We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address.
If you recently accessed your account while traveling, the unusual login attempts may have been initiated by you. However, if you did not initiate the logins, please visit PayPal as soon as possible to change your password:
formatting link
your password is a security measure that will ensure that you are the only person with access to the account.
Thanks for your patience as we work together to protect your account.
Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the 'Help' link in the header of any page.
Lots of this stuff going around today. A veritable flood as it were.
I think that the woodwork groups are being farmed for addresses. (and probably all others...)
People I know are seeing 5 to 8 virus attachments a day as well as this crap.
I have looked at the code for the Paypal stuff and tracked some of the websites back to China using some of the tools I have here.
You can use web based "whois" if you are brave enough to fiddle with the messages and extract stuff. Some of these messages now have executable code in them. Exercise caution -- at the least turn off Javascript for email and newsgroups.
The 419 and Lottery scams are in high gear this last week or so.
For your entertainment - see the "Busted up Cowgirl" Link on the following page or go to the email security...
formatting link
R. Jewel Boxes and Wood Art
formatting link
power of accurate observation is commonly called cynicism by those who have not got it." George Bernard Shaw
PayPal is very explicit: they never, *ever* send e-mails that address you any other way than by your first and last name that you used when you registered.
See
formatting link
Doug Miller (alphageek at milmac dot com)
Nobody ever left footprints in the sands of time by sitting on his butt. And who wants to leave buttprints in the sands of time?
Glad to hear that there are individuals employed to chase down this type of crime. I also have gotten many of these notes within the year. I have reported these attempts to paypal, RCMP & CSIS (Canadian intelligence). I also picked up on the link being bogus. My advice to anyone is never follow the link in an email sent to them. Always go through the
formatting link
login screen to login and check for activity on your account. Only change account info and passwords through the main login and not from a link given in an email.
Hoax. It's called phishing. The link goes to some chelovek in Moscow. No, I haven't seen your example, but I've gotten a few similar spams. The very best was one that purported to be from Microsoft. It was a doozy, well laid out, corporate logos, look'n'feel of MS. Be careful out there.
Good deal! Hope you are having some success at that endeavor.
The absence of accidents does not mean the presence of safety -- Army General Richard Cody
Dear CNET members, By now, hopefully everyone is aware of phishing scams--cleverly designed e-mail and Web sites used to gain access to your financial logins and passwords. We've pretty much reached the level of sniffing those out from a mile away. But this fairly new heinous tactic, called pharming, is absolutely frightening. For example, you type citibank.com into your Internet browser. The address bar displays as you would expect--citibank.com and you proceed to log on to access your bank account information. No sweat, eh? Well, little did you know that behind the scenes, citibank.com's DNS (domain name servers) just got hijacked--displaying the completely legitimate URL address that you are accustomed to, but directing you to a spoofed site that looks and feels just like your financial institution, so you have absolutely no idea you willingly gave up your personal account info to the hijackers. Is this scary or what? Are you concerned? Are there any preventative measures out there that we can take, or are we just out of luck on this one? Find out more about this all-too-important topic in senior editor Robert Vamosi's article, "Alarm over pharming attacks: identity theft made even easier." And if you have concerns to share or preventative tips to offer, or if you've even been scammed before by this tactic, share your experience with us so that we can all learn how to tackle this issue together. Be safe and be aware out there! TalkBack here.
"firstjois" wrote in message news: snipped-for-privacy@comcast.com...
I fell for this the first time I got one. Immediately after I got through the form, I got a tinglin' in the old spidey-sense, and went straight to PayPal's home page, logged in and changed my password. Fortunately, nothing ever came of it. I am *extremely* skeptical of any such messages now, and always check the hidden URL of any link. If I'm still not sure it's a hoax, I'll log into the site's home page through my web browser, rather than click a link in the email message. It's definitely gotten dangerous out there.
"Rob V" wrote in news:eEd1e.68268$ snipped-for-privacy@twister.southeast.rr.com:
If the email is html, then what is shown may be hiding a different link. By copying this email as the text shown, the link has been discarded.
There are add-ins that would let you know whether the site you are going to go to is indeed the site you think you are going to. I use spoofstick as a Firefox extension, but I'm sure there are others, as well as for other browsers. IMHO, they should be standard.
I just looked at one of the many PayPal phishes I've gotten. It displays an innocent-looking link to click at the label on a button. But, when you click the button, it takes you somewhere completely different.
I don't know if you're into the gory details of HTML, but here's what's buried in the email (slightly reformatted to make it easier to read):
When I clicked on the button, I ended up at 218.57.129.20 after several redirects. Even after watching all the conversations with a packet sniffer, I'm still not 100% sure what's going on. It looks like it contacted yahoo, got an error, then contacted google, got another error, and somehow ended up at 218.57.129.20 (where I was presented with what looked like a perfectly valid PayPal login screen). I suspect they're exploiting some bug in many browsers where incorrectly formed HTML is parsed wrong.
The bottom line is that these guys are not just some kids out for kicks. They're sophisticated, well equipped, and technologically savvy criminals. My guess is that phishing is the #1 financial fraud these days, and it's probably costing billions of dollars a year.
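The trick described in this post, a visible link or button label that reads like a PayPal URL while the href or form action points somewhere else entirely, can be checked mechanically against the message source instead of by eye. The Python script below is an added example written for this thread; it is not code from any poster or from PayPal. It parses a constructed sample message (the hostnames and the 203.0.113.7 address are documentation placeholders, not addresses from any real phish) and reports every anchor or submit button whose visible label disagrees with its real target, every target outside the expected domain, and a generic salutation of the kind the thread notes PayPal never uses.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the PayPal phish discussed in this thread.
# example.invalid and 203.0.113.7 are reserved placeholder names/addresses.
SAMPLE_EMAIL = """\
From: "PayPal" <service@example.invalid>
To: member@example.invalid
Subject: Unusual login attempts
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear PayPal member,</p>
<p>Please visit <a href="http://203.0.113.7/cgi/login">https://www.paypal.com/</a>
to change your password.</p>
<form action="http://redirect.example.invalid/go" method="post">
<input type="submit" value="https://www.paypal.com/cgi-bin/webscr">
</form>
<p>For assistance, log in to your PayPal account and choose the
<a href="https://www.paypal.com/help">'Help'</a> link.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect <a href> with its visible text, and <form action> with its submit label."""

    def __init__(self):
        super().__init__()
        self.links = []    # (href, visible text)
        self.forms = []    # (form action, submit button label)
        self._href = None
        self._text = []
        self._action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form" and a.get("action"):
            self._action = a["action"]
        elif tag == "input" and a.get("type") == "submit" and self._action:
            self.forms.append((self._action, a.get("value", "")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
        elif tag == "form":
            self._action = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_html_mail(raw, expected_domains=("paypal.com",)):
    """Return a list of (kind, detail) findings for a raw RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return [("no-html", "message has no HTML part")]
    html = part.get_content()
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for target, label in collector.links + collector.forms:
        thost = host_of(target)
        # A label that itself looks like a URL must point at the host it names.
        if re.match(r"https?://", label) and host_of(label) != thost:
            findings.append(("mismatch", f"{label} -> {target}"))
        # Any real target outside the sender's domain is suspicious on its own.
        if not under_domain(thost, expected_domains):
            where = "raw IP" if _is_ip(thost) else "host"
            findings.append(("offsite", f"{where} {thost} in {target}"))
    # Legitimate PayPal mail addresses the account holder by name, not "member".
    if re.search(r"Dear\s+(?:PayPal\s+)?(?:member|customer|user)", html, re.I):
        findings.append(("greeting", "generic salutation instead of account holder's name"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_html_mail(SAMPLE_EMAIL):
        print(f"{kind:9} {detail}")
```

Point it at a saved `.eml` file by reading the file into `audit_html_mail`; the parser deliberately reads the raw source, since a mail client's rendered view is exactly what the phisher controls.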
****** (6) Match Found at whois.apnic.net for 218.57.129.20 ......
% [whois.apnic.net node-1]
% Whois data copyright terms
formatting link
218.57.129.0 - 218.57.129.63
netname:   JNQLSOFTWARE
country:   CN
descr:     Shandong Jinan Qilu Software Area Development Center
admin-c:   DS95-AP
tech-c:    DS95-AP
status:    ASSIGNED NON-PORTABLE
changed:   snipped-for-privacy@sdinfo.net 20020416
mnt-by:    MAINT-CNCGROUP-SD
source:    APNIC
person:    Data Communication Bureau Shandong
nic-hdl:   DS95-AP
e-mail:    snipped-for-privacy@sdinfo.net
address:   No.77 Jingsan Road,Jinan,Shandong,P.R.China
phone:     +86-531-6052611
fax-no:    +86-531-6052414
country:   CN
changed:   snipped-for-privacy@sd.cn.net 20050128
mnt-by:    MAINT-CNCGROUP-SD
source:    APNIC
**************************
.... Start Report ...
NS - name Server Specs:
QTNS.Name Server: ns.sdjnptt.net.cn
QTNS.Name : 57.218.in-addr.arpa
TTL: - Time to Live: 151305
NS - name Server Specs:
QTNS.Name Server: dns-jn.sd.cninfo.net
QTNS.Name : 57.218.in-addr.arpa
TTL: - Time to Live: 151305
*************************
****** One of the last routers on the traceroute...
(6) Match Found at whois.apnic.net for 60.208.64.46 ......
% [whois.apnic.net node-1]
% Whois data copyright terms
formatting link
60.208.0.0 - 60.217.255.255
netname:     CNCGROUP-SD
descr:       CNCGROUP Shandong province network
descr:       China Network Communications Group Corporation
descr:       No.156,Fu-Xing-Men-Nei Street,
descr:       Beijing 100031
country:     CN
admin-c:     CH455-AP
tech-c:      XZ14-AP
mnt-by:      APNIC-HM
mnt-lower:   MAINT-CNCGROUP-SD
mnt-routes:  MAINT-CNCGROUP-SD
status:      ALLOCATED PORTABLE
remarks:     -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:     This object can only be updated by APNIC hostmasters.
remarks:     To update this object, please contact APNIC
remarks:     hostmasters and include your organisation's account
remarks:     name in the subject line.
remarks:     -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:     snipped-for-privacy@apnic.net 20040705
source:      APNIC
I have a little tool I wrote for tracking these SOB's
However, that assumes my local DNS servers have not been "poisoned".
Every so often I get motivated to track them. But so many phishers - so little time...
Most are in China these days, but a lot are still in Dallas/FW area.
The most interesting ones are the ones that have router records on the traceroute that show a hop from LA to Detroit as the last hop. Or a registration record for Seattle -- but the last router on the traceroute is in China, or Pakistan or whatever...
That way you know they are strictly legit. ROTFLMAO.
Now I assume that any business related email must be followed up with a telephone call.
Cheers and good hunting.
-- Will R. Jewel Boxes and Wood Art
formatting link
power of accurate observation is commonly called cynicism by those who have not got it." George Bernard Shaw
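As an added example for the whois-and-traceroute tracking this post describes (not the poster's own tool, and not APNIC's client), here is a small Python parser for RPSL-style whois records like the APNIC ones quoted above. It splits the output into objects and tells you which inetnum block, netname and country a given address falls in, which is the question the poster is answering by hand for 218.57.129.20 and for the last traceroute hop. The record text is the thread's own output retyped with one attribute per line; the "inetnum:" label is the standard attribute name for the range line, and the snipped-for-privacy addresses are the thread's placeholders kept as-is.

```python
import ipaddress

# Whois records as quoted earlier in this thread, one attribute per line.
# Contact addresses are the thread's "snipped-for-privacy" placeholders.
WHOIS_OUTPUT = """\
% [whois.apnic.net node-1]
% Whois data copyright terms

inetnum:      218.57.129.0 - 218.57.129.63
netname:      JNQLSOFTWARE
country:      CN
descr:        Shandong Jinan Qilu Software Area Development Center
admin-c:      DS95-AP
tech-c:       DS95-AP
status:       ASSIGNED NON-PORTABLE
changed:      snipped-for-privacy@sdinfo.net 20020416
mnt-by:       MAINT-CNCGROUP-SD
source:       APNIC

person:       Data Communication Bureau Shandong
nic-hdl:      DS95-AP
e-mail:       snipped-for-privacy@sdinfo.net
address:      No.77 Jingsan Road,Jinan,Shandong,P.R.China
phone:        +86-531-6052611
fax-no:       +86-531-6052414
country:      CN
source:       APNIC

inetnum:      60.208.0.0 - 60.217.255.255
netname:      CNCGROUP-SD
descr:        CNCGROUP Shandong province network
descr:        China Network Communications Group Corporation
country:      CN
status:       ALLOCATED PORTABLE
source:       APNIC
"""


def parse_whois(text):
    """Split RPSL-style whois output into objects (dicts keyed by attribute).

    Objects are separated by blank lines; '%' lines are server comments.
    Repeated attributes such as descr or remarks are joined with newlines.
    """
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        current[key] = f"{current[key]}\n{value}" if key in current else value
    if current:
        objects.append(current)
    return objects


def inetnum_range(obj):
    """Return (first, last) addresses of an inetnum object's 'a.b.c.d - w.x.y.z' range."""
    lo, _, hi = obj["inetnum"].partition("-")
    return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())


def locate(ip, objects):
    """Return (netname, country) of the inetnum object covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        if "inetnum" in obj:
            lo, hi = inetnum_range(obj)
            if lo <= addr <= hi:
                return obj["netname"], obj["country"]
    return None


if __name__ == "__main__":
    records = parse_whois(WHOIS_OUTPUT)
    for ip in ("218.57.129.20", "60.208.64.46", "218.57.129.64"):
        print(ip, "->", locate(ip, records))
```

The caveat the post itself raises still applies: the answer is only as good as the resolver that handed you the address. If your local DNS has been poisoned, the IP you look up belongs to whoever poisoned it, so cross-check the name against a second, independent resolver before trusting the netblock it lands in.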
Some email readers (most?) will let you display message source. Even if you can't read HTML, you should be able to spot a strange URL or two lurking in the message.
Thanks all! I've emailed my buddies and reported it back to Pay Pal, too. I've been using the internet for a long time but hadn't seen anything like that before. Some people really have a lot of time on their hands and pretty mean minds.
The problems revolve around changing the existing infrastructure in a non-disruptive way and doing it in a fashion that won't be perceived as proprietary by any other vendors or the open source community.