Topic 'Re: PayPal.com phish scam, help me!' in forum 'Scam and Phishbusters' - dslreports.com

Re: PayPal.com phish scam, help me!

Fri, 16 Jan 2009 23:13:36 EDT

AlphaC posted :

said by nwrickert:

Part of the problem is that domain registrars do a poor job of checking the legitimacy of domain purchasers.

That's something spammers really take advantage of. A large registrar is going to be processing several thousand new domains every day. It's all automated. There's no human looking at the whois saying, "LOL! They expect me to believe that?"

Registrars can develop systems to identify fraudulent registrations based on the "fingerprints" of other known fake registrations. We worked very closely with an admin at TodayNIC when they were being inundated with spam registrations and were able to help him automate identifying and suspending fraudulent registrations; TodayNIC now gets far fewer new registrations as spammers take their domains and credit card chargebacks elsewhere.

Why don't all the registrars do that? Part of it is that they just don't know as much about these spam operations as those of us who concentrate on researching them, part of it is they aren't charging enough for a domain registration to spend a lot of money on aggressive enforcement of AUPs, and part of it is that many really don't want to get into policing website content (porn, especially), so they insist that complaints about spam and fraud go to the hosting service instead.

ICANN does require them to act on fraudulent registrations, but they don't require them to do it quickly and they don't particularly specify what action they need to take -- is emailing the "registrant" and allowing him to substitute new fake information for old info sufficient? Or should they Google the new address to see if that exists either, for instance?

Meanwhile, the policy of insisting that only the hosting company can act on spam or fraudulent content is specious. The worst of the worst websites are all hosted on hijacked computers, and the IP addresses you see when you look them up are only the first step in a bucket brigade of servers transferring files back and forth. If you were to be able to contact the owner of the hijacked server you see, he won't find any of the website files on his machine. And he's probably not all that concerned anyway if he doesn't even know there's a trojan on his machine in the first place.

Re: PayPal.com phish scam, help me!

Fri, 16 Jan 2009 22:31:30 EDT

nwrickert posted :

It's frustrating for us to see the magnitude of the fraud from our point of view (hundreds of thousands of domains at about $10 each), ...

Part of the problem is that domain registrars do a poor job of checking the legitimacy of domain purchasers.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5

Re: PayPal.com phish scam, help me!

Fri, 16 Jan 2009 22:20:15 EDT

AlphaC posted : We track a lot of the domains advertised in spam at the forums at »ksforum.inboxrevenge.com . Since they are carrying out criminal activity, they're registered with fake/stolen identity information, and usually paid with stolen credit/debit/paypal accounts.

It's frustrating for us to see the magnitude of the fraud from our point of view (hundreds of thousands of domains at about $10 each), yet see the financial institutions looking at it as a lot of tiny charges not worth pursuing. Shoot, they even give these guys merchant accounts and let them check credit cards in real time for people buying their fake viagra and male member enlargement crap.

I'd encourage anyone who has experienced this type of fraud to pursue it vigorously. In the case of these spamvertised sites, you really want it on record that you are not involved in the scam, and you want to make sure the registrar removes your name from public whois information.

I realize this is a very sensitive issue. But since most people who are victimized have no idea what I just said and may have arrived on this forum via a Google search, I'd invite them to visit our forum to get help learning how to extricate their identities from fraudulent domain registrations.

Re: PayPal.com phish scam, help me!

Wed, 14 Jan 2009 03:17:32 EDT

anon posted : This is why Nexon America did crack down on what types of Paypal accounts you can use to charge their NX cash.

I have a feeling you somehow did get phished by a gold farmer or something similar and they got a hold of your account information from paypal. Though, did the email come supposedly come from Paypal or Nexon? It should only come from Paypal.

An official reciept from buying from Nexon America SHOULD look like this:

service@paypal.com

Dear Name,

This email confirms that you have paid Nexon America Inc. (billingpp@nexon.net) $10.00 USD using PayPal.

Payment Details
Transaction ID: ###################
Item Price: $10.00 USD
Total: $10.00 USD (Ex.)
Buyer: Name.

It may take a few moments for this transaction to appear in the Recent Activity list on your Account Overview.

Business Information
Business: Nexon America Inc.
Contact E-Mail: billingpp@nexon.net

Your Confirmed Address

Shipping Info: Your address or whatever here.

If you have questions about the shipping and tracking of your purchased item or service, please contact Nexon America Inc. at billingpp@nexon.net.

Thank you for using PayPal!
The PayPal Team

Your monthly account statement is available anytime; just log in to your account at »www.paypal.com/us/HISTORY. To correct any errors, please contact us through our Help Center at »www.paypal.com/us/HELP.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and choose the Help link located in the top right corner of any PayPal page.

To receive email notifications in plain text instead of HTML, update your preferences here.

PayPal Email ID #####

Because the game MapleStory attracts A LOT of those gold farmers from other countries, but they have to work via proxy, because there are many sites that are dedicated to selling the currency for actual money (usually cheap or something, I dunno).

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 07:45:21 EDT

anon posted : Since the language was in Chinese, I'm guessing they're "gold farmers" who sell the ingame items for real cash. I think that maybe this hides their identity since it's a 3rd party that does the billing and they won't get the cooperation of Nexon America to actually stop these people.

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 06:56:27 EDT

Doctor Olds posted :

said by MGD:

This I presume is the company paid? »www.google.com/search?hl=en&q=%2···C+inc%22 gaming, based in Los Angeles.

This is the game. Very Strange, but very popular to many it seems.

MapleStory
»en.wikipedia.org/wiki/MapleStory

quote:
MapleStory (Korean: 메이플스토리) is a free-of-charge, 2D, side-scrolling massively multiplayer online role-playing game developed by the South Korean company Wizet. Several versions of the game are available for specific countries or regions, and each is published by various companies such as Wizet and Nexon. Although playing the game is free, character appearances and gameplay enhancements can be purchased from the "Cash Shop" using real money. MapleStory has a combined total of over 50 million subscriber accounts in all of its versions.[3][4] MapleStory North America (Global), for players mainly in North America and outside of East Asia, Southeast Asia and Europe, has over three million players.[3]

--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 02:41:56 EDT

K Patterson posted : I wonder if the fraudulent charges ae coming from gamers - the company appears to be legit.

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 02:38:57 EDT

MGD posted :

said by ScamHelpPlease :

Apparently I wasn't the only one hit:

»www.complaintsboard.com/complain···411.html

Very good catch !!

That explains the foreign language setting, they logged into your account from Asia, and paypal remembers the last logon setting.

This I presume is the company paid? »www.google.com/search?hl=en&q=%2···C+inc%22 gaming, based in Los Angeles.

MGD

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 02:16:47 EDT

anon posted : Apparently I wasn't the only one hit:

»www.complaintsboard.com/complain···411.html

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 01:58:37 EDT

anon posted : I haven't been to PayPal in years, and it didn't have my e-mail address in the login box when I went to the page for the first time today. No one else uses my PC except for me. I don't know how the language change happened, but it is highly suspicious. The transaction appears to be real, I see two payments for $30 to a company called Nexon. Nexon appears to be an asian company that makes online RPGs, so the asian language again seems very suspicious. I wonder how they got my account info. The only thing that comes to mind is that I possibly used the same login info on a forum somewhere, and whomever could get access to forum login information could attempt to use it anywhere else. BTW, thanks for helping everyone. It's good to know I can come here for help. Hopefully I'll be able to resolve this tommorow with PayPal. Thankfully the sending limit was reached at $60.

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 01:24:46 EDT

MGD posted :

said by ScamHelpPlease :

.... And the E-mail I got saying I paid out $60 to this company called Nexon was using a phishing URL, yet it had my real contact info. It looks like the transaction is real, so I'll have to call PayPal

That has happened before, there are multiple threads in this forum of "targeted" paypal phishing mail. I recall one thread where the phish mail not only had the victims real id name. but also his correct address. I cannot find the correct search keys to find it, but I do remember it. I think it may also have a post where we showed phishers that we caught who had printouts of names addresses and email addresses that they bought form places like netdetective.com with carded accounts. Since your Paypal id is always an email address, it is not difficult to send millions of phish mails and hit many people with matching PayPal accounts.

MGD

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 00:55:44 EDT

MGD posted : If you go to >http://www.paypal.tw »www.paypal.tw (or any Asian paypal) it will default to www.paypal.com/tw and display the local language. If you now log in,

[att=1]

it will set a language preference cookie. Log out or just close the window. Now go to the English >http.www.paypal.com ».www.paypal.com log in and it will show you the .com site in an Asian language.

LOOK !!!:

[att=2]

I am at Paypal.com but the language is in Asian / Chineese

I can either delete the cookie or reset it in preferences.

In your case you did not click on the phish link, and the language may have nothing to do with the phish. If you have not been to paypal in a long time, then that preference change could have happened long ago. All that is needed for an auto change to happen is that you log in to a legit Paypal domain via a foreign paypal site. The two events may not be connected,only that you now went in to PayPal to check and saw the language set to non English.

That transaction in the phishmail is fake. I am sure if you check your account there will be no record of it.

So while the jury may still be out, it is important to realize that the change can happen for non nefarious reasons. That is important before you go ripping your system apart looking for a virus that may not exist. Especially if this was the only symptom. It is understandable when you see the foreign screen right when you check up on that phish mail. However, you appear to be someone who is well aware of the fake links, and never clicked on it.

There may be no connection between the two events, other than the coincidence that this is when you decided to log in. When was the last time that you were at PayPal?. Are you the only one that uses that PC who has a PayPal account?

EDIT= ADD
That Paypal cookie is global within that windows user account. If another person logged in under their account and changed preferences or logged in on a foreign Paypal. Then whoever goes to paypal.com again under that windows user will be presented with that same language setting.

Had you not of changed it back, then you could tell when it originally happened by the date of the cookie. I presume, but am not sure that the other cookie is now overwritten

When you went to paypal.com the first time after seeing the phish mail, did it already have the correct user ID (yours) in the field, or someone elses, or was it blank?.

MGD

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 00:32:29 EDT

MGD posted : That is not the real phishing link, you either neither to show the mail in text format or right click on that link and show properties then copy and post the link in properties.

I can duplicate that problem.

Hang on I will show you how to make it happen

MGD

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 00:32:11 EDT

Doctor Olds posted :

said by ScamHelpPlease :

This is the URL the PayPal receipt E-mail has:

»secure.uninitialized.real.paypal···s/VERIFY

I mean, it's really easy to tell that it's fake.

That is actually a PayPal server link and resides at IP 64.4.241.49

OrgName: PayPal
OrgID: PAYPAL
Address: 2145 Hamilton Ave
City: San Jose
StateProv: CA
PostalCode: 95125
Country: US

NetRange: 64.4.240.0 - 64.4.255.255
CIDR: 64.4.240.0/20
NetName: PAYPAL-1
NetHandle: NET-64-4-240-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Assignment
NameServer: PPNS1.PHX.PAYPAL.COM
NameServer: PPNS2.PHX.PAYPAL.COM
NameServer: PPNS1.DEN.PAYPAL.COM
NameServer: PPNS2.DEN.PAYPAL.COM
Comment:
RegDate: 2003-02-25
Updated: 2008-04-17

OrgTechHandle: EBAYN-ARIN
OrgTechName: eBay Network
OrgTechPhone: +1-408-376-7400
OrgTechEmail: network@ebay.com

# ARIN WHOIS database, last updated 2009-01-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

**complete**
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 00:17:04 EDT

anon posted : I immediately assume all e-mails from PayPal are phish/spam. I stopped using PayPal years ago, unfortunately I didn't remove my credit card from my account. This is the URL the PayPal receipt E-mail has:

»secure.uninitialized.real.paypal···s/VERIFY

I mean, it's really easy to tell that it's fake. So I manually went to PayPal.com and logged in. The front login page was in English, but as soon as it went to the account info page, it was all in Chinese.

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 00:10:28 EDT

MGD posted : Did you check your PayPal account to make sure that the transaction was real. Many PayPal email phishing scams will show a bogus transaction in order to lure you into clicking the link and logging in to the phishing site. One possibility is if the phishing website was in an Asian country and you clicked the phish link, Paypal will auto set a cookie with an Asian language preference. That way when you go back to Paypal it will remember your language preference. many sites will auto assume that language preference based on the Geo location of the IP that you come in from. Many phishing sites are scripted to validate a log in by passing your data in real time to PayPal. That would generate the cookie with language preference. I am not sure if the cookie wll set by just a visit without a log in or not.

You may want to post the entire phish mail real links to see if in fact it was hosted in an Asian country. I do not suspect that your PC has been compromised solely based on the language change alone. Need Phish info to confirm my suspicion.

Google for example also will adapt your language preference based on where the IP that you log in from is loccated.

MGD

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 00:02:50 EDT

nwrickert posted :

Why was the page in Chinese by default?

Perhaps your account was broken into, and the default changed to Chinese.

Yes, you need to call Paypal.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.5

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 00:02:04 EDT

garys_2k posted : I just saw your replies and thought you had some sort of setting messed up. It does look like you're on the correct site and you ought to be able to get the charge straightened out. I'd still run one of the online virus checks anyway, just to be really certain you're clean.

Good luck!

Re: PayPal.com phish scam, help me!

Sun, 11 Jan 2009 00:00:07 EDT

anon posted : Sorry, it seems the replies were delayed. I found an option on the front page to switch the language to English. I couldn't find it before because the option to change language was in Chinese too. This is extremely strange. Why was the page in Chinese by default? And the E-mail I got saying I paid out $60 to this company called Nexon was using a phishing URL, yet it had my real contact info. It looks like the transaction is real, so I'll have to call PayPal

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:55:56 EDT

anon posted : test, I can't seem to reply anymore

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:55:53 EDT

anon posted : Any idea why the site is all in chinese after logging in?

Here is an image i took of the certificate check in firefox:

»i39.tinypic.com/2gw740i.png

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:55:47 EDT

anon posted : Any idea why after logging in the entire page is in Chinese?

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:36:17 EDT

garys_2k posted : Their site looks fine on my end, and the address bar shows the green hilite that means it's cert. confirmed the address.

If you're using Firefox you can right-click on the page you get and select View Page Info, then confirm that the identity in the General tab. With IE, right click and select Properties, then check the Certificates button.

You may have been rootkit'd, start here for checking your machine out: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

ETA: Paypal's server doesn't answer pings. Don't worry about that, the IP is the main thing.

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:35:50 EDT

Doctor Olds posted : You are going to the right IP.

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:33:40 EDT

anon posted : Pinging www.paypal.com [66.211.168.193] with 32 bytes of data:

Request timed out.
Request timed out.

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:32:41 EDT

Doctor Olds posted : Ping PayPal and tell us what IP ping reports to you.

C:\Documents and Settings\Owner>ping www.paypal.com Pinging www.paypal.com [66.211.168.209] with 32 bytes of data: Request timed out.Request timed out.Request timed out.Request timed out. Ping statistics for 66.211.168.209:    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:30:50 EDT

anon posted : Thanks, I'm meticulously checking my system right now. I've checked my hosts file and as many places as I can to see DNS server settings, and they appear to be normal. The only way I could think that they could do this is by modifying DNS settings somewhere. I tried accessing the resolved name you gave, and it still seems to try www.paypal.com. The front page looks legit, but I can't be certain. It looks like their customer service just closed. Hopefully I can get in contact with someone tommorow. If anyone has any ideas, I'm open to them. Could they have hijacked something on the server end?

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:21:29 EDT

garys_2k posted : Yep, likely your hosts file got changed by the phish. You may have more malware, too.

Anyway, paypal's IP is »66.211.168.193 -- use that. It should redirect you to their https site.

ETA, from their website:

PayPal Customer Service:

1-402-935-2050
(a U.S. telephone number)

4:00 AM PST to 10:00 PM PST Monday through Friday
6:00 AM PST to 8:00 PM PST Saturday and Sunday

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:20:19 EDT

anon posted : Can you give me their phone number?

Re: PayPal.com phish scam, help me!

Sat, 10 Jan 2009 23:17:05 EDT

Doctor Olds posted : You need to contact PayPal directly.

PayPal.com phish scam, help me!

Sat, 10 Jan 2009 22:44:31 EDT

anon posted : I got an e-mail today in a language which seems to be in Chinese stating that I paid $60 to some company called Nexon. I have not used PayPal in YEARS. It had my contact information in it, so I went to PayPal.com manually to see if the transaction was real. I logged in and the whole page was in chinese but not the front login page. I think I just screwed myself. I don't know how, but »www.paypal.com seems to go to a disguised hijacked page. Can someone help me please? I've scanned with a virus scanner and I'm not able to pick up anything. Where would something be able to hijack specific domain names in windows? Something with DNS?