, AIA, were heavily used as cover for placement of NOC agents, eavesdropping operations and for collecting private data unrelated to insurance matters on their nationals.

The links between the American International Group and the U.S. intelligence establishment were ...

Simple defense: always look at the message in plain text, or at least do so before clicking a link. If you lay your human eyes on the raw text, it takes almost no knowledge of HTML to spot a misrepresented link.

For me, that means I only use HTML e-mail when I really, *really* need it... maybe four messages a year out of thousands. The rest of the time, I send and view in plain text.

"Fortunately I hadn't yet clicked on "Submit" or "Send."

They could have been logging your keystrokes despite the presence of a submit/send button. The button is often window dressing to make the site look authentic.

"If you lay your human eyes on the raw text, it takes almost no knowledge of HTML to spot a misrepresented link."

Many phishing attacks spoof the url so viewing a "text" source is no guarantee.

"Many phishing attacks spoof the url so viewing a "text" source is no guarantee."

Well, true. But if they've compromised the DNS or the site's SSL you're pretty well screwed anyway. [shrug]

Alan's advice is very good. Most email clients have a "show original" or "show source" option.

There are also DNS services you can subscribe to (OpenDNS is free) that maintain lists of phishing domains and will provide a warning page whenever you try to load one. This is the best solution for tech-challenged folks.

In my experience a very small percentage of phishing attacks exploit bugs in your web browser to spoof the URL. And if you stay away from Internet Explorer you'll be safe from the large majority of those.

Here's an eye-opening presentation on SSL security flaws if anyone wants to see how the web security emperor has no clothes.


Dave C.: Every year after Black Hat I consider changing careers* and going off to live in a cave.

[*: Before I become the sysadmin equivalent of those flat-footed guys in the background of Michael Jordan posters watching him fly by to score on them.]

Comcast is a .com not a .net. First flag.

Companies never send out an "your account has been compromised" emails.

Never. Ever.

You find this out if / when you try to log in the next time.

These are never legitimate.

Never. Ever.

And if you ever wonder, ALWAYS look at the full header of the sender.


The "From" address looked pretty good: info@comcast.net. My own Comcast e-mail address ends in @comcast.net, and so it seemed o.k.

The key in my case would have been to roll over the link that they wanted me to click on, and be sure to look at the full URL, even though it was so long that in the e-mail display it had a "..." at the end of it. That's where the China address was.

"it was so long that in the e-mail display it had a "..." at the end of it. That's where the China address was."

Which of course was not at all accidental. The attacker knew that the user interface of your popular e-mail reader cuts off a long URL, and exploited that limitation to hide his attack. Reading in plain text is an effective countermeasure because it tells the program to never hide information in the mail body in a misguided attempt to be helpful. It is inconvenient at times, but it's much safer.

It's also worth mentioning that the "from" address on an e-mail means basically nothing. It's about as straightforward to fake as it is to write an incorrect return address on an envelope.

Clicky Web Analytics