Billing update must be performed

Experienced users will immediately recognize the warning signs: the generic "Dear AOL Member" salutation, the claim that AOL provides a "banking service" (it does not), the lack of the special AOL logo next to the e-mail in your inbox if you use the Web-based AOL Mail site, and so on. However, it is quite troubling that AOL still does not always filter phishing scam e-mails that mimic AOL's own formatting and links. The phishing link embedded in this e-mail even contained a directory named /bill.aol.com/, which should have immediately caused the message to be blocked by AOL's phishing filter, but shockingly it didn't.
Dear AOL Member,
Our records indicate that your account hasn't been updated
as a part of our regular account maintenance. Our new SSL
servers check each account for activity and your information has
been randomly chosen for verification. AOL Member Services strives
to serve their customers with better and secure banking service.
Notification: Failure to update your account information may
result in account limitation at shopping on our portal.
Update your information
To re-secure your account, just confirm your personal information.
Sincerely,
AOL Member Services
Please note that this email address cannot accept replies.
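As an added example (not code from the original post), the following Python turns the two warning signs discussed above into filter heuristics: the generic "Dear AOL Member" salutation, and a link whose path, subdomain or userinfo carries a trusted AOL hostname such as bill.aol.com while the registered domain belongs to someone else. The brand host list and the simplified two-label registered-domain rule are assumptions.

```python
"""Defender-side checks for the AOL-lookalike phishing e-mail quoted above.
Added example, not the post's own code.  Assumed: the brand host list and a
two-label registered-domain rule (a real filter would use the Public Suffix List)."""
import re
from urllib.parse import urlsplit

# Hostnames the brand genuinely uses.  Seeing one of them anywhere other than
# as the registered domain of the link target is a strong phishing signal.
TRUSTED_HOSTS = {"aol.com", "bill.aol.com", "mail.aol.com"}
GENERIC_SALUTATION = re.compile(r"^\s*Dear\s+(AOL\s+)?(Member|Customer|User)\b",
                                re.I | re.M)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (assumes a one-label public suffix)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_reasons(url: str) -> list[str]:
    """Reasons a link impersonates a trusted brand; empty when it is genuine."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["URL has no hostname"]
    trusted_regs = {registered_domain(h) for h in TRUSTED_HOSTS}
    if registered_domain(host) in trusted_regs:
        return []  # really served from the brand's own registered domain
    reasons = []
    for brand in sorted(trusted_regs):
        # Brand domain buried in a subdomain: bill.aol.com.example.net
        if f".{brand}." in f".{host}.":
            reasons.append(f"brand domain {brand!r} inside hostname {host!r}")
        # Brand domain placed in userinfo: http://bill.aol.com@example.net/
        if parts.username and registered_domain(parts.username) == brand:
            reasons.append(f"brand domain {brand!r} in userinfo before '@'")
    # Brand hostname used as a directory name, as in the post: /bill.aol.com/
    for segment in parts.path.lower().split("/"):
        if segment and registered_domain(segment) in trusted_regs:
            reasons.append(f"brand host {segment!r} used as a path segment")
    return reasons


def message_indicators(body: str) -> list[str]:
    """Run the salutation and link checks over a whole message body."""
    indicators = []
    if GENERIC_SALUTATION.search(body):
        indicators.append("generic salutation")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        indicators.extend(lookalike_reasons(url))
    return indicators
```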
Incidentally, back in 2009 I received a copy of a legitimate e-mail from AOL's billing department that appeared at first to be fake (see the screenshots below). Since AOL has a history of not catching phishing e-mails that impersonate it, and has itself sent genuine billing e-mails that look like phishing scams, AOL users should be extremely cautious about opening any e-mail that claims to come from AOL.
Official AOL e-mails are supposed to appear with a special symbol in your inbox if you use the Web-based AOL Mail (as opposed to an e-mail client program like Apple Mail or Windows Live Mail, for example). Following is a screenshot showing the symbol that AOL currently uses in the beta version of AOL Mail:
I have previously recommended using the AOL Mail beta URL — https://beta.mail.aol.com — which provides SSL encryption for the entire e-mail session rather than just the login page.
For those who may be interested, here's the Web of Trust rating page for the domain hosting the phishing scam page:
https://www.mywot.com/en/scorecard/themostcreativebuildingintheworld.com
For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.