<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing in Spam, Scam and Phishbusters</title>
<link>http://www.dslreports.com/forum/r16055213</link>
<description></description>
<language>en</language>
<pubDate>Sun, 29 Nov 2009 13:45:26 EDT</pubDate>
<lastBuildDate>Sun, 29 Nov 2009 13:45:26 EDT</lastBuildDate>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16113383</link>
<description><![CDATA[<A HREF="/useremail/u/581232"><b>removed</b></A> : MGD, how dare you log on to a phisher's account, steal his data, and notify all his victims? You, sir, are a criminal and deserve to be punished to the fullest extent of the law!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16113383</guid>
<pubDate>Wed, 17 May 2006 03:43:52 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16097448</link>
<description><![CDATA[<A HREF="/useremail/u/1216098"><b>s0tet</b></A> : Thanks, MGD. Great information to pass because of your time and effort.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16097448</guid>
<pubDate>Sun, 14 May 2006 21:55:21 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16097008</link>
<description><![CDATA[<A HREF="/useremail/u/1003137"><b>garys_2k</b></A> : Excellent work, MGD. Now if only Ebay and Paypal would take the precautions others have suggested, such as watching for "wrong country" logins and such.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16097008</guid>
<pubDate>Sun, 14 May 2006 20:37:56 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16092031</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> : First, Thank you all for the encouraging posts, much appreciated. Thanks also to  UncleScooter <A HREF="/useremail/u/616961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> and  nwrickert <A HREF="/useremail/u/1070900"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> for submitting to phishtrack, if it were not for that, I would not have discovered this process. <br><br><U><B>Update:</B></U><br><br>The two Paypal phishing sites that were found to be pulling the active account data from Paypal were submitted to phishtrack on 05/04<br><br>The first one was Phish 1911 &raquo;<A HREF="/phishtrack?pid=1909&urls=1">/phishtrack?pi&middot;&middot;&middot;9&urls=1</A> and the second one was Phish 1909 &raquo;<A HREF="/phishtrack?pid=1909&urls=1">/phishtrack?pi&middot;&middot;&middot;9&urls=1</A> Phish 1909, which was running on a kidc.net IP in Korea, that appears to have been finally taken down on Wednesday: ht*tp://211.233.66.55/paypal.com/index.php?bWFpIHByb3N0=aWxvciBtYWkgc3VnZXRpIHB1bGEgZnV0dXZhIG1hbWVsZSBpbiBndXRhIGRlIGxhYmFya SBjZSBzdW50ZXRpIHNpIGRvYm90b2NpIHBpc2VtYX<br><br>Phish 1911 was spammed to a referral link that was placed on a hijacked ht*tp://www.executivedevelopmentreport.com/index2.htm in the US, and it looks like Denairsoft and/or the host Nuvox.net finally pulled the referral on Thursday. By the way, that was a dismal response since they were both larted several times since 05/04. The actual phish site was hosted in China on an IP registered to China Telecom. The Phish has not been removed yet, however, it is now dormant. Records indicate that the phish site was spammed several times using different referrals on hijacked US hosts. 
<br><br><BLOCKQUOTE><HR><br>05/06/06 12:18:11 Browsing ht*tp://www.executivedevelopmentreport.com/index2.htm<br>Fetching ht*tp://www.executivedevelopmentreport.com/index2.htm ...<br>GET /index2.htm HTTP/1.1<br>Host: www.executivedevelopmentreport.com<br>Connection: close<br>User-Agent: Sam Spade 1.14<br><br>HTTP/1.1 200 OK<br>Server: Microsoft-IIS/5.0<br>X-Powered-By: ASP.NET<br>Connection: close<br>Date: Sat, 06 May 2006 16:20:12 GMT<br>Content-Type: text/html<br>Accept-Ranges: bytes<br>Last-Modified: Thu, 04 May 2006 18:34:20 GMT<br>ETag: "ec3e845ba96fc61:a8e"<br>Content-Length: 109<br>>META      HTTP-EQUIV="Refresh"CONTENT="0; URL=http://219.1XX.XXX.XXX/XXXXXX/webscr.php?cmd=Login"<HR></BLOCKQUOTE><br><br>During the analysis and probing of Phish 1911 the victim User ID and passwords were discovered. The first notable trigger was the absence of expletive submits, where users who know it is a phish will leave messages for the phisher in the User id password fields. While that issue itself is not totally unusual, many phishes especially Ebay will validate the user ID and discard non valid ones. It was the lack of those entries combined with the significant accrual rate during the monitoring that made it suspicious, and prompted further analysis.<br><br>A random check of several of the initial entries revealed that they were all valid accounts. <br>Based on that qualification the existing list of ~150 accounts was sent to a security contact at Ebay/PayPal on Thursday evening 05/04. The file was reviewed during the early hours on Friday and another batch of ~150 accounts was found and forwarded to the security contact.<br><br>It was then becoming obvious that something different was in play here. The rate and validity of the data surpassed anything I had previously run across. Later on Friday I began examining the scripting process looking for clues that might explain the difference. 
It was then that the discovery was made that the Phish was pulling the account data and displaying it to the victim. Not only was it the first time that I had seen this, but I considered it significant in that it gave a decidedly legitimate appearance to the phish.<br><br>In conversations with previous phishing victims many had said that they backed out of a phish when presented with the second page after logging in. They usually became suspicious when their SSN, or their card PIN # was requested. Obviously there is no valid reason for a SSN, and a PIN # is not needed for either debit or Credit card billing transactions. In anticipation of this, Phishers usually have two scripts running. The first one captures the User ID/ login upon entry/validation and sends it to the drop box. The second script sends all the card data plus SSN etc. along with a copy of the login data to the drop box after the second page is completed. This way the phisher still gets the login info even if the second page arouses suspicion and causes the victim to back out. The retrieval and display of the account data on that second page is considered a significant motivator for those that may have varying degrees of skepticism at page two. In fact, in several previous cases of victim notification I will get immediate replies along the lines of <I>"Damm , I knew there was something wrong about that, it has been on my mind ever since I completed it."</I> or <I>" Thanks, I only need to change my log on password as I never entered anything on the second page, as it did not seem right"</I>.<br><br>Because of this "new to me" discovery I checked other Paypal phishes submitted to phishtrack to see if that process was used elsewhere. After reviewing several open Paypal phishes I found that Phish 1909 was using the same process. I then started to put together a documented post on this procedure to get the word out. 
I am grateful to those of you who helped get this front page attention so the warning could get greater publicity. The range of victims was used to demonstrate the pivotal factor of this account display, which I believed was causing a significant increase in the response rate.<br><br>By Friday evening an additional 250 accounts were turned over, and by Monday the Ebay/Paypal contact confirmed that all 1,100 accounts were processed as compromised.<br><br> MeanPeepsSuk <A HREF="/useremail/u/1112464"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> gave excellent scenarios as to the circumstances that yield a successful phish, I also thank  K Patterson <A HREF="/useremail/u/1338989"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>,  izy <A HREF="/useremail/u/205255"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> and others for their contributions. <br><br>Kudos to  justin <A HREF="/useremail/u/1"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> for creating phishtrack, numerous victims have been spared from the nightmare of having their financial accounts ravaged as a result of it. In addition, thanks to  amysheehan <A HREF="/useremail/u/122916"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> and others who volunteer their time tracking down the hosting sites and having them shut down. Getting phish sites closed promptly is a key component in denying the criminals their financial benefit. The first 24 to 72 hours is the timeframe during which most of the data is collected. Obtaining the scripts helps identify the email drop box accounts, and also assists in identifying the origin of the phishers. In this case the benefit of over 1,100 accounts were removed from a phisher's booty, hopefully generating much discord in the criminal aftermarket. 
