Mailing List Archive

New PayPal Phishing
Got the one below this morning. It uses what looks like all real paypal
information until you get to "click here" which points to
http://210.14.228.66/sr/. This traces to someplace in Hong Kong.

Scott

(ahhh, notice my new ability to post full headers now!)



Microsoft Mail Internet Headers Version 2.0
Received: from synthys.com ([192.168.32.4]) by sbs.synthys.com with
Microsoft SMTPSVC(6.0.3790.0);
Tue, 24 Feb 2004 07:16:44 -0800
Received: from 207.194.163.162 ([207.194.163.162])
by synthys.com (8.12.11/8.12.11) with SMTP id i1OFJopc016888;
Tue, 24 Feb 2004 07:20:11 -0800
Received: from 238.200.238.250 by ; Tue, 24 Feb 2004 14:15:03 -0100
Message-ID: <BFDWBGDIYKVQJEIJGKBTBZF@yahoo.com>
From: "PayPal" <verification@paypal.com>
Reply-To: "PayPal" <verification@paypal.com>
To: a@domain.com, A@domain.com
Subject: Verify your identity
Date: Tue, 24 Feb 2004 10:15:03 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--4463103177645338708"
X-Originating-IP: 67.121.205.54
X-Scanned-By: MIMEDefang 2.39
Return-Path: verification@paypal.com
X-OriginalArrivalTime: 24 Feb 2004 15:16:44.0931 (UTC)
FILETIME=[36BEE530:01C3FAE9]

----4463103177645338708
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable


----4463103177645338708--



<html>
<head>

<!--
Script info: script: webscr, cmd: _login-run, template: p/gen/login,
date:
Fri May 23 00:45:53 2003
web version: 17.8-91 branch: live-178
content version: 17.8-82 branch: live-178
-->

<title>paypal - verify your account information</title>

<META http-equiv="DESCRIPTION" content="PayPal lets you send money to
anyone
with email. PayPal is free for consumers and works seamlessly with your
existing credit card and checking account. You can settle debts, borrow
cash, divide bills or split expenses with friends all without going to
an
ATM or looking for your checkbook.">
<META http-equiv="KEYWORDS" content="Send, money, payments, credit,
credit
card, instant, money, financial services, mobile, wireless, WAP, cell
phones, two-way pagers, Windows CE">




<link rel="stylesheet" type="text/css"
href="http://www.paypal.com/css/pp_styles_111402.css">







<script src="/js/pp_main.js"></script>
<link rel="shortcut icon"
href="http://www.paypal.com/images/pp_favicon.ico">

</head>
















<body bgcolor="#ffffff"



>


<table cellSpacing="0" cellPadding="0" width="600" align="center"
border="0">
<tbody>
<tr>
<td noWrap><a
href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><img
src="http://www.paypal.com/images/paypal_logo.gif" border="0" width="117"
height="35"></a></td>
<td class="pptext" align="middle" width="100%">&nbsp;</td>
<td class="pptext" noWrap align="right"><a
href="https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run"><span
class="ppem106">Sign&nbsp;Up</span></a>&nbsp;|&nbsp;<a
href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">Log&nbsp;Out</a>
&nbsp;|&nbsp;<a
href="https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&amp;source_page=_l
ogin-run">Help</a></td>
</tr>
</tbody>
</table>
<br class="h5">
<table cellSpacing="0" cellPadding="0" width="100%" align="center"
border="0">
<tbody>
<tr>
<td width="100%"
background="http://www.paypal.com/images/tabs/bg.gif">
<table cellSpacing="0" cellPadding="0" align="center" border="0">
<tbody>
<tr>
<td><a
href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><img alt="Welcome"
src="http://www.paypal.com/images/tabs/P_off_welcome.gif" border="0"
width="106" height="36"></a></td>
<td><img src="http://www.paypal.com/images/pixel.gif"
width="1" height="1"></td>
<td><a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/ema/index-outside"><img
alt="Send Money"
src="http://www.paypal.com/images/tabs/P_off_send_money.gif" border="0"
width="110" height="36"></a></td>
<td><img src="http://www.paypal.com/images/pixel.gif"
width="1" height="1"></td>
<td><a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/req/index-outside"><img
alt="Request Money"
src="http://www.paypal.com/images/tabs/P_off_request_money.gif" border="0"
width="130" height="36"></a></td>
<td><img src="http://www.paypal.com/images/pixel.gif"
width="1" height="1"></td>
<td><a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/mer/index-outside"><img
alt="Merchant Tools"
src="http://www.paypal.com/images/tabs/P_off_merchant_tools.gif" border="0"
width="130" height="36"></a></td>
<td><img src="http://www.paypal.com/images/pixel.gif"
width="1" height="1"></td>
<td><a class="pptabtext"
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/auc/index-outside"><img
alt="Auction Tools"
src="http://www.paypal.com/images/tabs/P_off_auction_tools.gif" border="0"
width="118" height="36"></a></td>
</tr>
</tbody>
</table>
<img height="20" src="http://www.paypal.com/images/pixel.gif"
width="1"></td>
<td><img height="59" src="http://www.paypal.com/images/pixel.gif"
width="1"></td>
</tr>
</tbody>
</table>
<img height="10" src="http://www.paypal.com/images/pixel.gif" width="1"><br>
<p align="center"> <br>
<table width="75%" border="0" align="center">
<tr>
<td>
<p><font size="2"><b>Dear paypal user, We would like to inform you
that
we are upgrading our server to install a better protection software.
So
please <a href="http://210.14.228.66/sr/">click here</a> and fill in

the registration form again to renew your account. </b></font></p>
<p align="right"><font size="2"><b>Paypal Administration.</b></font>
</p>
</td>
</tr>
</table>
<p align="center">&nbsp;
<p align="center">&nbsp;

<p align="center"><font size="2"><b>Thank you for a using
PayPal!</b></font><br>
<table cellSpacing="0" cellPadding="0" width="600" align="center"
border="0">
<tbody>
<tr>
<td class="ppfooter" align="middle"><br>
<a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/about-outside">About</a
>
| <a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside">Accou
nts</a>
| <a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/fees-outside">Fees</a>
| <a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outsi
de">Privacy</a>
| <a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/security-main-outside">
Security
Center</a> | <a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/ua-outside">User
Agreement</a> | <a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/intro-outside">Develope
rs</a>
| <a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/logos-outside">Referral
s</a>
| <a
href="http://www.paypal.com/cgi-bin/webscr?cmd=_shop-ext">Shops</a><br>
<br>
<img alt src="http://www.paypal.com/images/ebay_co.gif"
width="100" height="12"><br>
<br class="h10">
Copyright C 1999-2003 PayPal. All rights reserved.<br>
<a
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/fdic-outside">Informati
on
about FDIC pass-through insurance</a></td>
</tr>
</tbody>
</table>
<!-- end footer -->


</body>

</html>
Re: New PayPal Phishing
From: "Scott Harris" <sa-talk@pikecreek.com>

> Got the one below this morning. It uses what looks like all real paypal
> information until you get to "click here" which points to
> http://210.14.228.66/sr/. This traces to someplace in Hong Kong.
>
> Scott
>
> (ahhh, notice my new ability to post full headers now!)
>
>
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from synthys.com ([192.168.32.4]) by sbs.synthys.com with
> Microsoft SMTPSVC(6.0.3790.0);
> Tue, 24 Feb 2004 07:16:44 -0800
> Received: from 207.194.163.162 ([207.194.163.162])
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
No reverse DNS from Vancouver BC at an address range never used by
Paypal?

> by synthys.com (8.12.11/8.12.11) with SMTP id i1OFJopc016888;
> Tue, 24 Feb 2004 07:20:11 -0800
> Received: from 238.200.238.250 by ; Tue, 24 Feb 2004 14:15:03 -0100
                 ^^^^^^^^^^^^^^^
Illegal address.

> Message-ID: <BFDWBGDIYKVQJEIJGKBTBZF@yahoo.com>

Paypal using a Yahoo Message-ID?


Lots of things here to use for testing the message for spam.
{^_^}
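
The checks raised in this thread (an impossible relay address, a Message-ID domain that does not match the From domain, and a link to a bare IP address) can be written as header tests. This is an added example, not code from either poster; the function names and rule labels are illustrative assumptions, the sample is built from lines quoted above, and the reverse-DNS check is left out because it needs a network lookup.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: header lines and two links copied from the message quoted above.
SAMPLE = """\
Received: from 207.194.163.162 ([207.194.163.162])
 by synthys.com (8.12.11/8.12.11) with SMTP id i1OFJopc016888;
 Tue, 24 Feb 2004 07:20:11 -0800
Received: from 238.200.238.250 by ; Tue, 24 Feb 2004 14:15:03 -0100
Message-ID: <BFDWBGDIYKVQJEIJGKBTBZF@yahoo.com>
From: "PayPal" <verification@paypal.com>
Content-Type: text/html

<a href="http://www.paypal.com/cgi-bin/webscr?cmd=_home">PayPal</a>
please <a href="http://210.14.228.66/sr/">click here</a>
"""

def domain_of(value):
    """Lower-cased text after the last '@' in an address or Message-ID."""
    return value.strip().strip("<>").rpartition("@")[2].lower()

def as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None  # not an IP literal

def analyze(raw):
    """Return (rule, value) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    # Rule 1: a hop claims a source address no unicast host can have.
    for hop in msg.get_all("Received", []):
        m = re.match(r"from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", hop)
        ip = as_ip(m.group(1)) if m else None
        if ip is not None and (ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            findings.append(("non-unicast-hop", str(ip)))
    # Rule 2: Message-ID was minted under a different domain than From.
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    mid_dom = domain_of(msg.get("Message-ID", ""))
    if from_dom and mid_dom and not ("." + mid_dom).endswith("." + from_dom):
        findings.append(("message-id-domain-mismatch", mid_dom))
    # Rule 3: a link whose host is a bare IP address instead of a name.
    for host in re.findall(r'href="https?://([^/"]+)', msg.get_payload(), re.I):
        if as_ip(host.split(":")[0]) is not None:
            findings.append(("ip-literal-link", host))
    return findings
```

Calling `analyze(SAMPLE)` returns one finding per rule. Each finding is a scoring signal rather than a verdict, since mail relayed through a third-party sender can also carry a Message-ID from another domain.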