Anatomy of a phishing attempt

Thursday, March 17 2005 @ 06:14 PM EST

Contributed by: boz

Today I got an obviously fraudulent email claiming I need to "update my account information" at PayPal. The site it links to has entry fields for all sorts of personal information, plus credit card account information. I don't have a PayPal account. This isn't the first time I've gotten something like this, but here are the details for this one.

Screenshot of the email as it appears in my Hotmail account

The headers:

X-Message-Status: sF
X-SID-PRA: service@paypal.com 
X-SID-Result: SoftFail
X-Message-Info: JGTYoYF78jHcoG/t78wIKx930QsXgE4UFFf2cdDtg3Q=
Received: from EV1SERVE-GDKQQ6 ([69.57.136.63]) by mc3-f21.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
	 Tue, 15 Mar 2005 16:23:19 -0800
From: "service@paypal.com" 
Subject: Account Verification.
To: USERNAME@hotmail.com
Content-Type: text/html;iso-8859-1
Reply-To: service@paypal.com
Date: Tue, 15 Mar 2005 18:23:20 -0600
X-Priority: 3
X-Library: Indy 8.0.25
Return-Path: service@paypal.com
Message-ID: 
X-OriginalArrivalTime: 16 Mar 2005 00:23:19.0864 (UTC) FILETIME=[5B164B80:01C529BE]
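
The headers above already give the game away before anyone clicks anything. Here is an added example (not code from the original post) that feeds that header block, copied verbatim, through Python's email parser and prints the indicators an analyst would pull out of it: Hotmail's Sender-ID SoftFail, a first hop from a host that is not a paypal.com machine, a From line that is only a quoted display string with no address, the "Indy" mail-library fingerprint, the malformed Content-Type and the empty Message-ID. The second, well-formed header block is constructed for comparison (example.net and 192.0.2.10 are documentation values), and the particular indicator list is this example's own choice, not something the post spells out.

```python
import email
import re

# Header block quoted in the post, reproduced verbatim (including the blank
# Message-ID and the folded Received line, where "\t" becomes a real tab).
RAW_HEADERS = """X-Message-Status: sF
X-SID-PRA: service@paypal.com
X-SID-Result: SoftFail
X-Message-Info: JGTYoYF78jHcoG/t78wIKx930QsXgE4UFFf2cdDtg3Q=
Received: from EV1SERVE-GDKQQ6 ([69.57.136.63]) by mc3-f21.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
\t Tue, 15 Mar 2005 16:23:19 -0800
From: "service@paypal.com"
Subject: Account Verification.
To: USERNAME@hotmail.com
Content-Type: text/html;iso-8859-1
Reply-To: service@paypal.com
Date: Tue, 15 Mar 2005 18:23:20 -0600
X-Priority: 3
X-Library: Indy 8.0.25
Return-Path: service@paypal.com
Message-ID:
X-OriginalArrivalTime: 16 Mar 2005 00:23:19.0864 (UTC) FILETIME=[5B164B80:01C529BE]

"""

# Constructed, well-formed header block for comparison (example.net and
# 192.0.2.10 are documentation values; nothing here comes from the post).
CLEAN_HEADERS = """Received: from mx1.example.net (mx1.example.net [192.0.2.10]) by mc3-f21.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
\t Tue, 15 Mar 2005 16:23:19 -0800
X-SID-PRA: alice@example.net
X-SID-Result: Pass
From: "Alice" <alice@example.net>
To: USERNAME@hotmail.com
Subject: hello
Content-Type: text/plain; charset=iso-8859-1
Message-ID: <20050315162319.1@mx1.example.net>

"""


def _domain(addr):
    """Domain part of the first e-mail address found in a header value."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def triage(raw_headers):
    """Return a list of human-readable findings for one header block."""
    msg = email.message_from_string(raw_headers)
    findings = []
    # The domain the mail claims to come from (Sender-ID's PRA, else From:).
    claimed = _domain(msg.get("X-SID-PRA")) or _domain(msg.get("From"))

    # 1. Hotmail's Sender-ID verdict on the purported responsible address.
    verdict = (msg.get("X-SID-Result") or "").strip()
    if verdict.lower() in ("softfail", "fail"):
        findings.append(f"Sender-ID {verdict} for {msg.get('X-SID-PRA', '').strip()}")

    # 2. The host that handed the message to Hotmail, from the first Received line.
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)\s+\(([^)]*)\)", received[0]) if received else None
    if m:
        helo, rest = m.groups()
        ip = re.search(r"\d+(?:\.\d+){3}", rest)
        ip = ip.group(0) if ip else "?"
        if not (helo.lower() == claimed or helo.lower().endswith("." + claimed)):
            findings.append(f"first hop from {helo} [{ip}], not a {claimed} host")

    # 3. From: is only a quoted display string; there is no <addr-spec> at all.
    sender = (msg.get("From") or "").strip()
    if "<" not in sender:
        findings.append(f"From has no address, only display text {sender}")

    # 4. Mass-mailer fingerprint: the Indy (Delphi) component library, not a PayPal MTA.
    lib = msg.get("X-Library")
    if lib:
        findings.append(f"built with {lib.strip()} (client mail library)")

    # 5. Content-Type with a bare charset token and no 'charset=' parameter.
    ctype = (msg.get("Content-Type") or "").strip()
    if ";" in ctype and "=" not in ctype:
        findings.append(f"malformed Content-Type {ctype!r}")

    # 6. Empty Message-ID, which any real MTA would have filled in.
    if not (msg.get("Message-ID") or "").strip():
        findings.append("empty Message-ID")
    return findings


if __name__ == "__main__":
    for name, block in (("phish", RAW_HEADERS), ("clean", CLEAN_HEADERS)):
        print(f"{name}: {len(triage(block))} finding(s)")
        for finding in triage(block):
            print("  -", finding)
```

None of these checks needs DNS or network access, which is the point: the SoftFail verdict was computed by Hotmail on arrival, and everything else is visible in the raw headers. Note that the Date and Received timestamps (18:23:20 -0600 and 16:23:19 -0800) agree to the second, so clock skew is not one of the tells here.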

Clicking on the link to "update" your information takes you to http://add.update.config.cmdcmd.503subscription.info:80/, which then forwards you to an ugly-looking URL that can be simplified to this: http://216.51.232.128/best-greetings-flirting.com/pp/update.htm?=

If you actually go to the URL, the browser doesn't show the secured lock icon: the page is served over plain HTTP, not HTTPS. This idiot fraudster wasn't even nice enough to encrypt the information he's trying to steal. Meh.

It looks like the form submission gets posted to http://216.51.232.128/best-greetings-flirting.com/pp/form2mail.php

form2mail.php is a generic form-to-email script written in PHP. Looking at the HTML source of the form on the page shows a hidden form field called "login_email" whose value is someone's AOL address, presumably the mailbox the submitted form data gets sent to. Hmmm... After some poking around, it looks like this is likely a compromised Windows 2003 machine.
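The same inspection can be done without a browser. The following is an added example, not code from the post or from the phishing kit: a small Python parser that pulls every form out of a saved copy of the page, resolves the action URL against the page URL, notes whether it posts over TLS, lists the hidden fields, picks out any hidden value that is an e-mail address (with a form mailer, that is the recipient), and lists which inputs collect credentials or card data. The HTML below is constructed to match the post's description (a form posting to form2mail.php with a hidden login_email field holding an AOL address); the exact field names, the placeholder AOL address and the extra redirect field are this example's assumptions, not a copy of the real page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Where the post says the form lives; the relative action below resolves against it.
PAGE_URL = "http://216.51.232.128/best-greetings-flirting.com/pp/update.htm"

# Constructed HTML standing in for the phishing page. The action, the hidden
# login_email field and the AOL address follow the post's description; the
# field names, the placeholder address and the redirect field are assumptions.
PHISH_HTML = """
<html><body>
<form method="post" action="form2mail.php">
  <input type="hidden" name="login_email" value="phisher-inbox@aol.com">
  <input type="hidden" name="redirect" value="http://www.paypal.com/">
  Email: <input type="text" name="email">
  Password: <input type="password" name="password">
  Card number: <input type="text" name="ccnumber">
  CVV2: <input type="text" name="cvv2">
  <input type="submit" value="Update">
</form>
</body></html>
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
# Substrings that mark an input as collecting credentials or card data.
SENSITIVE = ("pass", "cc", "card", "cvv", "pin", "ssn")


class FormExtractor(HTMLParser):
    """Collects every <form> with its action, method and <input> elements."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({"name": a.get("name", ""),
                                         "type": a.get("type", "text").lower(),
                                         "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def analyze(html, page_url):
    """One report dict per form: where it posts, over what, and what it harvests."""
    parser = FormExtractor()
    parser.feed(html)
    report = []
    for form in parser.forms:
        action = urljoin(page_url, form["action"])
        hidden = [i for i in form["inputs"] if i["type"] == "hidden"]
        report.append({
            "action": action,
            "method": form["method"],
            "tls": urlparse(action).scheme == "https",
            # Hidden fields carrying an e-mail address: the mailer's recipient.
            "drop_addresses": [i["value"] for i in hidden if EMAIL_RE.match(i["value"])],
            "hidden": {i["name"]: i["value"] for i in hidden},
            "sensitive_fields": [i["name"] for i in form["inputs"]
                                 if i["type"] == "password"
                                 or any(k in i["name"].lower() for k in SENSITIVE)],
        })
    return report


if __name__ == "__main__":
    for r in analyze(PHISH_HTML, PAGE_URL):
        print(f"posts {r['method'].upper()} to {r['action']} (TLS: {r['tls']})")
        print(" hidden fields:", r["hidden"])
        print(" drop address(es):", r["drop_addresses"])
        print(" harvests:", r["sensitive_fields"])
```

Run it against a saved copy of the page (fetched with curl or wget, never by submitting the form) and the report gives you the three things worth recording for a takedown or abuse report: the hosting IP and path the form posts to, the drop mailbox the stolen data is mailed to, and the fact that it all travels in the clear.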

What's interesting is that if you go to http://216.51.232.128/best-greetings-flirting.com/pp/, you get forwarded to theark.ws, which doesn't respond.

http://www.upperbound.com/article.php/phishing_attempt