PHISHING SCAM: "Upgrade your Comcast Account now!"
May 21, 2013
PHISHING ALERT FOR COMCAST CUSTOMERS
If you are a Comcast Internet service customer and use a Comcast email account, you too may receive a targeted email scam similar to the one I received tonight, with the subject: "Upgrade your Comcast Account now!" The important portion of the body text follows.
Service Update
Dear Comcast Customer,
You are required to update your Comcast Account by subscribing to our Security Center.
If you not perform the update now (sic), your account will be placed on hold. In order to update your account click here.
There is a hyperlink around the words click here that goes directly to a compromised web hosting account where one will find images and words stolen from a real Comcast login page. There is a login form that asks Comcast customers to type in their Comcast user name and password to confirm their identity. Anybody doing so will be handing over their Comcast Internet and Xfinity credentials to cybercriminals in Europe. This will allow them to log in to your account and gain access to everything you have inputted, including personally identifiable information and billing details.
This appears to be a targeted attack against Comcast.net email account holders. I have many other domain accounts and none of them has received this scam message. I pray that this information gets in front of your eyes before the phishing email does and stops any of you from mistakenly thinking this is a legitimate message from Comcast.
Savvy email recipients will quickly notice two things that are very wrong with this email. They should cause your antennas to raise up, like they did for me.
- Mistake #1: The salutation is "Dear Comcast Customer" rather than addressing you by your personal first and last name, as you gave when you signed up for Comcast services. It would be the same name that appears on your monthly bill.
- Mistake #2: If you not perform the update now,... A professional Internet, cable TV and phone service company does not release email messages with such grammatical mistakes. But, spammers and phishers in foreign, non-English speaking countries commonly make these spelling and grammar mistakes when scamming us.
HTML Tricks used
Unbeknownst to most recipients of this email scam, there are two huge sections of invisible text that have been inserted into the message body in an attempt to fool anti-spam filters. The text is a long excerpt from a document pertaining to a data transfer limit of 250 gigabytes that Comcast had imposed on certain residential customers a couple of years ago, but has since suspended. It is hidden from view by appending it to a horizontal rule tag, in such a manner that it is not displayed in the message. However, all HTML code, including purposely hidden text, is detectable to any tool that is able to read the source code in plain text.
Most email clients are capable of displaying the source code, by means of some option. In my case, I screen all incoming email with MailWasher Pro, before downloading anything to my desktop email client, Windows Live Mail. As soon as my bullshit detectors noticed the two aforementioned foobars, I switched from email preview to source code. After scrolling down past the hidden text in the horizontal rule element, I found the link that led not to Comcast, or Xfinity, but to a strange (Turkish) domain: kaancelikkapi.com. Inputting this domain and the sub-directory and file names I copied from the email revealed a Comcast credentials phishing page. I have reported it to the web host via SpamCop.
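A defender-side check for the two tricks described above, as an added example that is not from the original post: it flags oversized attribute values (assuming the filler was placed in an attribute of the hr tag, which the post does not specify) and links whose host falls outside an assumed list of Comcast domains. The sample message, the host phish.example, the domain list and the 200-character threshold are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the claimed sender legitimately links to.
BRAND_DOMAINS = ("comcast.net", "comcast.com", "xfinity.com")
MAX_ATTR_LEN = 200  # assumption: longer attribute values are treated as filler


def is_brand_host(host):
    """True only for a brand domain or a subdomain of one (suffix on a dot)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


class PhishScan(HTMLParser):
    """Collects hidden filler text and links that leave the brand's domains."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            # Filler stuffed into an attribute never renders, but filters read it.
            if name != "href" and len(value) > MAX_ATTR_LEN:
                self.findings.append(("hidden-text", tag, name, len(value)))
            if tag == "a" and name == "href":
                host = urlsplit(value).hostname
                if host and not is_brand_host(host):
                    self.findings.append(("off-brand-link", host))


def scan(html_body):
    parser = PhishScan()
    parser.feed(html_body)
    parser.close()
    return parser.findings


# Constructed sample modelled on the message described above.
FILLER = "Comcast data usage threshold of 250 gigabytes per month. " * 10
SAMPLE = (
    "<p>Dear Comcast Customer,</p>"
    f'<hr title="{FILLER}">'
    "<p>In order to update your account "
    '<a href="http://phish.example/login.html">click here</a>.</p>'
    '<p><a href="https://login.comcast.net/">Comcast</a></p>'
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The host check matches on a dot boundary, so a lookalike such as comcast.net.evil.example is still reported as off-brand.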
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.