Paypal - 'New email address added to your account'
14-Jan-2005

Summary
Email title: 'New email address added to your account'
Scam target: PayPal users
Sender: aw-service@paypal.com
Sender spoofed/hidden? Spoofed
Phish 'punch line': 'You have added laptopseller@yahoo.com as a new email address for your PayPal account. If you did not authorize this change or if you need assistance with your account, please contact PayPal customer service...'
Scam goal: Getting the victim's PayPal username/password and credit card information
Phish link method: URL link
Link 'masked'? Yes
Visible link: https://www.paypal.com/row/wf/f=ap_email
Actual link to: http://www.fast-email-address.us/phpss/
Phish website IP: 68.142.234.35

 
E-mail

This is a particularly insidious phish. It blends a variety of techniques into one of the most dangerous scam attempts out there.

The email message is a variation of one used a while ago. It is notable for being quite persuasive without threatening the recipient or showing other unusual behaviour. It lacks any PayPal logo or legitimate header/footer, but the sender is spoofed, the link is 'masked' and the message as a whole is convincing:

[screenshot of the phishing e-mail]
Web Site
Visible link: https://www.paypal.com/row/wf/f=ap_email
Actual link to: http://www.fast-email-address.us/phpss/
Phish website IP: 68.142.234.35

When the link is clicked, the following page is displayed:

[screenshot of the first phish page]

At this time the address bar of your browser will look somewhat like this:

[screenshot of the browser's own address bar showing the real phish URL]

At this time the address bar is still in its original state, and the real URL of the phish site is visible. The presence of a PayPal page at such a URL is one of the chief weaknesses of this scam.

But after the 'Click here to go to our main page' link is clicked, an address bar forgery loads and is displayed, together with the phishers' version of the PayPal login screen, in a separate window. This is what the forged address bar looks like:

[screenshot of the forged address bar]
The difference between the original and the forged address bars is visible but quite slight, as you can see. This new forgery is considerably better than the old one, which stayed on top of whatever window was brought in front of it and was much easier to spot. This one stays strictly within the attacked browser instance and is generally much harder to expose.

The site beneath looks exactly like PayPal:

[screenshot of the forged PayPal login page]

The real URL of the phish page is visible in the properties page (File/Properties):

[screenshot of the page properties dialog showing the real URL]

The site is an http site, not an https one, and the status bar is not forged. This creates a visible inconsistency between the 'https' in the address bar and the missing lock icon in the status bar.

After 'logging in', the next phish page loads:

[screenshot of the second phish page requesting card details]

All the previous concerns about the address bar and the status bar still apply. The site performs a preliminary check of the credit card number entered using a simple formula: it does not connect to any card-processing server, but it will reject a random card number.

Afterwards, the phish uses another clever trick: it passes the information entered on the 'login' screen to the legitimate paypal.com login. This way, if valid credentials were entered, a normal PayPal login proceeds and the victim sees nothing unusual; a normal PayPal session begins. In our case, we entered a bogus username/password that was, of course, rejected by paypal.com:

[screenshot of the paypal.com login failure, with the forged address bar still in place]

Notice how the address bar forgery remains active.

The phish site is hosted on a server in California:

WHOIS information (for IP 68.142.234.35):

IP Location: USA, California

Domain Name: FAST-EMAIL-ADDRESS.US
Domain ID: D7066774-US
Sponsoring Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Domain Status: ok
Registrant ID: A110325394080776
Registrant Name: Sondra Wissel
Registrant Organization: Sondra Wissel
Registrant Address1: 2634 Fenwick Court
Registrant City: Ann Arbor
Registrant State/Province: MI
Registrant Postal Code: 48104
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2486680157
Registrant Application Purpose: P3
Registrant Nexus Category: C11
Administrative Contact ID: A110325394080773
Administrative Contact Name: Sondra Wissel
Administrative Contact Organization: Sondra Wissel
Administrative Contact Address1: 2634 Fenwick Court
Administrative Contact City: Ann Arbor
Administrative Contact State/Province: MI
Administrative Contact Postal Code: 48104
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.2486680157
Billing Contact ID: A110325394080775
Billing Contact Name: YahooDomains BillingContact
Billing Contact Organization: Yahoo! Inc
Billing Contact Address1: 701 First Ave.
Billing Contact City: Sunnyvale
Billing Contact State/Province: CA
Billing Contact Postal Code: 94089
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.6198813096
Billing Contact Facsimile Number: +1.6198813010
Technical Contact ID: A110325402841726
Technical Contact Name: YahooDomains TechContact
Technical Contact Organization: Yahoo! Inc
Technical Contact Address1: 701 First Ave.
Technical Contact City: Sunnyvale
Technical Contact State/Province: CA
Technical Contact Postal Code: 94089
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.6198813096
Technical Contact Facsimile Number: +1.6198813010
Technical Contact Email:
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Created by Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Domain Registration Date: Fri Dec 17 03:28:03 GMT 2004
Domain Expiration Date: Fri Dec 16 23:59:59 GMT 2005