Broadband Tech > Security > Scam and Phishbusters > PayPal.com phish scam, help me!

PayPal.com phish scam, help me!

You need to contact PayPal directly.

Can you give me their phone number?

reply to ScamHelpPlease
Yep, likely your hosts file got changed by the phish. You may have more malware, too.

Anyway, paypal's IP is »66.211.168.193 -- use that. It should redirect you to their https site.

ETA, from their website:

PayPal Customer Service:

1-402-935-2050
(a U.S. telephone number)

4:00 AM PST to 10:00 PM PST Monday through Friday
6:00 AM PST to 8:00 PM PST Saturday and Sunday

Thanks, I'm meticulously checking my system right now. I've checked my hosts file and as many places as I can to see DNS server settings, and they appear to be normal. The only way I could think that they could do this is by modifying DNS settings somewhere. I tried accessing the resolved name you gave, and it still seems to try www.paypal.com. The front page looks legit, but I can't be certain. It looks like their customer service just closed. Hopefully I can get in contact with someone tommorow. If anyone has any ideas, I'm open to them. Could they have hijacked something on the server end?

reply to ScamHelpPlease
Ping PayPal and tell us what IP ping reports to you.

C:\Documents and Settings\Owner>ping www.paypal.com
 
Pinging www.paypal.com [66.211.168.209] with 32 bytes of data:
 
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 66.211.168.209:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 

Pinging www.paypal.com [66.211.168.193] with 32 bytes of data:

Request timed out.
Request timed out.

You are going to the right IP.

reply to ScamHelpPlease
Their site looks fine on my end, and the address bar shows the green hilite that means it's cert. confirmed the address.

If you're using Firefox you can right-click on the page you get and select View Page Info, then confirm that the identity in the General tab. With IE, right click and select Properties, then check the Certificates button.

You may have been rootkit'd, start here for checking your machine out: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

ETA: Paypal's server doesn't answer pings. Don't worry about that, the IP is the main thing.

reply to Doctor Olds
Any idea why after logging in the entire page is in Chinese?

reply to garys_2k
Any idea why the site is all in chinese after logging in?

Here is an image i took of the certificate check in firefox:

»i39.tinypic.com/2gw740i.png

reply to garys_2k
test, I can't seem to reply anymore

reply to ScamHelpPlease
Sorry, it seems the replies were delayed. I found an option on the front page to switch the language to English. I couldn't find it before because the option to change language was in Chinese too. This is extremely strange. Why was the page in Chinese by default? And the E-mail I got saying I paid out $60 to this company called Nexon was using a phishing URL, yet it had my real contact info. It looks like the transaction is real, so I'll have to call PayPal

reply to ScamHelpPlease
I just saw your replies and thought you had some sort of setting messed up. It does look like you're on the correct site and you ought to be able to get the charge straightened out. I'd still run one of the online virus checks anyway, just to be really certain you're clean.

Good luck!

reply to ScamHelpPlease

reply to ScamHelpPlease
Did you check your PayPal account to make sure that the transaction was real. Many PayPal email phishing scams will show a bogus transaction in order to lure you into clicking the link and logging in to the phishing site. One possibility is if the phishing website was in an Asian country and you clicked the phish link, Paypal will auto set a cookie with an Asian language preference. That way when you go back to Paypal it will remember your language preference. many sites will auto assume that language preference based on the Geo location of the IP that you come in from. Many phishing sites are scripted to validate a log in by passing your data in real time to PayPal. That would generate the cookie with language preference. I am not sure if the cookie wll set by just a visit without a log in or not.

You may want to post the entire phish mail real links to see if in fact it was hosted in an Asian country. I do not suspect that your PC has been compromised solely based on the language change alone. Need Phish info to confirm my suspicion.

Google for example also will adapt your language preference based on where the IP that you log in from is loccated.

MGD

I immediately assume all e-mails from PayPal are phish/spam. I stopped using PayPal years ago, unfortunately I didn't remove my credit card from my account. This is the URL the PayPal receipt E-mail has:

»secure.uninitialized.real.paypal···s/VERIFY

I mean, it's really easy to tell that it's fake. So I manually went to PayPal.com and logged in. The front login page was in English, but as soon as it went to the account info page, it was all in Chinese.

reply to ScamHelpPlease
That is not the real phishing link, you either neither to show the mail in text format or right click on that link and show properties then copy and post the link in properties.

I can duplicate that problem.

Hang on I will show you how to make it happen

MGD

reply to ScamHelpPlease
If you go to >http://www.paypal.tw »www.paypal.tw (or any Asian paypal) it will default to www.paypal.com/tw and display the local language. If you now log in,