False PayPal login
Results 1 to 7 of 7

Thread: False PayPal login

  1. #1
    Junior Member
    Join Date
    Feb 2003
    Posts
    11

    False PayPal login

    Hi all,
    I just recieved this email claiming to be from PayPal:

    From : service@paypal.com <sErvICE@PAyPaL.Com>
    Reply-To : service@paypal.com
    Sent : March 5, 2005 3:38:01 PM
    To : malletelf@hotmail.com
    Subject : PayPal Account Security Measures ID 45409

    MIME-Version: 1.0
    Received: from linux2.nevidia.com ([66.197.141.85]) by mc4-f34.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Sat, 5 Mar 2005 07:37:42 -0800
    Received: from nobody by linux2.nevidia.com with local (Exim 4.43)id 1D7bLt-00022e-BIfor malletelf@hotmail.com; Sat, 05 Mar 2005 10:38:01 -0500
    X-Message-Info: JGTYoYF78jHysFnp1wAsNRb+EIt3aadlPhQOF4RFBPw=
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - linux2.nevidia.com
    X-AntiAbuse: Original Domain - hotmail.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - linux2.nevidia.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Return-Path: nobody@linux2.nevidia.com
    X-OriginalArrivalTime: 05 Mar 2005 15:37:42.0286 (UTC) FILETIME=[45184AE0:01C52199]

    --------------------------------------------------------------------------------

    View E-mail Message Source
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit


    Dear malletelf@hotmail.com
    ,
    We recently noticed one or more attempts to log in to your PayPal account
    from a different IP address.
    If you recently accessed your account while traveling, the unusual log in
    attempts may have been initiated by you. However, if you did not initiate
    the log ins, please visit PayPal as soon as possible to check-up your
    account information:

    http://www.paypal.com/cgi-bin/webscr?cmd=_login-run
    Thanks for your patience.
    Sincerely,
    PayPal
    ----------------------------------------------------------------
    Please do not reply to this e-mail. Mail sent to this address cannot be
    answered.
    Email ID PP32461
    Please note that the link claiming to point to:
    "http://www.paypal.com/cgi-bin/webscr?cmd=_login-run"
    Actually points to:
    "javascript:ol('http://www.joonhyung.com/bbs/main.htm');"

    I've already contacted PayPal.com and ReportPhish.org.

    Anyone know of any other organizations who would be interested in receiving this?

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I'd say antiphishing.org and http://www.ic3.gov/ since joonhyung.com is a US based firm:

    Checking server [whois.enom.com]
    Results:

    Registration Service Provided By: ICDSoft.com
    Contact: hosting@icdsoft.com
    Visit:

    Domain name: joonhyung.com

    Registrant Contact:

    JoonHyung Cho (jhcho@mac.com)
    701-277-9182
    Fax:
    500216thAve.SW#203
    Fargo, ND 58103
    US

    Administrative Contact:
    ICDSoft.com
    Chan Mui Ping (hosting@icdsoft.com)
    +852 97585654
    Fax: +852 97585654
    POBox 68015
    Kowloon East Post Office
    Kowloon, HK 852
    HK

    Technical Contact:

    JoonHyung Cho (jhcho@mac.com)
    701-277-9182
    Fax:
    500216thAve.SW#203
    Fargo, ND 58103
    US

    Billing Contact:

    JoonHyung Cho (jhcho@mac.com)
    701-277-9182
    Fax:
    500216thAve.SW#203
    Fargo, ND 58103
    US

    Status: Locked

    Name Servers:
    ns1.station171.com
    ns2.station171.com

    Creation date: 12 Oct 2002 02:54:02
    Expiration date: 12 Oct 2005 02:54:02
    Although it's interesting to look at the page and see the following code:

    PHP Code:
    <html>
    &
    lt;head>
    &
    lt;title>PayPal Login</title>
    &
    lt;/head>
    &
    lt;frameset rows="0,*" frameborder="NO" border="0" framespacing="0">
      &
    lt;frame src="cl.htm" name="topFrame" scrolling="NO" noresize >
      &
    lt;frame src="http://youngadult.iemmanuel.org/zboard/ver.php" name="mainFrame">
    &
    lt;/frameset>
    &
    lt;/html&gt
    That one in turn has this:

    Domain ID:D68022846-LROR
    Domain Name:IEMMANUEL.ORG
    Created On:19-Mar-2001 22:23:06 UTC
    Last Updated On:24-Oct-2004 23:55:05 UTC
    Expiration Date:19-Mar-2007 22:23:06 UTC
    Sponsoring Registrar:Network Solutions LLC (R63-LROR)
    Status:CLIENT TRANSFER PROHIBITED
    Registrant ID:6050462-NSI
    Registrant Name:Emmanuel Church in Philadelphi
    Registrant Organization:Emmanuel Church in Philadelphi
    Registrant Street1:4723-41 Spruce St.
    Registrant Street2:**
    Registrant Street3:
    Registrant City:Philadelphia
    Registrant State/Province:PA
    Registrant Postal Code:19139
    Registrant Country:US
    Registrant Phone:+1.2154760330
    Registrant Phone Ext.:
    Registrant FAX:
    Registrant FAX Ext.:
    Registrant Email:pitl153@hotmail.com
    Admin ID:6050462-NSI
    Admin Name:Emmanuel Church in Philadelphi
    Admin Organization:Emmanuel Church in Philadelphi
    Admin Street1:4723-41 Spruce St.
    Admin Street2:**
    Admin Street3:
    Admin City:Philadelphia
    Admin State/Province:PA
    Admin Postal Code:19139
    Admin Country:US
    Admin Phone:+1.2154760330
    Admin Phone Ext.:
    Admin FAX:
    Admin FAX Ext.:
    Admin Email:pitl153@hotmail.com
    Tech ID:5358805-NSI
    Tech Name:Network Solutions, LLC.
    Tech Organization:Network Solutions, LLC.
    Tech Street1:13200 Woodland Park Drive
    Tech Street2:
    Tech Street3:
    Tech City:Herndon
    Tech State/Province:VA
    Tech Postal Code:20171-3025
    Tech Country:US
    Tech Phone:+1.188864296
    Tech Phone Ext.:
    Tech FAX:+1.5714344620
    Tech FAX Ext.:
    Tech Email:customerservice@networksolutions.com
    Name Server:NS2.IXWEBHOSTING.COM
    Name Server:NS1.IXWEBHOSTING.COM
    Which apparently has some security issues. Moving up one directory shows the contents and one file, system.php, has rather interesting details.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    May 2004
    Posts
    274
    hi all,
    @ malletelf

    Please note that the link claiming to point to:
    "http://www.paypal.com/cgi-bin/webscr?cmd=_login-run"
    Actually points to:
    "java scriptl('http://www.joonhyung.com/bbs/main.htm');"
    how did u got this?? because i go thru the source and didn't find anything like that and same in the case of etheral i didn't find anything. Can u explain the method from which u got this.

    Thanks
    Excuse me, is there an airport nearby large enough for a private jet to land?

  4. #4
    Junior Member
    Join Date
    Feb 2003
    Posts
    11
    @ mmkhan,
    Well, the reason I put that in the post is because the link supposedly pointing to
    "http://www.paypal.com/cgi-bin/webscr?cmd=_login-run"
    wasn't actually pointing there. The email was in HTML format, and when I hovered the mouse over the link,
    "java script:ol('http://www.joonhyung.com/bbs/main.htm');"
    showed up in its stead.

    Cheers

  5. #5
    Junior Member
    Join Date
    Jul 2003
    Posts
    23
    I just got 2 of these dodgy paypal emails source below