<br><br>You can add this one to the numerous other data retrievals as a result of submissions to phishtrack. Most recently was the victim banking account details obtained from several Chase Bank phishes, some of which were in the hands of Chase security within an hour of the data routing to the criminals. <br><br>Unfortunately in this case individual notification to the victims was impossible due to the volume and timeframe required. Victim notification is a valuable part of the process of dealing with phishing. Besides the ability to cancel or change the passwords on the affected accounts and denying access to the phisher, there is also an educational value. Many times when a card/account is compromised it takes some time for the discovery to be made. The victims may not realize that the account hijacking was the result of their participation in a phish. If so, then they are even more at risk to being phished again, as their name, address, and bank are now known to the criminals. They can be targeted in the future with more convincing and personalized phishes that contain portions of their personal information. With notification, the victim can not only know that they were phished, but see exactly how it operated, such as obfuscated links etc. Once explained, they will not likely fall victim again. Furthermore, many victims have told me that they alert and educate their family and friends, and spread the word. 
This wholesale reduction from the potential phish pool can be very effective, as it certainly is not true that everyone can only be phished once.<br><br>Just a small reminder of how phishtrack and the volunteers of the BBR community have an impact on people's lives, who otherwise are left to fend for themselves in the shark infested waters of cyberspace:<br><br><BLOCKQUOTE><br><I>----- Original Message ----- <br>From: "XXXX XXXXXXX" <br>To: XXXXXXXX<br>Sent: Tuesday, XXXX XX, 2006 2:36 PM<br>Subject: Fake Ebay<br><br> Dear member and Volunteer of Broadband Reports scambusting forum, I am so <br> grateful for your immediate help and correction on this fake e-mail from <br> Ebay. I didn't know that it was a fake and didn't even think twice about <br> it, I just replied on the matter, my husband had surgery a few days ago and <br> I decided to update for him or for us for that matter. I called our Bank <br> right away and all was done to Block and cancel account, nothing as of yet <br> had gone through on our account. I just thank you so much, I'm afraid that <br> I did get one from Capital One on line in the end of 05 saying and asking <br> questions regarding this account and I didn't have one, they said that <br> several people were using my ATM on this card and to please update . I <br> tried, the phone numbers didn't work or couldn't forward the e-mail to <br> check on this. I haven't as of yet seen anything or check our credit <br> report, but we did encounter a fraud charge and that was taken care.<br> On our e-mail there is a part I can't delete there is a hidden e-mail, you <br> can see it when you delete the last e-mail, its right below, this has never <br> been there before I don't know to delete it or clear it.<br> can you give us some help on this?<br> again, thank you for watching out, we are sooo grateful........<br> X. XXXXX <br><br>From: XXXXXXXX@aol.com <br>To: XXXXXXXXXX <br>Sent: Sunday, XXXXXX, 2006 1:41 PM<br>Subject: Fwd: XXXX E XXXXX IMPORTANT!! 
Please Read!! <br><br>Thank you for the ALERT AND UPDATE.<br><br>Please know that I have taken the necessary action to safeguard all of my personal information with the changes I've made.<br><br>GOD Bless you<br><br>XXXXXX</I><br></BLOCKQUOTE><br><br>MGD]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16092031</guid>
<pubDate>Sat, 13 May 2006 21:44:17 EDT</pubDate>
</item>

<item>
<title>Re: Another one</title>
<link>http://www.dslreports.com/forum/remark,16076537</link>
<description><![CDATA[<A HREF="/useremail/u/517760"><b>catseyenu</b></A> : Contact made with (954) 430-7156, information/links sent.<br>Edit: And she's down. Thank you Tous Corp.!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16076537</guid>
<pubDate>Thu, 11 May 2006 15:15:15 EDT</pubDate>
</item>

<item>
<title>Re: Another one</title>
<link>http://www.dslreports.com/forum/remark,16075942</link>
<description><![CDATA[<A HREF="/useremail/u/205255"><b>izy</b></A> : Looks like a business DSL account. Likely a hijacked web server. It hosts the site &raquo;<A HREF="http://www.touscorp.com" >www.touscorp.com</A><br><br>Windows 2000 - IIS 5.0 - Give them a ring!!<br><br>Registrant:<br>Tous SoftWare Corp<br><br>17447 S.W. 20 CT<br>MIRAMAR, Florida 33029<br>United States<br><br>Registered through: GoDaddy.com (&raquo;<A HREF="http://www.godaddy.com" >www.godaddy.com</A>)<br>Domain Name: TOUSCORP.COM<br>Created on: 28-Oct-97<br>Expires on: 26-Oct-06<br>Last Updated on: 05-Dec-05<br><br>Administrative Contact:<br>Hidalgo, Felipe fhidalgo@touscorp.com<br>Tous SoftWare Corp<br>17447 SW 20 CT<br>MIRAMAR, Florida 33029<br>United States<br>(954) 430-7156 Fax -- (954) 430-7156<br><br>Technical Contact:<br>Hidalgo, Felipe fhidalgo@touscorp.com<br>Tous SoftWare Corp<br>17447 SW 20 CT<br>MIRAMAR, Florida 33029<br>United States<br>(954) 430-7156 Fax -- (954) 430-7156<br><br>Domain servers in listed order:<br>NS.TZO.COM<br>NS2.TZO.COM]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16075942</guid>
<pubDate>Thu, 11 May 2006 13:46:14 EDT</pubDate>
</item>

<item>
<title>Another one</title>
<link>http://www.dslreports.com/forum/remark,16075876</link>
<description><![CDATA[<A HREF="/useremail/u/1017103"><b>oroper</b></A> : &raquo;<A HREF="http://adsl-068-209-100-060.sip.mia.bellsouth.net:82/web/index.php" >adsl-068-209-100-060.sip.mia.bel&middot;&middot;&middot;ndex.php</A><br><SMALL>--<br>I'm a Chapelle Fan-I'm Rich Beehatch!!</SMALL><div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4"><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#000000 nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/16075876?c=1007019&ret=L2ZvcnVtL3IxNjA1NTIxMy54bWw%3D"><IMG class="apic" BORDER=0 TITLE="162924 bytes" WIDTH=600 HEIGHT=450 SRC="/r0/download/1007019.thumb600~279c681523bf9624e5ce94845a00ce3b/fakepaypal.JPG/thumb.jpg" ALT="Click for full size"></A></TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16075876</guid>
<pubDate>Thu, 11 May 2006 13:35:24 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16073439</link>
<description><![CDATA[<A HREF="/useremail/u/905210"><b>user4275</b></A> :  MGD <A HREF="/useremail/u/666842"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> rulez! And yes, these Paypal phishes are very scary. Let's all try to chip in and fry them.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16073439</guid>
<pubDate>Thu, 11 May 2006 02:27:26 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16073032</link>
<description><![CDATA[<A HREF="/useremail/u/254898"><b>pcdebb</b></A> :  MGD <A HREF="/useremail/u/666842"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> I applaud and appreciate your efforts wholeheartedly.  I've said this before and I'm saying it again.  I know if my name were on any of those lists, I'd be satisfied to know you were fighting for me.<br><SMALL>--<br><A HREF="http://pcdebb.blogspot.com/">babbling</A> | <A HREF="http://www.dslreports.com/forum/weather">How's the weather?</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16073032</guid>
<pubDate>Thu, 11 May 2006 00:34:41 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16069329</link>
<description><![CDATA[<A HREF="/useremail/u/527822"><b>Mordy</b></A> : OK, your opinions have been heard loud and clear.  For whatever reason, you disbelieve the facts as stated as to the breadth of this crime, and you clearly don't like the efforts being taken to bring the criminals down and assist the victims.<br><br>Fine.<br><br>Now that the controversial opinions are on the table, have been discussed to death, and everyone has had a say, let's now get back to the original discussion of the crime.  If <I>anyone</I> feels the further need to disrupt this thread by posting hyperbole, unsubstantiated conjecture, or just wanting to get more attention by being unpopular, I will start killing posts.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16069329</guid>
<pubDate>Wed, 10 May 2006 15:03:16 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16069307</link>
<description><![CDATA[<A HREF="/useremail/u/1070900"><b>nwrickert</b></A> : <div class="bquote">Again you entirely miss the point. The people that can actually do something about it, (READ: REAL LAW ENFORCEMENT) are continually crippled by this white hat BS good guy hacker crap.</DIV>You entirely miss the point.  The people that can actually do something about it (READ: REAL LAW ENFORCEMENT) have been sitting on their behinds for years and doing nothing, while criminals have been busy building huge botnets.<br><br>I don't know exactly what  MGD <A HREF="/useremail/u/666842"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> has been doing, but it sure is better than the nothing that was otherwise being done.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16069307</guid>
