Paypal - 'Unauthorized Access...'
17-Feb-2005

Summary
Email title: Unauthorized Access:NA (Routing Code: C840-L001-Q-T-S111)
Scam target: Paypal users
Sender: support@paypal.com or service@paypal.com
Sender spoofed/hidden? Spoofed
Scam goal: Getting victim's credit/debit card information, bank account information, personal information
Phish link method: URL link
Link 'masked'? Yes
Visible link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
Actual link to: http://tigermail.co.kr/%20/cgi-bin/webscrcmd_login.php
Phish hosted on: http://tigermail.co.kr
 
E-mail
 

This Korean-hosted phish is not one of the most sophisticated, but because it is mass-mailed widely it has a statistically good chance of causing damage.

The HTML email is quite polished, but some random text can be spotted at the bottom, which is a widely recognized spam technique:

 
 
Web Site
Visible link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
Actual link to: http://tigermail.co.kr/%20/cgi-bin/webscrcmd_login.php
Phish hosted on: http://tigermail.co.kr
 

The site that opens after the link is clicked resembles the original Paypal page very closely. Two things are, however, inconsistent:

  • The URL in the address bar is NOT on paypal.com;
  • There is no secure session indication by the browser (the padlock icon in the status bar in IE, for example):
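As an added example (not part of the APWG write-up), a small Python check that a mail filter could run over an HTML message to catch exactly this kind of masked link: it compares the host shown in each anchor's visible text with the host its href really points to, and also flags an https-looking link that actually leads to plain http, the two inconsistencies listed above. The sample message is constructed to mirror the e-mail described here; it is not the original message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def find_masked_links(html):
    """Return a finding for every anchor whose shown URL disagrees with its real target."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown, real = _host(text), _host(href)
        if not shown:
            continue  # visible text is not a URL, so there is nothing to compare
        reasons = []
        # Host mismatch: the classic 'masked link' (subdomains of the shown host are fine)
        if real != shown and not real.endswith("." + shown):
            reasons.append(f"text shows {shown} but href goes to {real}")
        # Downgrade: the victim expects a padlock the real page will never show
        if urlparse(text).scheme == "https" and urlparse(href).scheme == "http":
            reasons.append("visible link is https but target is plain http")
        if reasons:
            findings.append({"shown": text, "actual": href, "reasons": reasons})
    return findings

# Constructed sample modelled on the e-mail described above, not the original message.
SAMPLE_EMAIL = """<html><body><p>Click here to restore access to your account:</p>
<a href="http://tigermail.co.kr/%20/cgi-bin/webscrcmd_login.php">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
<p>Or visit <a href="https://www.paypal.com/">https://www.paypal.com/</a></p></body></html>"""

if __name__ == "__main__":
    for finding in find_masked_links(SAMPLE_EMAIL):
        print(finding["shown"], "->", finding["actual"], finding["reasons"])
```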
 
 
On this 'login' page any username/password combination is accepted, as long as the username contains an '@' (the site's only check that it looks like an email address). The following page then opens:
 
 

Here the credit card number is checked against a mathematical formula of the kind generally used for first-stage card number verification (before any connection to a card processor). A randomly typed bogus number is therefore rejected, which increases the site's impression of credibility.

The site then opens a series of such pages, asking for a great deal of information. This is also one of its weak points, since the potential victim has plenty of time to recognize the hoax:

 
 
And there will even be one more:
 
 
After which the site displays a nice-looking logout-style page:
 
 
The site is hosted on a Korean webmail server. It is possible that the phishers have used malware to obtain remote access to it.