OT: Funny Stuff from Pay Pal?


Watch out for this new scam:
Dear CNET members, By now, hopefully everyone is aware of phishing scams--cleverly designed e-mail and Web sites used to gain access to your financial logins and passwords. We've pretty much reached the level of sniffing those out from a mile away. But this fairly new heinous tactic, called pharming, is absolutely frightening. For example, you type citibank.com into your Internet browser. The address bar displays as you would expect--citibank.com and you proceed to log on to access your bank account information. No sweat, eh? Well, little did you know that behind the scenes, citibank.com's DNS (domain name servers) just got hijacked--displaying the completely legitimate URL address that you are accustomed to, but directing you to a spoofed site that looks and feels just like your financial institution, so you have absolutely no idea you willingly gave up your personal account info to the hijackers. Is this scary or what? Are you concerned? Are there any preventative measures out there that we can take, or are we just out of luck on this one? Find out more about this all-too-important topic in senior editor Robert Vamosi's article, "Alarm over pharming attacks: identity theft made even easier." And if you have concerns to share or preventative tips to offer, or if you've even been scammed before by this tactic, share your experience with us so that we can all learn how to tackle this issue together. Be safe and be aware out there! TalkBack here.

I fell for this the first time I got one. Immediately after I got through the form, I got a tinglin' in the old spidey-sense, and went straight to PayPal's home page, logged in and changed my password. Fortunately, nothing ever came of it. I am *extremely* skeptical of any such messages now, and always check the hidden URL of any link. If I'm still not sure it's a hoax, I'll log into the site's home page through my web browser, rather than click a link in the email message. It's definitely gotten dangerous out there.

I know these are just phishing expeditions - but can someone explain how the link below shoots you to somewhere else and not PayPal??


If the email is html, then what is shown may be hiding a different link. By copying this email as the text shown, the link has been discarded.
There are add-ins that would let you know whether the site you are going to go to is indeed the site you think you are going to. I use spoofstick as a Firefox extension, but I'm sure there are others, as well as for other browsers. IMHO, they should be standard.
--
Best regards
Han
email address is invalid
snipped-for-privacy@nospam.invalid says...

you can't read HTML, you should be able to spot a strange URL or two lurking in the message.
--
Homo sapiens is a goal, not a description


The phishing logon is ever so slightly different from the genuine logon as shown below:
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run <------ does not contain the /us/

I just looked at one of the many PayPal phishes I've gotten. It displays an innocent-looking link to click at the label on a button. But, when you click the button, it takes you somewhere completely different.
I don't know if you're into the gory details of HTML, but here's what's buried in the email (slightly reformatted to make it easier to read):
<FORM target="_blank" ACTION=http://rds.yaho&#010 ;o.com/*http://www&#009;.google.com/url METHOD=get> <INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com /*http://218.57.129.20/%6D%61%6E%75%61%6C/webscr /

type=submit style="color:#000080; border:solid 0px; background:#white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update

When I clicked on the button, I ended up at 218.57.129.20 after several redirects. Even after watching all the conversations with a packet sniffer, I'm still not 100% sure what's going on. It looks like it contacted yahoo, got an error, then contacted google, got another error, and somehow ended up at 218.57.129.20 (where I was presented with what looked like a perfectly valid PayPal login screen). I suspect they're exploiting some bug in many browsers where incorrectly formed HTML is parsed wrong.
The bottom line is that these guys are not just some kids out for kicks. They're sophisticated, well equipped, and technologically savvy criminals. My guess is that phishing is the #1 financial fraud these days, and it's probably costing billions of dollars a year.
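An added example (not code from anyone in this thread) of the check the post above describes: decode the entity and percent-encoding tricks in a form like the one quoted, follow the "*http://" redirector chain, and compare the host the button shows with the host the victim actually lands on. The sample form is constructed to mirror the quoted one, with quotes added around the attributes so it parses cleanly.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample modelled on the form quoted in the post: entities
# (&#010; newline, &#009; tab) split a hostname, the hidden "q" value is
# percent-encoded, and the button label is a genuine-looking PayPal URL.
SAMPLE = (
    '<FORM target="_blank" ACTION="http://rds.yaho&#010;o.com/*http://www&#009;'
    '.google.com/url" METHOD=get>'
    '<INPUT TYPE=HIDDEN NAME=q VALUE="http://rds.yahoo.com'
    '/*http://218.57.129.20/%6D%61%6E%75%61%6C/webscr">'
    '<INPUT type=submit value="https://www.paypal.com/cgi-bin/webscr?cmd=_update">'
    '</FORM>'
)

def strip_ignorable(url):
    """HTMLParser has already turned &#010;/&#009; into control characters;
    browsers of the era silently dropped them inside a URL, so drop them too."""
    return "".join(ch for ch in url if ch not in "\r\n\t")

class FormScanner(HTMLParser):
    """Collect the form action, the hidden inputs and the submit button label."""
    def __init__(self):
        super().__init__()
        self.action, self.hidden, self.label = "", {}, ""

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # tag and attribute names arrive lowercased
        if tag == "form":
            self.action = strip_ignorable(a.get("action", ""))
        elif tag == "input":
            kind = a.get("type", "").lower()
            if kind == "hidden":
                self.hidden[a.get("name", "")] = strip_ignorable(a.get("value", ""))
            elif kind == "submit":
                self.label = strip_ignorable(a.get("value", ""))

def hops(url):
    """Split a '*http://' redirector chain into the hosts visited, in order."""
    return [urlsplit("http://" + unquote(part.split("://", 1)[-1])).hostname
            for part in url.split("*http://") if part]

def analyse(doc):
    """Hosts in the redirect chain, the host painted on the button, and whether they differ."""
    p = FormScanner()
    p.feed(doc)
    chain = hops(p.action) + hops(p.hidden.get("q", ""))   # GET form: action first, then q
    shown = urlsplit(p.label).hostname
    landing = chain[-1] if chain else None
    return {"shown": shown, "chain": chain, "landing": landing, "mismatch": shown != landing}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```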
Roy Smith wrote:

*************************
You mean this isn't Paypal? ROTFLMAO
One of the last routers on the traceroute...
I have a little tool I wrote for tracking these SOB's
However, that assumes my local DNS servers have not been "poisoned".
Every so often I get motivated to track them. But so many phishers - so little time...
Most are in China these days, but a lot are still in the Dallas/FW area.
The most interesting ones are the ones that have router records on the traceroute that show a hop from LA to Detroit as the last hop. Or a registration record for Seattle -- but the last router on the traceroute is in China, or Pakistan or whatever...
That way you know they are strictly legit. ROTFLMAO.
Now I assume that any business related email must be followed up with a telephone call.
Cheers and good hunting.
-- Will R. Jewel Boxes and Wood Art http://woodwork.pmccl.com The power of accurate observation is commonly called cynicism by those who have not got it. George Bernard Shaw

I think that the "*" in a URL refers to the username. So everything left of the "*" is ignored.
--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
On 28 Mar 2005 01:50:17 GMT, Bruce Barnett

Microsoft was supposed to have fixed that problem 1.5 years ago. This may only work with very unpatched systems.
Rob V wrote:

As a friend explained it to me, one trick is to use the same address as the legitimate one except for using a foreign letter character that looks like an English character. I'm sure there are a myriad of other sneaky techniques.
Glen

One new-ish exploit substitutes characters from other languages that _look_ like English characters into the URL. So, it looks like paypal.com but it's really aypal.com - where the "p" is the (Russian?) font character that looks like, but isn't, a "p".
If you get something "from" your bank, paypal, eBay, or anyone else claiming you need to do something to your account there, go to your browser, and type in the name of ebay, paypal, or your bank's site. Don't trust any clickable link for anything as important as your finances. Sounds paranoid, but they're getting pretty clever.
Another recent worm that I've heard about but not seen, is that your system gets infected by a virus, which modifies your local hosts file, so your system _thinks_ it's getting to paypal.com, but it's going to the scammer's site instead. Solution there is (1) don't run Windows, or (2) keep up to date (daily) with antivirus and spyware scans.
wrote:

Well - "R" if you must know, but unless you have one of the 4 Cyrillic fonts activated, and don't notice the difference in the letter, it will probably come as its equivalent in the Latin character set.

"If you had, three years ago, learned only one new English word every day, you would today know one thousand more English words."
Not that I replied, having no desire to learn English. Now American....

That sounds like the one. Thanks for the clarification.

Linux also has a hosts file. The much larger problem on the Windows boxes was a third-party firewall that had a buggy DNS client that did not do anti-spoofing properly and would accept and cache DNS spoofed data from any source without verification.
The paypal 'attack' is nothing new; we were aware of the same problem back in the days of ASCII-only DNS, long before SSL was designed, when some joker registered Micros0ft.com and put up an attack site. The problem identified by Schmoo had actually been anticipated in the design of the DNS multi-lingual extension; in theory it was not possible to register DNS names with names from different character sets. In practice there are some languages where either the Roman or the Cyrillic alphabet may be used. So one of the registrars had a code page up that accepted both if you registered a name in Tidjuk.
Oh and the paypal 'attack' only affected Firefox.
A much bigger problem is the phishing gangs registering bigbank-security.com, bigbank-login.com etc. etc.
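An added example (not code from any poster here) covering both look-alike tricks discussed above: the Cyrillic letter swapped into paypal.com a few posts back, and the digit-zero Micros0ft.com this post recalls. It flags a label that mixes scripts, folds a small confusables table to catch ASCII look-alikes of a protected brand, and shows the punycode form the resolver actually looks up. The sample hostnames, the confusables table and the PROTECTED set are constructed for the example.

```python
import unicodedata

# Constructed samples. The first swaps the Latin "p" of paypal.com for
# Cyrillic "р" (U+0440); the second is the digit-zero trick from the ASCII days.
LOOKALIKE_CYRILLIC = "\u0440aypal.com"
LOOKALIKE_ASCII = "micros0ft.com"
PROTECTED = {"paypal.com", "microsoft.com"}   # brands worth protecting (assumed list)

# Minimal confusables table: Cyrillic letters and digits that render like Latin.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
               "0": "o", "1": "l"}

def script_of(ch):
    """First word of the Unicode character name: 'LATIN', 'CYRILLIC', 'DIGIT', ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]

def mixed_script(hostname):
    """True when a single DNS label mixes letters from more than one script."""
    for label in hostname.split("."):
        if len({script_of(c) for c in label if c.isalpha()}) > 1:
            return True
    return False

def skeleton(hostname):
    """Fold confusable characters to their Latin look-alike for comparison."""
    return "".join(CONFUSABLES.get(c, c) for c in hostname.lower())

def to_ascii(hostname):
    """The form the resolver actually looks up (IDNA / punycode)."""
    return hostname.encode("idna").decode("ascii")

def assess(hostname):
    """Return the reasons a hostname deserves suspicion (empty list = none found)."""
    reasons = []
    if mixed_script(hostname):
        reasons.append("mixed scripts in a label")
    if hostname not in PROTECTED and skeleton(hostname) in PROTECTED:
        reasons.append("look-alike of " + skeleton(hostname))
    if to_ascii(hostname) != hostname:
        reasons.append("resolves as " + to_ascii(hostname))
    return reasons

if __name__ == "__main__":
    for name in ("paypal.com", LOOKALIKE_CYRILLIC, LOOKALIKE_ASCII):
        print(repr(name), assess(name))
```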

Just curious... which third-party firewall was that?
-- Regards, Doug Miller (alphageek at milmac dot com)
Nobody ever left footprints in the sands of time by sitting on his butt. And who wants to leave buttprints in the sands of time?

If you mosey over to news.admin.net-abuse.email and Google for terms like "how to read email headers" you will find out how easy it is to verify that these are fake.
You can use the same techniques to find out who owns a webpage (up to a point, the criminals work through fronts but legit companies do not.)
Of course it is usually pretty easy to identify the fakes just from the text. They always ask for information a legitimate company will not, like your PIN or password, Social Security Account Number and so on.
--

FF
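An added example (not code from anyone in this thread) of the header check the post above points to: walk the Received: lines from the oldest hop up and compare the host that injected the message with the domain the From: line claims. The message is constructed; the hostnames and addresses in it are documentation examples, not real mail servers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message (not a real phish). From: claims paypal.com, and the
# injecting host even says HELO as www.paypal.com, but the receiving server
# recorded its reverse DNS as an ISP access line that has nothing to do with PayPal.
RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id 1; Mon, 28 Mar 2005 01:50:17 +0000
Received: from www.paypal.com (dsl-198-51-100-7.isp.example [198.51.100.7])
\tby mx.example.net with SMTP id 2; Mon, 28 Mar 2005 01:49:58 +0000
From: "PayPal" <service@paypal.com>
To: victim@example.net
Subject: Please update your account

Your account will be suspended unless ...
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as written by most MTAs
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\]]+)?\s*\[([^\]]+)\]\)", re.I)

def received_chain(raw):
    """Oldest hop first: (claimed HELO name, reverse DNS name, IP) per Received: line."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):   # headers are newest-first
        m = RECEIVED_RE.search(hdr.replace("\n", " "))
        if m:
            hops.append((m.group(1), m.group(2) or "", m.group(3)))
    return hops

def sender_domain(raw):
    """Domain of the address in From:, lowercased."""
    return parseaddr(message_from_string(raw)["From"])[1].rsplit("@", 1)[-1].lower()

def first_hop_matches_from(raw):
    """Did the host that injected the message belong to the From: domain?
    Trust the reverse DNS the receiving server recorded, not the HELO claim."""
    chain = received_chain(raw)
    if not chain:
        return False
    _helo, rdns, _ip = chain[0]
    return rdns.lower().endswith(sender_domain(raw))

if __name__ == "__main__":
    print(received_chain(RAW), sender_domain(RAW), first_hop_matches_from(RAW))
```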



saying "Your order #xxxxx is ready", just hoping you get nosy and send them an irate e-mail. NOW they have your address, at least.
--
Nahmie
Those on the cutting edge bleed a lot.

Which they didn't use to contact me in the first place?
Or do you mean that they have confirmed someone at the address?
Sorry, I guess I'm just doing a Cawthorne, I really do understand what you mean. I just don't understand why they wouldn't continue to send to empty addresses, it being easier than weeding out, since their cutout mailing programs don't kick back undeliverables.
George wrote:

Hey, I resemble that, but at least spell my last name correctly, Geroge.
