
Paypal - 'Fraud'
13-Sep-2004

Summary
Email title: 'Fraud'
Scam target: Paypal customers
Email format: HTML e-mail (the source HTML of the message can be seen here)
Sender: fraud@paypal.com

Sender spoofed? Yes
Scam call to action: 'You have recieve this email because you or someone had tried to used your paypal account...To decline this transaction, please follow the link provide below...'
Scam goal: Getting victim's credit/debit card information, bank account information, contact information (name, e-mail address, phone numbers, etc.)
Call to action format: URL link
Visible link: http://service.users-paypal.com/index.php?_alert_id=3Dpaypal
Called link: http://service.users-paypal.com/index.php?_alert_id=3Dpaypal&user<number>

Phish website on: users-paypal.com
 
E-mail
 

This phish message is really composed with some ingenuity. It proves that a real con-artist approach comes into play in phishing - alongside a rich arsenal of purely technical tricks:

 
 
As you see, this scam does not rely on misleading you using complex spoofing. However, it is cleverly made - hence dangerous.
 
Web Site
Visible link: http://service.users-paypal.com/index.php?_alert_id=3Dpaypal
Called link: http://service.users-paypal.com/index.php?_alert_id=3Dpaypal&user<number>

Phish website on: users-paypal.com
 
The phish site demands a whole lot of information from you, and it does not have a login screen, which is quite suspicious:
 
 
The address bar is not manipulated in any manner - the phishers count on the 'social engineered' domain name:
 
 
The phish site does not check whether the submitted information falls within any valid bounds - it simply checks that every field has some text in it. A logout screen follows:
 
 
WHOIS data:

Domain Name: USERS-PAYPAL.COM
Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com
Referral URL: http://www.itsyourdomain.com
Name Server: DNS1.FREESERVERHOST.COM
Name Server: DNS2.FREESERVERHOST.COM
Status: REGISTRAR-LOCK
Updated Date: 12-sep-2004
Creation Date: 07-sep-2004
Expiration Date: 07-sep-2006
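
Added example (not part of the original APWG report): a Python sketch of two checks a defender could run on the data above, flagging a brand token that appears in a registrable domain the brand does not own, and a domain that was registered only days before the report. The allow-list, the 30-day threshold and the last-two-labels domain rule are assumptions made for illustration.

```python
from datetime import date, datetime
from urllib.parse import urlsplit

# Constructed inputs: values copied from this report's link and WHOIS fields.
VISIBLE = "http://service.users-paypal.com/index.php?_alert_id=3Dpaypal"
WHOIS = """Domain Name: USERS-PAYPAL.COM
Status: REGISTRAR-LOCK
Updated Date: 12-sep-2004
Creation Date: 07-sep-2004
Expiration Date: 07-sep-2006"""
REPORTED = date(2004, 9, 13)          # date of this archive entry
BRAND = {"paypal": {"paypal.com"}}    # assumed allow-list: token -> real domains


def registrable(host):
    """Naive registrable domain: last two labels (assumption; a real
    deployment would consult the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def whois_field(text, name):
    """Return the value of a 'Name: value' WHOIS line, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def assess(url, whois_text, seen, brands=BRAND, young_days=30):
    """Return a list of findings for a reported link."""
    findings = []
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable(host)
    # Split labels on '.' and '-' so 'users-paypal' yields the token 'paypal'.
    tokens = set(host.replace("-", ".").split("."))
    for token, real in brands.items():
        if token in tokens and domain not in real:
            findings.append(f"brand-lookalike:{token}:{domain}")
    created = whois_field(whois_text, "Creation Date")
    if created:
        age = (seen - datetime.strptime(created, "%d-%b-%Y").date()).days
        if age < young_days:
            findings.append(f"young-domain:{age}d")
    return findings


if __name__ == "__main__":
    print(assess(VISIBLE, WHOIS, REPORTED))
```

Neither check depends on address-bar tricks or link-text mismatches, which matches this case: the visible and called links point to the same host.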