-
February 25th, 2005, 01:31 PM
#1
Phishy: PayPal - Flagged Account
Just got this one (and have notified PayPal already):
PayPal < https://www.paypal.com/us>
Dear PayPal Member,
Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your PayPal account and to ensure a safe PayPal experience. We require all flagged accounts to verify their information on file with us. To verify your Information at this time, please visit our secure server webform by clicking the hyperlink below
Click here to verify your Information <http://202.108.69.147/webscr/>
Thank you for using PayPal!
The PayPal Team
--------------------------------------------------------------------------------
Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.
To receive email notifications in plain text instead of HTML, update your preferences here < https://www.paypal.com/us/PREFS-NOTI>.
PayPal Email ID PP478
Protect Your Account Info
Make sure you never provide your password to fraudulent websites.
To safely and securely access the PayPal website or your account, open up a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL ( http://www.paypal.com/).
PayPal will never ask you to enter your password in an email.
For more information on protecting yourself from fraud, please review our Security Tips at http://www.paypal.com/securitytips
Header info:
From - Fri Feb 25 02:04:54 2005
X-Account-Key: account3
X-UIDL: 78644dce3bc9b76d346181a76e70edbb
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Apparently-To: msmittens@msmittens.com via aa.bb.cc.dd; Thu, 24 Feb 2005 23:00:39 -0800
X-YahooFilteredBulk: aa.bb.cc.dd
Authentication-Results: aa.bb.cc.dd from=paypal.com; domainkeys=neutral (no sig)
X-Originating-IP: [aa.bb.cc.dd]
Return-Path: <service@paypal.com>
Received: from aa.bb.cc.dd (EHLO aa.bb.cc.dd) (aa.bb.cc.dd)
by aa.bb.cc.dd; Thu, 24 Feb 2005 23:00:39 -0800
Received: from paypal.com (unknown [216.117.177.39])
by mailhub.korax.net (Postfix) with ESMTP id 19A2B2B6BEC
for <msmittens@msmittens.com>; Fri, 25 Feb 2005 02:00:39 -0500 (EST)
Message-ID: <20050225020030.B89914F2B5806CB4@paypal.com>
From: service@paypal.com
To: msmittens@msmittens.com
Subject: [Bulk] PayPal - Flagged Account
Reply-To: service@paypal.com
Date: 25 Feb 2005 02:00:30 -0500
X-Antivirus: AVG for E-mail 7.0.300 [266.4.0]
Mime-Version: 1.0
However, the address -- 202.108.69.147 -- resolves to:
inetnum: 202.108.69.0 - 202.108.69.255
netname: YS-INFORMATION-CO
descr: YS Information Co.Ltd
country: CN
admin-c: GS26-AP
tech-c: GS26-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: hostmast@publicf.bta.net.cn 20040116
status: ASSIGNED NON-PORTABLE
source: APNIC
person: Gao SuJian
address: Yang Fang Dian Lu 9 Hai Dian District
address: Beijing 100038
nic-hdl: GS26-AP
phone: +86-10-13910230034
fax-no: +86-10-88244077
e-mail: gaosujian@ys.cctv.com
mnt-by: MAINT-CNCGROUP-BJ
changed: hostmast@publicf.bta.net.cn 20040108
source: APNIC
China. So unless PayPal has outsourced...
Additional "stuff": The 404 reports:
Apache/2.0.53 (Unix) DAV/2 PHP/5.0.3 mod_perl/1.999.21 Perl/v5.8.0 Server at 202.108.69.147 Port 80
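Added example, not part of the original post: a small Python triage of the three tells visible in the message above (a link whose host is a bare IP address, a Received hop that claims the sender's domain while the receiving Postfix recorded the client as "unknown", and a neutral DomainKeys result). The function names `ip_literal_urls` and `triage` are this example's own, and the sample is a trimmed copy of lines quoted in the post.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the headers and link lines quoted in the post.
SAMPLE = """\
Authentication-Results: aa.bb.cc.dd from=paypal.com; domainkeys=neutral (no sig)
Received: from paypal.com (unknown [216.117.177.39])
 by mailhub.korax.net (Postfix) with ESMTP id 19A2B2B6BEC
From: service@paypal.com
Subject: [Bulk] PayPal - Flagged Account

PayPal < https://www.paypal.com/us>
Click here to verify your Information <http://202.108.69.147/webscr/>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")

def ip_literal_urls(text):
    """Return URLs whose host is a bare IP address rather than a name."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # host is a name, not an address
        hits.append(url)
    return hits

def triage(raw):
    """Collect phishing indicators from one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender_domain = msg.get("From", "").rpartition("@")[2].strip("> ").lower()
    findings = [("ip-literal-link", u) for u in ip_literal_urls(msg.get_payload())]
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hop)
        # Postfix writes "unknown" when the client IP has no verified reverse DNS.
        if m and m.group(1).lower() == sender_domain and m.group(2) == "unknown":
            findings.append(("helo-claims-sender-domain-no-rdns", m.group(3)))
    if "domainkeys=neutral" in msg.get("Authentication-Results", ""):
        findings.append(("unsigned", sender_domain))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind}: {detail}")
```

Each finding is a heuristic on its own; a message that trips all three while displaying a legitimate brand URL as link text is a strong candidate for quarantine and reporting.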
-
February 26th, 2005, 08:23 AM
#2
this gave me an idea MsM - read about it here
v_Ln
-
February 28th, 2005, 12:40 PM
#3
Got another one with the same body. This time the address is http://203.98.178.86/paypal/ . What's interesting is that if you remove the directory for PayPal, it becomes RCEasy.com (RC car forums, I believe). Makes me wonder if the site got compromised and then used (they use phpBB as their forum template). I also got a few errors: Apache/2.0.40 (Red Hat Linux).
This one's in Hong Kong:
inetnum: 203.98.128.0 - 203.98.191.255
netname: NWT-NET
descr: New World Telephone
descr: Broadband Service
descr: Data Center
descr: Regional VPN network
country: HK
admin-c: KT88-AP
admin-c: ST211-AP
admin-c: AC286-AP
tech-c: ST211-AP
tech-c: AC286-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-NEWWORLDTEL
remarks: For network abuse email
changed: hm-changed@apnic.net 20040212
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20040720
source: APNIC
person: Karl Tsah
address: 17/F Chevalier Commercial Centre,
address: 8 Wang Hoi Road, Kowloon Bay,
address: Hong Kong
country: HK
phone: +852-21337176
fax-no: +852-21332146
e-mail: Ktsah@newworldtel.com
nic-hdl: KT88-AP
mnt-by: MAINT-NEW
changed: patricksw@hotmail.com 20000927
source: APNIC
person: Samuel Tan
address: 17/F, Chevalier Commercial Centre,
address: 8 Wang Hoi Road, Kowloon Bay,
address: Hong Kong
country: HK
phone: +852-21336894
fax-no: +852-21332175
e-mail: samuel.tan@newworldtel.com
nic-hdl: ST211-AP
mnt-by: MAINT-HK-NEWWORLDTEL
changed: wptan@sinaman.com 20010710
source: APNIC
person: Anson Chan
nic-hdl: AC286-AP
e-mail: anson28@hotmail.com
address: 17/F Chevalier Commercial Centre,
address: 8 Wang Hoi Road, Kowloon Bay,
address: Hong Kong
phone: +852-21337341
fax-no: +852-21332175
country: HK
changed: anson28@hotmail.com 20050224
mnt-by: MAINT-HK-NEWWORLDTEL
source: APNIC
The owners of RCEasy.com:
Organization:
City Data Ltd
Alan Ng
Shop 246, New Capital Computer Plaza, 85-98 Un Chau St.,
Shamshuipo,
HK
Phone: 27203818
Email: info@rceasy.com
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com
Domain Name: RCEASY.COM
Created on..............: Mon, Oct 27, 2003
Expires on..............: Fri, Oct 27, 2006
Record last updated on..: Sun, Sep 19, 2004
Administrative Contact:
City Data Ltd
Alan Ng
Shop 246, New Capital Computer Plaza, 85-98 Un Chau St.,
Shamshuipo,
HK
Phone: 27203818
Email: info@rceasy.com
Technical Contact:
City Data Ltd
Alan Ng
Shop 246, New Capital Computer Plaza, 85-98 Un Chau St.,
Shamshuipo,
HK
Phone: 27203818
Email: info@rceasy.com
Zone Contact:
City Data Ltd
Alan Ng
Shop 246, New Capital Computer Plaza, 85-98 Un Chau St.,
Shamshuipo,
HK
Phone: 27203818
Email: info@rceasy.com
Domain servers in listed order:
WWW.RCEASY.COM 203.98.178.86
MAIL.MICROSTYLE.COM 203.98.178.85