June 12, 2003
Paypal Spam Scam?

Watch out: I got some weird spam that appeared to come from Paypal this morning. The email states: "Dear Paypal Customer This e-mail is the notification of recent innovations taken by PayPal to detect inactive customers and non-functioning mailboxes...The inactive customers are subject to restriction and removal in the next 3 months...Please confirm your email address and credit card information by logging in to your PayPal account using the form below:"

Among other things, I am asked to fill out a form with my credit card details and my ATM PIN, supposedly for bank notification.

That's where my scam alert kicks in. There's no way in hell Paypal would ask for my ATM PIN, nor my credit card details. The email looks deceptively legitimate otherwise.

So... analysis of the source code behind the form shows that the form info is sent to:

http://www.paypal.com0..tons of zeros and ones...1@robinsonhost.port5.com/..more zeros and ones...1.php

So the question is... who is that?

Posted at 9:21 AM | Comments (8)
Category: Internet

Comments on this article:

I don't know who's doing that but I did notice that PayPal (the real PayPal) had a notice the other day to make sure one's browser shows the "https" and has the secure logo. They must be aware of the scammer.

Posted by: Andrew on June 13, 2003 3:15 AM


I received the same SPAM scam email on Saturday, June 14 2003.

However, 'my' form was intended for a slightly different address:
http://www.paypal.com0011...(countless zeroes and ones...)...@shitday.port5.com/paypa_update_info.php

It's good to see that the page is no longer in operation, though.
(Portland Communications... 404 PAGE NOT FOUND...
has either been removed or is temporarily unavailable.)

And as you said, "...who is that?"

Well, unfortunately, I bet there are many different 'whos' all using this latest scam method.

Yikes. :/

Tristan James Taber
webmaster/graphic designer/musician

Posted by: Tristan Taber on June 16, 2003 5:20 PM

The one I received was from

action=http://www.paypal.com001110000111000110100111000111000011100011010011100011100001110001101001110001110000111000110100111000111000011100011@bigparty.port5.com/01111011100011101010101100111001.php

What I usually do with emails like that is find the IP address, go to www.arin.net to find out who their ISP is and then report them. In situations like this they will almost always get action taken against them.

Last I heard about the person who sent me this was that attbi had kicked them and is looking into legal action.

Posted by: Nick Best on June 16, 2003 9:38 PM

Aside from the obvious giveaways: 1) that it was sent to my spamcatcher email address, and 2) the aforementioned PIN number/bank account questions, my hat goes off to the scumbag behind this scam.

The target URL of the form submit (in my case, "http://www.paypal.com001110000111000110100111000111000011100011010011100011100001110001101001110001110000111000110100111000111000011100011@shitday.port5.com/paypa_update_info.php") doesn't actually load a page, but does a quick HTTP redirect to a httpS://www.paypal.com type address, obviously in response to PayPal's "make sure it's https, and make sure the secure zone icon is shown etc. etc." mantra. I wonder how many people he took to town on this one...

Brett

Posted by: brett on June 22, 2003 9:26 AM

Just to let you know... he's at it again, using a different link this time.

http://www.paypal.com0011101100011010011100011100001110001101001110001110000111000110100111000111000011100011%40web.bigvolumesites.com/paypal/paypal.php

Posted by: Rick on July 3, 2003 7:46 PM
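Every form action quoted in this thread leans on the same URL feature: in `http://user:password@host/path`, everything before the last `@` of the authority is user information, so "www.paypal.com0001...1" is a username and the browser really submits to the host after the `@` (bigparty.port5.com, shitday.port5.com, web.bigvolumesites.com), and a `%40` does the same job as the bare `@` in Rick's variant. As an added example, not code from the original post or any commenter, the Python below pulls the real host out of such a form action and flags a hostname-looking string sitting where a username belongs; the sample URLs are constructed, shortened stand-ins for the ones quoted above.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed stand-ins shaped like the form actions quoted in the thread,
# with the long 0/1 runs shortened; the last one is an ordinary https URL.
SAMPLES = [
    "http://www.paypal.com0011100001110001101001@bigparty.port5.com/0111101110.php",
    "http://www.paypal.com00111011000110100111%40web.bigvolumesites.com/paypal/paypal.php",
    "https://www.paypal.com/cgi-bin/webscr",
]

# label.label(.label)*, e.g. "www.paypal.com": what a reader takes to be the site.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)


def split_authority(url):
    """Return (userinfo, host) for `url`.

    RFC 3986 puts user[:password] before the last '@' of the authority; the
    connection goes to whatever follows it. '%40' is normalised to '@' first
    so the percent-encoded spelling from Rick's comment is handled the same
    way as the bare one.
    """
    netloc = unquote(urlsplit(url).netloc)
    userinfo, _, hostport = netloc.rpartition("@")
    host = hostport.split(":", 1)[0].lower()  # drop an explicit port (IPv6 literals not handled)
    return userinfo, host


def classify_form_action(url):
    """Say where a form submission really goes and whether the URL is dressed up as another site."""
    userinfo, host = split_authority(url)
    decoy = HOSTNAME_RE.match(userinfo.split(":", 1)[0])  # username part only
    if decoy:
        verdict = "spoofed"       # a hostname-looking string where a username belongs
    elif userinfo:
        verdict = "credentials"   # plain user:pass in a form action: unusual, worth a look
    else:
        verdict = "plain"
    return {
        "real_host": host,
        "decoy": decoy.group(0).lower() if decoy else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_form_action(sample))
```

Run against a form action lifted from a suspicious mail, `real_host` is the name to look up at ARIN (as Nick describes) and `decoy` is the brand the sender wanted the reader to see.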

Well, I had an updated version today which said my Paypal account had been "Limited" due to inactivity (wrong!) and asked me to re-enter my credit card info etc. in the form provided. The cheeky buggers even included a deadline of 30 September for doing this. The mail arrived from service@paypal.com (wegge@dgii.com) and appeared to be from Paypal's https server.

Checking up, dgii does exist and seems to be a pukka US business. Do they know what is being done, I wonder. The URL for the incoming email turned out to be nazoo.net, based in Seoul, Korea. They appear to have a whole stack of random URLs stacked up waiting to be used.

I reported it to Paypal and a couple of hours later the return site had gone, but whether that was because the spoofers had cleaned up or Paypal had closed them down I don't know.

It was a very impressive piece of software.

Hazel

Posted by: hazel on August 14, 2003 12:46 AM

Boris rules!

Posted by: Boris on October 1, 2003 7:42 PM

Interesting... my previous post is missing.

Posted by: zipcodes on October 12, 2003 1:45 PM