AOL users conned for credit data

An email scam sends users to a faux internal AOL site that asks for credit card numbers.

3 min read
America Online (AOL) members who responded to a forged email may have inadvertently given out their credit card numbers to thieves disguised as AOL officials.

It is impossible to know how many consumers, if any, responded, but the scam comes as the latest example of how sophisticated ploys to swipe private information are getting.

Tatiana Gau, AOL's vice president of integrity assurance, said she was familiar with such scams.

She said that AOL investigates the many ruses people use to extract information, from passwords to credit card numbers, and informs legal authorities whenever possible. But Gau could not supply any estimate on how many members have divulged either their passwords or credit card numbers because of scams, or how much money AOL loses as a result of them.

"We don't track that at all," she said. She added that it is very difficult to find out how many people have inadvertently given out passwords because they would have no reason to report the security lapse, unless someone used their accounts for illegal activities or to purchase items offered by AOL through pop-up screens.

According to one report on MSNBC, AOL loses "millions of dollars per month" due to hacking of AOL. Gau called the report "completely inaccurate" but wouldn't elaborate.

In the case of the latest scam, the email was authentic-sounding, signed by "AOL Member Services." It instructed members to click on a link in order to upgrade their billing plans. The person who registered the hyperlinked Web site did so with an individual who could not be reached for comment.

Written in a style similar to an AOL bulletin, the letter clearly played off of the ignorance of some AOL members, who tend to be newer to the online world than users of most other services.

"To the unsophisticated AOL member, when they click on a hyperlink they do not necessarily notice they're being taken off AOL," Gau said of such scams.

The letter discussed AOL's upgrades and the company's need to once again revamp its billing system, echoing in parts actual letters written by chief executive officer Steve Case.

The link in the email brought users to a Web page disguised as an internal AOL page, complete with AOL graphics and the same picture of Case that accompanies his member updates, said Michael DeVivio, an AOL member who received the email yesterday.

It presented users with several different payment plans and, at the bottom of the form, asked for credit card numbers. "It was very legitimate-looking," DeVivio said.

DeVivio said the site was taken down today after he contacted the Internet Service Provider hosting the site.

Gau said this kind of scam is one of the latest trends being seen on AOL. AOL members, especially those who frequent chat rooms, are constantly bombarded by people trying to extract information from them.

Would-be thieves use various methods, mostly in pursuit of passwords. In one scenario they send programs to unwary users that are loaded with Trojan horse programs. The programs keep track of a user's key strokes then mail the information back to the perpetrator, who can then use the information to extract passwords.

By far the most popular way to extract passwords is the low-tech method of "phishing," in other words, going on a fishing expedition for passwords.

The culprits, who for the most part seem to be teenage boys, usually send Instant Messages to people who hang out in chat rooms. They say they're an AOL officials and then invent some plausible reason for needing a member's password.

Today, for instance, someone sent the following message: "Hi There. My Name is Steve Case and I am the CEO here at AOL. We have misplaced your billing information. Please state your password at this time so we can retrieve your lost billing information. Thank You."

AOL is constantly reminding its members that no one in a legitimate capacity will ever ask for passwords or other information, Gau said.