PayPal - "Verify and update your PayPal information"
25-Jun-2004

Summary
Email title: 'Verify and update your PayPal information'
Scam target: PayPal users
Email format: HTML email
Sender: 'PayPal Support Center <services@paypal.com>'
Sender spoofed? Yes
Scam call to action: 'It has come to our attention that your PayPal® account information needs to be updated...If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service... However, failure to update your records will result in account suspension...To update your PayPal® records click on the following link...'
Scam goal: Obtaining the victim's PayPal username/password, credit/debit card information and personal contact information (address, phone number)
Call to action format: URL link
Visible link: http://www.paypal.com/cgi-bin/webscr?cmd=_login-run
Called link: http://210.120.9.236/paypal/login.htm
Phish site: http://210.120.9.236/
 
E-mail
 
This message looks very legitimate at first glance: the sender, the URL and the footer leave no room for doubt. The sender, however, is spoofed, and the URL is 'masked': the visible link text shows paypal.com, while the link actually called points at the IP address listed above.
The content itself is quite forceful and designed to scare the victim into clicking the link immediately.
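The 'masked' link is the detail a mail filter or analyst can check mechanically: compare the host named in an anchor's visible text with the host in its href, and flag hrefs that resolve to a bare IP address. The following is an added example written for this write-up, not APWG's code; the HTML fragment is constructed to mirror the lure, reusing the visible and called links listed above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed fragment modelled on the lure: the anchor text shows paypal.com
# while the href is the IP-hosted phish page named in the write-up.
SAMPLE_EMAIL = """<html><body><p>To update your PayPal records click on the following link:</p>
<a href="http://210.120.9.236/paypal/login.htm">http://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
<p><a href="http://www.paypal.com/help">Help Center</a></p>
</body></html>"""
class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] of the anchor being read
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(s.strip() for s in self._current))
            self._current = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_ip_literal(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def find_masked_links(html):
    """Return (href, shown_host, actual_host, reasons) for each suspicious anchor:
    visible text naming a different host than the href, or an href on a bare IP."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        # Visible text counts as a claimed destination only when it is itself a URL
        shown = host_of(text) if text.startswith(("http://", "https://")) else ""
        actual = host_of(href)
        reasons = [r for r, hit in (("text-host-mismatch", shown and shown != actual),
                                    ("ip-literal-host", is_ip_literal(actual))) if hit]
        if reasons:
            findings.append((href, shown, actual, reasons))
    return findings
```

Run on the constructed message, only the login anchor is reported, with both reasons; the plain 'Help Center' link to paypal.com passes.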
 
 
Web Site
 
Once the link in the message is clicked, the 'masked' URL is opened. The first page is a replica of the PayPal login page:
 
 
The page itself looks perfect, but notice that the URL starts with an IP address. This is a strong phishing clue.
The links on the login page lead to the genuine PayPal site, with the exception of the 'log in' button, which leads to the next phish page no matter what username/password is entered. The phish does not validate the credentials with PayPal in any way.
 
 
The interesting thing about this phish is that it does not demand information right away. It tries to 'build' a credible story first, which is why it takes you through a couple of pages of explanations and 'policy agreements':
 
 
Only after this does it demand personal information:
 
 
Again, the page looks perfectly legitimate. There are even more elements put there purely to convince you of its legitimacy, the 'security test' for example. However, the phish does not verify any of the data you enter, not even, ironically, the 'security test'. All the other elements are pretty cunningly fabricated. When the 'continue' button is pressed, a 'wait...processing' type page opens:
 
 
This is just another detail in an elaborate scam. Nothing is really being done here; a timer simply adds a few seconds of delay before the final page opens:
 
 
As you can see, all the details are in place to make you think this is an absolutely legitimate process. In such cases there may be only a single phishing clue, and you should grasp it firmly. Here it is the URL, which is obviously not paypal.com:
 
 
WHOIS Data:
inetnum: 210.120.9.0 - 210.120.11.255
netname: DACOM-INTRA-KR
descr: DACOM
descr: DACOM bldg. 65-228 3-Ga Hangangro-Ro Yongsan-Ku
descr: SEOUL
descr: 140-716
country: KR
admin-c: KL483-AP
tech-c: TH167-AP
mnt-by: MAINT-KR-DACOM
status: ASSIGNED NON-PORTABLE
remarks: imported from KRNIC
changed: hm-changed@apnic.net 20021025
source: APNIC