Interesting URL in PayPal Phish
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Interesting URL in PayPal Phish

  1. #1
    Member
    Join Date
    Oct 2004
    Posts
    92

    Interesting URL in PayPal Phish

    OK, I amnot unfamiliar with these ype of scams and was not fooled by the e-mail, however what I am intrigued by is the URL (if thats what it is) for the scammers site. I (and a few others I have asked) have never seen anything like it before. The link in the e-mail takes you to http://3562341948:82/webscrr/index.php now I know all about the colon that indicates which port to connect to before anyone says that, but what kind of address is 3562341948 it is not an IP address that I am familiar, besides if you ping/tracert it resolves to another IP, nor is it any form of URL I am familiar with, I thought they all had to end in some sort of .com/.org/.etc would anyone here be nice enough to tell me what this address is? Also while you are here why not try filling out that page with random details just to waste a little more of the scammers time:-)



    X-Gmail-Received: 11de23cbc082d5a0e13a8b43d3d6eb647588dd3a
    Delivered-To: jamestech@gmail.com
    Received: by 10.36.224.64 with SMTP id w64cs9222nzg;
    Sat, 13 May 2006 08:23:37 -0700 (PDT)
    Received: by 10.54.140.16 with SMTP id n16mr3602402wrd;
    Sat, 13 May 2006 08:23:37 -0700 (PDT)
    Return-Path: <service@paypal.com>
    Received: from 192.168.111.10 (210-54-89-248.adsl.xtra.co.nz [210.54.89.248])
    by mx.gmail.com with SMTP id 29si10987443wrl.2006.05.13.08.23.23;
    Sat, 13 May 2006 08:23:37 -0700 (PDT)
    Received-SPF: softfail (gmail.com: domain of transitioning service@paypal.com does not designate 210.54.89.248 as permitted sender)
    Received: from 64.66.55.212 by ; Sat, 13 May 2006 14:07:20 -0100
    Message-ID: <TQRSTWUQFKGAIOTUHNWV@aol.com>
    From: "service@paypal.com" <service@paypal.com>
    Reply-To: "service@paypal.com" <service@paypal.com>
    To: jameslicious@gmail.com, jamestech@gmail.com, jan.gralle@gmail.com, janice@gmail.com, jank_fenter@gmail.com, jarod.pulo@gmail.com, jarod.talmont@gmail.com, jasninder@gmail.com, jasonlf@gmail.com
    Subject: New email address added to your PayPal account !
    Date: Sat, 13 May 2006 10:07:20 -0500
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="--6732814673143671"
    X-Priority: 5
    X-MSMail-Priority: Low

    ----6732814673143671
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    <HTML>
    <HEAD>
    <META NAME=3D"GENERATOR" Content=3D"Microsoft DHTML Editing Control">
    <TITLE></TITLE>
    </HEAD>
    <BODY>
    <P><FONT face=3D"Courier New" size=3D"2">You have added <A href=3D"http://=
    3562341948:82/webscrr/index.php">
    <FONT face=3D"Courier New" size=3D"2">skramer396@yahoo.com</A> as a new em=
    ail address for<br> your
    PayPal account.<br></p></FONT>

    <P><FONT face=3D"Courier New" size=3D"2">If you did not authorize this cha=
    nge or if you need assistance<br> with
    your account, please contact PayPal customer service at:<br></p></FONT>

    <P><FONT face=3D"Courier New" size=3D"2"><A href=3D"http://3562341948:82/w=
    ebscrr/index.php">
    <FONT face=3D"Courier New" size=3D"2">https://www.paypal.com/us/cgi-bin/we=
    bscr=3D_email-login</A><br></p></FONT>
    <P><FONT face=3D"Courier New" size=3D"2">Thank you for using PayPal!<br>
    The PayPal Team</p></FONT><br>
    <P><FONT face=3D"Courier New" size=3D"2">Please do not reply to this e-mai=
    l. Mail sent to this address cannot<br> be
    answered. For assistance, log in to your PayPal account and choose<br> the=

    "Help" link in the header of any page.<br></p></FONT>
    -----------------------------------------------------------------<br>
    <PRE><FONT face=3D"Courier New" size=3D"2"> PROTECT YO=
    UR PASSWORD</FONT><br></PRE>

    <P><FONT face=3D"Courier New" size=3D"2">NEVER give your password to anyon=
    e and ONLY log in at<br>
    <A href=3D"http://3562341948:82/webscrr/index.php">
    <FONT face=3D"Courier New" size=3D"2">https://www.paypal.com/</A></FONT>.<=
    FONT face=3D"Courier New" size=3D"2"> Protect yourself against fraudulent =
    websites<br>
    by opening a new web browser (e.g. Internet Explorer or Netscape) <br>and =
    typing
    in the PayPal URL every time you log in to your account.<br></p></FONT>
    -----------------------------------------------------------------<br>
    <br>
    <br>
    <p><FONT face=3D"Courier New" size=3D"2">PayPal Email ID PP913137</p></fon=
    t>
    </BODY>=20