<pubDate>Wed, 10 May 2006 14:59:15 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16069003</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : I've gotten that email three times.  The first time, suspecting it might be phishing, I went directly to PayPal (not by clicking on the link in the email), logged in, and sent a query, with the salient part of the email included in the text of my message.  I asked PayPal if this was a legitimate request from them.  To date, PayPal has not replied.  To be on the safe side, I went back into PayPal--after restarting my computer--and verified all of my account data.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16069003</guid>
<pubDate>Wed, 10 May 2006 14:14:13 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068977</link>
<description><![CDATA[<A HREF="/useremail/u/795407"><b>SnowyOne</b></A> : <div class="bquote"><SMALL>said by  AnonProxy <A HREF="/useremail/u/388916"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR> That unless he's a sworn police officer or working under the direction of a law enforcement agency, he's done more dammage than good.<br></DIV>Without exception every victim behind the data that  MGD <A HREF="/useremail/u/666842"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> culled from the phish would disagree with your assessment. Suggesting that prosecution of the bad guys is the final solution shows a total ignorance of the dynamics & complexity of a phish.<br>Of all the different elements that come into play regarding a successful phish, lack of prosecution isn't one of the biggies because it's just not realistic enough for this real world problem.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068977</guid>
<pubDate>Wed, 10 May 2006 14:09:26 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068974</link>
<description><![CDATA[<A HREF="/useremail/u/1338989"><b>K Patterson</b></A> : We know who MGD is.<br><br>You, sir/madam, are a troll.<br><br>MGD has made many positive contributions.  It would be helpful if you did the same.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068974</guid>
<pubDate>Wed, 10 May 2006 14:09:06 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068905</link>
<description><![CDATA[<A HREF="/useremail/u/205255"><b>izy</b></A> : You are correct, the data can be retrieved from anywhere. Hence the inability for law enforcement in the US to do exactly what MGD has done. Their hands are tied in most, if not all cases like this. The only thing that can be done is to put pressure on the host to take down the site. Meanwhile, hundreds more become victims.<br><br>Do you really think that even after all is said and done (or even during the phish) OUR government or PayPal or {insert phished company name here} alerts victims that their identities have been compromised via a phishing website? If you do, you are sorely mistaken. It's every victim for themselves, heck they probably won't even know anything was wrong until they see a charge for a Volkswagen in Croatia on their Citibank card.<br><br>I'm done with your perfect world assumptions, if you feel the need to chime in with your "they should know better" attitude, feel free. I applaud  MGD <A HREF="/useremail/u/666842"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>'s efforts and  justin <A HREF="/useremail/u/1"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>'s work on the invaluable phishtrack tool. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068905</guid>
<pubDate>Wed, 10 May 2006 13:56:47 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068701</link>
<description><![CDATA[<A HREF="/useremail/u/388916"><b>AnonProxy</b></A> : At least three admited felonies does not make for a good Samaritan.<br>Alerting the bad guys by stealing their data and exposing the flaws of their security and phishing, not a good Samaritan.<br>Just because a server is located half a world away, doesn't mean the data isn't retrieved from say Fort Lauderdale, FL...as so aptly "proven" by MGD in his supposed hack of their system.<br><br><div class="bquote"><SMALL>said by  izy <A HREF="/useremail/u/205255"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</SMALL><BR><BR>Who are you? I have no clue...<br><br>Do you know who MGD is? Neither do I...<br><br>Is he being a good Samaritan? Yes indeed...<br><br>Is he breaking this so called "chain of evidence"? Probably, but when the server is in some 3rd world country where their own government is more corrupt than the phishing crooks, the least he can do is notify the victims (which has been done in the past with sucess) that their identity may be compromised. More power to him!<br> </DIV>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068701</guid>
<pubDate>Wed, 10 May 2006 13:26:44 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068658</link>
<description><![CDATA[<A HREF="/useremail/u/388916"><b>AnonProxy</b></A> : Again you entirely miss the point. The people that can actually do something about it, (READ: REAL LAW ENFORCEMENT) are continually crippled by this white hat BS good guy hacker crap.<br><br>Again read his post, the number 1,100 is a totally BS number...taken from an estimation of 1 good out of 100.<br><br>You can slice it any way you want to make yourself feel good, but all this has proven is <br>That phistrack helps people hack into systems by listing the most popular phishing systems. <br>That even if you actually believe that MGD did hack the system, he committed several felonies and ruined a chain of evidence.<br>That the phisher was clued into the flaws in their system and will be "better" next time thanks to MGD, that PayPal will have to worry about the next one...that we know that there are at least two sets of hacked data out there...the info taken in the original phish and the stuff that supposedly on MGD's system...and gloy be, no arrests, the folks are in the wind, and they are smarter for the efforts of MGD.<br>That people will do anything to justify "white hat game".]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068658</guid>
<pubDate>Wed, 10 May 2006 13:21:07 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068654</link>
<description><![CDATA[<A HREF="/useremail/u/205255"><b>izy</b></A> : Who are you? I have no clue...<br><br>Do you know who MGD is? Neither do I...<br><br>Is he being a good Samaritan? Yes indeed...<br><br>Is he breaking this so called "chain of evidence"? Probably, but when the server is in some 3rd world country where their own government is more corrupt than the phishing crooks, the least he can do is notify the victims (which has been done in the past with success) that their identity may be compromised. More power to him!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068654</guid>
<pubDate>Wed, 10 May 2006 13:20:45 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068588</link>
<description><![CDATA[<A HREF="/useremail/u/388916"><b>AnonProxy</b></A> : Ohhh I understand completely, he used fishtrack to find a popular system then hacked into it.<br>Taking all the data and the logs.<br>The openly admitted to it here.<br><br>What you seem not to understand is that in doing so he damaged a chain of evidence. That he committed a felony or three to do so.<br><br>Yes there were victims in this case but my concern is also with actually doing something about the people doing this, not just the victims for once incident.<br><br>So MGD did a great job, he alerted the bad guys to the problems with their "system", stole data of any number of people, and now the argument could be made that any of the data used was used by MGD or anyone else that might have rode in on his hack.<br><br><div class="bquote"><SMALL>said by  izy <A HREF="/useremail/u/205255"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR><div class="bquote"><SMALL>said by  AnonProxy <A HREF="/useremail/u/388916"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</SMALL><BR><BR>If you have a claim from PayPal that all those accounts were compromised, I'd like to see it. </DIV>You sir obviously need to view some of  MGD <A HREF="/useremail/u/666842"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>'s past posts. These phishing websites log to a file stored on the server. In which, MGD has compromised the suspect webspace the phish site is hosted on gaining access to these log files.<br><br>Being skeptical is good, we all should be more skeptical. But you really don't seem to understand how these phish sites operate. Maybe read through some of MGD's past threads and you will understand more clearly the situation at hand.<br><br>btw, every single <STRIKE>name</STRIKE> victim on that file HAS BEEN compromised. 
