Forensic Analysis of a Paypal Phishing Scam

[Babak Pasdar <bpasdar () igxglobal com>]

Hello all,

I recently received this e-mail notifying me of a new e-mail address
that was added to my Paypal account.  I broke down the steps I took to
analyze the e-mail first to identify that it was a phishing scam and
then to track down the steps this Scammer used and identify the systems
in use.  

I have provided the e-mail and a synopsis along with a link to the
original full forensics.

Synopsis:  
1. The e-mail was sent from a Comcast network in Indianapolis from a
windows machine running outlook express.  The Scammer used a Yahoo name
on the account.

2. The domain was registered through a proxy domain registration company
which uses Yahoo's DNS and provided a web server through Yahoo.

3. The Yahoo web server redirects the user to an Oracle web server on
port 84 running in Seoul, Korea.

4. Finally, when you put in your username and password it tells you the
system is down for maintenance, but does take the time to ask you for
your credit card and pin numbers! 

Notes: The Scammer does use an interesting approach in eliminating the
address bar and using a graphics of an address bar in it's place showing
a Paypal login account. 

To see the the full analysis click here:
http://dsb.igxglobal.com/plugins/content/content.php?content.37


Babak Pasdar
Founder / Chief Technology & Information Security Officer

Support the Daily Security Briefing Web Site and Register Here:
http://dsb.igxglobal.com

For this week's DSB/Week-in-Review Audio/Video Security Report:
http://dsb.igxglobal.com/news.php?item.50.4

To register for a Daily Security Intelligence e-mail:
http://www.igxglobal.com/dsb/register.html

Get your security news via Podcast:
http://dsb.igxglobal.com/page.php?11



Return-Path: <lilreddtp2 () yahoo com>
Received: from groupware.igxglobal.com ([unix socket]) by groupware
(Cyrus v2.1.16) with LMTP; Tue, 14 Feb 2006 11:48:09 -0500
X-Sieve: CMU Sieve 2.2
Received: from mail5.igxglobal.com (unknown [192.168.27.51]) by
groupware.igxglobal.com (Postfix) with ESMTP id 910DD32C082 for
<bpasdar () igxglobal com>; Tue, 14 Feb 2006 11:48:09 -0500 (EST)
Received: from c-68-58-4-141.hsd1.in.comcast.net (HELO compaq)
([68.58.4.141]) by mail5.igxglobal.com with SMTP; 14 Feb 2006 11:48:09
-0500
Message-Id: <4oasf3$3s8uf () mail5 igxglobal com>
X-BrightmailFiltered: true
X-Brightmail-Tracker: AAAAAA==
X-IronPort-AV: i="4.02,114,1139202000";  d="scan'208,217";
a="4072399:sNHT36133904"
Reply-To: lilreddtp2 () yahoo com
From: PayPal Security <lilreddtp2 () yahoo com>
Subject: New email address added to your account !
Date: Tue, 14 Feb 2006 11:48:06 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
To: undisclosed-recipients : ;
X-Evolution-Source: imap://bpasdar;auth=DIGEST-MD5@207.241.202.7/


You've added an additional email address to your PayPal account.

If you don’t agree with this email glasshk32 () comcast net and if you need
assistance with your account, 

please click here to login to your account.

 

To make sure you can use your PayPal account the next time you make a
purchase,

all you need to do is confirm or not your email address. 

If your email program has problems with hypertext links, 

you may also confirm your email address by logging in to your account.

 
Thank you for using PayPal! 

The PayPal Team

----------------------------------------------------------------

Please do not reply to this email. This mailbox is not monitored and you
will not receive a response.

For assistance, log in to your PayPal account and click the Help link
located in the top right corner of any PayPal page. 

----------------------------------------------------------------

PayPal Email ID PP059

HEMFBKCMCUNCRVRFYOEGZWKZKENTMXZBPDSJBD

Attachment: signature.asc
Description: This is a digitally signed message part

_________________________________
igxglobal utilizes state of the art technology from PGP to ensure the safeguard of all electronic correspondences.  
This message could have been secured by PGP Universal. To secure future messages from this sender, please click this 
link and contact your representative at igxglobal for further information:

https://keys.igxglobal.com/b/b.e?r=full-disclosure%40lists.grok.org.uk&n=4Njq7juzEf1Yn9MHjRn9Ow%3D%3D




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/