Another paypal scam

Fri 10 June 2005 : Another paypal scam

On a whim I decided to follow this one..

It linked to http://www.login-paypal-world.com
Interesting reply from whois:

No match for "LOGIN-PAYPAL-WORLD.COM".

But the gtld nameservers are more helpful:

login-paypal-world.com name server pdomns2.msn.com.
login-paypal-world.com name server pdomns1.msn.com.

And it points at:

www.login-paypal-world.com has address 65.54.132.254

Which is hosted by.. microsoft.

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment

Yeah, abuse@microsoft.com. I'd like a usable answer to my previous queries.

Anyway. Asking for it:

$ lynx -head -dump http://www.login-paypal-world.com
HTTP/1.1 302 Found
Connection: close
Date: Fri, 10 Jun 2005 16:30:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-AspNet-Version: 1.1.4322
Location: http://213.136.105.66/www.paypal.com/account/index.html
Cache-Control: private
Expires: Sat, 01 Jan 2000 08:00:00 GMT
Content-Type: text/html

Later the forward stopped, but the page at the redirect is still up.

A nice redirect to 213.136.105.66 where they have built a complete mockup
of the paypal login page, with all the right buttons pointing at the right
places at paypal.
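The hop-by-hop look at the redirect above (and the same .php-to-.htm pattern further down) is easy to automate from the defender's side. The script below is an added example, not code from the original post: it follows Location headers one hop at a time, the way `lynx -head -dump` was used by hand, and flags the two tells this scam shows, a redirect to a bare IP address and a brand hostname (www.paypal.com) sitting in the URL path instead of the host. The `fetch` callback and the canned responses are assumptions for an offline run; the canned responses are constructed from the headers captured in this post, and the `BRANDS` list is a hypothetical watch list.

```python
"""Added example: walk an HTTP redirect chain manually and flag phishing tells.

Not part of the original post. `fetch(url)` is assumed to return the raw text
of a HEAD response (status line plus headers); a canned fetcher built from the
headers captured in the post is used here so the script runs offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Hypothetical watch list of brand hostnames that must only appear as the host.
BRANDS = ("www.paypal.com", "paypal.com")
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Hop:
    url: str
    status: int
    location: Optional[str]


def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Turn the raw status line + headers of a HEAD response into (status, headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])  # "HTTP/1.1 302 Found" -> 302
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def suspicious(url: str) -> List[str]:
    """Return the phishing tells visible in a single URL (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tells: List[str] = []
    try:
        ipaddress.ip_address(host)       # "213.136.105.66" parses, a hostname does not
        tells.append("ip-literal host")
    except ValueError:
        pass
    for brand in BRANDS:
        # The brand is in the path ("/www.paypal.com/account/...") but the host is not the brand.
        if brand in parts.path.lower() and host != brand and not host.endswith("." + brand):
            tells.append(f"brand name {brand!r} in path, not host")
            break
    # Lookalike host such as www.login-paypal-world.com: brand string, wrong domain.
    if "paypal" in host and host not in BRANDS and not host.endswith(".paypal.com"):
        tells.append("brand string 'paypal' in lookalike host")
    return tells


def walk(start: str, fetch: Callable[[str], str], max_hops: int = 5) -> List[Hop]:
    """Follow Location headers one hop at a time instead of letting a client do it."""
    hops: List[Hop] = []
    seen = set()
    url: Optional[str] = start
    while url and len(hops) < max_hops and url not in seen:
        seen.add(url)
        status, headers = parse_head(fetch(url))
        location = headers.get("location")
        hops.append(Hop(url, status, location))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)     # handles relative Location values too
    return hops


def analyse(start: str, fetch: Callable[[str], str]) -> List[Tuple[str, int, List[str]]]:
    """Chain walk plus per-hop tells, in one list a human or a log pipeline can read."""
    return [(hop.url, hop.status, suspicious(hop.url)) for hop in walk(start, fetch)]


# Constructed canned responses, copied from the two HEAD requests shown in the post.
RAW_302 = """HTTP/1.1 302 Found
Connection: close
Date: Fri, 10 Jun 2005 16:30:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-AspNet-Version: 1.1.4322
Location: http://213.136.105.66/www.paypal.com/account/index.html
Cache-Control: private
Expires: Sat, 01 Jan 2000 08:00:00 GMT
Content-Type: text/html
"""
RAW_200 = """HTTP/1.0 200 OK
Date: Fri, 10 Jun 2005 17:03:20 GMT
Server: Apache
Last-Modified: Thu, 05 Aug 2004 16:15:48 GMT
ETag: "341d4-29f6-41125d34"
Accept-Ranges: bytes
Content-Length: 10742
Content-Type: text/html
"""
CANNED = {
    "http://www.login-paypal-world.com": RAW_302,
    "http://213.136.105.66/www.paypal.com/account/index.html": RAW_200,
}


def canned_fetch(url: str) -> str:
    """Offline stand-in for a real HEAD request; assumed for this example only."""
    return CANNED[url]


if __name__ == "__main__":
    for url, status, tells in analyse("http://www.login-paypal-world.com", canned_fetch):
        print(status, url, tells)
```

Walking the chain yourself rather than letting a browser or `curl -L` follow it is the point: each hop is recorded with its status, so the original lure host is still in the log even after, as happened here, the forward on the first host stops working.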

213.136.105.66 is at afrinic..

inetnum: 213.136.105.0 - 213.136.105.255
netname: AVISONET
descr: ISP Cote d'Ivoire
country: CI
admin-c: ZJ59-AFRINIC
tech-c: AE496-AFRINIC
status: ASSIGNED PA

Some ISP in Cote d'Ivoire (sometimes home to a certain kind of people
from Nigeria with interesting financial propositions)

$ lynx -head -dump http://213.136.105.66/www.paypal.com/account/index.html
HTTP/1.0 200 OK
Date: Fri, 10 Jun 2005 17:03:20 GMT
Server: Apache
Last-Modified: Thu, 05 Aug 2004 16:15:48 GMT
ETag: "341d4-29f6-41125d34"
Accept-Ranges: bytes
Content-Length: 10742
Content-Type: text/html
Age: 17017

The submit is to

http://213.136.105.66/www.paypal.com/account/loginsubmit.php
which redirects to

http://213.136.105.66/www.paypal.com/account/loginsubmit.htm

This page looks like an 'error in your login data' page and asks for the
same login/password again. The funny thing is that they forgot to copy a pixel
from paypal, or forgot to point at the right one, giving 404 errors and a
somewhat distorted page (in firefox).

$ lynx -head -dump http://213.136.105.66/en_US/i/scr/pixel.gif
HTTP/1.0 404 Not Found
Date: Fri, 10 Jun 2005 21:53:46 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

The page submits the data to

http://213.136.105.66/www.paypal.com/account/processing.php

Which redirects to (this is a pattern..)

http://213.136.105.66/www.paypal.com/account/processing.htm

Which gives an advert for a new 'immediate Paypal payment' option.

Another 'continue' button, which gets (using an 'onload' form)

http://213.136.105.66/www.paypal.com/account/agreement.htm?Continue=Continue

with a bit about updated terms and conditions (loads of legalese. I did not
check for 'you just gave us access to all your paypal funds, thank you
very much' hidden in there).

And next comes up a page
http://213.136.105.66/www.paypal.com/account/pp.htm?Submit=Submit

(hey, I never clicked on one of those 'yes, I agree'
buttons..) asking for every last detail such as social security number,
mother's maiden name, drivers license, credit card number and pin for the
credit card. They do their identity theft seriously!

Oops, forgot to fill in the form. Wow, there is a real check for a CC number
in it (16 digits) and other checks for PIN length, the works. I was not
in the mood to find nonsense values for those. So I asked for the handler at
http://213.136.105.66/www.paypal.com/account/login.php

which redirected to

http://213.136.105.66/www.paypal.com/account/Complete.htm

which says...

"Your information submitted successfully! Your information will be
reviewed shortly."

And a link to 'paypal home' at the real http://www.paypal.com/

Makes me wonder where all that information is sent..

The form name used is 'mailbomber', and a google search for 'paypal' and
'mailbomber' shows that this is a well-known script for paypal account
phishing.



The Irregular is an irregular column-like something which I write. Any opinion in The Irregular is my own personal opinion and has nothing to do with any current, past or future employers or any other person/company I may have contact with.

I consider it my copyright what I write here, please get in touch with me if you want to copy/republish it.

Koos van den Hout, koos@kzdoos.xs4all.nl