ScamHelpPlease: PayPal.com phish scam, help me!
I got an e-mail today in a language which seems to be Chinese stating that I paid $60 to some company called Nexon. I have not used PayPal in YEARS. It had my contact information in it, so I went to PayPal.com manually to see if the transaction was real. I logged in and the whole page was in Chinese, but not the front login page. I think I just screwed myself. I don't know how, but www.paypal.com seems to go to a disguised hijacked page. Can someone help me please? I've scanned with a virus scanner and I'm not able to pick up anything. Where would something be able to hijack specific domain names in Windows? Something with DNS?

Doctor Olds: You need to contact PayPal directly.

ScamHelpPlease: Can you give me their phone number?

garys_2k (reply to ScamHelpPlease): Yep, likely your hosts file got changed by the phish. You may have more malware, too.
Anyway, PayPal's IP is 66.211.168.193 -- use that. It should redirect you to their https site.
ETA, from their website:
PayPal Customer Service:
1-402-935-2050 (a U.S. telephone number)
4:00 AM PST to 10:00 PM PST Monday through Friday; 6:00 AM PST to 8:00 PM PST Saturday and Sunday

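The hosts-file check suggested above, as an added example that is not part of the thread: it parses hosts-file text and flags any watched domain that is pinned to a non-loopback address. The sample hosts content and the 203.0.113.45 redirect are constructed for illustration; the list of watched domains is an assumption.

```python
import ipaddress
import re

# Domains worth watching; a defender would put their own sensitive sites here (assumption).
WATCHED_DOMAINS = {"paypal.com", "www.paypal.com"}

# Constructed sample hosts file (not taken from the thread): two normal loopback
# lines, a comment, and one line that silently redirects www.paypal.com elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.paypal.com paypal.com   # constructed hijack entry
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # malformed line, skip it
        for name in names:
            yield ip, name.lower()

def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) for watched domains (or their subdomains) pinned to a
    non-loopback address. A loopback pin is a blocking trick, not a redirect, so it is allowed."""
    hits = []
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            if not ipaddress.ip_address(ip).is_loopback:
                hits.append((name, ip))
    return hits

if __name__ == "__main__":
    # On a real Windows machine, read C:\Windows\System32\drivers\etc\hosts instead.
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"WARNING: {name} is pinned to {ip} in the hosts file")
```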
ScamHelpPlease: Thanks, I'm meticulously checking my system right now. I've checked my hosts file and as many places as I can to see DNS server settings, and they appear to be normal. The only way I could think that they could do this is by modifying DNS settings somewhere. I tried accessing the resolved name you gave, and it still seems to try www.paypal.com. The front page looks legit, but I can't be certain. It looks like their customer service just closed. Hopefully I can get in contact with someone tomorrow. If anyone has any ideas, I'm open to them. Could they have hijacked something on the server end?

Doctor Olds (reply to ScamHelpPlease): Ping PayPal and tell us what IP ping reports to you.
-- What's the point of owning a supercar if you can't scare yourself stupid from time to time?

ScamHelpPlease:
Pinging www.paypal.com [66.211.168.193] with 32 bytes of data:
Request timed out.
Request timed out.

Doctor Olds: You are going to the right IP.

garys_2k (reply to ScamHelpPlease): Their site looks fine on my end, and the address bar shows the green highlight that means the certificate confirmed the address.
If you're using Firefox you can right-click on the page you get and select View Page Info, then confirm the identity in the General tab. With IE, right-click and select Properties, then check the Certificates button.
You may have been rootkit'd; start here for checking your machine out: Security Cleanup FAQ, Mandatory Steps Before Requesting Assistance.
ETA: PayPal's server doesn't answer pings. Don't worry about that, the IP is the main thing.

ScamHelpPlease (reply to Doctor Olds): Any idea why after logging in the entire page is in Chinese?

ScamHelpPlease (reply to garys_2k): Any idea why the site is all in Chinese after logging in?
Here is an image I took of the certificate check in Firefox:
i39.tinypic.com/2gw740i.png

ScamHelpPlease (reply to ScamHelpPlease): Sorry, it seems the replies were delayed. I found an option on the front page to switch the language to English. I couldn't find it before because the option to change language was in Chinese too. This is extremely strange. Why was the page in Chinese by default? And the e-mail I got saying I paid out $60 to this company called Nexon was using a phishing URL, yet it had my real contact info. It looks like the transaction is real, so I'll have to call PayPal.

garys_2k (reply to ScamHelpPlease): I just saw your replies and thought you had some sort of setting messed up. It does look like you're on the correct site and you ought to be able to get the charge straightened out. I'd still run one of the online virus checks anyway, just to be really certain you're clean.
Good luck!

nwrickert (reply to ScamHelpPlease): Why was the page in Chinese by default? Perhaps your account was broken into, and the default changed to Chinese.
Yes, you need to call PayPal.
-- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5

MGD (reply to ScamHelpPlease): Did you check your PayPal account to make sure that the transaction was real? Many PayPal email phishing scams will show a bogus transaction in order to lure you into clicking the link and logging in to the phishing site. One possibility is that if the phishing website was in an Asian country and you clicked the phish link, PayPal will auto-set a cookie with an Asian language preference. That way when you go back to PayPal it will remember your language preference. Many sites will auto-assume that language preference based on the geo-location of the IP that you come in from. Many phishing sites are scripted to validate a log-in by passing your data in real time to PayPal. That would generate the cookie with the language preference. I am not sure if the cookie will be set by just a visit without a log-in or not.
You may want to post the entire phish mail's real links to see if in fact it was hosted in an Asian country. I do not suspect that your PC has been compromised solely based on the language change alone. Need phish info to confirm my suspicion.
Google, for example, also will adapt your language preference based on where the IP that you log in from is located.
MGD

ScamHelpPlease: I immediately assume all e-mails from PayPal are phish/spam. I stopped using PayPal years ago; unfortunately I didn't remove my credit card from my account. This is the URL the PayPal receipt e-mail has:
https://secure.uninitialized.real.paypal···s/VERIFY
I mean, it's really easy to tell that it's fake. So I manually went to PayPal.com and logged in. The front login page was in English, but as soon as it went to the account info page, it was all in Chinese.

Doctor Olds: That is actually a PayPal server link and resides at IP 64.4.241.49
OrgName: PayPal
OrgID: PAYPAL
Address: 2145 Hamilton Ave
City: San Jose
StateProv: CA
PostalCode: 95125
Country: US
NetRange: 64.4.240.0 - 64.4.255.255
CIDR: 64.4.240.0/20
NetName: PAYPAL-1
NetHandle: NET-64-4-240-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Assignment
NameServer: PPNS1.PHX.PAYPAL.COM
NameServer: PPNS2.PHX.PAYPAL.COM
NameServer: PPNS1.DEN.PAYPAL.COM
NameServer: PPNS2.DEN.PAYPAL.COM
RegDate: 2003-02-25
Updated: 2008-04-17
OrgTechHandle: EBAYN-ARIN
OrgTechName: eBay Network
OrgTechPhone: +1-408-376-7400
OrgTechEmail: network@ebay.com
# ARIN WHOIS database, last updated 2009-01-10 19:10

MGD (reply to ScamHelpPlease): That is not the real phishing link; you need either to show the mail in text format or to right-click on that link, show Properties, then copy and post the link shown in Properties.
I can duplicate that problem.
Hang on, I will show you how to make it happen.
MGD

MGD (reply to ScamHelpPlease): If you go to http://www.paypal.tw (or any Asian PayPal) it will default to www.paypal.com/tw and display the local language. If you now log in, it will set a language preference cookie. Log out or just close the window. Now go to the English http://www.paypal.com, log in, and it will show you the .com site in an Asian language.
LOOK!!!:
I am at PayPal.com but the language is in Asian / Chinese.
I can either delete the cookie or reset it in preferences.
In your case you did not click on the phish link, and the language may have nothing to do with the phish. If you have not been to PayPal in a long time, then that preference change could have happened long ago. All that is needed for an auto-change to happen is that you log in to a legit PayPal domain via a foreign PayPal site. The two events may not be connected, only that you now went in to PayPal to check and saw the language set to non-English.
That transaction in the phish mail is fake. I am sure if you check your account there will be no record of it.
So while the jury may still be out, it is important to realize that the change can happen for non-nefarious reasons. That is important before you go ripping your system apart looking for a virus that may not exist, especially if this was the only symptom. It is understandable when you see the foreign screen right when you check up on that phish mail. However, you appear to be someone who is well aware of the fake links, and never clicked on it.
There may be no connection between the two events, other than the coincidence that this is when you decided to log in. When was the last time that you were at PayPal? Are you the only one that uses that PC who has a PayPal account?
EDIT/ADD: That PayPal cookie is global within that Windows user account. If another person logged in under their account and changed preferences or logged in on a foreign PayPal, then whoever goes to paypal.com again under that Windows user will be presented with that same language setting.
Had you not changed it back, then you could tell when it originally happened by the date of the cookie. I presume, but am not sure, that the other cookie is now overwritten.
When you went to paypal.com the first time after seeing the phish mail, did it already have the correct user ID (yours) in the field, or someone else's, or was it blank?
MGD

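The cookie scoping behind MGD's explanation, as an added example that is not part of the thread: a language-preference cookie set during a login on www.paypal.com/tw with a parent-domain scope (.paypal.com) is later sent to www.paypal.com, while a cookie scoped to a separate host is not. The cookie name and value are hypothetical, not PayPal's real cookie, and the responses are constructed with Python's standard http.cookiejar rather than real traffic.

```python
import urllib.request
from http.cookiejar import CookieJar
from email.message import Message

# Hypothetical cookie name and value: an assumption for illustration, not PayPal's real cookie.
LOCALE_COOKIE = "lang_pref=zh_TW; Domain=.paypal.com; Path=/"

class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info().get_all()."""
    def __init__(self, headers):
        self._msg = Message()
        for name, value in headers:
            self._msg[name] = value
    def info(self):
        return self._msg

def cookie_sent_later(login_url, later_url, set_cookie=LOCALE_COOKIE):
    """Replay a Set-Cookie received at login_url, then return the Cookie header the
    jar would attach to a later request to later_url (None if nothing would be sent)."""
    jar = CookieJar()  # default policy: Netscape-style domain matching
    login_req = urllib.request.Request(login_url)
    jar.extract_cookies(FakeResponse([("Set-Cookie", set_cookie)]), login_req)
    later_req = urllib.request.Request(later_url)
    jar.add_cookie_header(later_req)
    return later_req.get_header("Cookie")

if __name__ == "__main__":
    # Case 1: a login via www.paypal.com/tw sets a cookie scoped to .paypal.com,
    # so a later visit to the plain www.paypal.com carries the Chinese preference.
    print(cookie_sent_later("https://www.paypal.com/tw/", "https://www.paypal.com/"))
    # Case 2: a cookie scoped to the separate paypal.tw host is not sent to www.paypal.com,
    # which is why the redirect to www.paypal.com/tw matters in MGD's reproduction.
    print(cookie_sent_later("https://www.paypal.tw/", "https://www.paypal.com/",
                            "lang_pref=zh_TW; Domain=.paypal.tw; Path=/"))
```

Clearing the cookie (or resetting the preference) removes the stored entry, which is the fix MGD describes.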