If you don't agree, I suggest you lookup the definition of compromised.<br> </DIV>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068588</guid>
<pubDate>Wed, 10 May 2006 13:12:26 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068558</link>
<description><![CDATA[<A HREF="/useremail/u/1"><b>justin</b></A> : I don't normally do spelling flames but it is very hard to take your holier than thou accusations seriously here.<br><br>The victims would be grateful, paypal would be grateful, and the phisher very unhappy. The only other person who appears to be unhappy is you, because you shot first without reading the details and are now trying (and failing) to find something else to criticise.<br><br>If you run the server that was compromised in order to damage the phish, feel free to start the lawsuit.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068558</guid>
<pubDate>Wed, 10 May 2006 13:08:44 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068532</link>
<description><![CDATA[<A HREF="/useremail/u/388916"><b>AnonProxy</b></A> : I understand this:<br><br>Phistrack was used to find a very popular phishing "system" and a poster named MGD used that information to then supposedly hack into that system to download data.<br><br>That hacking into a system (for good intentions or bad) is a FELONY in the US. Which seems to be what MGD has admitted to.<br><br>That in doing so he has ruined any chance maintaining a true  evidence chain. That unless he's a sworn police officer or working under the direction of a law enforcement agency, he's done more dammage than good.<br><br>Now let us talk about phistrack<br>If MGD can do it for "good", reading phistrack and trying to exploit the top listed "phishes" so can any other person for "bad". So phistrack is an excellent tool for the lasy hacker who wants to exploit other peoples phishing schemes. Why bother doing all the work of setting up you own phish when DSLreports has a top 100(0) list of phishes you can hack and then steal data from. Nice.<br><br>Good intentions all around but bad implimentation.<br><br>Lastly, his number is an "estimation" based on a 1 in 100 good for incident. As well it seems much of his information is estimate and conjecture...so he either addmited to a couple felonies, and actually got the data or is just guessing and making up numbers. You tell me, I would love to know.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068532</guid>
<pubDate>Wed, 10 May 2006 13:05:19 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068417</link>
<description><![CDATA[<A HREF="/useremail/u/205255"><b>izy</b></A> : <div class="bquote"><SMALL>said by  AnonProxy <A HREF="/useremail/u/388916"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>If you have a claim from PayPal that all those accounts were compromised, I'd like to see it. </DIV>You sir obviously need to view some of  MGD <A HREF="/useremail/u/666842"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>'s past posts. These phishing websites log to a file stored on the server. In which, MGD has compromised the suspect webspace the phish site is hosted on gaining access to these log files.<br><br>Being skeptical is good, we all should be more skeptical. But you really don't seem to understand how these phish sites operate. Maybe read through some of MGD's past threads and you will understand more clearly the situation at hand.<br><br>btw, every single <STRIKE>name</STRIKE> victim on that file HAS BEEN compromised. If you don't agree, I suggest you lookup the definition of compromised.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068417</guid>
<pubDate>Wed, 10 May 2006 12:51:54 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068143</link>
<description><![CDATA[<A HREF="/useremail/u/1"><b>justin</b></A> : <div class="bquote"><SMALL>said by  AnonProxy <A HREF="/useremail/u/388916"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>As stated before, the use of Phishtrack to definitively prove anything is suspect. If you have a claim from PayPal that all those accounts were compromised, I'd like to see it.<br> </DIV>You misunderstand, it isn't from phishtrack, it is from MGD busting into the server that was collecting the compromised records and downloading them in their entirety. Phishtrack may have alerted him to the new phish, and had the details, but the rest was good old fashioned detective work.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068143</guid>
<pubDate>Wed, 10 May 2006 12:09:48 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068098</link>
<description><![CDATA[<A HREF="/useremail/u/388916"><b>AnonProxy</b></A> : Double]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068098</guid>
<pubDate>Wed, 10 May 2006 12:02:06 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16068095</link>
<description><![CDATA[<A HREF="/useremail/u/388916"><b>AnonProxy</b></A> : As stated before, the use of Phishtrack to definitively prove anything is suspect. If you have a claim from PayPal that all those accounts were compromised, I'd like to see it.<br><br>Just because someone "alerts" to a potential scam, doesn't mean they were taken in by it.<br><br>I alert when I see something I know is suspect, so in my instance any of my alerts are not to be counted as "he was taken" and I would argue that most of the people that know about phishtrack are not your "normal" user and are more adept to not being "had". So the reports are even less suspect of being actually hacked.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16068095</guid>
<pubDate>Wed, 10 May 2006 12:01:35 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16066769</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : I have no sympathy. Ignorance is never an excuse; it's just the cognitive human version of evolution in action. Getting "sucked in" to this site is just laziness, the refusal to follow the simple rule (if you MUST go & check PayPal or etc.) of not following the link, of just typing in the URL of the site directly. This doesn't require a master's degree or some kind of esoteric knowledge.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16066769</guid>
<pubDate>Wed, 10 May 2006 06:59:08 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16065214</link>
<description><![CDATA[<A HREF="/useremail/u/166306"><b>Jan Janowski</b></A> : Thanks for the great post!!!<br><br>I have received those exact emails... Wife almost fell for a bank version of same thing, too... She's now educated...<br><br>I've been always forwarding the Paypal emails to spoof@paypal.com<br>That's about all I can do to counteract it...<br><br>HOWEVER... Anybody remember the FREE CAD SOFTWARE from last year?   THE EMAIL ADDRESS I GAVE AT THAT TIME (not my 'regular' email address) is the email address it comes to... (My Paypal account uses a different email address)..<br><br>Jan<br><SMALL>--<br>Looking for 1939 Indian Motocycle</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16065214</guid>
<pubDate>Tue, 09 May 2006 22:08:50 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16065167</link>
<description><![CDATA[<A HREF="/useremail/u/705861"><b>Jafo232</b></A> : You know what would be nice?  A way to tell your mail program that if mail X says it comes from paypal.com, mybank.com, etc., to disable all hyperlinks in email X.  Better yet?  A server side solution to do this.<br><br>Paypal and other sites with sensitive information should have a policy to never insert a hyperlink into email.  A list of these sites with this policy should be included in a mail server's configuration (i.e. load in sendmail.cf). Any email saying they are from those domains will then be "de-linked" before the mail client retrieves it.<br><br>I think it would stop a lot of users from pathetically clicking these links.  Obviously education will never work. <br><SMALL>--<br>Write Your News, Find Your News At <A HREF="http://www.pingpost.com">PingPost.com</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16065167</guid>
<pubDate>Tue, 09 May 2006 22:00:57 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16064875</link>
<description><![CDATA[<A HREF="/useremail/u/1181705"><b>ddhort</b></A> : That was the immediate clue for me also, receiving a "paypal" email at an email address NOT associated with my account.  Lordy, those emails look authentic.  Vigilance is the cost of freedom I suppose.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16064875</guid>
<pubDate>Tue, 09 May 2006 21:17:07 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16064246</link>
<description><![CDATA[<A HREF="/useremail/u/268808"><b>Oregonian</b></A> : <div class="bquote"><SMALL>said by Vasic :</SMALL><BR><BR>Of course, in Europe, this cannot happen. The banks over there give you a physical token (and some even give you a token/magnetic card reader), so that only a person with the correct number generated by the token can log in. But this would be just too inconvenient for the US consumers, wouldn't it...?<br> </DIV>I seem to remember reading something about US banks (and others) being required by Congress to start using a second form of verification such as a token. Was I just dreaming?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16064246</guid>
