PeterJ

Paypal Phish

Perhaps some people are indeed receiving spam from Paypal these days, but currently they are updating account info and therefore have sent out a message as follows:

Subject: Important Paypal account information!

Body (snipped):

You are receiving this email because it has come to our attention that your PayPal contact and billing information may be incorrect or out of date.

PayPal User Database Requirements

Notice Date: May, 2004

Due to special provisions of the USA PATRIOT Act, PayPal is required to keep it's user information database up to date. Our records indicate that your information may be incorrect or out of date. Please take 5 to 10 minutes right now and update your records. If you fail to update your user information within 24 hours, we are required by law to suspend access to your account until we are able to verify your information.

Please login to your paypal account using the link below to verify your records.

This was sent from "support[at]paypal.com" and is real. Perhaps with all the phishing these days some SC users are reporting this message by mistake.

Checking the IP here:

http://www.spamcop.net/w3m?action=checkblock&ip=61.40.6.131

reveals that at least one person reported the same message I quoted above:

A sample sent sometime during the 24 hours beginning Thursday, May 06, 2004 20:00:00 -0400:

Received: from 61.40.6.131 (-.-.- [61.40.6.131]) by -.-.net with SMTP (Microsoft Exchange Internet Mail Service Version -.-.-6-.-)-

id - Fri, - May 2004 - -

Subject: important - account information

From: su.. at ..l.com

Looking a little further, why is PayPal sending from a Korea server? Perhaps 61.40.6.131 deserves to be listed for other reasons, but as far as I can tell the PayPal mail coming from there is legitimate.


PeterJ, I hope you did not fall for this scam PayPal Email from telnet.himaxkorea.com. If you did you better change all the info in your PayPal Account. It is probably too late though if you did because they have all your personal information including your credit cards. You better call your credit card companies if you used their link.


Yipes! I did click on a link, but see what is going on now.

Wow, I really did not know that the Phishing attempts were this good looking. Here is what occurred (and still occurs) when I click on the link:

Two instances of FireFox open, one page with PayPal that explained the web page desired does not exist and another page with address: https://61.33.168.151/? that was completely blank. Upon further inspection FireFox blocked the popup that the latter page was trying to load.

So no harm done, but I guess I can blush for not knowing how good the phishing mail looks. I really have not received much and never imitating PayPal before (although I knew it existed). I will send a copy off to PayPal's spoof reporting address for the hell of it.

Can someone please change the title of this thread to Paypal Phish instead of PayPal blocklisted. *blushing*


No problem, these fakes can look pretty real, as long as you do not fall for them and report it to the proper authorities while it's hot...

Unfortunately too many people are gullible enough to fall for these scams...


In retrospect the following items should have pointed me to knowing it was not a real email:

1) My name was not used in the email. PayPal states that they will address you by your name at the beginning of any correspondence.

2) There was a bogus received line that I never noticed before:

Received: from 92.38.178.241 by ; Tue, 11 May 2004 08:07:19 +0500

3) Korea server

4) the correct address to report PayPal spoofs to is <spoof[at]paypal.com>, while the fake email states it is <fraud_alert[at]paypal.com>

Maybe that will turn this thread into something slightly more useful.

*still embarrassed*


What I tell all my not too technical friends is this: if you receive an email apparently from paypal/your bank/your brokerage or any place where you have opened an account that includes personal information -- type the name of the institution into your web browser yourself. Log in and look at your personal details to see if there may indeed be a problem. Never click the link in one of those emails.


Ellen has stated the golden rule - "Never click the link in one of those emails." These phishers can look very much like the real thing and the "best" of them know just how to stampede people into taking the actions they want them to. Apart from *not* doing that, running a quick independent check should be helpful (calling the customer center, running a web search on key phrases, etc.). There may also be alerts and fora for such stuff. One which appears to be intended as a gathering point for the notification of scams is

http://www.netscams.com/Forum/YaBB.cgi

I have no idea how good it is, but the idea has merit.

Business does not always help. AT&T a few months ago sent out a notice to customers on one of their sub-nets advising them to check their account details. They sent it through an unknown contractor, not directly. They sent it when the local help center was shut down for a long weekend. They didn't post the message or confirm it on their (central) help center webpage. The same contractor sent a second message soon after, advising to ignore purported emails from the network (because of whatever virus/worm was faking such messages at the time). Okay, no link in that instance but what about backdoor keystroke recorders etc? I've seen actual scams that looked far less suspicious. It was about then I realized there isn't much that can be taken for granted.

Edited by Farelf


Here is a funny physh I got today, funny I never gave this e-mail to anyone...I basically use it to trap spam:

From Citbiank_ Wed May 12 03:55:59 2004

X-Apparently-To:  :P [at]yahoo.com via 66.218.78.143; Tue, 11 May 2004 16:05:34 -0700

Return-Path: <tamy[at]slamdunkfan.com>

Received: from 69.9.239.87 (HELO host-87-239-9-69.midco.net) (69.9.239.87) by mta342.mail.scd.yahoo.com with SMTP; Tue, 11 May 2004 16:05:33 -0700

Received: from slamdunkfan.com (slamdunkfan.com [66.98.218.192]) by host-87-239-9-69.midco.net (Postfix) with ESMTP id E4B1D18242 for <dradrian_007[at]yahoo.com>; Wed, 12 May 2004 06:55:59 -0400

Message-ID: <010001c4380f$9c4cc39a$141b09f5[at]slamdunkfan.com>

From: "Citbiank_" <tamy[at]slamdunkfan.com>  Add to Address Book

To: " :ph34r: " < :P [at]yahoo.com>

Subject: Citi_cards |e-mail| Verification -  :P [at]yahoo.com

Date: Wed, 12 May 2004 06:55:59 -0400

MIME-Version: 1.0

Content-Type: text/html

Content-Transfer-Encoding: quoted-printable

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2800.1158

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000

X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.5; AVE: 6.17.0.2; VDF: 6.17.0.5; host: host-87-239-9-69.midco.net)

Content-Length: 815

     

Dear_ Citi-bank Users,

This email_ was _sent by_the_ _Citibank_ _server_ to veerify your_ _e-mail_ address.

You must complete this process by clicking on the_link beloww and enntering

in the smmall window_ your citi_bank _Debit card nummber and _PIN_ that

you use_ on_the ATM Machine. This_is donne for your protection -J- because some_of our

_members_ _no longer have access to their EMAIL addersses and we must verify it.

www.yahoo.com/?nNW2OtMHcrxE7vqMJhTCKKkZVt80GWWILftqvWZ5lDdQ41BkIe7vA

To verify _your email adress and _access_ _your_ _Citibank

account, clik on the_ link beloww.

qRfqzbntYOr4kn3pJHE CLFd7orfV2llVCuMc MKODeUYCYomG3ZrIcA8EO4H

...and no, I never dealt with Citi Bank....

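The header and link checks PeterJ lists in retrospect, together with the display-name mismatch visible in the Citibank sample, as an added Python example that is not part of the original thread. The BRANDS domain list, the 0.8 similarity threshold and the two sample messages are assumptions; the samples are constructed from the header lines and URL quoted above.

```python
import difflib
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: illustrative map of brand -> domains it really sends from.
BRANDS = {"paypal": {"paypal.com"}, "citibank": {"citibank.com", "citi.com"}}

# Constructed samples: only the header lines and URL quoted in the thread.
PAYPAL = ("Received: from 92.38.178.241 by ; Tue, 11 May 2004 08:07:19 +0500\n"
          "From: support@paypal.com\n\n"
          "Please login: https://61.33.168.151/?\n")
CITI = ('Received: from 69.9.239.87 (HELO host-87-239-9-69.midco.net) by '
        'mta342.mail.scd.yahoo.com with SMTP; Tue, 11 May 2004 16:05:33 -0700\n'
        'From: "Citbiank_" <tamy@slamdunkfan.com>\n\nclick the link below\n')

def received_without_by_host(msg):
    """Received lines whose 'by' clause names no host ('from X by ; date')."""
    return [r for r in msg.get_all("Received", [])
            if not re.search(r"\bby\s+[A-Za-z0-9\[]", r)]

def ip_literal_links(body):
    """URLs whose host is a bare IP address rather than a name."""
    hits = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:
            continue
        hits.append(url)
    return hits

def brand_mismatch(msg):
    """Brand the From display name resembles, if the address is off-domain."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    label = re.sub(r"[^a-z]", "", name.lower())
    for brand, domains in BRANDS.items():
        close = difflib.SequenceMatcher(None, label, brand).ratio() >= 0.8
        if close and not any(domain == d or domain.endswith("." + d) for d in domains):
            return brand
    return None

def phish_indicators(raw):
    msg = message_from_string(raw)  # single-part message assumed
    return {"bad_received": received_without_by_host(msg),
            "ip_links": ip_literal_links(msg.get_payload()),
            "brand_mismatch": brand_mismatch(msg)}
```

The PayPal sample passes the From check because the sender address itself was forged with the real domain, so it is the empty `by` clause and the IP-literal link that flag it.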

It is a shame, but legitimate businesses have to do so much to avoid being caught by the content filters or having customers ignore email messages because they look like spam or scams.

The smart ones have learned how.

Miss Betsy

