RE: New PayPal Email Scam

From: Charles Hamby (fixergci.net)
Date: Mon Nov 10 2003 - 20:09:49 CST


Isaac,

Might I also suggest contacting the ISP of the IP address that the scam is
being run from?

OrgName: Affinity Internet, Inc
OrgID: AFFI
Address: 101 Continental 4th Floor
City: El Segundo
StateProv: CA
PostalCode: 90245
Country: US

OrgTechHandle: ZA94-ARIN
OrgTechName: Affinity Internet IP Management Group
OrgTechPhone: +1-310-524-3000
OrgTechEmail: ip-admin@affinity.com

I ran across a similar PayPal scam about 8 months ago and contacted PayPal.
They weren't much help. Roughly a month later the website was still up and
running (and presumably still scamming people). After contacting the ISP
the site was taken offline within 3 days.

Charles Hamby

 
-----Original Message-----
From: Isaac Hopper [mailto:inhopp01@yahoo.com]
Sent: Monday, November 10, 2003 9:19 AM
To: incidents@securityfocus.com
Subject: New PayPal Email Scam

This morning (Nov. 10, 2003) I received yet another in
the seemingly endless string of spam messages. This
one caught my eye though. The message purports to be
from PayPal, and states the following:

<--- Begin Message Text
This e-mail is the notification of recent innovations
taken by PayPal to detect inactive customers and
non-functioning mailboxes.

The inactive customers are subject to restriction and
removal in the next 3 months.

Please confirm your email address and Credit Card
info number by logging in to your PayPal account using
the form below:

Your Address Information - You may only enter English
characters during Sign Up. This does NOT include
characters with accents. Please enter your name and
address as they are listed for your credit card or
bank account. Your primary currency is the currency in
which you are expecting to send and receive the
majority of your payments.
<--- End Message text

When I saw the demand for Credit details, I
immediately opened the code in UltraEdit to take a
look. It appears that the form is submitting
to the following address:

http://207.150.192.12/temp/top0az/cgi-bin/p.php

Everything else on the page, including the other links
point to the actual PayPal site, making this a fairly
effective ruse for the unsuspecting user. I have made
PayPal aware of the problem, but I don't want it to
get lost in the shuffle, so I thought I would post the
information here for your review. If you would like a
copy of the email in its entirety (HTML format),
please let me know via email, and I will be happy
to send it along.

Sincerely,

Isaac N. Hopper

__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree
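The check Isaac describes doing by hand in UltraEdit, as an added example that is not part of the original thread: a small Python scan over an HTML mail body that reports every form posting to a host other than the claimed sender's domain (here paypal.com) and whether that host is a bare IP address, alongside a count of links that do point at the real site. The sample HTML is constructed to resemble the reported message; only the form target is the address quoted above.

```python
# Added example (not from the thread): flag HTML mail whose <form> posts off the claimed domain.
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

class _TargetCollector(HTMLParser):
    """Collect <form action> and <a href> targets from an HTML body."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.link_hrefs = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "a" and a.get("href"):
            self.link_hrefs.append(a["href"])

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _same_site(host, domain):
    # Exact match or a true subdomain; "paypal.com.example.net" is not one.
    return host == domain or host.endswith("." + domain)

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_form_mismatches(html, claimed_domain):
    """One finding per form that submits off-site, plus a count of links that
    do point at claimed_domain (the 'everything else looks real' pattern)."""
    p = _TargetCollector()
    p.feed(html)
    onsite = sum(_same_site(_host(h), claimed_domain) for h in p.link_hrefs)
    findings = []
    for action in p.form_actions:
        host = _host(action)
        if not _same_site(host, claimed_domain):
            findings.append({"action": action, "host": host,
                             "bare_ip": _is_ip(host), "onsite_links": onsite})
    return findings

# Constructed sample resembling the reported message, not the actual mail.
SAMPLE = """<html><body><a href="https://www.paypal.com/">PayPal</a>
<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_help">Help</a>
<form method="post" action="http://207.150.192.12/temp/top0az/cgi-bin/p.php">
<input name="cc_number"><input type="submit" value="Log In"></form></body></html>"""
```

Calling `find_form_mismatches(SAMPLE, "paypal.com")` returns one finding for the bare-IP form while both links count as on-site; a relative action (no host) is also reported, since it would post wherever the mail is rendered from.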

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------