K Patterson
Premium,MVM
join:2006-03-12
Columbus, OH
 ·RoadRunner Cable
| reply to tdumaine
Re: [Phishing] ALERT!! New Vicious PAYPAL phishing
Assuming that the Pay Pal system keeps the client database on a server different from their WWW server, that is exactly how it is set up.
The phisher does not access the database directly. It logs in to the WWW site just like any other PayPal member, using the user name and password which the yokel provides.
Until it bans the IP associated with the phisher, there is no way to separate this fake inquiry from a legitimate customer log-in.
I think it would have been better to have said "sceen scraper" in my earlier post. |
|
MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL
| K Patterson  is spot on, that is precisely how it works. A snippet of the source code confirms it. The phishers login.php script has a line: href="ht*tps://www.paypal.com/cgi-bin/webscr?cmd=_login-run
<html>
<head>
<title>PayPal - Log In</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="data.css" rel="stylesheet" type="text/css">
</head>
<body>
<TABLE width="620" height="68" border=0 align=center cellPadding=0 cellSpacing=0 class=main>
<TBODY>
<TR>
<TD width="200" noWrap><A><IMG
height=50 src="img/logo.gif" width=200
border=0></A></TD>
<TD> </TD>
<TD width="161" align=right noWrap class=pptext><A href="https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run"><strong>Sign Up</strong></A> | <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">Log In</a> | <A href="https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=p/gen/jobs-outside">Help</A></TD>
</TR>
<TR>
<TD height="18" noWrap> </TD>
<TD width="259"> </TD>
<TD class=pptext noWrap align=right> </TD>
</TR>
</TBODY>
</TABLE>
<table width="100%" height="63" border="0" cellpadding="0" cellspacing="0" background="img/bg.gif">
Banning the IP would be an effective method to block this validation and retrieval process.
MGD |
|
