Paypal- 'Update Account.'
29-Apr-2005

Summary
Email title: 'Update Account.'
Scam target: Paypal users
Sender: service@paypal.com
Sender spoofed/hidden? Spoofed
Scam goal: Getting victim's credit card information, other personal information
Phish link method: a 'Click Here' type link
Link 'masked'? Yes
Visible link: 'Please click here to update your billing records.'
Actual link to: http://review-data.org/go.html
Resolved URL: http://83.16.123.18/icons/pp/update.htm?=https://www.paypal.com/=cmd_login_access_account_uptead_curreny(truncated)
Phish site IP: 83.16.123.18
 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview

E-mail

The e-mail is very convincingly put together, but its threatening tone does not look much like a legitimate company's communication with its customers:

Web Site
Visible link: http://www.citizensbankonline.com/logon/securesurvey.asp
Actual link to: http://review-data.org/go.html
Resolved URL: http://83.16.123.18/icons/pp/update.htm?=https://www.paypal.com/=cmd_login_access_account_uptead_curreny(truncated)
Phish site IP: 83.16.123.18
 

The site first opened is just a redirect. The second site is where the phish resides.

There is no login screen imitation. The site demands information immediately:

 
 
The main phishing clue is the URL in the address bar:
 
 

Though it has 'https://paypal.com' in it, this string is in the path and query part (after the host), not in the domain name. This site is NOT Paypal.

The lack of a security certificate also points to a scam going on (the presence of a security certificate is indicated by a lock icon in the status bar of IE).

The site would accept any information passed - no checks are made. Then, a fake 'processing delay' page pops up:
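As an added illustration (not part of the original APWG analysis), the following Python script applies the two checks described above to the resolved URL quoted in this report: it isolates the real host, flags a bare IP literal and a non-HTTPS scheme, and reports a brand domain that appears only in the path or query rather than in the host. The `BRAND_DOMAINS` list, the function names and the two sample URLs are this example's own assumptions; the suspicious URL is the one quoted on this page, copied verbatim including its "(truncated)" marker.

```python
import ipaddress
from urllib.parse import unquote, urlparse

# Brand domains that should only ever appear as the real host, never buried
# in the path or query of some other host's URL (assumed list for this example).
BRAND_DOMAINS = ("paypal.com",)


def registrable_host(url: str) -> str:
    """Return the host part of a URL, lowercased, without port or credentials."""
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address instead of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_matches_brand(host: str, brand: str) -> bool:
    """True when host is the brand domain itself or a subdomain of it."""
    return host == brand or host.endswith("." + brand)


def analyse_url(url: str) -> dict:
    """Apply the three heuristics from the report and return the findings."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Everything after the host, percent-decoded, is where decoy brand strings hide.
    tail = unquote(parsed.path + "?" + parsed.query + "#" + parsed.fragment).lower()

    findings = []
    if is_ip_literal(host):
        findings.append("host is a bare IP address")
    if parsed.scheme != "https":
        findings.append("connection is plain http (no certificate)")
    for brand in BRAND_DOMAINS:
        if brand in tail and not host_matches_brand(host, brand):
            findings.append(
                f"'{brand}' appears in the path/query but the real host is '{host}'"
            )
    return {"host": host, "findings": findings, "suspicious": bool(findings)}


# The resolved phishing URL quoted in this report (verbatim, including "(truncated)").
PHISH_URL = (
    "http://83.16.123.18/icons/pp/update.htm"
    "?=https://www.paypal.com/=cmd_login_access_account_uptead_curreny(truncated)"
)
# A constructed legitimate URL for comparison.
LEGIT_URL = "https://www.paypal.com/"

if __name__ == "__main__":
    for u in (PHISH_URL, LEGIT_URL):
        result = analyse_url(u)
        print(u)
        print("  host:", result["host"])
        for f in result["findings"]:
            print("  -", f)
        print("  suspicious:", result["suspicious"])
```

The decisive check is the third one: a URL parser gives the authority (host) and the path/query as separate components, so a brand name found in the tail while the host is an IP address or an unrelated domain is exactly the pattern this phish relies on to fool a reader scanning the address bar.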

 
 
Followed by a fake logout screen:
 
 

Notice that the suspicious domain name stays in the address bar all the time!

The site is hosted in Poland:

 
WHOIS data (for IP 83.16.123.18):

IP Location: Poland - Koodziejrudalska

inetnum: 83.16.123.16 - 83.16.123.23
netname: KOODZIEJRUDALSKA
descr: RUDA SLASKA
descr: POLAND
country: PL
admin-c: AK3756-RIPE
tech-c: TPHT
status: ASSIGNED PA
mnt-by: TPNET
source: RIPE

role: TP S.A. Hostmaster
address: TP S.A. "POLPAK"
address: ul. Nowogrodzka 47A
address: 00-695 Warszawa
address: Poland
phone: +48 22 6252383
fax-no: +48 22 6225182
trouble: Network problems:
trouble: Abuse and spam notification:
trouble: DNS problems:
trouble: Routing problems:
admin-c: TK569-RIPE
tech-c: TK569-RIPE
tech-c: JS1838-RIPE
nic-hdl: TPHT
mnt-by: TPNET
source: RIPE

person: ANDRZEJ KOLODZIEJ
address: BIELSZOWICKA
address: 41-717 RUDA SLASKA
address: POLAND
remarks: phone to TP CALL-CENTER
phone: +48 801 120 811
nic-hdl: AK3756-RIPE
mnt-by: TPNET
source: RIPE