<pubDate>Tue, 09 May 2006 19:44:42 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16064161</link>
<description><![CDATA[<A HREF="/useremail/u/875646"><b>happyland</b></A> : Paypal does have a verification system.<br>They will flag suspicious attempts to login (via a hijacked server or drastically different IP, browser, etc.) and will display some verification info for you to confirm (i.e. last 4 digits of cc and you have to enter in the full number yourself)<br>However, the phisher could just display this page to the victim, and then just forward the data to paypal.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16064161</guid>
<pubDate>Tue, 09 May 2006 19:32:55 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16063882</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Many posters here commented (judgementally) that one should easily recognise these messages by the URLs of the links, and other things. After having seen about 2000 phishing messages, I can say that they are getting craftier with each new one. It is very common now to see a link pointing to a URL like this:<br><br>www.paypal.com.cgi-bin.auth.490990...some seemingly arbitrary string...poorhijackedserver.com/collect.php<br><br>If you closely examine the string, you'll find out that all that stuff between the 'www' and the 'poorhijackedserver.com' address is secondary-level domain. The phisher hacked 'poorhijackedserver.com', modified its DNS tables, added his collect.php script and spammed the world with his lure. If you look at the URL, it looks as if it comes from PayPal (begins with www.paypal.com); you don't stop to realise that there should be a '/' (forward slash) after paypal.com if that's the server address. All that 'cgi-bin.auth' stuff is made to look legitimate.<br><br>The only consistently reliable clue is the poor English in the message (which, unfortunately, a lot of victims don't notice) and almost a requirement for phishing messages, '<B><I>If you could please take 5-10 minutes out of your online experience</I></B>'. Out of more than 2000 phishing messages, I would say 1980 had this sentence in the first paragraph. I guess most phishers don't really speak English that well, so they recycle the message.<br><br>To wrap it up, it is impossible to fight this. As long as there are inexperienced web users, there will be (successful) phishing in the US. Of course, in Europe, this cannot happen. The banks over there give you a physical token (and some even give you a token/magnetic card reader), so that only a person with the correct number generated by the token can log in. But this would be just too inconvenient for the US consumers, wouldn't it...?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16063882</guid>
<pubDate>Tue, 09 May 2006 18:47:28 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16062855</link>
<description><![CDATA[<A HREF="/useremail/u/1338989"><b>K Patterson</b></A> : It may be useful to repeat what MGD found while investigating an earlier scam.  Almost all of the people who fell for it had just been on line to the bank or had just registered and were preconditioned to accept the query as legitimate.  If you think about a phisher sending out a million emails for citibank as an example, he is going to hit several tens of thousands of folks who are Citibank customers.  Let's say that the average user uses the Citibank site once a month, and that the phisher hit 40,000 citibank customers.  That would mean that he hit 1333 people within a day of using the site, and 222 within four hours.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16062855</guid>
<pubDate>Tue, 09 May 2006 16:06:28 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16062656</link>
<description><![CDATA[<A HREF="/useremail/u/766947"><b>CTF</b></A> : I have received an email before saying: "Dear firstname Lastname:" and it was correct.<br>It was one of those Paypal: "You have successfully sent $268.00" to Joe Blow Jewelery...<br><br>Of course, I had not made such payment.<br>There was a link in the email to log on to your account.<br><br>I almost clicked and then just typed the paypal address in a new browser window. <br>My account was fine and nothing had been paid that I had not authorized...<br><br>While I consider myself cautious, I could certainly understand that some people fall for it.<br>It was a pretty well done scam...<br><br>Arno]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16062656</guid>
<pubDate>Tue, 09 May 2006 15:42:34 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16061741</link>
<description><![CDATA[<A HREF="/useremail/u/203572"><b>timcuth</b></A> : <div class="bquote"><SMALL>said by  nshulga <A HREF="/useremail/u/641112"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>I got one of these. Besides the obvious "don't click on emailed links", the English didn't seem right at all. In a sense, this is kinda funny, as I'm not a native English speaker (not even a very good English speaker).<br><br>So... a question for native English speakers. Do you see anything weird in the way these emails are phrased? <br> </DIV>Yes, the first one said something like "to reduce the instance of fraud". I think a more professional way of saying it would be, "...the incidence of fraud".<br><br>Tim<br><SMALL>--<br><I>The shortest sentence is, "I am". The longest is, "I do".</I></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16061741</guid>
<pubDate>Tue, 09 May 2006 13:43:45 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16061344</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> : <div class="bquote"><SMALL>said by  MxxCon <A HREF="/useremail/u/118623"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR><div class="bquote"><SMALL>said by  AnonProxy <A HREF="/useremail/u/388916"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>Quick question where did the number of actually exploited customers come from? Who said it was actually 1,100?</DIV>i'm also curious how you know that so many people got hooked<br> </DIV> K Patterson <A HREF="/useremail/u/1338989"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> is correct, the submissions to phishtrack are routinely analysed. If available, the scripts, logs, upload packages and any victim data are extracted. This enables the phisher email drop boxes to be identified, as well as the IP addresses used by the scammer. If the victim data contains contact info, then they are notified also. If they fail to acknowledge quickly, then the data is turned over to the relevant institutions. The sheer volume in this case made sending individual notices to all of the victims impossible.<br><br>In one of the PayPal phishes the criminal was first capturing the validated log in User Id and Password separately. If the victim decided to back out at the next screen then the criminal already had those credentials.<br><br>It was that log in data that was extracted from the phish. I assume that the majority would have confirmed their credit card since the last four digits and the expiration date was already displayed. The card data was not found and was most likely emailed to a drop box along with the log in info when they clicked on the update button.<br><br>The data was sent directly to Ebay/PayPal security to be processed as it accrued. Though this Phish was spammed multiple times, it is probable that the unusually high response rate was a result of this new technique, which made it appear far more legitimate than the usual phish. The typical response rate for a phish depending on the category is around 100 valid entries for a good one.<br><br>MGD]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16061344</guid>
<pubDate>Tue, 09 May 2006 12:51:56 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16061334</link>
<description><![CDATA[<A HREF="/useremail/u/1112464"><b>MeanPeepsSuk</b></A> : <div class="bquote"><SMALL>said by  kw524 <A HREF="/useremail/u/1230678"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>I'm just a uneducated machinist in upstate N.Y. and I knew better than to fall for that one. Maybe some Lawyers, Engineers, Academic Professionals, Web Consultants, Business owners and Headhunters go seek some common sense courses<br> </DIV>It seems like common sense.. because you know what to look for,  but it's not really common sense, is it? I mean all the clues to soothe the "average" user are there.  That's why people get fooled.  You'd have to know to look for the off URL... and know you should first (most things are easy when you know what to do, right?).<br><br>I do IT for wide range of high professionals, and (for the most part), they are not stupid.. they just don't have time to keep up with all this.  And, personally, I'd rather my doctors, lawyers, etc, spending their waking moments keeping up with their field ... rather than spending time with all this.  <br><br>Besides, most of them don't actually do their administrivia, they have low paid staff doing it for them (yes, reading all their email, doing online banking, etc.).  <br><br>Just food for thought...<br><br>Good job, MGD.. Keep on rockin'<br> <br><SMALL>--<br><I>"There are no victories against stupidity; only battles."</I><br><br> <br></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16061334</guid>
