The nice folks at Mirabilis want to know my ICQ password

Isn’t it a fundamental truism of internet security that no service provider should EVER ask you for the password that you use to access your account with them? I received this email:

The fonts didn’t come through here as they were in the email, but the text alternates randomly between 2 different font sizes, and generally looks a little goofy.

The impressive thing is that there is a box for me to type in my UIN and password, and a “send!” button as if it was the application itself asking my to validate my identity! Even being the naturally suspicious type that I am I was still tempted to respond with my tippy-top-secret password.

The rest of the email looks authentic, with the ICQ.com homepage links copied at the bottom, and the originating address is “support@icq.com”.

I forwarded the email to abuse@icq.com feeling that they should already know who is & isn’t using their account. If I log on at my PC, then I’m using it (duh).

Is there ever any legit reason why a service provider might need to ask you what your password is?

They don’t need your password, it’s some sort of scam. If they really needed to do something like this, they would surely mention it on their website, so that people would know it was legitimate. Probably the support@icq.com address is actually redirected to a different account linked in the code, or some other unscrupulous trick. Good job forwarding it to abuse, cause that’s all it is.

It’s even easier than that to be unscrupulous with e-mail addresses.

Here’s a way to look at it. The “From:” field in an e-mail message is pretty much like a return address on a snail mail envelope. The sender can put whatever they want to there.

Would you think that a snail mail was legit if its return address was “US Government” but it came in a nasty old envelope with a postmark in Tijuana? That’s essentially what the senders of your e-mail have done.

There is no reason whatsoever to believe the “from” “sender” or “reply-to” boxes in an e-mail message.

-mok

Furthermore, the place that the form sends the information to is not necessarily the same as the return address. This is definitely, absolutely, 100% certainly a scam. You could learn more by viewing the full headers or the source code of the e-mail, but since you’ve already forwarded it to the authorities at Mirabilis, there’s no need to do more: They’ll know to take whatever steps are necessary.

Is this one still doing the rounds?

From the ICQ homepage Never give anyone your ICQ password! ICQ staff will never ask you for it.

A variation of this scam is the “we need to verify your account information” where you are asked for your personal info and credit card #. Just to add to the stress level, the message might also insist that you respond within 24 hours or they’ll have to close your account.

E-mail headers are easy to forge. If you know how to decode them, I bet you’ll find the e-mail didn’t come from Mirabilis.

I’m normally on the watch for scams & not easily duped, but this one had a built-in GUI for me to punch in my UIN & password… somebody spent some time putting that thing together. I don’t really think I ever gave it a thought, except for “hey- you guys said you’d NEVER ask me for my password!”.

It was the look & feel of the interface that impressed me.