
Thread: False PayPal login

  1. #1
    Junior Member
    Join Date
    Feb 2003
    Posts
    11

    False PayPal login

    Hi all,
    I just received this email claiming to be from PayPal:

    From : service@paypal.com <sErvICE@PAyPaL.Com>
    Reply-To : service@paypal.com
    Sent : March 5, 2005 3:38:01 PM
    To : malletelf@hotmail.com
    Subject : PayPal Account Security Measures ID 45409

    MIME-Version: 1.0
    Received: from linux2.nevidia.com ([66.197.141.85]) by mc4-f34.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Sat, 5 Mar 2005 07:37:42 -0800
    Received: from nobody by linux2.nevidia.com with local (Exim 4.43) id 1D7bLt-00022e-BI for malletelf@hotmail.com; Sat, 05 Mar 2005 10:38:01 -0500
    X-Message-Info: JGTYoYF78jHysFnp1wAsNRb+EIt3aadlPhQOF4RFBPw=
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - linux2.nevidia.com
    X-AntiAbuse: Original Domain - hotmail.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - linux2.nevidia.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Return-Path: nobody@linux2.nevidia.com
    X-OriginalArrivalTime: 05 Mar 2005 15:37:42.0286 (UTC) FILETIME=[45184AE0:01C52199]

    --------------------------------------------------------------------------------

    Content-Type: text/html
    Content-Transfer-Encoding: 8bit


    Dear malletelf@hotmail.com,
    We recently noticed one or more attempts to log in to your PayPal account
    from a different IP address.
    If you recently accessed your account while traveling, the unusual log in
    attempts may have been initiated by you. However, if you did not initiate
    the log ins, please visit PayPal as soon as possible to check-up your
    account information:

    http://www.paypal.com/cgi-bin/webscr?cmd=_login-run
    Thanks for your patience.
    Sincerely,
    PayPal
    ----------------------------------------------------------------
    Please do not reply to this e-mail. Mail sent to this address cannot be
    answered.
    Email ID PP32461
    Please note that the link claiming to point to:
    "http://www.paypal.com/cgi-bin/webscr?cmd=_login-run"
    Actually points to:
    "javascript:ol('http://www.joonhyung.com/bbs/main.htm');"

    I've already contacted PayPal.com and ReportPhish.org.

    Anyone know of any other organizations who would be interested in receiving this?
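The Received: chain quoted in the post above is the one part of this mail the sender could not fully forge, so here is an added example (my own code, not anything posted in the thread) that walks it. It re-types the quoted headers as a constructed sample, lists each hop in delivery order, picks out the first IP that a receiving MTA recorded in brackets, and compares the From: domain with the envelope sender in Return-Path:. The verdicts are heuristics chosen here, not an official rule, and only the standard library is used.

```python
"""Walk the Received: chain of a suspicious mail and compare sender domains.

Added example for this thread; it is not code from any of the posters.
SAMPLE_HEADERS re-types the headers quoted in the first post as a
syntactically valid header block (a constructed sample).
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_HEADERS = """\
Return-Path: nobody@linux2.nevidia.com
Received: from linux2.nevidia.com ([66.197.141.85]) by mc4-f34.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Sat, 5 Mar 2005 07:37:42 -0800
Received: from nobody by linux2.nevidia.com with local (Exim 4.43) id 1D7bLt-00022e-BI for malletelf@hotmail.com; Sat, 05 Mar 2005 10:38:01 -0500
From: service@paypal.com <sErvICE@PAyPaL.Com>
Reply-To: service@paypal.com
To: malletelf@hotmail.com
Subject: PayPal Account Security Measures ID 45409
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
Content-Type: text/html

"""

# "from <helo> (<rdns> [<ip>]) by <mta> ..." as most MTAs write it
RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>\S+)(?:\s*\([^)]*\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw=SAMPLE_HEADERS):
    return message_from_string(raw)


def delivery_path(msg):
    """Hops in delivery order, earliest first.

    Every MTA prepends its own Received: line, so the header order is
    newest-first and is reversed here. Only the hop written by an MTA you
    trust (here Hotmail's mc4-f34) is reliable; whatever the sending box
    wrote about itself could be forged.
    """
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the header
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        ip = IP_RE.search(flat)
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "ip": ip.group(1) if ip else None,
            # Exim writes "with local" when a local process handed it the
            # message (here the user "nobody", typically the web server),
            # i.e. it did not arrive over SMTP
            "local": " with local" in flat,
        })
    return list(reversed(hops))


def originating_ip(hops):
    """First address a receiving MTA recorded in brackets."""
    for hop in hops:
        if hop["ip"]:
            return hop["ip"]
    return None


def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def sender_findings(msg):
    """Domains a reader sees versus the ones the transport recorded."""
    findings = []
    visible = domain_of(msg.get("From", ""))
    envelope = domain_of(msg.get("Return-Path", ""))
    if envelope and envelope != visible and not envelope.endswith("." + visible):
        findings.append(f"From: claims {visible} but envelope sender is {envelope}")
    hops = delivery_path(msg)
    if hops and hops[0]["local"]:
        findings.append(f"injected locally on {hops[0]['by']} by user {hops[0]['from']}")
    ip = originating_ip(hops)
    if ip:
        findings.append(f"first recorded external hop: {ip}")
    return findings


if __name__ == "__main__":
    for line in sender_findings(parse_headers()):
        print(line)
```

The hop worth putting in an abuse report is 66.197.141.85, because Hotmail's own MTA recorded it; the HELO name linux2.nevidia.com and the local injection by user nobody are what that box said about itself, which a compromised or rented server would say just as readily.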

  2. #2
    MrLinus (Just a Virtualized Geek)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I'd say antiphishing.org and http://www.ic3.gov/ since joonhyung.com is a US-based firm:

    Checking server [whois.enom.com]
    Results:

    Registration Service Provided By: ICDSoft.com
    Contact: hosting@icdsoft.com
    Visit:

    Domain name: joonhyung.com

    Registrant Contact:

    JoonHyung Cho (jhcho@mac.com)
    701-277-9182
    Fax:
    500216thAve.SW#203
    Fargo, ND 58103
    US

    Administrative Contact:
    ICDSoft.com
    Chan Mui Ping (hosting@icdsoft.com)
    +852 97585654
    Fax: +852 97585654
    POBox 68015
    Kowloon East Post Office
    Kowloon, HK 852
    HK

    Technical Contact:

    JoonHyung Cho (jhcho@mac.com)
    701-277-9182
    Fax:
    500216thAve.SW#203
    Fargo, ND 58103
    US

    Billing Contact:

    JoonHyung Cho (jhcho@mac.com)
    701-277-9182
    Fax:
    500216thAve.SW#203
    Fargo, ND 58103
    US

    Status: Locked

    Name Servers:
    ns1.station171.com
    ns2.station171.com

    Creation date: 12 Oct 2002 02:54:02
    Expiration date: 12 Oct 2005 02:54:02
    Although it's interesting to look at the page and see the following code:

    Code:
    <html>
    <head>
    <title>PayPal Login</title>
    </head>
    <frameset rows="0,*" frameborder="NO" border="0" framespacing="0">
      <frame src="cl.htm" name="topFrame" scrolling="NO" noresize >
      <frame src="http://youngadult.iemmanuel.org/zboard/ver.php" name="mainFrame">
    </frameset>
    </html>
    That one in turn has this:

    Domain ID:D68022846-LROR
    Domain Name:IEMMANUEL.ORG
    Created On:19-Mar-2001 22:23:06 UTC
    Last Updated On:24-Oct-2004 23:55:05 UTC
    Expiration Date:19-Mar-2007 22:23:06 UTC
    Sponsoring Registrar:Network Solutions LLC (R63-LROR)
    Status:CLIENT TRANSFER PROHIBITED
    Registrant ID:6050462-NSI
    Registrant Name:Emmanuel Church in Philadelphi
    Registrant Organization:Emmanuel Church in Philadelphi
    Registrant Street1:4723-41 Spruce St.
    Registrant Street2:**
    Registrant Street3:
    Registrant City:Philadelphia
    Registrant State/Province:PA
    Registrant Postal Code:19139
    Registrant Country:US
    Registrant Phone:+1.2154760330
    Registrant Phone Ext.:
    Registrant FAX:
    Registrant FAX Ext.:
    Registrant Email:pitl153@hotmail.com
    Admin ID:6050462-NSI
    Admin Name:Emmanuel Church in Philadelphi
    Admin Organization:Emmanuel Church in Philadelphi
    Admin Street1:4723-41 Spruce St.
    Admin Street2:**
    Admin Street3:
    Admin City:Philadelphia
    Admin State/Province:PA
    Admin Postal Code:19139
    Admin Country:US
    Admin Phone:+1.2154760330
    Admin Phone Ext.:
    Admin FAX:
    Admin FAX Ext.:
    Admin Email:pitl153@hotmail.com
    Tech ID:5358805-NSI
    Tech Name:Network Solutions, LLC.
    Tech Organization:Network Solutions, LLC.
    Tech Street1:13200 Woodland Park Drive
    Tech Street2:
    Tech Street3:
    Tech City:Herndon
    Tech State/Province:VA
    Tech Postal Code:20171-3025
    Tech Country:US
    Tech Phone:+1.188864296
    Tech Phone Ext.:
    Tech FAX:+1.5714344620
    Tech FAX Ext.:
    Tech Email:customerservice@networksolutions.com
    Name Server:NS2.IXWEBHOSTING.COM
    Name Server:NS1.IXWEBHOSTING.COM
    Which apparently has some security issues. Moving up one directory shows the contents and one file, system.php, has rather interesting details.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    May 2004
    Posts
    274
    Hi all,
    @ malletelf

    Please note that the link claiming to point to:
    "http://www.paypal.com/cgi-bin/webscr?cmd=_login-run"
    Actually points to:
    "javascript:ol('http://www.joonhyung.com/bbs/main.htm');"
    How did you get this? Because I went through the source and didn't find anything like that, and the same with Ethereal: I didn't find anything. Can you explain the method by which you got this?

    Thanks
    Excuse me, is there an airport nearby large enough for a private jet to land?

  4. #4
    Junior Member
    Join Date
    Feb 2003
    Posts
    11
    @ mmkhan,
    Well, the reason I put that in the post is because the link supposedly pointing to
    "http://www.paypal.com/cgi-bin/webscr?cmd=_login-run"
    wasn't actually pointing there. The email was in HTML format, and when I hovered the mouse over the link,
    "javascript:ol('http://www.joonhyung.com/bbs/main.htm');"
    showed up in its stead.

    Cheers

  5. #5
    Junior Member
    Join Date
    Jul 2003
    Posts
    23
    I just got 2 of these dodgy PayPal emails; source below:

    <span id=z>
    <xhtml><head><title>PayPal</title></head>
    <style type="text/css">#obmessage .dummy {}
    #z BODY, #z TD {font-family: verdana,arial,helvetica,sans-serif;
    font-size:12px;color: #000000;}
    </style>
    <table width=680 align=center>
    <tr><td><A target="_blank"href="https://www.paypal.com/us"><IMG src="http://images.paypal.com/en_US/i/logo/email_logo.gif" alt=PayPal border=0></A></td></tr>
    </table>
    <table width="100%" cellpadding=0>
    <tr><td background="http://images.paypal.com/images/bg_clk.gif" width=100%><img src="http://images.paypal.com/images/pixel.gif"height=29 width=1 border=0></td></tr>
    </table>
    <br>
    <table align=center>
    <tr>
    <td width=400>
    <table>
    <tr><td>Information Regarding Your account:</td></tr>
    <tr><td><b>Dear PayPal Member:<br><br>Attention! Your PayPal account has been violated!<br><br>Someone with ip address 149.225.126.87 tried to access your personal account!</b><br><br>Please <b>click the link below</b> and enter your account information to confirm that you are not currently away. You have 3 days to confirm account information or your account will be locked.<br><br>
    <table width="80%" cellspacing=0 border=0 bgcolor="#FFE65C" align=left>
    <tr><td>
    <table width="100%" cellpadding=4 bgcolor="#FFFECD" align=center>
    <tr><td class="pp_sansserif" align=center><a target="_blank" href="http://204.8.221.194/~cold8/">Click here to activate your account</a></td></tr>
    </table>
    </td></tr>
    </table>
    <br><br><BR>You can also confirm your email address by logging into your PayPal account at <a target="_blank" href="http://204.8.221.194/~cold8/"><br>http://paypal-userpage.com/</a>. Click on the "Confirm email" link in the Activate Account box and then enter this confirmation number: 1036-8535-4511-9500-3892<br><br>Thank you for using PayPal!<br>The PayPal Team
    </td></tr>
    <tr><td><hr class=dotted></td></tr>
    <tr><td>
    <tr><td class="pp_footer">Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, <a href="http://204.8.221.194/~cold8/">log in</a> to your PayPal account and choose the "Help" link in the footer of any page.<br></td></tr><tr><td><img src="http://images.paypal.com/en_US/i/scr/pixel.gif" height=10 width=1 border=0></td></tr>
    </td></tr>
    <tr><td>PayPal Email ID PP059</td></tr>
    </table>
    </td>
    <td width=190 valign=top>
    <table cellspacing=0 cellpadding=1 bgcolor="#cccccc">
    <td>
    <table cellspacing=0 cellpadding=0 bgcolor="#ffffff">
    <tr><td>
    <table width="100%" cellpadding=5 bgcolor="#eeeeee">
    <tr><td align=center>Protect Your Account Info</td></tr>
    </table>
    <table cellpadding=5>
    <tr><td>Make sure you never provide your password to fraudulent websites.<br><br>To safely and securely access the PayPal website or your account, open a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal login page (http://paypal.com/) to be sure you are on the real PayPal site.<br><br>PayPal will never ask you to enter your password in an email.<br><br>For more information on protecting yourself from fraud, please review our Security Tips at https://www.paypal.com/us/securitytips<br></td></tr>
    </table></td></tr>
    <tr><td>
    <table width="100%" cellpadding=5 bgcolor="#eeeeee">
    <tr><td align=center>Protect Your Password</td></tr>
    </table>
    <table cellpadding=5>
    <tr><td>You should never give your PayPal password to anyone.<br></td></tr>
    </table>
    </td></tr>
    </table>
    </td></tr>
    </table>
    </td></tr>
    </table>
    </xhtml></span>


    Check out the dodgy link (DO NOT CLICK THIS LINK, IT'S DODGY): http://204.8.221.194/~cold8/ (DO NOT CLICK THIS LINK, IT'S DODGY) (DON'T ENTER ANY INFO HERE)

    Some of the graphics are different, and some are missing entirely from the real page, http://www.paypal.com. But my real question is: I've reported it to the abuse people at PayPal, but do they actually do anything about it? I'd hate to think less conscious people would get sucked in... is there anywhere else that investigates these people?
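Posts #1, #2 and #5 show three ways a phishing page hides where it really sends you: a javascript: href behind a visible PayPal URL, a raw IP address behind a "paypal-userpage.com" label, and a frameset with a zero-height row. Here is an added example (my own code, not anything posted in the thread, standard library only) that triages anchors and frames for exactly those patterns. The markup is constructed: the first anchor reconstructs what malletelf described (the original anchor HTML was never posted, and what the page's ol() function does is not shown), the other three anchors are re-typed from the source in #5, and the frameset is the one MrLinus quoted. The flags are heuristics chosen here.

```python
"""Triage links and frames in a suspicious HTML mail or landing page.

Added example for this thread, not code posted by anyone in it.
SAMPLE_MAIL and SAMPLE_PAGE are constructed from markup quoted in the thread.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_MAIL = """
<a href="javascript:ol('http://www.joonhyung.com/bbs/main.htm');">http://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
<a target="_blank" href="https://www.paypal.com/us"><img src="http://images.paypal.com/en_US/i/logo/email_logo.gif" alt="PayPal"></a>
<a target="_blank" href="http://204.8.221.194/~cold8/">Click here to activate your account</a>
<a target="_blank" href="http://204.8.221.194/~cold8/"><br>http://paypal-userpage.com/</a>
"""

SAMPLE_PAGE = """<html><head><title>PayPal Login</title></head>
<frameset rows="0,*" frameborder="NO" border="0" framespacing="0">
  <frame src="cl.htm" name="topFrame" scrolling="NO" noresize>
  <frame src="http://youngadult.iemmanuel.org/zboard/ver.php" name="mainFrame">
</frameset></html>"""

EMBEDDED_URL_RE = re.compile(r"https?://[^\s'\"()<>]+")
# a visible label that itself looks like a URL or a bare domain
TEXT_HOST_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for <a> and (src, hidden) for frames."""

    def __init__(self):
        super().__init__()
        self.anchors, self.frames = [], []
        self._href, self._text, self._slots = None, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "frameset":
            # rows="0,*": the first frame gets zero height, so it loads
            # (and can run script) without ever being visible
            sizes = (a.get("rows") or a.get("cols") or "*").split(",")
            self._slots = [s.strip() == "0" for s in sizes]
        elif tag in ("frame", "iframe"):
            hidden = self._slots.pop(0) if self._slots else False
            self.frames.append((a.get("src", ""), hidden))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    return (urlsplit(url.strip()).hostname or "").lower()


def bare(host):
    return host[4:] if host.startswith("www.") else host


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_anchor(href, text):
    """Reasons this anchor looks like a lure; an empty list means none found."""
    reasons = []
    if urlsplit(href.strip()).scheme.lower() == "javascript":
        # the real destination is buried in script, so pull URLs out of it
        targets = EMBEDDED_URL_RE.findall(href)
        reasons.append("javascript: href" + (f" opens {targets[0]}" if targets else ""))
        real = host_of(targets[0]) if targets else ""
    else:
        real = host_of(href)
    if real and is_ip(real):
        reasons.append(f"raw IP address as host: {real}")
    m = TEXT_HOST_RE.match(text)
    if m and real and bare(real) != m.group(1).lower():
        reasons.append(f"label shows {m.group(1).lower()} but link goes to {real}")
    return reasons


def triage_frames(frames, page_host):
    reasons = []
    for src, hidden in frames:
        if hidden:
            reasons.append(f"zero-size frame loads {src}")
        h = host_of(src)
        if h and h != page_host.lower():
            reasons.append(f"frame pulls content from another host: {h}")
    return reasons


def analyse(html, page_host=""):
    p = LinkCollector()
    p.feed(html)
    p.close()
    return {
        "anchors": [{"href": h, "text": t, "reasons": triage_anchor(h, t)} for h, t in p.anchors],
        "frames": triage_frames(p.frames, page_host),
    }
```

The javascript: case is handled separately because a plain host comparison sees no host at all in such an href and would pass the anchor as clean; pulling the URL out of the script body recovers www.joonhyung.com and lets the label-versus-target check fire. The PayPal logo link in the same sample produces no reasons, which is the control that shows the checks are not simply flagging everything.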

  6. #6
    MrLinus (Just a Virtualized Geek)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    They often do something about it. All the sites I reported were removed. Given that this one is in the US they'll probably be able to address it quickly.

    OrgName: JustEdge Networks
    OrgID: JUSTE
    Address: 71 Ackerman Ave #161
    City: Clifton
    StateProv: NJ
    PostalCode: 07011
    Country: US

    ReferralServer: rwhois://rwhois.justedge.net:4321

    NetRange: 204.8.216.0 - 204.8.223.255
    CIDR: 204.8.216.0/21
    NetName: JE-BLK-1
    NetHandle: NET-204-8-216-0-1
    Parent: NET-204-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.JUSTEDGE.NET
    NameServer: NS2.JUSTEDGE.NET
    Comment:
    RegDate: 2004-08-19
    Updated: 2004-08-19

    OrgTechHandle: JUSTE-ARIN
    OrgTechName: JustEdge
    OrgTechPhone: +1-866-458-7833
    OrgTechEmail: info@justedge.net
    You could also notify http://www.ic3.gov/

  7. #7
    Junior Member
    Join Date
    Jul 2003
    Posts
    23
    thanks Ms M...I'm doing so right now...
