The NJCCIC was recently informed of an Xfinity/Comcast phishing campaign in which the email message states that access to the user’s mailbox and stored data may be permanently discontinued if the user does not update their email. Threat actors behind this campaign attempt to create a sense of urgency by stating, “If you do not complete this update by December 15, 2025.” Additionally, this threat group exploits the fact that some email providers legitimately delete inactive accounts. However, these emails have several red flags that could alert the recipient that they are not legitimate, such as the use of an aol[.]com sender email account, while the recipient email is a web[.]com account.
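
The red flags described above can be checked mechanically. The following is an added example, not part of the original advisory: the brand-domain allowlist, the function names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains treated as belonging to the brand; replace with your own allowlist.
BRAND_DOMAINS = {"comcast.net", "comcast.com", "xfinity.com"}
BRAND_WORDS = re.compile(r"\b(xfinity|comcast)\b", re.I)
# Deadline pressure in the style quoted in the advisory.
DEADLINE = re.compile(r"\bif you do not .{0,60}? by \w+ \d{1,2}, \d{4}", re.I | re.S)

# Constructed sample modelled on the advisory's description (not the real email).
SAMPLE = """\
From: Xfinity Mail <sender@aol.com>
To: user@web.com
Subject: Update your Xfinity email

Access to your mailbox and stored data may be permanently discontinued.
If you do not complete this update by December 15, 2025, your mailbox will be closed.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def in_brand(domain):
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)

def body_text(msg):
    """Concatenate the text parts of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_maintype() == "text")

def red_flags(raw):
    msg = message_from_string(raw)
    body = body_text(msg)
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), body])
    flags = []
    if BRAND_WORDS.search(text):  # message claims to come from the brand
        if not in_brand(domain_of(msg.get("From"))):
            flags.append("sender_domain_not_brand")
        if not in_brand(domain_of(msg.get("To"))):
            flags.append("recipient_not_brand_mailbox")
    if DEADLINE.search(body):
        flags.append("deadline_pressure")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```
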
The included link leads to a webpage that asks the user to submit their account credentials to log in. The password field does not mask the password characters as they are entered.
The user is then prompted to provide their billing information, including credit card details, without explanation of why that information is required.
If this information is submitted, the user is redirected to the legitimate Xfinity login page in an effort to reduce user suspicion.
- Users who submitted any information to these webpages are advised to:
  - immediately change their password,
  - enable multi-factor authentication if not already used,
  - contact banking institutions to cancel their payment card and identify fraudulent purchases, and
  - report the phishing email to Xfinity.
- Avoid clicking links and opening attachments in unsolicited emails.
- Users should only submit account credentials on official websites.
- Report malicious cyber activity to the NJCCIC and the FBI’s IC3.