Users tricked into exposing their billing and personal information

Jul 13, 2010 07:39 GMT

Security researchers warn of a new phishing campaign targeting AOL users. Rogue emails claim that users need to update their personal and billing information in order to continue receiving services.

Sophos reports that these phishing emails are sent to everyone, but are particularly tailored to AOL paying customers. The messages read:

Dear AOL Member,

   We were unable to process your most recent payment. Did you recently changed your bank, phone number or credit card ?

   To ensure that your service is not interrupted, please update your billing information today by following this steps,

   1. Visit http://bill.aol.com
   2. Enter all your information
   3. Click Submit to update your billing information

   PS: The link in this massage will be expire within 24 Hours . You have to update your payment information.

   Sincerely, AOL Member Services

The http://bill.aol.com link actually points to a fake website hosted on a domain previously associated with other phishing schemes. Further investigation by Sophos researchers of the IP addresses and WHOIS information used in this attack revealed a different scam abusing Amazon's affiliate payment system.

“Some IPs associated with this attack are storing pre-populated WordPress SQL files containing all the wonderful fake comments about the products they purchased through this series of bogus blogs. All they need to do is search and replace a product name, import the SQL, and voilà, instant website,” Chester Wisniewski, a senior security advisor at Sophos Canada, explains.

The phishing page has elements of the real AOL website, but what stands out is the unusually high level of detail users are asked for. This scam's victims will end up exposing their Social Security Number, date of birth, driver's license number and even their mother's maiden name, a piece of information usually required by security questions.

As far as billing details go, the form has fields for the credit card number, expiry date, verification number (CVV2), cardholder's name, ATM PIN, bank name, bank telephone number (another piece of information regularly used for additional verification by some systems), as well as bank account and routing numbers. Submitting this form sends all the data to several Hotmail addresses, which were still active at the time of writing this article.

You can follow the editor on Twitter @lconstantin