Paypal Scam

[LostStraw]

This is the first scam/phish topic that I've posted -- I normally wouldn't post something like this because they often suck. But this one is different, it's pretty slick. Following is a description and some screen shots.

 

As the norm, I get an email telling me I needed to update my PayPal account, well I don't have an account -- that tipped me off right there, but I decided to follow the link anyway.

 

Here's a screenshot showing the fake website:

 

 

Here's a screenshot of the real website for comparison:

 

 

 

Note the strange URL on the fake website.

 

I didn't link the page because I don't know if the site contains spyware/viruses.. be careful if you decide to look at it for yourself. All the links on the fake page redirect to the official Paypal pages except the "Log In" button. The "Log In" takes you to a page asking you to fill out some information (credit cards, etc..) no matter what is typed in the email/password fields.

[Pop]

Uh... yeah. Always check the url. This happens with a lot of password-protected sites. I believe Myspace has had a lot of problems with this.

 

I don't really understand why you would willingly explore the email if you knew it was malicious. It could be loaded with teh warez!

[Darque]

Thread relocated to a more appropriate forum.

[LostStraw]

As watchful as ever Darque :">

 

I browse with a lot of software designed to block the bad things.. I really should have done it in a VM though. I'm surprised that they made it look so good, but not quite perfect... it's like putting a lot of effort into something and then stopping near the end.

[Oerwinde]

When these first started going around I knew they were fake right off the bat from the bad URLs and sending the emails to the wrong email addresses and such(I got the phishing site emails in one address, while my account is registered with another) and wondered how anyone could fall for them. Then lots of people started falling for them.

[Nartwak]

[Tigranes]

To be fair, they're very good at finding stolen credit cards.

[Diamond]

Hmmm, interesting. The site is in Brasil, Montevideo.

 

It is a rooted linux server. If you go to .../icons/, directory index is available, and PHP Shell Offender is installed (php.cgi) so anyone can execute remote commands in the web shell. I think the owners of the server have to be notified that their server is owned.

[metadigital]

But ... Montevideo is the capital of Uruguay.

[6 Foot Invisible Rabbit]

NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!

 

Not Uruguay?!?!? :'(

[Calax]

But ... Montevideo is the capital of Uruguay.

<{POST_SNAPBACK}>

It was also blown to pieces by Vandal Savage during JLA 1 million.

[Diamond]

But ... Montevideo is the capital of Uruguay.

<{POST_SNAPBACK}>

OK, I've got it wrong somewhere.

 

Edit: the site has a Brazilian domain name and IP address is registered in Brazil, but IP address registry is in Uruguay.

 

 

Good news: phishing site is down, but the shell is still there.

Edited September 20, 2006 by Diamond

[Fenghuang]

You didn't...

[Diamond]

I didn't? But Montevideo is indeed in Uruguay.

[Fenghuang]

Thought you were implying you took it down though questionable means. Nevermind.

[Diamond]

I admit, it was very tempting to do so. I'd delete the shell php file as well if I was doing that.

But no, I just emailed website owners.

[metadigital]

What did you email the website owners?

[Diamond]

Ummm... "your site has been owned"?

[metadigital]

Ah. As long as it wasn't an email bomb ... "

[Fenghuang]

Because y'know. That wouldn't be nice.

[6 Foot Invisible Rabbit]

Being nice to scammers? That seems so wrong.

[Diamond]

Actually being nice to a Brazilian government organization, if you missed that.

[6 Foot Invisible Rabbit]

Even better! DO IT!

[mkreku]

Russians scare me

[Diamond]