It has come to our attention that your PayPal® account information needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.
However, failure to update your records will result in account suspension.
Please update your records on or before January 10, 2006.
There are two new PayPal phishing emails circulating at the moment, and the above is the start of one of them. This first one was received from studioubachswisbrun.nl ([62.58.170.30]), and not -- as you may have guessed -- from paypal.com.

The body says to click on the following link: http://www.paypal.com/cgi-bin/webscr?cmd=_login-run. However, when I scroll over it, this site comes up instead: http://user.ifw.uni-bremen.de/www.paypal.com/index.htm. Clearly don't click on it!
A second PayPal scam starts off with:
It has come to our attention that your PayPal Billing Information records are out of date. That requires you to update the Billing Information.
Failure to update your records will result in account termination. Please update your records within 24 hours. Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.
Here is a thumbnail snapshot of the email:

I'm asked to click through to a site to activate my account, and the destination is: http://69.219.36.86/us/Account_verification/webscr-cmd=_login/ which looks like this:

Naturally all the hyperlinks point back to PayPal, and the page even scams off the images for TRUSTe and BBBOnLine (which have themselves been questionable at times). However, when we took a deeper look at this webpage/server, we found:
- Apache 2.0.40 (old vulnerable web server version)
- PHP 4.2.2 (also old and highly vulnerable)
If you try to log in, the form sends you here: http://69.219.36.86/us/Account_verification/webscr-cmd=_login/processing.php?login_email=&login_password=&go=1 which gets redirected to: http://69.219.36.86/us/Account_verification/webscr-cmd=_login/login.php. Lo and behold, another PayPal-like phishing page, all to get your account information:

Great measures are being taken to get your confidential PayPal login information. Don't get duped!
PayPal won't be sending emails to you asking for your login information. This particular second email scam comes from ms.hlshb.gov.tw ([203.65.62.122]). Nice to see a government server exposed, eh?