
Thursday 26 February 2009

Strange Tripod phish

Why anyone would want to phish for a Tripod account is beyond me, but for some reason webmail accounts seem to be a target. This phish for Tripod credentials has (so far) the following subjects:

Subject: For Tripod user
Subject: Important information from Tripod Team
Subject: Tripod Confirmation Form

The rest of the email is similar to the following:

From: "Tripod Customer Service" support@support.lycos.com


Dear Tripod user!

Due to technical issues, the new Tripod software release is
currently on hold. However, a series of enhancements have been made. The new
client-server protocol is one of them. Now you need to complete Tripod Confirmation
Form to update your Tripod account.

Please use the link below to access Tripod Confirmation Form:
http://www.tripod.lycos.com/adm/redirect/www/form/tripodcf.aspx?[redacted]

Sincerely,
The Tripod Team
This message has been automatically generated.
Please do not reply to this message.
For information about the Lycos Privacy Policy Please see:
http://info.lycos.com/privacy
For information about the Terms and Conditions of this service Please see:
http://info.lycos.com/legal

The "http" link is fake; the real URLs underneath are www.tripod.lycos.comttlfile.eu/adm/redirect/www/form/tripodcf.aspx?=[redacted] and www.tripod.lycos.comproftd.tw/adm/redirect/www/form/tripodcf.aspx?=[redacted]. (I have redacted the tracking information.)

Oddly, the .eu and .tw hosts in question do not resolve at the moment; presumably they will be registered later. A trick that spammers sometimes use is to send out the spam and THEN register the domains, in order to trick spam filters.
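
The mismatch described above, where the visible link names www.tripod.lycos.com but the underlying host merely starts with that string, can be checked mechanically in a mail filter or during triage. The following is an added example, not code from the original post; the function and class names are hypothetical, and the `<a>` markup in the sample is constructed from the URLs quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(url):
    """Lower-cased hostname of a URL; tolerates a missing scheme."""
    url = url.strip()
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


class LinkCollector(HTMLParser):  # gathers (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_links(html):
    """Flag links whose visible text is a URL on a different host than the href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue  # visible text is not a URL, nothing to compare
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            # Lure from this post: the trusted host name is a prefix of another domain.
            kind = "trusted-host-as-prefix" if real.startswith(shown) else "host-mismatch"
            findings.append((kind, shown, real))
    return findings


# Constructed sample modelled on the message above (tracking values stay redacted).
SAMPLE = ('<a href="http://www.tripod.lycos.comttlfile.eu/adm/redirect/www/form/tripodcf.aspx?=[redacted]">'
          'http://www.tripod.lycos.com/adm/redirect/www/form/tripodcf.aspx?[redacted]</a> '
          '<a href="http://info.lycos.com/privacy">http://info.lycos.com/privacy</a>')
print(audit_links(SAMPLE))
```

Only the first link in the sample is reported; the privacy-policy link, whose visible and underlying hosts agree, passes.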

It's probably a phish, though it could be a drive-by download. In any case, it is best avoided, and if you HAVE entered details into one of these phishing pages then you should change your Tripod password and the password on any other site that uses the same username / password combination.