    ----6732814673143671--
    I\'m Dying To Find Out The Hard Way

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    856
    Also while you are here why not try filling out that page with random details just to waste a little more of the scammers time:-)
    Hi,
    Probably not a good idea to go to sites linked to in suspected phishing emails. If you have an unpatched vulnerability or there is a zero-day exploit that they know about and you don't it could mean trouble for you. Going to their site means you're walking on their home ground.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I believe that it is the IP address in decimal notation.

    Using the tools found here: http://www.dnsstuff.com/

    It appears to resolve to the London Borough of Hillingdon

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Interesting.... wget recognizes or translates this as an IP address and the site is still online.
    C:\temp>wget http://3562341948:82/webscrr/index.php
    --22:22:52-- http://3562341948:82/webscrr/index.php
    => `index.php'
    Connecting to 3562341948|212.85.6.60|:82... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]

    [ <=> ] 16,639 45.96K/s

    22:22:53 (45.88 KB/s) - `index.php' saved [16639]
    Thanks for the site Nihil.

    I pulled the page down and am analyzing it and I'm not finding any URLs in there but a lot of what looks to be encoded addresses. Anyone know what these mean? (spaces inserted to avoid formatting probs)
    h r e f=(double quote)5v6fw20lpt1t4ypk7o8tjpu1b9h72zgqt8lnak0ficbz392u3fc(double quote)
    h r e f=(double quote)?cmd=goiys8qptwgalzkoq7dcapq0w0zwn4z85w2oew3a4tchawq9ltl(double quote)

  5. #5
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    nihil is indeed correct that it's an IP Address in decimal notation.... Check out http://www.iowight.com/iwindex/decimal.php3 for more information

    ric-o: These are just links to other pages.... Usually sites like paypal have cmd= or a large session key.... they're just trying to mimic this... because there's no http:// it'll just be appended onto the current site... that's why it looks really messed up... their just trying to make it harder for anti-phishers to investigate... but it's not really bothering anyone except the end-users... but I guess that's the real problem..

    You can do something like

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  6. #6
    Banned
    Join Date
    May 2006
    Posts
    20
    Deobfusicated URL: http://212.85.6.60:82/webscrr/index.php
    Plain IP: 212.85.6.60
    Webserver Port: 82
    WHOIS Results: http://www.dnsstuff.com/tools/whois....e.net&email=on
    Abuse Email: abuse@equinoxsolutions.com

    I've reported it to the abuse address. And signed up with some fake data just to annoy the phisher. Making sure I used my LiveCD with my HDD unplugged on my second computer, just to be safe.

  7. #7
    Senior Member
    Join Date
    Mar 2005
    Posts
    175
    Google Anti-phishing thing in ff works good.
    \"And life is what we make it. Always has been, always will be.\"

  8. #8
    Member
    Join Date
    Oct 2004
    Posts
    92
    Thanks for the feedback guys, I have never heard of an IP address in decimal notation before, I guess you do learn something new every day. Hmmmm... London thats interesting, you sort of assume these sites are all based in nigera (nothing against nigerians, it just seems to be where all the paypal/ebay/bank scams come from). I suppose I could ring the police and let them know, but then again, I have rang them before when someone had thousands taken from their account and they wasn't interested until the bank contacted them. I am also aware that just because the server is based in london (if thas correct) it doesn't necesarily mean the scammers are there. Once again thanks for the info!
    I\'m Dying To Find Out The Hard Way

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi C0br4,

    London thats interesting, you sort of assume these sites are all based in nigera (nothing against nigerians, it just seems to be where all the paypal/ebay/bank scams come from). I suppose I could ring the police and let them know
    Actually the webserver could be anywhere, it just needs to be vulnerable for these guys to use it.

    We had a member post only two or three days ago about his games server being compromised in a similar fashion. IIRC he was located in the USA.

    I think that these people work in a very similar way to spammers. They would particularly look for .gov (which the Hillingdon borough council will be) and .edu domains, for example, as there is a good chance that they are unmanned and unmonitored over the weekend?

    Once the punter has visited the site, and entered the info. the damage has been done.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Originally posted here by Chazwazza1337
    I've reported it to the abuse address. And signed up with some fake data just to annoy the phisher. Making sure I used my LiveCD with my HDD unplugged on my second computer, just to be safe.
    Cool. I reported it to the Fried Phish folks at CastleCops - http://www.castlecops.com/pirt

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides