
Thread: Phishy: PayPal - Flagged Account

  1. #1
    MrLinus (Just a Virtualized Geek), joined Sep 2001, Redondo Beach, CA, 7,323 posts

    Phishy: PayPal - Flagged Account

    Just got this one (and have notified PayPal already):

    PayPal <https://www.paypal.com/us>

    Dear PayPal Member,

    Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your PayPal account and to ensure a safe PayPal experience. We require all flagged accounts to verify their information on file with us. To verify your Information at this time, please visit our secure server webform by clicking the hyperlink below

    Click here to verify your Information <http://202.108.69.147/webscr/>

    Thank you for using PayPal!
    The PayPal Team
    --------------------------------------------------------------------------------
    Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

    To receive email notifications in plain text instead of HTML, update your preferences here <https://www.paypal.com/us/PREFS-NOTI>.

    PayPal Email ID PP478

    Protect Your Account Info

    Make sure you never provide your password to fraudulent websites.

    To safely and securely access the PayPal website or your account, open up a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (http://www.paypal.com/).

    PayPal will never ask you to enter your password in an email.
    For more information on protecting yourself from fraud, please review our Security Tips at http://www.paypal.com/securitytips

    Header info:

    From - Fri Feb 25 02:04:54 2005
    X-Account-Key: account3
    X-UIDL: 78644dce3bc9b76d346181a76e70edbb
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 10000000
    X-Apparently-To: msmittens@msmittens.com via aa.bb.cc.dd; Thu, 24 Feb 2005 23:00:39 -0800
    X-YahooFilteredBulk: aa.bb.cc.dd
    Authentication-Results: aa.bb.cc.dd from=paypal.com; domainkeys=neutral (no sig)
    X-Originating-IP: [aa.bb.cc.dd]
    Return-Path: <service@paypal.com>
    Received: from aa.bb.cc.dd (EHLO aa.bb.cc.dd) (aa.bb.cc.dd)
    by aa.bb.cc.dd; Thu, 24 Feb 2005 23:00:39 -0800
    Received: from paypal.com (unknown [216.117.177.39])
    by mailhub.korax.net (Postfix) with ESMTP id 19A2B2B6BEC
    for <msmittens@msmittens.com>; Fri, 25 Feb 2005 02:00:39 -0500 (EST)
    Message-ID: <20050225020030.B89914F2B5806CB4@paypal.com>
    From: service@paypal.com
    To: msmittens@msmittens.com
    Subject: [Bulk] PayPal - Flagged Account
    Reply-To: service@paypal.com
    Date: 25 Feb 2005 02:00:30 -0500
    X-Antivirus: AVG for E-mail 7.0.300 [266.4.0]
    Mime-Version: 1.0

    However, the address -- 202.108.69.147 -- resolves to:

    inetnum: 202.108.69.0 - 202.108.69.255
    netname: YS-INFORMATION-CO
    descr: YS Information Co.Ltd
    country: CN
    admin-c: GS26-AP
    tech-c: GS26-AP
    mnt-by: MAINT-CNCGROUP-BJ
    changed: hostmast@publicf.bta.net.cn 20040116
    status: ASSIGNED NON-PORTABLE
    source: APNIC

    person: Gao SuJian
    address: Yang Fang Dian Lu 9 Hai Dian District
    address: Beijing 100038
    nic-hdl: GS26-AP
    phone: +86-10-13910230034
    fax-no: +86-10-88244077
    e-mail: gaosujian@ys.cctv.com
    mnt-by: MAINT-CNCGROUP-BJ
    changed: hostmast@publicf.bta.net.cn 20040108
    source: APNIC

    China. So unless PayPal has outsourced...

    Additional "stuff": The 404 reports:

    Apache/2.0.53 (Unix) DAV/2 PHP/5.0.3 mod_perl/1.999.21 Perl/v5.8.0 Server at 202.108.69.147 Port 80

    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    This gave me an idea, MsM - read about it here.

    v_Ln

  3. #3
    MrLinus (Just a Virtualized Geek), joined Sep 2001, Redondo Beach, CA, 7,323 posts

    Got another one with the same body. This time the address is http://203.98.178.86/paypal/ . What's interesting is that if you remove the PayPal directory, it becomes RCEasy.com (RC Car Forums, I believe). Makes me wonder if the site got compromised and then used (they use phpBB as their forum template). A few errors also gave: Apache/2.0.40 (Red Hat Linux).

    This one's in Hong Kong:

    inetnum: 203.98.128.0 - 203.98.191.255
    netname: NWT-NET
    descr: New World Telephone
    descr: Broadband Service
    descr: Data Center
    descr: Regional VPN network
    country: HK
    admin-c: KT88-AP
    admin-c: ST211-AP
    admin-c: AC286-AP
    tech-c: ST211-AP
    tech-c: AC286-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-HK-NEWWORLDTEL
    remarks: For network abuse email
    changed: hm-changed@apnic.net 20040212
    status: ALLOCATED PORTABLE
    changed: hm-changed@apnic.net 20040720
    source: APNIC

    person: Karl Tsah
    address: 17/F Chevalier Commercial Centre,
    address: 8 Wang Hoi Road, Kowloon Bay,
    address: Hong Kong
    country: HK
    phone: +852-21337176
    fax-no: +852-21332146
    e-mail: Ktsah@newworldtel.com
    nic-hdl: KT88-AP
    mnt-by: MAINT-NEW
    changed: patricksw@hotmail.com 20000927
    source: APNIC

    person: Samuel Tan
    address: 17/F, Chevalier Commercial Centre,
    address: 8 Wang Hoi Road, Kowloon Bay,
    address: Hong Kong
    country: HK
    phone: +852-21336894
    fax-no: +852-21332175
    e-mail: samuel.tan@newworldtel.com
    nic-hdl: ST211-AP
    mnt-by: MAINT-HK-NEWWORLDTEL
    changed: wptan@sinaman.com 20010710
    source: APNIC

    person: Anson Chan
    nic-hdl: AC286-AP
    e-mail: anson28@hotmail.com
    address: 17/F Chevalier Commercial Centre,
    address: 8 Wang Hoi Road, Kowloon Bay,
    address: Hong Kong
    phone: +852-21337341
    fax-no: +852-21332175
    country: HK
    changed: anson28@hotmail.com 20050224
    mnt-by: MAINT-HK-NEWWORLDTEL
    source: APNIC

    The owners of RCEasy.com:

    Organization:
    City Data Ltd
    Alan Ng
    Shop 246, New Capital Computer Plaza, 85-98 Un Chau St.,
    Shamshuipo,
    HK
    Phone: 27203818
    Email: info@rceasy.com

    Registrar Name....: Register.com
    Registrar Whois...: whois.register.com
    Registrar Homepage: http://www.register.com

    Domain Name: RCEASY.COM

    Created on..............: Mon, Oct 27, 2003
    Expires on..............: Fri, Oct 27, 2006
    Record last updated on..: Sun, Sep 19, 2004

    Administrative Contact:
    City Data Ltd
    Alan Ng
    Shop 246, New Capital Computer Plaza, 85-98 Un Chau St.,
    Shamshuipo,
    HK
    Phone: 27203818
    Email: info@rceasy.com

    Technical Contact:
    City Data Ltd
    Alan Ng
    Shop 246, New Capital Computer Plaza, 85-98 Un Chau St.,
    Shamshuipo,
    HK
    Phone: 27203818
    Email: info@rceasy.com

    Zone Contact:
    City Data Ltd
    Alan Ng
    Shop 246, New Capital Computer Plaza, 85-98 Un Chau St.,
    Shamshuipo,
    HK
    Phone: 27203818
    Email: info@rceasy.com

    Domain servers in listed order:

    WWW.RCEASY.COM 203.98.178.86
    MAIL.MICROSTYLE.COM 203.98.178.85
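One way to mechanise the two checks MrLinus applies by hand in posts #1 and #3 (a link whose host is a bare IP rather than the sender's domain, and a Received hop whose HELO name claims paypal.com while the relay's reverse DNS comes back as "unknown"). This is an added example, not code from the thread or from PayPal; the message is a constructed sample built from the values quoted above, and the function names are assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HREF = re.compile(r'href="([^"]+)"', re.I)
# Postfix style hop: "from <HELO name> (<reverse-DNS name> [<ip>])"
RECEIVED = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)", re.I)

# Constructed sample modelled on the message quoted in the thread (same From:,
# HELO name, relay IP and link hosts); not the original capture.
RAW = (
    "Received: from paypal.com (unknown [216.117.177.39])\n"
    "\tby mailhub.korax.net (Postfix) with ESMTP id 19A2B2B6BEC\n"
    "From: service@paypal.com\n"
    "Subject: PayPal - Flagged Account\n"
    "Content-Type: text/html\n"
    "\n"
    '<a href="https://www.paypal.com/us">PayPal</a> Dear PayPal Member,\n'
    '<a href="http://202.108.69.147/webscr/">Click here to verify</a>\n'
)

def on_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def bare_ip_url(url):
    """True when the link host is a literal IPv4 address, as in the thread."""
    return bool(IPV4.match(urlparse(url).hostname or ""))

def off_brand_links(msg, brand):
    """Links whose host is not under the From: domain, as (href, is_bare_ip)."""
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    return [(h, bare_ip_url(h)) for h in HREF.findall(body)
            if not on_domain(urlparse(h).hostname or "", brand)]

def forged_helo(msg, brand):
    """Hops whose HELO claims the brand domain but whose reverse DNS does not
    back it up ('unknown' here): the EHLO name is chosen by the sending host."""
    hops = []
    for hop in msg.get_all("Received", []):
        m = RECEIVED.search(hop)
        if m and on_domain(m[1], brand) and not on_domain(m[2], brand):
            hops.append((m[1], m[2], m[3]))
    return hops

def triage(raw):
    """Parse a raw message and report the two indicators the thread relies on."""
    msg = email.message_from_string(raw, policy=policy.default)
    brand = str(msg["From"]).split("@")[-1].strip(" <>").lower()
    return {"links": off_brand_links(msg, brand), "helo": forged_helo(msg, brand)}
```

Either finding on its own is only a hint (legitimate mail sometimes relays through hosts without reverse DNS); both together, with the link host living in a different country from the claimed sender, is the pattern the thread documents.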