    <span id=z>
    <xhtml><head><title>PayPal</title></head>
    <style type="text/css">#obmessage .dummy {}
    #z BODY, #z TD {font-family: verdana,arial,helvetica,sans-serif;
    font-size:12px;color: #000000;}
    </style>
    <table width=680 align=center>
    <tr><td><A target="_blank"href="https://www.paypal.com/us"><IMG src="http://images.paypal.com/en_US/i/logo/email_logo.gif" alt=PayPal border=0></A></td></tr>
    </table>
    <table width="100%" cellpadding=0>
    <tr><td background="http://images.paypal.com/images/bg_clk.gif" width=100%><img src="http://images.paypal.com/images/pixel.gif"height=29 width=1 border=0></td></tr>
    </table>
    <br>
    <table align=center>
    <tr>
    <td width=400>
    <table>
    <tr><td>Information Regarding Your account:</td></tr>
    <tr><td><b>Dear PayPal Member:<br><br>Attention! Your PayPal account has been violated!<br><br>Someone with ip address 149.225.126.87 tried to access your personal account!</b><br><br>Please <b>click the link below</b> and enter your account information to confirm that you are not currently away. You have 3 days to confirm account information or your account will be locked.<br><br>
    <table width="80%" cellspacing=0 border=0 bgcolor="#FFE65C" align=left>
    <tr><td>
    <table width="100%" cellpadding=4 bgcolor="#FFFECD" align=center>
    <tr><td class="pp_sansserif" align=center><a target="_blank" href="http://204.8.221.194/~cold8/">Click here to activate your account</a></td></tr>
    </table>
    </td></tr>
    </table>
    <br><br><BR>You can also confirm your email address by logging into your PayPal account at <a target="_blank" href="http://204.8.221.194/~cold8/"><br>http://paypal-userpage.com/</a>. Click on the "Confirm email" link in the Activate Account box and then enter this confirmation number: 1036-8535-4511-9500-3892<br><br>Thank you for using PayPal!<br>The PayPal Team
    </td></tr>
    <tr><td><hr class=dotted></td></tr>
    <tr><td>
    <tr><td class="pp_footer">Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, <a href="http://204.8.221.194/~cold8/">log in</a> to your PayPal account and choose the "Help" link in the footer of any page.<br></td></tr><tr><td><img src="http://images.paypal.com/en_US/i/scr/pixel.gif" height=10 width=1 border=0></td></tr>
    </td></tr>
    <tr><td>PayPal Email ID PP059</td></tr>
    </table>
    </td>
    <td width=190 valign=top>
    <table cellspacing=0 cellpadding=1 bgcolor="#cccccc">
    <td>
    <table cellspacing=0 cellpadding=0 bgcolor="#ffffff">
    <tr><td>
    <table width="100%" cellpadding=5 bgcolor="#eeeeee">
    <tr><td align=center>Protect Your Account Info</td></tr>
    </table>
    <table cellpadding=5>
    <tr><td>Make sure you never provide your password to fraudulent websites.<br><br>To safely and securely access the PayPal website or your account, open a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal login page (http://paypal.com/) to be sure you are on the real PayPal site.<br><br>PayPal will never ask you to enter your password in an email.<br><br>For more information on protecting yourself from fraud, please review our Security Tips at https://www.paypal.com/us/securitytips<br></td></tr>
    </table></td></tr>
    <tr><td>
    <table width="100%" cellpadding=5 bgcolor="#eeeeee">
    <tr><td align=center>Protect Your Password</td></tr>
    </table>
    <table cellpadding=5>
    <tr><td>You should never give your PayPal password to anyone.<br></td></tr>
    </table>
    </td></tr>
    </table>
    </td></tr>
    </table>
    </td></tr>
    </table>
    </xhtml></span>


    check out the dodgy link (DO NOT CLICK THIS LINK ITS DODGY) http:\\204.8.221.194\~cold8\ (DO NOT CLICK THIS LINK ITS DODGY) (DONT ENTER ANY INFO HERE)

    some of the graphics are different, and some are missing entirely from the real page, http:\\www.paypal.com but my real question is I've reported it to the abuse people at Paypal but do they actually do anything about it?? Id hate to think less conscious people would get sucked in....is there anywhere else that investigates these people...

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    They often do something about it. All the sites I reported were removed. Given that this one is in the US they'll probably be able to address it quickly.

    OrgName: JustEdge Networks
    OrgID: JUSTE
    Address: 71 Ackerman Ave #161
    City: Clifton
    StateProv: NJ
    PostalCode: 07011
    Country: US

    ReferralServer: rwhois://rwhois.justedge.net:4321

    NetRange: 204.8.216.0 - 204.8.223.255
    CIDR: 204.8.216.0/21
    NetName: JE-BLK-1
    NetHandle: NET-204-8-216-0-1
    Parent: NET-204-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.JUSTEDGE.NET
    NameServer: NS2.JUSTEDGE.NET
    Comment:
    RegDate: 2004-08-19
    Updated: 2004-08-19

    OrgTechHandle: JUSTE-ARIN
    OrgTechName: JustEdge
    OrgTechPhone: +1-866-458-7833
    OrgTechEmail: info@justedge.net
    You could also notify http://www.ic3.gov/
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7
    Junior Member
    Join Date
    Jul 2003
    Posts
    23
    thanks Ms M...I'm doing so right now...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •