Forums » Up and Running » Security » Spam, Scam and Phishbusters » [Phishing] ALERT!! New Vicious PAYPAL phishing

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL


3 edits
[Phishing] ALERT!! New Vicious PAYPAL phishing

Within the past week a new to me breed of Paypal phishing has started making the rounds. There are now several in circulation, and based on the success rate I expect them to proliferate just like the Chase phishes did a few months back.

Within 72 hours one of these Paypal phishes has ensnared over 1,100 victim accounts. It was targeted by multiple spams that used various referral links on hijacked machines. In the two years that I have been digesting and extracting phish data, I have never seen any that came close to 1,100 victims in a little over two days. In fact, I have never seen anything even close to that rate regardless of the up-time or the phish type. As far as I am concerned this is a record.

What makes these Paypals so unique and vicious is that they are scripted to interface with the real Paypal site. They not only validate the user's credentials in real time, but also extract and display the user's account details on the phish page. Whatever reservations and suspicions a potential victim may have, they will undoubtedly be overcome by the fact that after logging into the phish site, their account details will be retrieved from Paypal and displayed on the page. They are then asked to confirm their credit card number, enter their SSN number, and confirm their address.

I can tell you that these phishes are luring a wide range of people in several countries. The range of victims includes Lawyers, Engineers, Academic Professionals, Web Consultants, Business owners, Headhunters, you name it, they are in there.

These are two examples of the original spam. This one gives you a deadline for updating your account:




The second example motivates you to log in by telling you that a primary email address was added to your account:




These are two examples of the login screens that victims are presented with when they click on the links in the spam mail. Only the IP address prefix in the URL is the giveaway that this is a bogus site.




The fake SSL key after secure log in should be a warning sign:




Once the victim enters their User ID and Password the script submits the data to the real Paypal for validation. An incorrect User ID and/or Password will return this:




Once the victim successfully logs in, their complete data set is retrieved from Paypal and presented on the page. Once the victim gets this far, any doubts that they may have about being at the "legitimate" site should now be removed.

First they are presented with their first and last name from the account displayed right after "Dear". In addition to showing their current email address/log in, the page also shows the last four digits of their credit card that is currently on file, along with the expiration date. They are then prompted to re-enter/confirm the card number so the phisher can now capture it, as paypal will only display the last four digits. Also, they are asked to confirm their mailing address, and to round out the complete theft of their identity their Social Security number is needed:




Notice the last sentence in the above: "Protecting the security of your PayPal account is our primary concern, and we apologize for any incontinence it may cause." If the victim gives up all that data it will surely cause a bout of "incontinence" in a week or two when the statements start to roll in.

Even if the victim decides to back out at this stage, and not enter or confirm anything, the phisher has already captured the PayPal User ID and Password.

Here is where the "billing" address is entered:




Another version of the Paypal "interactive" phish actually retrieves and displays the victim's address currently on file with PayPal:




There is no question that based on the current success rate, this integrated phishing will become rampant. Again 1,100 validated accounts in less than 3 days driven by multiple spams that have referrals on hijacked boxes in the US with the phish pages stashed in either China or Korea, will quickly become the phish du jour. It is readily apparent that a wide spectrum of people are falling for it.

MGD
EDIT=typo+added text
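The giveaway MGD describes is in the link itself: a raw IP address as the host with "paypal.com" buried in the path, or visible link text that names one site while the href goes to another. As an added example (not code from this thread or from PayPal), here is a small mail-side link checker that pulls every anchor out of an HTML message and reports those signs. The sample message, the `BRANDS` list, the documentation IP 203.0.113.5 and the host www.example.de are constructed for the demonstration; the brand check also flags a brand name sitting in a subdomain, which goes slightly beyond the IP-prefix case shown above.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands whose name appearing in a link deserves a closer look (constructed list).
BRANDS = {"paypal.com", "ebay.com"}

# Constructed sample message in the style of the spam described in this thread.
SAMPLE_EMAIL = """
<p>Dear PayPal Member,</p>
<p>Your account will be suspended. Please
<a href="http://203.0.113.5/paypal.com/index.html">log in</a> within 24 hours.</p>
<p>Or use this link:
<a href="http://www.example.de/pp/login">https://www.paypal.com/cgi-bin/webscr</a></p>
<p><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_help">Help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Last two labels of a host name. Simplification: a real checker would use the
    public suffix list so that e.g. co.uk is handled correctly."""
    if is_ip(host):
        return host
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_named_in_text(text):
    """The host the visible link text appears to name, or None if it is plain words."""
    text = text.strip()
    if "://" in text:
        return urlsplit(text).hostname
    if re.fullmatch(r"(www\.)?([\w-]+\.)+[a-z]{2,}(/\S*)?", text, re.I):
        return text.split("/")[0]
    return None


def assess(href, text):
    """Return the list of reasons this link looks like a phish (empty means none found)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if is_ip(host):
        reasons.append("ip-host")            # the IP-prefix giveaway from the screenshots
    where = f"{host}{parts.path}?{parts.query}".lower()
    if any(b in where and registrable(host) != b for b in BRANDS):
        reasons.append("brand-misplaced")    # brand name in path or subdomain, not the real domain
    claimed = host_named_in_text(text)
    if claimed and registrable(claimed) != registrable(host):
        reasons.append("text-host-mismatch") # what you see is not where you go
    if parts.scheme != "https":
        reasons.append("no-tls")
    return reasons


def analyze_email(html):
    collector = LinkCollector()
    collector.feed(html)
    return [{"href": h, "text": t, "reasons": assess(h, t)} for h, t in collector.links]


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(finding["href"], "->", ", ".join(finding["reasons"]) or "ok")
```

The checker deliberately does not trust the visible text at all; it is what a mail client's status bar shows on hover, done for every link at once. A link that passes all four checks is not proven safe, which is why going to the site by typing its address remains the better habit.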


s0tet

join:2005-06-08
Thanks for reporting this. Do you have any URLs that are active that you can share? If not, I can understand. I wonder if there are any news updates on Google on this. I will take a look.

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

said by s0tet:

Thanks for reporting this. Do you have any URLs that are active that you can share? If not, I can understand. I wonder if there are any news updates on Google on this. I will take a look.
Sure, here is one example. This one is on a Korea Internet Data Center IP:
»211.233.66.55/paypal.com/index.p···Bpc2VtYX

I notified PayPal Thursday and turned over victim data. China and Korea are both difficult to shut down promptly. I was hoping PayPal could block the IP's at their end from coming in, and prevent the phish from validating log ins and then extracting the account data.

MGD

tdumaine

join:2004-03-14
Redmond, WA
·Comcast

reply to MGD
Can't PayPal block requests for authorization from off of their servers?

Example:

I go to paypal.com. Paypal.com wants my login info, so if that IP is requesting to their server to authenticate, can't they block auth requests from anything but paypal.com's IP?

K Patterson
Premium,MVM
join:2006-03-12
Columbus, OH
I think the answer is that the Phishing site is connecting as though they are a customer and screen washing to get the info from PayPal's reply.

This whole deal is pretty nasty.

tdumaine

join:2004-03-14
Redmond, WA
·Comcast

reply to MGD
Dude,

Say I'm running a PayPal-like service. Let's call it Tompal.

Tompal has two servers that run it. When you go to Tompal, server #1 presents you with a login page. Server 1 checks your username/password with my server #2, which contains all that.

Set server 2 up to not allow any connections other than from server 1.

Then the phishers in China wouldn't work because server 2 won't auth to the outside world.

Why can't they set it up like this?

K Patterson
Premium,MVM
join:2006-03-12
Columbus, OH
·RoadRunner Cable

Assuming that the Pay Pal system keeps the client database on a server different from their WWW server, that is exactly how it is set up.

The phisher does not access the database directly. It logs in to the WWW site just like any other PayPal member, using the user name and password which the yokel provides.

Until it bans the IP associated with the phisher, there is no way to separate this fake inquiry from a legitimate customer log-in.

I think it would have been better to have said "screen scraper" in my earlier post.

public

join:2002-01-19
Santa Clara, CA
·DSL EXTREME

reply to s0tet
Example:

»202.181.96.54/secure/signin.ebay···hsin.php

kw524

join:2005-07-09
Walden, NY
reply to MGD
I'm just an uneducated machinist in upstate N.Y. and I knew better than to fall for that one. Maybe some Lawyers, Engineers, Academic Professionals, Web Consultants, Business owners and Headhunters go seek some common sense courses

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

reply to K Patterson
K Patterson is spot on, that is precisely how it works. A snippet of the source code confirms it. The phisher's login.php script has a line: href="ht*tps://www.paypal.com/cgi-bin/webscr?cmd=_login-run

<html>
<head>
<title>PayPal - Log In</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="data.css" rel="stylesheet" type="text/css">
</head>

<body>
<TABLE width="620" height="68" border=0 align=center cellPadding=0 cellSpacing=0 class=main>
<TBODY>
<TR>
<TD width="200" noWrap><A><IMG
height=50 src="img/logo.gif" width=200
border=0></A></TD>
<TD>&nbsp;</TD>
<TD width="161" align=right noWrap class=pptext><A href="https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run"><strong>Sign&nbsp;Up</strong></A> | <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">Log&nbsp;In</a> | <A href="https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=p/gen/jobs-outside">Help</A></TD>
</TR>
<TR>
<TD height="18" noWrap>&nbsp;</TD>
<TD width="259">&nbsp;</TD>
<TD class=pptext noWrap align=right>&nbsp;</TD>
</TR>
</TBODY>
</TABLE>
<table width="100%" height="63" border="0" cellpadding="0" cellspacing="0" background="img/bg.gif">

Banning the IP would be an effective method to block this validation and retrieval process.

MGD
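The point K Patterson and MGD make is that the relay is indistinguishable from a normal member login except by where it comes from: one phish host logs in as victim after victim, so a single source IP produces successful logins to many unrelated accounts in a short time. As an added example (not PayPal's code and not from this thread), here is the server-side check that would surface such a source from the web tier's login log and produce the block list and the list of accounts to reset. The log records, the documentation IPs, the account names and the function names are all constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-tier login records: (timestamp, source IP, account, result).
# The relaying phish page logs in to the real site as each victim from its own address,
# so one source IP yields successful logins for many unrelated accounts within minutes.
SAMPLE_LOGINS = [
    ("2006-06-01 10:00:01", "203.0.113.10", "alice@example.com", "ok"),
    ("2006-06-01 10:00:09", "203.0.113.10", "bob@example.com", "ok"),
    ("2006-06-01 10:00:20", "203.0.113.10", "carol@example.com", "fail"),
    ("2006-06-01 10:00:25", "203.0.113.10", "carol@example.com", "ok"),
    ("2006-06-01 10:01:02", "203.0.113.10", "dave@example.com", "ok"),
    ("2006-06-01 10:01:40", "203.0.113.10", "erin@example.com", "ok"),
    # one person logging in twice from home: a single account, never flagged
    ("2006-06-01 10:00:30", "198.51.100.7", "frank@example.com", "ok"),
    ("2006-06-01 10:30:00", "198.51.100.7", "frank@example.com", "ok"),
    # a small office behind one NAT address: two accounts, below the default threshold
    ("2006-06-01 09:00:00", "192.0.2.44", "grace@example.com", "ok"),
    ("2006-06-01 09:00:15", "192.0.2.44", "heidi@example.com", "ok"),
]


def parse_records(records):
    """Turn the raw tuples into (datetime, IP address, account, result); the IP is validated."""
    return [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ipaddress.ip_address(ip), account, result)
        for ts, ip, account, result in records
    ]


def find_relay_sources(records, window=timedelta(minutes=10), min_accounts=3):
    """Return {source_ip: [accounts]} for every source IP that logged in successfully to
    at least `min_accounts` distinct accounts inside some period of length `window`."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in parse_records(records):
        if result == "ok":
            by_ip[str(ip)].append((ts, account))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {acct for ts, acct in events[i:] if ts - start <= window}
            if len(in_window) >= min_accounts:
                # every account this source ever reached is compromised, not only the window
                flagged[ip] = sorted({acct for _, acct in events})
                break
    return flagged


def victims_to_notify(flagged):
    """All accounts a flagged source logged in to: the credentials that must be reset."""
    return sorted({acct for accounts in flagged.values() for acct in accounts})


if __name__ == "__main__":
    hits = find_relay_sources(SAMPLE_LOGINS)
    for ip, accounts in hits.items():
        print(f"block {ip}: {len(accounts)} distinct accounts in one window")
    print("reset:", ", ".join(victims_to_notify(hits)))
```

The threshold and window are the tuning knobs: too low and a campus NAT or a corporate proxy trips it, too high and a slow relay stays under it. In practice the block would be applied at the edge and the flagged accounts pushed to a password-reset queue, which is the automated form of what MGD did by hand when turning victim data over to PayPal.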


jojadi76
Premium
join:2002-10-18
Toronto, ON


1 edit
reply to MGD
I can't understand how come PayPal can't or doesn't want to implement a security feature like e-gold's (»www.e-gold.com/): they can steal your password, BUT if they log in from a different IP or country you need a special password and email verification in order to log in back again.

This is the security feature explained:

»www.e-gold.com/accsent.html

--
Remember prohibition? it still doesn't work.
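The feature jojadi76 describes is a risk-based login: a correct password from a country or network the account has never used is not enough on its own, and the user must first prove possession of the registered mailbox. As an added example (my own code, modelled only on the description in the post above, not on e-gold's or PayPal's implementation), here is that policy in a self-contained form. The GeoIP table, the documentation prefixes, the account name and the class and method names are constructed assumptions; a deployment would consult a real GeoIP database and send the code by mail.

```python
import hmac
import ipaddress
import secrets

# Constructed stand-in for a GeoIP lookup (network -> country code). A real deployment
# queries a GeoIP database here; these are documentation prefixes with invented countries.
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "KR",
    ipaddress.ip_network("192.0.2.0/24"): "CN",
}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def location_key(ip):
    """What counts as 'the same place': the country plus the /24 the login came from.
    IPv4 only in this example."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return (country_of(ip), str(net))


class LoginPolicy:
    """Remembers where each account has logged in from. A correct password from an
    unfamiliar country or network is not enough: the user must also type a one-time
    code sent to the address already on file before the session is granted."""

    def __init__(self):
        self.known = {}    # account -> set of location keys already verified
        self.pending = {}  # (account, location key) -> outstanding one-time code

    def evaluate(self, account, ip, password_ok):
        """'deny', 'allow', or 'step_up' (password fine, but prove the mailbox first)."""
        if not password_ok:
            return "deny"
        if location_key(ip) in self.known.get(account, set()):
            return "allow"
        return "step_up"

    def issue_challenge(self, account, ip):
        """Create the code that would be e-mailed to the registered address (never to an
        address supplied during this login). Returned here only so the demo can use it."""
        code = secrets.token_hex(4)
        self.pending[(account, location_key(ip))] = code
        return code

    def confirm(self, account, ip, code):
        """Check the typed code in constant time; on success the location becomes trusted.
        A real system would also expire codes and cap the number of attempts."""
        key = (account, location_key(ip))
        expected = self.pending.get(key)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self.pending[key]
        self.known.setdefault(account, set()).add(location_key(ip))
        return True


if __name__ == "__main__":
    policy = LoginPolicy()
    home = "198.51.100.20"
    print("first login from home:", policy.evaluate("alice", home, True))
    code = policy.issue_challenge("alice", home)
    print("code accepted:", policy.confirm("alice", home, code))
    print("next login from home:", policy.evaluate("alice", home, True))
    print("stolen password used from KR:", policy.evaluate("alice", "203.0.113.10", True))
```

This raises the bar rather than closing the hole: a relay that is already interactive can also prompt the victim for the mailed code, so the control pays off mostly against later reuse of the stolen password from a new location, and as a signal (a burst of step-ups from one network) that feeds the same blocking decision discussed earlier in the thread.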

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

reply to kw524
said by kw524:

... I knew better than to fall for that one. Maybe some Lawyers, Engineers, Academic Professionals, Web Consultants, Business owners and Headhunters go seek some common sense courses
Good point, I see repeatedly that there is no correlation between extended education and common sense.

I am far more sympathetic to the elderly though, some get phished over and over. I noticed a while back that some elderly victims that I notified to cancel their credit card would say "oh no, not again". When I inquired as to why, they said that their bank had contacted them twice in the past six months to notify them that there were multiple charges coming in from foreign countries, and their card was compromised.

These victims did not have any idea how it was happening. I asked them if they routinely responded to emails from Banks etc., then got copies of some of those emails. It was clear that these people were being re-targeted over and over. Once they had first responded to a random phish, the phisher would come back later and hit them with personalized phishes. Because they now knew their full name and the issuing bank's name, the next phishes would contain their name and the specific bank's name.

That is why I always tell people to never respond, period; the rule that legitimate mail will always include their name no longer applies in these cases.

MGD


Judeab

@aol.com
reply to MGD
I see these all the time. If you have an email id that has been spread around for years, you will get lots of phishing attempts, I see these weekly.

savannah27

join:2006-05-08
Gloucester City, NJ

reply to kw524
I received a letter that looked so much like a PayPal letter. It stated that they were removing over 800 bucks from my credit card and were sending two razor phones to this address in Hatfield, PA. First thing I did was call the bank and close off everything. I got a new account, new cards, new everything. The letter stated if I did not approve of this shipment to click on a URL. But then the URL was not workable. The bank told me if it happens again, just delete it because they are looking for info is all. I don't allow junk mail into my account and if it gets through I delete it. Something needs to be done because this is the 3rd time it's happened to me. It's just a pain to have to change everything to be on the safe side.


furlonium
Computer Over? Virus equals Very Yes?

join:2002-05-08
Bethlehem, PA
reply to MGD
I think a big thing to remember is that when PayPal actually sends you an email, they address you as "Dear (your first name, last name)", not "Dear Paypal Member" or "Dear Paypal User". These bogus emails are always formatted as the latter.


rob_in_chatt
Premium
join:2004-09-17
Chattanooga, TN
·Comcast

reply to MGD
I run the Netcraft toolbar, and look what I got when I clicked the Korean link...

The Gizmo

join:2002-03-12
Pearland, TX

reply to MGD
Whenever I get an email like this, I just open a browser or a new browser and go to their site manually (i.e. "https://www.paypal.com" if it's PayPal) and log in. I NEVER ever go to a site like PayPal from an email link, period. If there's anything important that they need to bring to my attention, PayPal will let me know when I log in to the real site from their real URL. Actually I always turn off HTML on email, so I can always see the real destination of a URL and not what they make it say.


cothrom

join:2005-12-01
Greer, SC
·Charter Pipeline

reply to MGD

Funny,
I've been getting these emails for two months, but not on the email address associated with my PayPal account, only on the secondary addresses I have put into PayPal. I have not received anything on the address I log in on.
Anyone else get it like this?


retiredat44
North San Diego County

join:2002-08-13
Vista, CA


1 edit
 reply to MGD
This is the type I got about 2 or 3 months back...
-----------
The second example motivates you to log in by telling you that a primary email address was added to your account:
------------
You can only tell it wasn't from PayPal if you moved your mouse over the link and looked at the script readout on the bottom of your email client. You could then see some address with a »****.***.de like URL.

It looks exactly like the PayPal website, in fact it probably was, with a second feed going to the hijackers...

I tried to post this info earlier a couple months back. I had sent my copy to PayPal and they confirmed to me it was not from them.

I really think we should start executing the criminals... whoever is against executing them are assclowns..


(don't think you are too smart, if you are half asleep, tired, in a hurry, or not thinking clearly all it takes is a moment of dumbass and you are screwed ...)


Friday, 27-Nov 14:59:18
© 1999-2009 dslreports.com