Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

your paypal account need (sic!) to be updated!

olliver
Expert Developer
Joined: 27 Jan 2006
Posts: 1157

Posted: Mon Jul 16, 2007 1:47 pm    Post subject: your paypal account need (sic!) to be updated!

A rather moronic variant of the PayPal phish theme is this one, which hit my spamtrap a few hours ago.

Headers:
Return-Path: <onlines@paypals.com>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 15 Jul 2007 19:11:49 -0000
Received: from mail.orderwise.co.za (EHLO exchange.orderwise.co.za) [196.14.119.2]
by mx0.gmx.net (mx031) with SMTP; 15 Jul 2007 21:11:49 +0200

Received: from service ([66.112.62.161]) by exchange.orderwise.co.za with Microsoft SMTPSVC(5.0.2195.6713);
Sun, 15 Jul 2007 21:10:49 +0200
Reply-To: onlines@paypals.com
From: PayPal Inc.<onlines@paypals.com>
Subject: your paypal account need to be updated!
Date: Sun, 15 Jul 2007 14:05:44 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000


Sent via a compromised mail server in South Africa, with a Cyrillic character set (Windows-1251).

Mail body:
Dear PayPal Member,

Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your Paypal account and to ensure a safe PayPal experience. We require all flagged accounts to verify their information on file with us. To verify your information at this time, please visit our secure server webform by clicking the hyperlink below:

Click here to verify your Information [1]

If you choose to ignore our request, you leave us no choice but to temporarily suspend your account.
Thank you for your patience as we work together to protect your account.


[1] denotes a link that goes to:
http ://mail.yoda.com.tw/lndex.html

The text is of course all made up: "randomly flagged", what does that entail? If there were a "flagging" procedure, it would only make sense in connection with an actual cause.

mail.yoda.com.tw is a compromised system that resolves to 60.250.204.163:
inetnum: 60.250.0.0 - 60.251.255.255
netname: HINET-NET
country: TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
admin-c: HN27-AP
tech-c: HN28-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-TW-TWNIC
mnt-lower: MAINT-TW-TWNIC
mnt-routes: MAINT-TW-TWNIC
changed: hm-changed at apnic.net
source: APNIC


But wait, that's not the end of the chain. All this page does is serve as a redirector to the actual phish domain:
[olliver@bunkiten ~]$ curl -A " " mail.yoda.com.tw/lndex.html
</HTML>
<HEAD><meta http-equiv="Refresh" content="0; URL=http ://www.muratdirin.com/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php">
</HEAD>
</HTML>


So the actual phish is located at:
http ://www.muratdirin.com/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php

muratdirin.com is a Turkish-language site that runs a PHP-based content system, which may have been compromised via a vulnerability. It resolves to 213.186.33.19, which belongs to the French hoster OVH:
inetnum: 213.186.33.0 - 213.186.33.255
netname: OVH
descr: OVH SAS
descr: Shared Hosting Servers
descr: http ://www.ovh.com
country: FR
admin-c: OK217-RIPE
tech-c: OTC2-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered

Experience has shown they're not exactly responsive to complaints, so the phish will probably remain up for weeks.

Olliver
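The analysis olliver did by hand above (walk the Received: chain to the originating IP, pull the link out of the mail body, follow the meta-refresh redirector, and notice that "www.paypal.com" lives in the path of the final URL rather than in its hostname) can be scripted. The block below is an added example and is not code from the post; the sample message and redirector page are constructed from the headers, body and curl output quoted above, with the "[1]" link written out as an HTML anchor and the body text truncated. It only parses text and never contacts any host.

```python
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the headers and body quoted in the post, reassembled into
# one message so the parsing below runs offline. The link is written as an
# anchor because the forum rendered it as "[1]"; the body text is truncated.
RAW_MESSAGE = """\
Return-Path: <onlines@paypals.com>
Received: (qmail invoked by alias); 15 Jul 2007 19:11:49 -0000
Received: from mail.orderwise.co.za (EHLO exchange.orderwise.co.za) [196.14.119.2]
  by mx0.gmx.net (mx031) with SMTP; 15 Jul 2007 21:11:49 +0200
Received: from service ([66.112.62.161]) by exchange.orderwise.co.za with Microsoft SMTPSVC(5.0.2195.6713);
  Sun, 15 Jul 2007 21:10:49 +0200
Reply-To: onlines@paypals.com
From: PayPal Inc.<onlines@paypals.com>
Subject: your paypal account need to be updated!
Date: Sun, 15 Jul 2007 14:05:44 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit

<html><body>Dear PayPal Member, your account has been randomly flagged ...
<a href="http://mail.yoda.com.tw/lndex.html">Click here to verify your Information</a>
</body></html>
"""

# Constructed sample: the redirector page exactly as the curl output in the post shows it.
REDIRECTOR_PAGE = """</HTML>
<HEAD><meta http-equiv="Refresh" content="0; URL=http://www.muratdirin.com/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php">
</HEAD>
</HTML>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw):
    """Parse an RFC 822 message from a string."""
    return email.message_from_string(raw)


def received_chain(msg):
    """Relay IPs in travel order, origin first.

    Each MTA prepends its own Received: header, so the top one is the final
    hop and the bottom one is the hand-off from the sender. Only the hops
    written by your own infrastructure are trustworthy; anything below the
    first hop you control may have been forged by the sender.
    """
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:  # the "qmail invoked by alias" line carries no address
            hops.append(m.group(1))
    hops.reverse()
    return hops


def sender_domain(msg):
    """Domain of the From: address (paypals.com here, not paypal.com)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


class LinkParser(HTMLParser):
    """Collects anchor targets and any <meta http-equiv=refresh> destination."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.refresh_target = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "a" and "href" in attrs:
            self.links.append(attrs["href"])
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content has the form "<seconds>; URL=<destination>"
            for part in attrs.get("content", "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    self.refresh_target = part[4:].strip().strip("'\"")


def extract_targets(html):
    """Return (anchor hrefs, meta-refresh destination or None)."""
    p = LinkParser()
    p.feed(html)
    p.close()
    return p.links, p.refresh_target


def lookalike_report(url, brand="paypal"):
    """Where the brand name sits: in the host (legitimate) or only in the path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return {"host": host, "brand_in_host": brand in host,
            "brand_in_path": brand in parts.path.lower()}


if __name__ == "__main__":
    msg = parse_message(RAW_MESSAGE)
    print("origin IP:", received_chain(msg)[0], "sender domain:", sender_domain(msg))
    links, _ = extract_targets(msg.get_payload())
    _, final = extract_targets(REDIRECTOR_PAGE)
    print("first stage:", links[0], "final phish:", final, lookalike_report(final))
```

The WHOIS lookups from the post are deliberately left out so the script stays offline; feed the origin IP and the final host to whois yourself. The lookalike check is the part worth keeping for triage: a URL whose path contains the brand name while the hostname does not is the classic pattern of a phish kit dropped into a compromised site's document root.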
All times are GMT - 8 Hours