Paypal phishing: take online survey and receive money

MX Lab is intercepting phishing messages that target PayPal users. The email comes from the spoofed address Pay Pal.Inc This e-mail address is being protected from spambots. You need JavaScript enabled to view it with the subject Confirm refund request Identity Verification. The contents of the email: Dear client,PayPal CONGRATULATIONS! You have been chosen by the Online Department to take part in our survey. In return we will credit $99.0 to your account [...]


MX Lab is intercepting phishing messages that target PayPal users. The email comes from the spoofed address
“Pay Pal.Inc” < This e-mail address is being protected from spambots. You need JavaScript enabled to view it > with the subject “Confirm refund request – Identity Verification”.

The contents of the email:

Dear client,PayPal

CONGRATULATIONS!

You have been chosen by the Online Department to take part in our survey.
In return we will credit $99.0 to your account – Just for your time!

SERVICE: PayPal .Inc Online®
EXPIRATION: October – 29 – 2009

hxxp://www.developmentalfun.com/attachments/paypal.eu/index.php

2009 PayPal ® All Rights Reserved

MEOEXQPRKZJCHFGZMHONBBPUQDRLGHPYOORBYS

Following the link brings you to the phishing site with a similar interface to the original PayPal site.

Notice that the phishing site is hosted on a non PayPal domainn, has no HTTPS connection. When filling in a fake login and password I go to the page hxxp://www.developmentalfun.com/attachments/paypal.eu/login.php with the known PayPal progress bar and get a redirect to hxxp://www.developmentalfun.com/attachments/paypal.eu/Revalidate.htm?cmd_submitaccess0023044.submit=data_refund. This is where I need to fill in personal details for the refund. Yeah, right.

When filling in the form with fake data I receive the page hxxp://www.developmentalfun.com/attachments/paypal.eu/thankyou.html?RXZlbnQyIE9jdDI3RXZlbnQyIE9jdDI3 and get a redirect to the official PayPal web site. There is no check wether my social security number, credit card number and CVV2 is valid.

If you have used your real login, password and other details you are screwed by now. At this point the people behind the phishing site now know your details and can go into your PayPal account and get what they need. So it’s not recommended to do such things as I just did.

The navigation at the top doesn’t point to PayPal but to hxxxp://216.104.169.200/login/webscr.html but I got an Internal Server Error. The web site itself is hosted on the server listening to the IP 64.49.206.169. Now the web site http://www.developmentalfun.com/ is a valid one so this hosting account seems to be hacked and is hosting the phishing pages.


Read Full Article
GSO
Written on Friday, 23 October 2009 00:32 by GSO

Viewed 69 times so far.
Like this? Tweet it to your followers!
Published in Subscribe to the RSS feed of Network Security & Hacking News  Network Security & Hacking News / Subscribe to the RSS feed of Latest Security News  Latest Security News
Like this? Let your friends know now!

Rate this article

Latest articles from GSO

Latest 'tweets' from GovernmentSecurity

  • News Update: Cyber war is coming, the impact could be huge: CBS News reports that cyber.. http://bit.ly/1tx1kr | #Security Link Monday, 09 November 2009 07:35
  • News Update: Tenable Network #Security Podcast - Episode 11: Welcome to the Tenable Netw.. http://bit.ly/2Iqd6G | Security Link Monday, 09 November 2009 07:35
  • News Update: Consent will be required for cookies in Europe: EDITORIAL: A law that dema.. http://bit.ly/3JYgip | #Security Link Monday, 09 November 2009 07:35
  • News Update: CBS 60 Minutes tackles cyber-terrorism: Could hackers get into the compute.. http://bit.ly/2d5Y21 | #Security Link Monday, 09 November 2009 07:35
  • Blog Update: We have launched the new GovernmentSecurity.org: We decided to launch th.. http://bit.ly/2G1SSF | #Security Link Saturday, 07 November 2009 17:38
blog comments powered by Disqus
back to top

Site Search

Disqus Tools