9th January 2004
Important Security &
text with one
genuine link and
which opens a fake
Earthlink web page
Spoofed Web page/site?
forged Earthlink web
page with web form
address, credit or
debit card and ATM
Web page/site origin
Identity Theft method
is captured by the
a fake password
Bank Email Scam
See our guide to
See our guides to
Important Security & Fraud Alert From Earthlink.net - Email Scam
9th January 2004
This Earthlink Security & Fraud Alert email is
a very convincing scam ...
With the suggestion that someone has attempted unauthorised
access to your Earthlink account, together with the genuine Earthlink
graphics (called from their own servers), this represents a very convincing
The email includes a link
and a 'Continue' button (see image below). The first link to Earthlink
is a genuine one, but the 'Continue' button is not, and it will open
a forged Earthlink page with a spoofed
URL (web address shown in the
browser address bar). This means that your browser will display http://myaccount.earthlink.net in
the address bar, but the true URL of that forged Earthlink page is 126.96.36.199/
traces back to a Korean ISP. The email itself also shows Earthlink
Security Dept. as the sender,
but this has been coded with a rocketmail address - email@example.com.
Of-course, Earthlink do not use rocketmail for their email.
All in all, the email and forged pages have been professionally composed
The forged page consists of a web form for you to
enter your Earthlink email address, Credit or Debit card number and ATM
PIN. The data entered and submitted is then captured using PHP script.
informed of the latest Spoof Email Phishing Scams with either of our FREE alert services...
Add your email address to our email alert service...
Tap into our Scam Alert service using your News Reader or Aggregator (including
Scam Alert News Feed
You can even put the latest alerts on your own web
Also, once the form is submitted another forged Earthlink page appears.
This is a password change form, which requests that you give your new
password. And then after that page, you will see a forged password
changed page. These two pages do not employ URL Spoofing and will show
the true URLs (http://188.8.131.52/password/change.htm and http://
you have received and fallen for this scam, you should immediately notify
Earthlink so that they can secure your account. Contact their 'Livechat'
support for an immediate response at http://support.earthlink.net/
If you have received this email, please remember
is very common for these email scams to be redistributed at a
later date with only slightly different content or the same but with the fake
page(s) hosted by a different provider. Also, once you have received one of
these hoaxes, it is also common place to receive at least another one
and usually a day or two after the first, although not necessarily from
the same apparent sender.
a good look at the following images, because this email scam may be coming
to an inbox near you!
The Email ...