
Paypal - 'Yout PayPal account will be suspended'
01-Apr-2005

Summary
Email title: 'WARNING!!! Yout PayPal account will be suspended!!!'
Scam target: PayPal users
Sender: unknown

Sender spoofed/hidden? N/A
Scam goal: Getting the victim's PayPal username (email) and password
Phish link method: a 'Click Here' type link
Link 'masked'? Yes
Visible link: 'Click here to confirm your account'
Actual link to: http://www.paypal-cgi.us/webscr.php?cmd=LogIn
Phish site IP: 68.142.234.44
 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview
 
A single-page login scam; quite dangerous.
 
E-mail
 
The email is well designed and convincing:
 
 

The most suspicious thing is the anonymous 'Dear Paypal Customer'. There is no reason that PayPal wouldn't use your real name; this is a clear scam indication. The other peculiar thing is the spelling mistake in the subject, a typical spam technique.

 
Web Site
Visible link: 'Click here to confirm your account'
Actual link to: http://www.paypal-cgi.us/webscr.php?cmd=LogIn
Phish site IP: 68.142.234.44
 
The phish site itself is on a domain that closely resembles the Paypal one:
 
 

The main phishing clue here is the unsecured page. PayPal would process your login information via an HTTPS session.

The interesting thing here is that the page returns a failed submission attempt whatever data is entered. Its purpose is solely the acquisition of the victim's username/password. This increases the scam's chance of success, because it is easier to slip by unnoticed.
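The two clues described above (a 'Click here' link whose real target is a lookalike domain, and a login page served over plain HTTP) can be checked mechanically on the e-mail body. The following is an added example for mail-filter or analyst use, not code from APWG or Tumbleweed; the e-mail body is a constructed sample that reproduces the link from this report, and the brand domain list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not the original message): one lure anchor that
# leaves the brand's domain, and one harmless anchor on the real site.
SAMPLE_HTML = """
<p>Dear Paypal Customer,</p>
<p><a href="http://www.paypal-cgi.us/webscr.php?cmd=LogIn">Click here to confirm your account</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
"""

BRAND = "paypal"                 # assumption: brand string to look for in lookalike hosts
BRAND_DOMAINS = {"paypal.com"}   # assumption: hosts considered legitimate for this brand


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _on_brand_domain(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def audit_links(html):
    """Return (href, visible text, reasons) for each anchor that looks like a phish lure."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        url, reasons = urlparse(href), []
        host = (url.hostname or "").rstrip(".")
        if host and not _on_brand_domain(host):
            kind = "lookalike domain" if BRAND in host else "link leaves brand domain"
            reasons.append(f"{kind}: {host}")
        if url.scheme == "http" and "login" in (url.path + url.query).lower():
            reasons.append("login page over plain HTTP")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```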

 
WHOIS data (for IP 68.142.234.44):

IP Address: 68.142.234.44 (ARIN & RIPE IP search)
IP Location: California, Foster City (Inktomi Corporation)

Domain Name: PAYPAL-CGI.US
Domain ID: D7487223-US
Sponsoring Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Domain Status: ok
Registrant ID: A111151510613910
Registrant Name: Lisa Turner
Registrant Organization: Lisa Turner
Registrant Address1: RT 2 BOX 107
Registrant City: GRANGEVILLE
Registrant State/Province: ID
Registrant Postal Code: 83530
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2089830749
Registrant Application Purpose: P3
Registrant Nexus Category: C11

Administrative Contact ID: A111151504109964
Administrative Contact Name: Lisa Turner
Administrative Contact Organization: Lisa Turner
Administrative Contact Address1: RT 2 BOX 107
Administrative Contact City: GRANGEVILLE
Administrative Contact State/Province: ID
Administrative Contact Postal Code: 83530
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.2089830749

Billing Contact ID: A11115151061399
Billing Contact Name: YahooDomains BillingContact
Billing Contact Organization: Yahoo! Inc
Billing Contact Address1: 701 First Ave.
Billing Contact City: Sunnyvale
Billing Contact State/Province: CA
Billing Contact Postal Code: 94089
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.6198813096
Billing Contact Facsimile Number: +1.6198813010

Technical Contact ID: A111151504109965
Technical Contact Name: YahooDomains TechContact
Technical Contact Organization: Yahoo! Inc
Technical Contact Address1: 701 First Ave.
Technical Contact City: Sunnyvale
Technical Contact State/Province: CA
Technical Contact Postal Code: 94089
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.6198813096
Technical Contact Facsimile Number: +1.6198813010

Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Created by Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Domain Registration Date: Tue Mar 22 18:11:58 GMT 2005
Domain Expiration Date: Tue Mar 21 23:59:59 GMT 2006