Full Disclosure mailing list archives
Re: Phishing scam - yet another Paypal phishing scam!
From: Tobias Weisserth <tobias () weisserth de>
Date: Sun, 25 Jan 2004 03:35:59 +0100
Hi everybody,

I just wanted to add another phishing scam to the "in the wild" list. A fake Paypal email is pointing potential IE victims to a modified URL:

http://www.paypal.com%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01@211.54.126.187/f/

The host 211.54.126.187 is up and running, the email address of the administrator seems to be a fake, mail bounces immediately. The 211.54.126.187/f/ URL points to a dead page though, so maybe the admin has already taken action.

This is the HTML source of the spam email:

Note that the mail is actually using real elements from PayPal. Measuring the art of social engineering here, I'd say this one is pretty clever.

What really is annoying here is that this bug already exists for several weeks in IE and it seems MS is not willing to do something about that. The simple minded user shouldn't use IE as long as this is still not fixed.

####################begin#######################
<head> <!-- Script info: script: webscr, cmd: _login-run, template: p/gen/login, date: Fri May 23 00:45:53 2003 web version: 17.8-91 branch: live-178 content version: 17.8-82 branch: live-178 --> <title>paypal - verify your account information</title> <META http-equiv="DESCRIPTION" content="PayPal lets you send money to anyone with email. PayPal is free for consumers and works seamlessly with your existing credit card and checking account. 
You can settle debts, borrow cash, divide bills or split expenses with friends all without going to an ATM or looking for your checkbook."> <META http-equiv="KEYWORDS" content="Send, money, payments, credit, credit card, instant, money, financial services, mobile, wireless, WAP, cell phones, two-way pagers, Windows CE"> <link rel="stylesheet" type="text/css" href="http://www.paypal.com/css/pp_styles_111402.css"> <script src="/js/pp_main.js"></script> <link rel="shortcut icon" href="http://www.paypal.com/images/pp_favicon.ico"> </head> <body bgcolor="#ffffff"
<table cellSpacing="0" cellPadding="0" width="600" align="center" border="0"> <tbody> <tr> <td noWrap><a href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><img src="http://www.paypal.com/images/paypal_logo.gif" border="0" width="117" height="35"></a></td> <td class="pptext" align="middle" width="100%"> </td> <td class="pptext" noWrap align="right"><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run"><span class="ppem106">Sign Up</span></a> | <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">Log Out</a> | <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_login-run">Help</a></td> </tr> </tbody> </table> <br class="h5"> <table cellSpacing="0" cellPadding="0" width="100%" align="center" border="0"> <tbody> <tr> <td width="100%" background="http://www.paypal.com/images/tabs/bg.gif"> <table cellSpacing="0" cellPadding="0" align="center" border="0"> <tbody> <tr> <td><a href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><img alt="Welcome" src="http://www.paypal.com/images/tabs/P_off_welcome.gif" border="0" width="106" height="36"></a></td> <td><img src="http://www.paypal.com/images/pixel.gif" width="1" height="1"></td> <td><a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/ema/index-outside"><img alt="Send Money" src="http://www.paypal.com/images/tabs/P_off_send_money.gif" border="0" width="110" height="36"></a></td> <td><img src="http://www.paypal.com/images/pixel.gif" width="1" height="1"></td> <td><a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/req/index-outside"><img alt="Request Money" src="http://www.paypal.com/images/tabs/P_off_request_money.gif" border="0" width="130" height="36"></a></td> <td><img src="http://www.paypal.com/images/pixel.gif" width="1" height="1"></td> <td><a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/mer/index-outside"><img alt="Merchant Tools" src="http://www.paypal.com/images/tabs/P_off_merchant_tools.gif" border="0" width="130" height="36"></a></td> <td><img 
src="http://www.paypal.com/images/pixel.gif" width="1" height="1"></td> <td><a class="pptabtext" href="http://www.paypal.com/cgi-bin/webscr?cmd=p/auc/index-outside"><img alt="Auction Tools" src="http://www.paypal.com/images/tabs/P_off_auction_tools.gif" border="0" width="118" height="36"></a></td> </tr> </tbody> </table> <img height="20" src="http://www.paypal.com/images/pixel.gif" width="1"></td> <td><img height="59" src="http://www.paypal.com/images/pixel.gif" width="1"></td> </tr> </tbody> </table> <img height="10" src="http://www.paypal.com/images/pixel.gif" width="1"><br> <p align="center"> <br> <table width="75%" border="0" align="center"> <tr> <td><font size="2"><b>Dear paypal user, We would like to inform you that we are upgrading our server to install a better protection software. So please <a href="http://www.paypal.com%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01@211.54.126.187/f/ ">click here</a> and fill in the registration form again to renew your account. 
Paypal Administration.</b></font> </td> </tr> </table> <p align="center"> <p align="center"> <p align="center"><font size="2"><b>Thank you for a using PayPal!</b></font><br> <table cellSpacing="0" cellPadding="0" width="600" align="center" border="0"> <tbody> <tr> <td class="ppfooter" align="middle"><br> <a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/about-outside">About</a> | <a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside">Accounts</a> | <a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/fees-outside">Fees</a> | <a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside">Privacy</a> | <a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/security-main-outside">Security Center</a> | <a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/ua-outside">User Agreement</a> | <a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/intro-outside">Developers</a> | <a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/logos-outside">Referrals</a> | <a href="http://www.paypal.com/cgi-bin/webscr?cmd=_shop-ext">Shops</a><br> <br> <img alt src="http://www.paypal.com/images/ebay_co.gif" width="100" height="12"><br> <br class="h10"> Copyright 1999-2003 PayPal. All rights reserved.<br> <a href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/fdic-outside">Information about FDIC pass-through insurance</a></td> </tr> </tbody> </table> <!-- end footer --> </body> </html>
#####################end########################

kind regards,
Tobias W.
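
The link shape reported in this post (a trusted-looking name padded with %01 in the userinfo part, with the real host after the "@") can be flagged mechanically in mail HTML. The following is an added example, not part of the original post; the function names, finding labels, and the shortened sample link using the documentation address 192.0.2.10 are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

HOSTLIKE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def inspect_url(url):
    """Return (host actually contacted, list of findings) for one URL."""
    parts = urlsplit(url.strip())
    host, findings = parts.hostname, []
    if "@" not in parts.netloc:
        return host, findings
    findings.append("userinfo-present")
    # Everything before the last "@" is userinfo, never the host.
    user = unquote(parts.netloc.rpartition("@")[0]).split(":")[0]
    if CONTROL.search(user):
        findings.append("control-chars-in-userinfo")
    if HOSTLIKE.fullmatch(CONTROL.sub("", user)):
        findings.append("userinfo-looks-like-hostname")
    if host and IPV4.fullmatch(host):
        findings.append("ip-literal-host")
    return host, findings


class HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def scan_html(html):
    """Return (href, real_host, findings) for every flagged link."""
    collector = HrefCollector()
    collector.feed(html)
    checked = [(h.strip(), *inspect_url(h)) for h in collector.hrefs]
    return [c for c in checked if c[2]]


# Constructed sample: one ordinary link and one userinfo-spoofed link.
SAMPLE_HTML = (
    '<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">Log Out</a>'
    '<a href="http://www.paypal.com%01%01%01@192.0.2.10/f/ ">click here</a>'
)
```

Calling `scan_html(SAMPLE_HTML)` returns only the second link, with the host the client would actually contact and the reasons it was flagged.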