Full Disclosure mailing list archives

RE: Paypal Phishing Again


From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 5 May 2005 08:09:10 -0500

I would guess that almost everyone on this list can spot a phishing
e-mail. I reported one to Paypal yesterday, and another the day before
that. I would say that I can around 8-10 a week. Should I post them all
on FD? It doesn't help. The phishing site will be down in a matter of
days (perhaps hours)... and it will be put up on another zombie that is in
the botnet.

Report these to PayPal and to the anti-phishing group. FD is a place to
talk about phishing, but not to report each e-mail... just my 2 cents.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Jason Weisberger
Sent: Wednesday, May 04, 2005 9:33 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Paypal Phishing Again

Hello all,

Wasn't sure if anybody spotted this one, but here's another 
phishing attempt by someone looking for Paypal account information:

X-Gmail-Received: a932e7e33d8a0c08683926a3e13e50d19a838c91
Delivered-To: jbdubbs () gmail com
Received: by 10.54.56.53 with SMTP id e53cs17538wra;
        Fri, 15 Apr 2005 10:10:20 -0700 (PDT)
Received: by 10.54.3.49 with SMTP id 49mr221139wrc;
        Fri, 15 Apr 2005 10:10:16 -0700 (PDT)
Return-Path: <service () paypal com>
Received: from 64.233.185.114 ([207.44.208.74])
        by mx.gmail.com with SMTP id 
11si1475393wrl.2005.04.15.10.09.44;
        Fri, 15 Apr 2005 10:09:45 -0700 (PDT)
Received-SPF: softfail (gmail.com: domain of transitioning 
service () paypal com does not designate 207.44.208.74 as 
permitted sender)
Received: from c37.s59mx.com (HELO 2r2z) ([45.126.141.83]) by 
64.233.185.114 SMTP id 2HvwA26lxKtCAL; Fri, 15 Apr 2005 14:06:47 -0400
Message-ID: <gdd0tl-fa-zf28-z2w9r@qx0r2d>
From: "PayPal" <service () paypal com>
To: <jbdubbs () gmail com>
Subject: PayPal Account Security Measures
Date: Fri, 15 Apr 05 14:06:47 GMT
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="02FA_603B..9_"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

--02FA_603B..9_
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

</style>
</head>

<BODY><TABLE><TR><TD bgcolor=3D"#ffffff"> <table 
width=3D"600" cellspacing=3D"0" cellpadding=3D"0" 
border=3D"0" alig= n=3D"center"> <tr valign=3D"top">
      <td><a href=3D"https://www.paypal.com/us"; 
target=3D"_blank" ><img src=3D"= 
http://images.paypal.com/en_US/i/logo/email_logo.gif"; 
alt=3D"PayPal" borde= r=3D"0"></a></td> </tr> </table>

<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"0" 
border=3D"0"> <tr>
      <td 
background=3D"http://images.paypal.com/images/bg_clk.gif"; 
width=3D"10= 0%"><img 
src=3D"http://images.paypal.com/images/pixel.gif"; 
height=3D"29" w= idth=3D"1" border=3D"0"></td> </tr> <tr>
      <td><img 
src=3D"http://images.paypal.com/images/pixel.gif"; 
height=3D"10" = width=3D"1" border=3D"0"></td> </tr> </table>

<table width=3D"600" cellspacing=3D"0" cellpadding=3D"0" 
border=3D"0" alig= n=3D"left"> <tr valign=3D"top">
      <td width=3D"400">
      <table width=3D"100%" cellspacing=3D"0" 
cellpadding=3D"2" border=3D"0">
              <tr>
                      <td>Dear PayPal Member,<br><br>
Your account has been randomly flagged in our system as a 
part of our rout= ine security measures. 
This is a must to ensure that only you have access and use of 
your PayPal = account and to ensure a safe PayPal experience. 
We require all flagged acc= ounts to verify their information 
on file with us. To verify your Informat= ion at this time, 
please visit our secure server webform by clicking the h= 
yperlink below:
<br><br>
 
<table width=3D"70%" cellpadding=3D"0" cellspacing=3D"0" 
border=3D"0" bgco= lor=3D"#FFFFFF" align=3D"center"> <tr> <td>
      <table width=3D"50%" cellpadding=3D"4" 
cellspacing=3D"0" border=3D"0" bgc= olor=3D"#FFFFFF" align=3D"center">
                      <FORM target=3D"_blank"  
ACTION=3Dhttp://rds.yaho&#010;o.com/*http://ww=
w&#009;.google.com/url  METHOD=3Dget>
<INPUT TYPE=3DHIDDEN NAME=3Dq 
VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
r038.netfirms.com/login/>
<input type=3Dsubmit style=3D"color:#000080; border:solid 
0px; background:= #white;" 
value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update>
</form><br>
</td>
              </tr>
      </table>
</td>
</tr>
</table>

 Thank you for using PayPal!<br>
The PayPal Team</td>
</tr>

<tr>
<td>
<hr class=3D"dotted">
</td>
</tr>

<tr>
<td>
<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"0" 
border=3D"0"> <tr> <td class=3D"pp_footer">Please do not 
reply to this e-mail. Mail sent to this address cannot be 
answered. For assistance, log in</a> to your PayPal account 
and choose the "Help" link in the footer of any page.<br> <br 
class=3D"h10">  To receive email notifications in plain text 
instead of HTML, update your preferences <a 
href=3D"https://www.paypal.com/us/PREFS-NOTI"; t= 
arget=3D"_blank" > here</a>.</td> </tr>

<tr>
      <td><img 
src=3D"http://images.paypal.com/en_US/i/scr/pixel.gif"; 
height=3D= "10" width=3D"1" border=3D"0"></td> </tr> </table> 
</td> </tr>

<tr>
      <td><br><span class=3D"pp_footer">PayPal Email ID 
PP478<br><br></span></t=
d>
</tr>
</table>
</td>
<td><img 
src=3D"http://images.paypal.com/en_US/i/scr/pixel.gif"; 
height=3D"= 1" width=3D"10" border=3D"0"></td> <td 
width=3D"190" valign=3D"top"> <table width=3D"100%" 
cellspacing=3D"0" cellpadding=3D"1" border=3D"0" bgc= 
olor=3D"#CCCCCC"> <tr>
      <td>
      <table width=3D"100%" cellspacing=3D"0" 
cellpadding=3D"0" border=3D"0" bg= color=3D"#ffffff">
      <tr>
      <td>
              <table width=3D"100%" cellspacing=3D"0" 
cellpadding=3D"5" border=3D"0" b= gcolor=3D"#EEEEEE">
              <tr>
              <td class=3D"pp_sidebartextbold" 
align=3D"center">Protect Your Account I= nfo</td>
              </tr>
              </table>
              
<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"5" 
border=3D"0"> <tr> <td class=3D"pp_sidebartext">Make sure you 
never provide your password to fraudulent websites.<br> <br> 
To safely and securely access the PayPal website or your 
account, open up a new web browser (e.g. Internet Explorer or 
Netscape) and type in the PayPal URL 
(http://www.paypal.com/).<br> <br> PayPal will never ask you 
to enter your password in an email.<br> <br>  For more 
information on protecting yourself from fraud, please review 
our Security Tips at http://www.paypal.com/securitytips<br>
<img src=3D"http://images.paypal.com/en_US/images/pixel.gif"; 
height=3D "5" width=3D"1" border=3D"0"></td> </tr> </table> 
</td> </tr>

--02FA_603B..9_--



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
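
As an added example (not part of either poster's message): Python that decodes the quoted-printable FORM from the sample above, removes the tab and newline character references embedded in the ACTION URL, unwinds the redirector hops offline, and compares the host shown on the button with the host the form ends at. The function names and the two redirector URL shapes handled (`rds.yahoo.com/*<url>` and `www.google.com/url?q=<url>`) are assumptions read off the sample; `SAMPLE_QP` is constructed from the message's FORM lines with the archive's line wrapping removed.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed from the FORM lines of the quoted message (archive wrapping removed).
SAMPLE_QP = (
    b'<FORM target=3D"_blank" ACTION=3Dhttp://rds.yaho&#010;o.com/*http://ww=\n'
    b'w&#009;.google.com/url METHOD=3Dget>\n'
    b'<INPUT TYPE=3DHIDDEN NAME=3Dq VALUE=3Dhttp://rds.yahoo.com/*http://transfe=\n'
    b'r038.netfirms.com/login/>\n'
    b'<input type=3Dsubmit value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update>\n'
)
# URL parsers discard tab, LF and CR; HTMLParser decodes &#009; / &#010; into them.
STRIP = str.maketrans("", "", "\t\n\r")

class FormGrabber(HTMLParser):
    """Collect the form action, hidden fields and the submit button label."""
    def __init__(self):
        super().__init__()
        self.action, self.hidden, self.label = "", {}, ""
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").translate(STRIP) for k, v in attrs}
        kind = a.get("type", "").lower()
        if tag == "form":
            self.action = a.get("action", "")
        elif tag == "input" and kind == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")
        elif tag == "input" and kind == "submit":
            self.label = a.get("value", "")

def unwrap(url, max_hops=10):
    """Unwind redirector URLs offline (no requests); return the hosts in order."""
    hosts = []
    for _ in range(max_hops):
        u = urlsplit(url)
        hosts.append(u.hostname)
        q = parse_qs(u.query).get("q")
        if u.hostname == "rds.yahoo.com" and u.path.startswith("/*"):
            url = u.path[2:] + ("?" + u.query if u.query else "")
        elif u.hostname == "www.google.com" and u.path == "/url" and q:
            url = q[0]
        else:
            break
    return hosts

def analyze(qp_bytes):
    p = FormGrabber()
    p.feed(quopri.decodestring(qp_bytes).decode("latin-1"))
    hosts = unwrap(p.action + "?" + urlencode(p.hidden))  # URL a GET form submits
    shown = urlsplit(p.label).hostname
    return {"shown": shown, "hops": hosts, "mismatch": shown != hosts[-1]}
```
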
