A few days ago, America Online, or AOL, confirmed that their mail service – AOL Mail – had been hacked, with the email addresses (allegedly only 1% of their entire customer base) either compromised and/or spoofed to send spam with links leading to phishing pages. We combed through the Internet to look for samples of the phishing spam being sent, and they popped up readily in our searches.
Figure 1. AOL Mail spam sample
Figure 2. Second AOL Mail spam sample
The spammed messages themselves are simple and to the point – just a sentence or two, written to seem like a casual, quickly-written email by the recipient’s contacts. The link is presented right after the bait text, typed out in full. When clicked, they lead to fake pages pertaining to online health magazines as well as online cooking recipe websites, which then lead to a landing/phishing page. The phishing page masquerade as a sign-up form that asks for the user’s personal information – their phone number, email address, and so on.
Figure 3. Final landing and phishing page
Using data gathered from the Trend Micro Smart Protection Network, we saw that 94.5% of the users who visited the final landing page came from the United States. Other top countries affected include Japan, Canada, France, and the United Kingdom. Analysis also shows that these phishing pages are hosted in different countries, including Russia, the United States, Hong Kong, and Germany.
While this may seem to be a relatively minor attack as far as hacking attacks go – with the compromised mails only used to send spam messages leading to phishing websites rather than something more obviously damaging, such as sending malicious files or mining the email address itself for personal information – the fact is that the culprits could easily have done so is enough for this to be a serious security incident.There’s also the fact that even if only 1% of AOL Mail’s 24 million total user base was indeed compromised – that’s still 240,000 emails under the control of cybercriminals, to do with whatever they want.
A day after the attack itself was revealed, AOL came out with another announcement, saying that they’ve modified their DMARC policy to combat the spoofed mail spam.This modification ensures that all mailbox providers will reject bulk AOL mail if it doesn’t come from an AOL server.
While this does alleviate the spoofed email spam issue somewhat, it does also affect bulk AOL mail that has been previously authorized, and does not really begin to address the compromised emails. For that, AOL has linked victims to their Mail Security page, instructing users how to secure their hacked accounts as well as to recognize scam/spam emails.
We once again remind users to always be vigilant when it comes to their mail, whichever email service you use. Always think before you click that sent link. Verify first before doing anything.
Trend Micro security offerings already detect and block all the spammed mails and phishing URLs related to this attack.
With additional analysis from Gideon Hernandez, Paul Pajares, and Ruby Santos.