  AlphaC
join:2008-12-25
| reply to nwrickert Re: PayPal.com phish scam, help me!
said by nwrickert : Part of the problem is that domain registrars do a poor job of checking the legitimacy of domain purchasers.
That's something spammers really take advantage of. A large registrar is going to be processing several thousand new domains every day. It's all automated. There's no human looking at the whois saying, "LOL! They expect me to believe that?"
Registrars can develop systems to identify fraudulent registrations based on the "fingerprints" of other known fake registrations. We worked very closely with an admin at TodayNIC when they were being inundated with spam registrations and were able to help him automate identifying and suspending fraudulent registrations; TodayNIC now gets far fewer new registrations as spammers take their domains and credit card chargebacks elsewhere.
Why don't all the registrars do that? Part of it is that they just don't know as much about these spam operations as those of us who concentrate on researching them, part of it is they aren't charging enough for a domain registration to spend a lot of money on aggressive enforcement of AUPs, and part of it is that many really don't want to get into policing website content (porn, especially), so they insist that complaints about spam and fraud go to the hosting service instead.
ICANN does require them to act on fraudulent registrations, but they don't require them to do it quickly and they don't particularly specify what action they need to take -- is emailing the "registrant" and allowing him to substitute new fake information for old info sufficient? Or should they Google the new address to see if that exists either, for instance?
Meanwhile, the policy of insisting that only the hosting company can act on spam or fraudulent content is specious. The worst of the worst websites are all hosted on hijacked computers, and the IP addresses you see when you look them up are only the first step in a bucket brigade of servers transferring files back and forth. If you were to be able to contact the owner of the hijacked server you see, he won't find any of the website files on his machine. And he's probably not all that concerned anyway if he doesn't even know there's a trojan on his machine in the first place. |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| reply to AlphaC It's frustrating for us to see the magnitude of the fraud from our point of view (hundreds of thousands of domains at about $10 each), ... Part of the problem is that domain registrars do a poor job of checking the legitimacy of domain purchasers. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5 |
|
  AlphaC
join:2008-12-25
| reply to ScamHelpPlease We track a lot of the domains advertised in spam at the forums at »ksforum.inboxrevenge.com . Since they are carrying out criminal activity, they're registered with fake/stolen identity information, and usually paid with stolen credit/debit/paypal accounts.
It's frustrating for us to see the magnitude of the fraud from our point of view (hundreds of thousands of domains at about $10 each), yet see the financial institutions looking at it as a lot of tiny charges not worth pursuing. Shoot, they even give these guys merchant accounts and let them check credit cards in real time for people buying their fake viagra and male member enlargement crap.
I'd encourage anyone who has experienced this type of fraud to pursue it vigorously. In the case of these spamvertised sites, you really want it on record that you are not involved in the scam, and you want to make sure the registrar removes your name from public whois information.
I realize this is a very sensitive issue. But since most people who are victimized have no idea what I just said and may have arrived on this forum via a Google search, I'd invite them to visit our forum to get help learning how to extricate their identities from fraudulent domain registrations. |
|
  Harr Harr Harr
@cot.net
| reply to ScamHelpPlease This is why Nexon America did crack down on what types of Paypal accounts you can use to charge their NX cash.
I have a feeling you somehow did get phished by a gold farmer or something similar and they got a hold of your account information from paypal. Though, did the email supposedly come from Paypal or Nexon? It should only come from Paypal.
An official receipt from buying from Nexon America SHOULD look like this:
service@paypal.com
Dear Name,
This email confirms that you have paid Nexon America Inc. (billingpp@nexon.net) $10.00 USD using PayPal.
Payment Details Transaction ID: ################### Item Price: $10.00 USD Total: $10.00 USD (Ex.) Buyer: Name.
It may take a few moments for this transaction to appear in the Recent Activity list on your Account Overview.
Business Information Business: Nexon America Inc. Contact E-Mail: billingpp@nexon.net
Your Confirmed Address
Shipping Info: Your address or whatever here.
If you have questions about the shipping and tracking of your purchased item or service, please contact Nexon America Inc. at billingpp@nexon.net.
Thank you for using PayPal! The PayPal Team
Your monthly account statement is available anytime; just log in to your account at »https://www.paypal.com/us/HISTORY. To correct any errors, please contact us through our Help Center at »https://www.paypal.com/us/HELP.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and choose the Help link located in the top right corner of any PayPal page.
To receive email notifications in plain text instead of HTML, update your preferences here.
PayPal Email ID #####
Because the game MapleStory attracts A LOT of those gold farmers from other countries, but they have to work via proxy, because there are many sites that are dedicated to selling the currency for actual money (usually cheap or something, I dunno). |
|
  ScamHelpPlease
@verizon.net
| reply to Doctor Olds Since the language was in Chinese, I'm guessing they're "gold farmers" who sell the ingame items for real cash. I think that maybe this hides their identity since it's a 3rd party that does the billing and they won't get the cooperation of Nexon America to actually stop these people. |
|
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs:
| reply to MGD This is the game. Very Strange, but very popular to many it seems.
MapleStory »en.wikipedia.org/wiki/MapleStory quote: MapleStory (Korean: 메이플스토리) is a free-of-charge, 2D, side-scrolling massively multiplayer online role-playing game developed by the South Korean company Wizet. Several versions of the game are available for specific countries or regions, and each is published by various companies such as Wizet and Nexon. Although playing the game is free, character appearances and gameplay enhancements can be purchased from the "Cash Shop" using real money. MapleStory has a combined total of over 50 million subscriber accounts in all of its versions.[3][4] MapleStory North America (Global), for players mainly in North America and outside of East Asia, Southeast Asia and Europe, has over three million players.[3]
-- What's the point of owning a supercar if you can't scare yourself stupid from time to time? |
|
 K Patterson Premium,MVM join:2006-03-12 Columbus, OH | reply to MGD I wonder if the fraudulent charges are coming from gamers - the company appears to be legit. |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to ScamHelpPlease Very good catch !!
That explains the foreign language setting, they logged into your account from Asia, and paypal remembers the last logon setting.
This I presume is the company paid? »www.google.com/search?hl=en&q=%2···C+inc%22 gaming, based in Los Angeles.
MGD |
|
  ScamHelpPlease
@verizon.net | reply to MGD Apparently I wasn't the only one hit:
»www.complaintsboard.com/complain···411.html |
|
  ScamHelpPlease
@verizon.net
| reply to MGD I haven't been to PayPal in years, and it didn't have my e-mail address in the login box when I went to the page for the first time today. No one else uses my PC except for me. I don't know how the language change happened, but it is highly suspicious. The transaction appears to be real, I see two payments for $30 to a company called Nexon. Nexon appears to be an Asian company that makes online RPGs, so the Asian language again seems very suspicious. I wonder how they got my account info. The only thing that comes to mind is that I possibly used the same login info on a forum somewhere, and whoever could get access to forum login information could attempt to use it anywhere else. BTW, thanks for helping everyone. It's good to know I can come here for help. Hopefully I'll be able to resolve this tomorrow with PayPal. Thankfully the sending limit was reached at $60. |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to ScamHelpPlease said by ScamHelpPlease :
.... And the E-mail I got saying I paid out $60 to this company called Nexon was using a phishing URL, yet it had my real contact info. It looks like the transaction is real, so I'll have to call PayPal
That has happened before, there are multiple threads in this forum of "targeted" paypal phishing mail. I recall one thread where the phish mail not only had the victim's real id name, but also his correct address. I cannot find the correct search keys to find it, but I do remember it. I think it may also have a post where we showed phishers that we caught who had printouts of names, addresses and email addresses that they bought from places like netdetective.com with carded accounts. Since your Paypal id is always an email address, it is not difficult to send millions of phish mails and hit many people with matching PayPal accounts.
MGD |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
4 edits | reply to ScamHelpPlease If you go to »www.paypal.tw (or any Asian paypal) it will default to www.paypal.com/tw and display the local language. If you now log in, it will set a language preference cookie. Log out or just close the window. Now go to the English »www.paypal.com, log in, and it will show you the .com site in an Asian language.
LOOK !!!:

I am at Paypal.com but the language is in Asian / Chinese
I can either delete the cookie or reset it in preferences.
In your case you did not click on the phish link, and the language may have nothing to do with the phish. If you have not been to paypal in a long time, then that preference change could have happened long ago. All that is needed for an auto change to happen is that you log in to a legit Paypal domain via a foreign paypal site. The two events may not be connected, only that you now went in to PayPal to check and saw the language set to non English.
That transaction in the phishmail is fake. I am sure if you check your account there will be no record of it.
So while the jury may still be out, it is important to realize that the change can happen for non nefarious reasons. That is important before you go ripping your system apart looking for a virus that may not exist. Especially if this was the only symptom. It is understandable when you see the foreign screen right when you check up on that phish mail. However, you appear to be someone who is well aware of the fake links, and never clicked on it.
There may be no connection between the two events, other than the coincidence that this is when you decided to log in. When was the last time that you were at PayPal? Are you the only one that uses that PC who has a PayPal account?
EDIT= ADD That Paypal cookie is global within that Windows user account. If another person logged in under their account and changed preferences or logged in on a foreign Paypal, then whoever goes to paypal.com again under that Windows user will be presented with that same language setting.
Had you not changed it back, then you could tell when it originally happened by the date of the cookie. I presume, but am not sure, that the other cookie is now overwritten.
When you went to paypal.com the first time after seeing the phish mail, did it already have the correct user ID (yours) in the field, or someone else's, or was it blank?
MGD |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to ScamHelpPlease That is not the real phishing link, you either need to show the mail in text format or right click on that link and show properties then copy and post the link in properties.
I can duplicate that problem.
Hang on I will show you how to make it happen
MGD |
|
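The check described in the post above (compare the link text shown in the mail with the real target found in the link's properties), as an added example that is not part of any post in this thread. The sample mail body, its hostnames and the `TRUSTED` set are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = {"paypal.com"}  # assumption: the only domain this mail should link to
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

def host_of(url):
    """Lower-cased hostname of a URL (scheme optional), '' if there is none."""
    url = url if "://" in url else "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_trusted(host):
    # Exact match or a true subdomain; "paypal.com.example.net" does not pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html):
    """Return (text, href, reason) for links whose real target is not trusted."""
    parser = LinkAudit()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = host_of(href)
        if is_trusted(target):
            continue
        reason = "target outside trusted domains"
        if URLISH.match(text) and host_of(text) != target:
            reason = "link text shows a different host than the target"
        findings.append((text, href, reason))
    return findings

# Constructed sample mail body (203.0.113.7 and example.net are documentation values).
SAMPLE = """<a href="http://203.0.113.7/ws/VERIFY">https://secure.paypal.com/us/VERIFY</a>
<a href="https://www.paypal.com/us/HELP">Help Center</a>
<a href="http://paypal.com.login.example.net/">Log in</a>"""
```

Calling `audit(SAMPLE)` reports the first and third links and passes the genuine Help Center link.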
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs:
| reply to ScamHelpPlease That is actually a PayPal server link and resides at IP 64.4.241.49
OrgName: PayPal
OrgID: PAYPAL
Address: 2145 Hamilton Ave
City: San Jose
StateProv: CA
PostalCode: 95125
Country: US
NetRange: 64.4.240.0 - 64.4.255.255
CIDR: 64.4.240.0/20
NetName: PAYPAL-1
NetHandle: NET-64-4-240-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Assignment
NameServer: PPNS1.PHX.PAYPAL.COM
NameServer: PPNS2.PHX.PAYPAL.COM
NameServer: PPNS1.DEN.PAYPAL.COM
NameServer: PPNS2.DEN.PAYPAL.COM
Comment:
RegDate: 2003-02-25
Updated: 2008-04-17
OrgTechHandle: EBAYN-ARIN
OrgTechName: eBay Network
OrgTechPhone: +1-408-376-7400
OrgTechEmail: network@ebay.com
# ARIN WHOIS database, last updated 2009-01-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
**complete** -- What's the point of owning a supercar if you can't scare yourself stupid from time to time? |
|
  ScamHelpPlease
@verizon.net
| reply to MGD I immediately assume all e-mails from PayPal are phish/spam. I stopped using PayPal years ago, unfortunately I didn't remove my credit card from my account. This is the URL the PayPal receipt E-mail has:
»https://secure.uninitialized.real.paypal···s/VERIFY
I mean, it's really easy to tell that it's fake. So I manually went to PayPal.com and logged in. The front login page was in English, but as soon as it went to the account info page, it was all in Chinese. |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to ScamHelpPlease Did you check your PayPal account to make sure that the transaction was real? Many PayPal email phishing scams will show a bogus transaction in order to lure you into clicking the link and logging in to the phishing site. One possibility is if the phishing website was in an Asian country and you clicked the phish link, Paypal will auto set a cookie with an Asian language preference. That way when you go back to Paypal it will remember your language preference. Many sites will auto assume that language preference based on the Geo location of the IP that you come in from. Many phishing sites are scripted to validate a log in by passing your data in real time to PayPal. That would generate the cookie with language preference. I am not sure if the cookie will set by just a visit without a log in or not.
You may want to post the entire phish mail real links to see if in fact it was hosted in an Asian country. I do not suspect that your PC has been compromised solely based on the language change alone. Need Phish info to confirm my suspicion.
Google for example also will adapt your language preference based on where the IP that you log in from is located.
MGD |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| reply to ScamHelpPlease Why was the page in Chinese by default? Perhaps your account was broken into, and the default changed to Chinese.
Yes, you need to call Paypal. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5 |
|
 garys_2k
join:2004-05-07 Farmington, MI
·Future Nine Corpor..
·Vonage
| reply to ScamHelpPlease I just saw your replies and thought you had some sort of setting messed up. It does look like you're on the correct site and you ought to be able to get the charge straightened out. I'd still run one of the online virus checks anyway, just to be really certain you're clean.
Good luck! |
|
  ScamHelpPlease
@verizon.net
| reply to ScamHelpPlease Sorry, it seems the replies were delayed. I found an option on the front page to switch the language to English. I couldn't find it before because the option to change language was in Chinese too. This is extremely strange. Why was the page in Chinese by default? And the E-mail I got saying I paid out $60 to this company called Nexon was using a phishing URL, yet it had my real contact info. It looks like the transaction is real, so I'll have to call PayPal |
|
  TestingReply
@verizon.net | reply to garys_2k test, I can't seem to reply anymore |
|