2012-12-13, 16:23 #1
Links may look real, but they might be false!
I write the following for anyone who might be unaware.
A few weeks ago I received the following e-mail: (Be careful, the link shown is active but false)
_______________ Copied message follows _____________________________________
Dear Comcast Member,
The credit card we have on file for your Comcast Internet service was declined when we attempted to bill you on 11/30/2012 for your most recent service fees. For this reason, your service could be suspended.
Please visit our Account Information page: http://comcast.com.account.pb6.biz/b...&r=comcast.net
Update your credit card information as soon as possible. Once your credit card information is updated, you will be charged immediately, as soon as payment is received. Thank you for your prompt attention to this matter. We look forward to continuing to serve you.
************************* E-mail ID: 2837462876 Online Session PID: 83473332 *************************
Sincerely, Comcast Customer Care
______________ End of copied message ______________________________________
Looking at the link, it looks like it is a link to Comcast.com. But... it isn't. Using an online service at
one soon learns that the actual domain you go to is pb6.biz, a domain owned by Horner Amy.
Domaintools.com also gives the following information:
Domain Name: PB6.BIZ
Domain ID: D52324187-BIZ
Sponsoring Registrar: EURODNS SA
Sponsoring Registrar IANA ID: 1052
Registrar URL (registration services): htwww.eurodns.com
Domain Status: clientTransferProhibited
Registrant ID: EDS_R9850753
Registrant Name: Horner Amy
Registrant Address1: 1991 W PHILADELPHIA AV
Registrant City: OLEY
Registrant Postal Code: 19547
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2202928288
Administrative Contact ID: EDS_A9850753
Administrative Contact Name: Horner Amy
Administrative Contact Address1: 1991 W PHILADELPHIA AV
Administrative Contact City: OLEY
Administrative Contact Postal Code: 19547
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.2202928288
Administrative Contact Email:
Billing Contact ID: EDS_BILLING
Billing Contact Name: Julien Franck
Billing Contact Organization: EuroDNS S.A.
Billing Contact Address1: 2, rue Leon Laval
Billing Contact City: Leudelange
Billing Contact State/Province: -
Billing Contact Postal Code: L-3372
Billing Contact Country: Luxembourg
Billing Contact Country Code: LU
Reverse Whois: "Horner Amy" owns about 9 other domains
And there you have it. Sneaky, aye!
I forwarded the message on to firstname.lastname@example.org.
I guess the question becomes: if I can find the information regarding Horner Amy, why don't the powers that be do the same, then under a court order monitor the activities of the perpetrator and, if any illegal transfer of funds takes place, slap them with a large fine, shut them down and announce that in the news? I realize that international boundaries are involved and it will take cooperation between governments. But, hey! Isn't Luxembourg a friendly nation? Plus, one can assume that Horner Amy is a real person living in Oley, zip code 19547.
As commented by mrjimphelps: "I rarely click on a link without first putting my cursor on it and see what shows up in the lower left corner of the browser window."
scaisson: "I set up to view email in text view only. This way, I see the real http link, not the false one."
Please note. The http link which showed up in the lower left corner of the browser is identical to the link I showed above. It included the comcast.com. You would think that the link points to comcast. It DOESN'T. By viewing the message in text only it would still be identical to the URL I gave above. That is the reason I titled my post, "Links may look real, but they might be false!" You cannot always trust the link shown in the status bar or in the text view.
Here is another link. It looks like a link to paypal. It is NOT. : ( I added spaces between the www and the .paypal to make the link non active )
http://www .paypal.com.serviceid.618856.fhow.dyndns-at-home.com/webscr/index==2Ephp?CliendID=3D030726773072129544&r=3D917 3918483
Last edited by z-rod; 2012-12-27 at 00:32. Reason: possible misunderstanding
2012-12-13, 17:06 #2
It's really slick the way they set up their web address: "//comcast.com.account.pb6.biz". The part you notice is "comcast.com". Most people wouldn't even have noticed that the actual URL is "pb6.biz".
I rarely click on a link without first putting my cursor on it and see what shows up in the lower left corner of the browser window. Still, I might not have caught this one.
Last edited by mrjimphelps; 2012-12-13 at 17:10.
2012-12-13, 17:44 #3
2012-12-14, 03:18 #4
You are absolutely right to report it, but as Ted says, I wouldn't hold my breath.
The address in Oley is genuine, but I don't know if the name is. The Luxembourg link is due to the registrar used (EuroDNS), which appears to be a genuine registrar. The host that pb6 [dot] biz resolves to is located in Texas, run by Westhost.
One interesting thing is the domain pb6 [dot] biz was registered on 30th November this year. If it, or the host, is used for malicious purposes there has been little time for anyone to react.
Interestingly, notwithstanding the expectation that Comcast may not react too swiftly, the URL in your original post generates a 404 page error (when loaded on a virtual machine running Linux), i.e. the page is not resolved - maybe somebody has taken action, or maybe the bad guys fouled up in the first place.
In God we trust; all others must bring data.
- William Edwards Deming. 1900 - 1993
2012-12-20, 08:11 #5
Life is too short to drink bad wine (or bad coffee!)
2012-12-20, 17:10 #6
I use Thunderbird email client. I set up to view email in text view only. This way, I see the real http link, not the false one.
It is human, at times, to overlook and click on the false http link. With text view only, it helps me to avoid that.
When I need to view it in html form, I have to do extra clicks, access the menu. I'm lazy as a habit. The extra work will 'wake' me up, when I'm absent minded.
2012-12-20, 19:17 #7
Easy to get fooled by one of those false Comcast emails, or any others for that matter.
It's always better to go directly to the site via your browser to logon, rather than click on an email link.
DRIVE IMAGING
Invest a little time and energy in a well thought out BACKUP regimen and you will have minimal down time, and headache.
Build your own system; get everything you want and nothing you don't.
ASUS X99 Deluxe, Core i7-5960X, Corsair Hydro H100i, Plextor M6e 256GB M.2 SSD, Corsair DOMINATOR Platinum 32GB DDR4@2666, W8.1 64 bit,
EVGA GTX980, Seasonic PLATINUM-1000W PSU, MountainMods U2-UFO Case, and 7 other internal drives.
2012-12-21, 11:59 #8
2013-01-02, 09:13 #9
Probably the most common email scam, the False Link one.
Always check the end of the domain, just before the forward-slash (in this case .biz/) for the true domain.
Having a '.com' in the middle is an easy foil, but it's the 'dot' AFTER the 'com' that also points to the fake domain ending.
Another trick (and more insidious) is a link with .com.zip in it, which points directly to a ZIP file which will execute directly on your machine.
Always check links thoroughly, and as another user said, Plain Text is a bit more secure (no hiding nasty code in pretty pictures).
And as another user said, never use links in emails, always manually go to the website to log in, even if the email is from a company you know to be ok.
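The check discussed in this thread (read the host name from the right; the part just before the first forward-slash is the real domain), as an added example that is not part of any poster's message. The suffix set and brand list are small constructed stand-ins; a real check would load the full Public Suffix List, and the URL paths are constructed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# deployment loads the full list instead of this handful of entries).
SUFFIXES = {"com", "net", "org", "biz", "co.uk", "dyndns-at-home.com"}
# Assumed allow-list: domains the recipient really does business with.
BRANDS = {"comcast.com", "comcast.net", "paypal.com"}


def registrable_domain(host):
    """Longest matching suffix plus the one label to its left, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):              # i ascending = longest suffix first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None                               # suffix not in our list


def check_link(url):
    """Report the domain a link really goes to and any brand it imitates."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    # A brand is imitated when it appears as whole labels inside the host
    # while the registrable domain is something else.
    imitated = sorted(
        b for b in BRANDS if f".{b}." in f".{host}." and b != reg
    )
    return {"host": host, "registrable": reg, "impersonates": imitated}


if __name__ == "__main__":
    samples = [
        # Host names taken from the thread; paths constructed.
        "http://comcast.com.account.pb6.biz/",
        "http://www.paypal.com.serviceid.618856.fhow.dyndns-at-home.com/webscr/",
        # Constructed legitimate link for comparison.
        "https://www.comcast.com/",
    ]
    for url in samples:
        r = check_link(url)
        verdict = "SUSPICIOUS" if r["impersonates"] else "ok"
        print(f"{verdict:10} real domain={r['registrable']}  "
              f"imitates={r['impersonates']}  host={r['host']}")
```

Because the status bar and plain-text view show the same misleading host name, the useful output is the `registrable` field, which is what the browser will actually contact.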