<pubDate>Tue, 09 May 2006 12:51:03 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL Phishes</title>
<link>http://www.dslreports.com/forum/remark,16061193</link>
<description><![CDATA[<A HREF="/useremail/u/475168"><b>pleekmo</b></A> : <div class="bquote"><SMALL>said by  Lyppy <A HREF="/useremail/u/1356111"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>Here's something that may help.  Sensitive sites like PayPal should NOT [snipped]<br><br>As far as the URL check, couldn't that be spoofed too?<br> </DIV>Part of the problem is the intrinsic nature of the Internet itself.  The Internet was not built for security -- it was built to be enduring.  Perhaps the so-called "Internet II" is being constructed with security more in mind.  This, however, may reduce its endurance...<br><SMALL>--<br>HCN: Because you deserve a rest!<BR><BR><br>Free <A HREF="http://teacherweb.ftl.pinecrest.edu/crawfor/apcg/Unit1Omelas.htm">Omelas</A>!</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16061193</guid>
<pubDate>Tue, 09 May 2006 12:31:49 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16061115</link>
<description><![CDATA[<A HREF="/useremail/u/1356111"><b>Lyppy</b></A> : Here's something that may help.  Sensitive sites like PayPal should NOT provide links in their e-mail addresses. They should direct the user to log into their account as they would normally do from a bookmark. Then inform their users never to follow emailed links and that they will never email a link.<br><br>Since this is an eBay division, why don't they also use an internal email system like eBay itself? I think that works pretty good.  <br><br>Bank of America also displays a picture and term that the user has previously chosen after a successful login, but I guess that could be easily compromised. <br><br>As far as the URL check, couldn't that be spoofed too?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16061115</guid>
<pubDate>Tue, 09 May 2006 12:18:35 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16061005</link>
<description><![CDATA[<A HREF="/useremail/u/947367"><b>Xizer</b></A> : Anyone who falls for this deserves to have their money stolen.<br><br>I thought this was some uber-new hax thing like actually making paypal.com show up in the address bar when you go to the site, but nope, all you see is some IP address.<br><br>If you're too retarded to watch your address bar, just have Firefox autofill in your username and password in the login bar for paypal.com. If you visit ANY site other than PayPal, it won't show up.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16061005</guid>
<pubDate>Tue, 09 May 2006 12:03:59 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16060929</link>
<description><![CDATA[<A HREF="/useremail/u/388916"><b>AnonProxy</b></A> : No actually it's not this "bait and switch" with auto recognition of a second page is very old. Or the populating of fields from a second screen. <br><br>As well I see only one person saying 1,100 people were hooked.<br><br>Where's that number coming from? Is there some confirmation of 1,100 people losing their shirt? Did paypal say ohhh by the way 1,100 people lost their info?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16060929</guid>
<pubDate>Tue, 09 May 2006 11:53:36 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16060525</link>
<description><![CDATA[<A HREF="/useremail/u/1248858"><b>FiL</b></A> : an give em a staff made of fossil with some kind of "gem of light" thingy on the end of it, illuminating his path. hehe<br><br>g.j. MGD. Keep munchin' away at these noobz.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16060525</guid>
<pubDate>Tue, 09 May 2006 10:54:24 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16060492</link>
<description><![CDATA[<A HREF="/useremail/u/1338989"><b>K Patterson</b></A> : He knows the count and has talked to some of them, which likely means that he was able to get into the Phisher's database.  He does that sort of thing.  Maybe we should buy him a white hat and glue it on so he is not tempted by the dark side.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16060492</guid>
<pubDate>Tue, 09 May 2006 10:49:31 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16060465</link>
<description><![CDATA[<A HREF="/useremail/u/118623"><b>MxxCon</b></A> : <div class="bquote"><SMALL>said by  AnonProxy <A HREF="/useremail/u/388916"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>Quick question where did the number of actually exploited customers come from? Who said it was actually 1,100?</DIV>i'm also curious how you know that so many people got hooked<br><SMALL>--<br>[Sig removed by Administrator: Signature can not exceed 20GB]</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16060465</guid>
<pubDate>Tue, 09 May 2006 10:46:15 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16060299</link>
<description><![CDATA[<A HREF="/useremail/u/1"><b>justin</b></A> : <div class="bquote"><SMALL>said by  AnonProxy <A HREF="/useremail/u/388916"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>Look this is nothing that new or amazing. The short version is the answer is in the text and URL.<br> </DIV>It isn't amazing, but it is new. Quite a large step forward in so-phish-tication.<br>Of course it is true that most people who can read message boards on phish techniques know to look at a URL (if their email client is not badly designed), but after that hurdle, this phish becomes more convincing than the average one.<br><br>1000 people losing their identity (And their balances) to a gang in a few days equates to a sizeable bank robbery!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16060299</guid>
<pubDate>Tue, 09 May 2006 10:16:56 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16060251</link>
<description><![CDATA[<A HREF="/useremail/u/323381"><b>SCCutler</b></A> : The simple answer, and my unyielding policy, is that I must initiate all communications with any on-line provider of services, and I never initiate that from a link in an email.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16060251</guid>
<pubDate>Tue, 09 May 2006 10:06:13 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16060232</link>
<description><![CDATA[<A HREF="/useremail/u/388916"><b>AnonProxy</b></A> : Look this is nothing that new or amazing. The short version is the answer is in the text and URL.<br><br>The URL is not paypal, it is for a site on a Korean server. Look at the URL, don't see the www.paypal.com, you don't enter any information.<br><br>If people are too dumb to figure that out...god bless them]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16060232</guid>
<pubDate>Tue, 09 May 2006 10:02:45 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16060217</link>
<description><![CDATA[<A HREF="/useremail/u/388916"><b>AnonProxy</b></A> : Quick question where did the number of actually exploited customers come from? Who said it was actually 1,100?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16060217</guid>
<pubDate>Tue, 09 May 2006 09:59:41 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16060172</link>
<description><![CDATA[<A HREF="/useremail/u/884764"><b>BullroarerT</b></A> : What's wrong with this logic:<br>Paypal should monitor its weblogs, and if it sees hundreds of logins from the same IP address, and these logins have mail addresses in different countries--Shouldn't that arouse their suspicions?  Why can't paypal ban that IP address based on this logic?<br><br>For example, there's probably a hundred or so logins from Microsoft's Redmond campus, which probably uses the same IP addy, and these logins all have US addresses.  You could say the same for any large campus whether it's a university, business, military base, etc.  However, the phishing attack as described would have paypal mail addresses spread over multiple countries, the majority of which would not be the country of the IP address that's doing the login.<br><br>Of course, the next step for the phisher would be to rent a bot net.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16060172</guid>
<pubDate>Tue, 09 May 2006 09:52:10 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16060145</link>
<description><![CDATA[<A HREF="/useremail/u/641112"><b>nshulga</b></A> : I got one of these. Besides the obvious "don't click on emailed links", the English didn't seem right at all. In a sense, this is kinda funny, as I'm not a native English speaker (not even a very good English speaker).<br><br>So... a question for native English speakers. Do you see anything weird in the way these emails are phrased? ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16060145</guid>
<pubDate>Tue, 09 May 2006 09:47:42 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16059941</link>
<description><![CDATA[<A HREF="/useremail/u/672516"><b>retiredat44</b></A> : This is the type I got about 2 or 3 months back...<br>-----------<br>The second example motivates you to log in by telling you that a primary email address was added to your account:<br>------------<br>You can only tell it wasn't from PayPal if you moved your mouse over the link and look at the script readout on the bottom of your eMail client. You could then see some address with a &raquo;<A HREF="http://****.***.de" >****.***.de</A> like URL.<br><br>It looks exactly like PayPal website, in fact it probably was with a second feed going to the hijackers...<br><br>I tried to post this info earlier a couple months back.. I had sent my copy to PayPal and they confirmed to me it was not from them..<br><br>I really think we should start executing the criminals... whoever is against executing them are assclowns..<br> :mad:<br><br>(don't think you are too smart, if you are half asleep, tired, in a hurry, or not thinking clearly all it takes is a moment of dumbass and you are screwed ...)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16059941</guid>
<pubDate>Tue, 09 May 2006 09:00:44 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16059648</link>
<description><![CDATA[<A HREF="/useremail/u/1296791"><b>cothrom</b></A> : Funny,<br>I've been getting these emails for two months, but not on the email address associated with my PayPal account, but the secondary addresses I have put into paypal.  I have not received anything on the address I log in on.<br>Anyone else get it like this?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16059648</guid>
<pubDate>Tue, 09 May 2006 07:28:09 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16059348</link>
<description><![CDATA[<A HREF="/useremail/u/599177"><b>The Gizmo</b></A> : Whenever I get an email like this, I just open a browser or a new browser and go to their site manually (IE: "https://www.paypal.com" if it's paypal) and login. I NEVER ever go to a site like paypal from an email link period. If there's anything important that they need to bring to my attention, paypal will let me know when I login to the real site from their real URL. Actually I always turn off HTML on email, so I can always see the real destination of a URL and not what they make it say.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16059348</guid>
<pubDate>Tue, 09 May 2006 03:34:29 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16059192</link>
<description><![CDATA[<A HREF="/useremail/u/1078318"><b>rob_in_chatt</b></A> : i run the netcraft toolbar and look what i got when i clicked the korean link.......<br>[attachment: busted.JPG]]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16059192</guid>
<pubDate>Tue, 09 May 2006 02:10:14 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16059137</link>
<description><![CDATA[<A HREF="/useremail/u/627722"><b>furlonium</b></A> : I think a big thing to remember is that when Paypal actually sends you an email, they address you as "Dear (your first name, last name)", not "Dear Paypal Member" or "Dear Paypal User". These bogus emails are always formatted as the latter.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16059137</guid>
<pubDate>Tue, 09 May 2006 01:47:09 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16058620</link>
<description><![CDATA[<A HREF="/useremail/u/1355997"><b>savannah27</b></A> : I received a letter that looked so much like a Paypal letter. It stated that they were removing over 800 bucks from my credit card and were sending two razor phones to this address in Hatfield pa. First thing I did was call the bank and close off everything. I got a new account, new cards, new everything. The letter stated if I did not approve of this shipment to click on an url. But then the url was not workable. The bank told me if it happens again, just delete it because they are looking for info is all. I don't allow junkmail into my account and if it gets thru I delete it. Something needs to be done because this is the 3rd time it's happened to me. It's just a pain to have to change everything to be on the safe side.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16058620</guid>
<pubDate>Mon, 08 May 2006 23:28:43 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16058451</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : I see these all the time.  If you have an email id that has been spread around for years, you will get lots of phishing attempts, I see these weekly.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16058451</guid>
<pubDate>Mon, 08 May 2006 23:02:20 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16057029</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> : <div class="bquote"><SMALL>said by  kw524 <A HREF="/useremail/u/1230678"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>... I knew better than to fall for that one. Maybe some Lawyers, Engineers, Academic Professionals, Web Consultants, Business owners and Headhunters go seek some common sense courses<br> </DIV>Good point, I see repeatedly that there is no correlation between extended education and common sense.<br><br>I am far more sympathetic to the elderly though, some get phished over and over. I noticed a while back that some elderly victims that I notified to cancel their credit card, would say "oh no not again". When I inquired as to why, they said that their bank had contacted them twice in the past six months to notify them that there were multiple charges coming in from foreign countries, and their card was compromised. <br><br>These victims did not have any idea how it was happening. I asked them if they routinely responded to emails from Banks etc., then got copies of some of those emails. It was clear that these people were being retargeted over and over. Once they had first responded to a random phish, the phisher would come back later and hit them with personalized phishes. Because they now knew their full name and the issuing bank's name, the next phishes would contain their name and the specific bank's name.<br><br>That is why I always tell people to never respond, period; using the rule that legitimate mail will always include their name no longer applies in these cases. <br><br>MGD]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16057029</guid>
<pubDate>Mon, 08 May 2006 20:13:43 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16056986</link>
<description><![CDATA[<A HREF="/useremail/u/706206"><b>jojadi76</b></A> : I can't understand how come paypal can't or doesn't want to implement a security feature like e-gold's, &raquo;<A HREF="http://www.e-gold.com/" >www.e-gold.com/</A> they can steal your password BUT if they log in from a different IP or country you need a special password and email verification in order to log back in again.<br><br>This is the security feature explained:<br><br>&raquo;<A HREF="http://www.e-gold.com/accsent.html" >www.e-gold.com/accsent.html</A><br><br><SMALL>--<br><B>Remember prohibition? it still doesn't work.</B></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16056986</guid>
<pubDate>Mon, 08 May 2006 20:08:44 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16056730</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> :  K Patterson <A HREF="/useremail/u/1338989"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> is spot on, that is precisely how it works. A snippet of the source code confirms it. The phisher's login.php script has a line: href="ht*tps://www.paypal.com/cgi-bin/webscr?cmd=_login-run<br><br><div class="code"><PRE><span class="codetext">&lt;html&gt;<br>&lt;head&gt;<br>&lt;title&gt;PayPal - Log In&lt;/title&gt;<br>&lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"&gt;<br>&lt;link href="data.css" rel="stylesheet" type="text/css"&gt;<br>&lt;/head&gt;<br> <br>&lt;body&gt;<br>&lt;TABLE width="620" height="68" border=0 align=center cellPadding=0 cellSpacing=0 class=main&gt;<br>  &lt;TBODY&gt;<br>    &lt;TR&gt;<br>      &lt;TD width="200" noWrap&gt;&lt;A&gt;&lt;IMG <br>      height=50 src="img/logo.gif" width=200 <br>      border=0&gt;&lt;/A&gt;&lt;/TD&gt;<br>      &lt;TD&gt;&amp;nbsp;&lt;/TD&gt;<br>      &lt;TD width="161" align=right noWrap class=pptext&gt;&lt;A href="https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run"&gt;&lt;strong&gt;Sign&amp;nbsp;Up&lt;/strong&gt;&lt;/A&gt; | &lt;a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run"&gt;Log&amp;nbsp;In&lt;/a&gt; | &lt;A href="https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&amp;source_page=p/gen/jobs-outside"&gt;Help&lt;/A&gt;&lt;/TD&gt;<br>    &lt;/TR&gt;<br>    &lt;TR&gt;<br>      &lt;TD height="18" noWrap&gt;&amp;nbsp;&lt;/TD&gt;<br>      &lt;TD width="259"&gt;&amp;nbsp;&lt;/TD&gt;<br>      &lt;TD class=pptext noWrap align=right&gt;&amp;nbsp;&lt;/TD&gt;<br>    &lt;/TR&gt;<br>  &lt;/TBODY&gt;<br>&lt;/TABLE&gt;<br>&lt;table width="100%" height="63"  border="0" cellpadding="0" cellspacing="0" background="img/bg.gif"&gt;</SPAN></PRE></DIV><br>Banning the IP would be an effective method to block this validation and retrieval process. <br><br>MGD]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16056730</guid>
<pubDate>Mon, 08 May 2006 19:40:33 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16056697</link>
<description><![CDATA[<A HREF="/useremail/u/1230678"><b>kw524</b></A> : I'm just an uneducated machinist in upstate N.Y. and I knew better than to fall for that one. Maybe some Lawyers, Engineers, Academic Professionals, Web Consultants, Business owners and Headhunters go seek some common sense courses]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16056697</guid>
<pubDate>Mon, 08 May 2006 19:36:36 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16056451</link>
<description><![CDATA[<A HREF="/useremail/u/565356"><b>public</b></A> : Example:<br><br>&raquo;<A HREF="http://202.181.96.54/secure/signin.ebay.com.ws.eBayISAPI.dllSignIn+co+partnerId+2+pUserId+siteid+0+pageType+pa1+i1+bshowgif+UsingSSL+ru+pp+pa2+errmsg+runame+ruparams+ruproduct+sid+favoritenav+confirm+ebxPageType+existingEmail/eBayISAPI.dllSignIn-ssPageName-hhsin.php" >202.181.96.54/secure/signin.ebay&middot;&middot;&middot;hsin.php</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16056451</guid>
<pubDate>Mon, 08 May 2006 19:04:10 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16055606</link>
<description><![CDATA[<A HREF="/useremail/u/1338989"><b>K Patterson</b></A> : Assuming that the Pay Pal system keeps the client database on a server different from their WWW server, that is exactly how it is set up.<br><br>The phisher does not access the database directly.  It logs in to the WWW site just like any other PayPal member, using the user name and password which the yokel provides.<br><br>Until it bans the IP associated with the phisher, there is no way to separate this fake inquiry from a legitimate customer log-in.<br><br>I think it would have been better to have said "screen scraper" in my earlier post.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16055606</guid>
<pubDate>Mon, 08 May 2006 17:20:58 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16055213</link>
<description><![CDATA[<A HREF="/useremail/u/970911"><b>tdumaine</b></A> : Dude,<br><br>Say I'm runnin a paypal like service. Let's call it tompal.<br><br>Tompal has 2 servers that run it. When you go to tompal, server #1 presents you with a login page. Server 1 checks your username/password with my server #2 which contains all that.<br><br>Set server 2 up to not allow any connections other than from server 1.<br><br>Then the phishers in china wouldn't work cause server 2 won't auth to the outside world.<br><br>Why can't they set it up like this?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16055213</guid>
<pubDate>Mon, 08 May 2006 16:24:39 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16052889</link>
<description><![CDATA[<A HREF="/useremail/u/1338989"><b>K Patterson</b></A> : I think the answer is that the Phishing site is connecting as though they are a customer and screen washing to get the info from PayPal's reply.<br><br>This whole deal is pretty nasty.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16052889</guid>
<pubDate>Mon, 08 May 2006 09:47:46 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16052226</link>
<description><![CDATA[<A HREF="/useremail/u/970911"><b>tdumaine</b></A> : Can't paypal block requests for authorization from off of their servers?<br><br>Example:<br><br>I go to paypal.com. Paypal.com wants my login info, so if that ip is requesting to their server to authenticate, can't they block auth requests from anything but paypal.com's ip?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16052226</guid>
<pubDate>Mon, 08 May 2006 04:33:05 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16051413</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> : <div class="bquote"><SMALL>said by  s0tet <A HREF="/useremail/u/1216098"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>Thanks for reporting this. Do you have any URLs that are active that you can share? If not I can understand. I wonder if there are any news updates in google on this. I will take a look.<br> </DIV>Sure here is one example, This one is on a Korea Internet Data Center IP:<br>&raquo;<A HREF="http://211.233.66.55/paypal.com/index.php?bWFpIHByb3N0=aWxvciBtYWkgc3VnZXRpIHB1bGEgZnV0dXZhIG1hbWVsZSBpbiBndXRhIGRlIGxhYmFyaSBjZSBzdW50ZXRpIHNpIGRvYm90b2NpIHBpc2VtYX" >211.233.66.55/paypal.com/index.p&middot;&middot;&middot;Bpc2VtYX</A><br><br>I notified PayPal Thursday and turned over victim data. China and Korea are both difficult to shut down promptly. I was hoping PayPal could block the IP's at their end from coming in, and prevent the phish from validating log ins and then extracting the account data. <br><br>MGD ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16051413</guid>
<pubDate>Sun, 07 May 2006 23:21:44 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16051313</link>
<description><![CDATA[<A HREF="/useremail/u/1216098"><b>s0tet</b></A> : Thanks for reporting this. Do you have any URLs that are active that you can share? If not I can understand. I wonder if there are any news updates in google on this. I will take a look.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16051313</guid>
<pubDate>Sun, 07 May 2006 23:01:55 EDT</pubDate>
</item>

<item>
<title>[Phishing] ALERT!! New Vicious PAYPAL phishing</title>
<link>http://www.dslreports.com/forum/remark,16050890</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> : Within the past week a new to me breed of Paypal phishing has started making the rounds. There are now several in circulation, and based on the success rate I expect them to proliferate just like the Chase phishes did a few months back.<br><br>Within 72 hours one of these Paypal phishes has ensnared over 1,100 victim accounts. It was targeted by multiple spams that used various referral links on hijacked machines. In the two years that I have been digesting and extracting phish data, I have never seen any that came close to 1,100 victims in a little over two days. In fact, I have never seen anything even close to that rate regardless of the up-time or the phish type. As far as I am concerned this is a record.<br><br>What makes these Paypals so unique and vicious, is that they are scripted to interface with the real Paypal site. They not only validate the user's credentials in real time, but also extract and display the user's account details on the phish page. Whatever reservations and suspicions a potential victim may have, they will undoubtedly be overcome by the fact that after logging into the phish site, their account details will be retrieved from Paypal and displayed on the page. They are then asked to confirm their credit card number, enter their SSN number, and confirm their address.<br><br>I can tell you that these phishes are luring a wide range of people in several countries. The range of victims includes Lawyers, Engineers, Academic Professionals, Web Consultants, Business owners, Headhunters, you name it, they are in there.<br><br>These are two examples of the original spam. 
This one gives you a deadline for updating your account:<br><br>[attachment=1]<br><br>The second example motivates you to log in by telling you that a primary email address was added to your account:<br><br>[attachment=2]<br><br>These are two examples of the login screens that victims are presented with when they click on the links in the spam mail. Only the IP address prefix in the URL is the give away that this is a bogus site.<br><br>[attachment=3]<br><br>The fake SSL key after secure log in should be a warning sign:<br><br>[attachment=4]<br><br>Once the victim enters their User ID and Password the script submits the data to the real Paypal for validation. An incorrect User ID and or Password will return this:<br><br>[attachment=5]<br><br>Once the victim successfully logs in, their complete data set is retrieved from Paypal and presented on the page. Once the victim gets this far, any doubts that they may have about being at the "legitimate" site should now be removed.<br><br>First they are presented with their first and last name from the account displayed right after "Dear". In addition to showing their current email address/ log in, the page also shows the last four digits of their credit card that is currently on file, along with the expiration date. They are then prompted to re enter/confirm the card number so the phisher can now capture it, as paypal will only display the last four digits. Also, they are asked to confirm their mailing address, and to round out the complete theft of their identity their Social Security number is needed:<br><br>[attachment=6]<br><br>Notice the last sentence in the above <I>"Protecting the security of your PayPal account is our primary concern, and we apologize for any <B>incontinence</B> it may cause</I>. 
If the victim gives up all that data it will surely cause a bout of "incontinence" in a week or two when the statements start to roll in.<br><br>Even if the victim decides to back out at this stage, and not enter or confirm anything, the phisher has already captured the PayPal User ID and Password.<br><br>Here is where the "billing" address is entered:<br><br>[attachment=7]<br><br>Another version of the Paypal "interactive" phish actually retrieves and displays the victim's address currently on file with PayPal:<br><br>[attachment=8]<br><br>There is no question that based on the current success rate, this integrated phishing will become rampant. Again 1,100 validated accounts in less than 3 days driven by multiple spams that have referrals on hijacked boxes in the US with the phish pages stashed in either China or Korea, will quickly become the phish du jour. It is readily apparent that a wide spectrum of people are falling for it.<br><br>MGD<br><SMALL>EDIT=typo+added text</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16050890</guid>
<pubDate>Sun, 07 May 2006 21:34:44 EDT</pubDate>
</item>

</channel>
</rss>
