Paypal Scam Alert - Update Paypal Appears To Have Shut Them Down

carmann

Golden Member
Jan 28, 2001
I don't even have a Paypal acct but I just rec'd a message from Paypal Periodical with the subject line "Get a Great Rate On Your Money Now". If you receive this msg, DO NOT CLICK THE LINKS AND LOG IN TO YOUR ACCT! It takes you to http://www.paypaldom.com.

**Update**
The URL can no longer be accessed. I guess Paypal jumped on them quick.
 

XFreebie

Banned
Dec 12, 2000
log in with fake information to flood their database. I'm mr. fugger, password azzh0le

why does a paypal scam pop up every 2 weeks? is it the same ppl?!
 

carmann

Golden Member
Jan 28, 2001
XFreebie, that's exactly what I was doing

btw...here's the IP address - 170.9.161.19
 

Sunmansfx

Senior member
Aug 21, 2001
I got one from Paypal Periodicals, but it's from the "real" paypal <PayPal Periodical [announcements-newsletter@paypal.com]>, also it has a different subject heading too.

just an FYI
 

labgeek

Platinum Member
Jan 20, 2002


<< start->run->cmd->ping -t -l 5000 170.9.161.19

run that while you sleep ;)
>>



It is no longer at that IP address. It's now resolving to 64.29.137.170 But realize these sleazebags aren't going to be springing for a dedicated server. If you're going to ping it to death, remember you are also going to be affecting up to a couple hundred legitimate sites - all of whom would potentially have recourse against you for the blatant attack. If these are commercial sites, then these are Title 18 offenses - up to 10 years in jail, and 2x damages for each! A tracert shows keyconnect.com as the last hop before the host. The whois shows the nameservers as Verio owned. I'd suggest contacting them first before exposing yourself to the potential of a few hundred years in jail, and unknown thousands of dollars in damages. Also contact PayPal; they will certainly want to know.

 

XFreebie

Banned
Dec 12, 2000
so i guess the "great rate on your money" is negative 100% and it's not great for you, only them. until they get caught
 

hx009

Senior member
Nov 26, 1999
<< so i guess the "great rate on your money" is negative 100% and it's not great for you, only them. until they get caught >>

Too bad they're probably in Russia or somewhere else, and can disappear without a trace (if they can even be found at all). Why do you think these things keep popping up? :D
 

labgeek

Platinum Member
Jan 20, 2002
look at what can be seen of the scumbag's code. He passes on the info to paypal for the regular login. It would be nothing for paypal to compare the referral http environment variable against the known good login page urls. They could easily then lock the account until the customer calls, or better yet require a password change! This could easily be stopped by paypal with minimal coding and be pretty effective. The scammers could just not do the login, but then the customer would at least have something that should ring that alarm bell in their heads.


Also thinking about this. He's using php, which probably means he's emailing the info to some email account somewhere or saving it in a database or file. Let's come up with a page that makes up email addresses and passwords, and auto submits them to his process.php script.... This would be more effective as they would have to attempt to determine which are real and which are not, and potentially flood his email or kill his quota of hard disk space / web data xfer. And should hopefully keep the other sites on the box alive (albeit slowed down a little maybe). Who's up for a little coding this morning???
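The check labgeek proposes above, written out as an added example (my own code, not PayPal's and not from this thread): each login submission is classified by whether its Referer names one of the known-good login pages, and accounts whose login came from elsewhere are collected for a hold or forced password change. The list of known-good pages, the header and field names, and the sample submissions are all assumptions.

```python
from urllib.parse import urlsplit

# Assumed set of pages that legitimately host the login form. Only scheme,
# host and path are compared; the query string varies between visits.
KNOWN_LOGIN_PAGES = {
    ("https", "www.paypal.com", "/cgi-bin/webscr"),
}

def classify_login(request):
    """Classify one login-submit request as 'ok', 'suspicious' or 'no-referer'.

    `request` is a dict of the submitted headers and fields. The Referer is
    sent by the browser and can be absent or forged by a non-browser client,
    so this is a tripwire for relay pages, not a gate on its own.
    """
    referer = request.get("Referer")
    if not referer:
        return "no-referer"
    parts = urlsplit(referer)
    # Exact host match: "www.paypal.com.example.test" must not pass as paypal.com.
    key = (parts.scheme.lower(), parts.netloc.lower(), parts.path)
    return "ok" if key in KNOWN_LOGIN_PAGES else "suspicious"

def accounts_to_hold(requests):
    """Accounts whose login came from an unknown page; hold them until the
    customer is contacted or forced through a password change."""
    return [r["login_email"] for r in requests
            if classify_login(r) == "suspicious"]

# Constructed sample submissions (not real traffic): a normal login, one relayed
# from the look-alike domain named in this thread, one from a host that merely
# starts with the real name, and one with the header stripped by a proxy.
SAMPLE_REQUESTS = [
    {"Referer": "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run",
     "login_email": "alice@example.test"},
    {"Referer": "http://www.paypaldom.com/process.php",
     "login_email": "bob@example.test"},
    {"Referer": "https://www.paypal.com.example.test/cgi-bin/webscr",
     "login_email": "carol@example.test"},
    {"login_email": "dave@example.test"},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["login_email"], classify_login(r))
    print("hold:", accounts_to_hold(SAMPLE_REQUESTS))
```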

 

XFreebie

Banned
Dec 12, 2000
here's the source code. the only things i can find that might give a clue are "pp_hotmail.js" and "pp_main.js" but those javascript files can't be downloaded


<META http-equiv=DESCRIPTION
content="PayPal lets you send money to anyone with email. PayPal is free for consumers and works seamlessly with your existing credit card and checking account. You can settle debts, borrow cash, divide bills or split expenses with friends all without going to an ATM or looking for your checkbook.">
<META http-equiv=KEYWORDS content="Send, money, payments, credit, credit card, instant, money, financial services, mobile, wireless, WAP, cell phones, two-way pagers, Windows CE"><LINK href="pp_styles.css" type=text/css rel=stylesheet>
<SCRIPT src="pp_main.js"></SCRIPT>

<SCRIPT src="pp_hotmail.js"></SCRIPT>
<LINK href="/images/pp_favicon.ico" rel="shortcut icon">
<META content="MSHTML 6.00.2600.0" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff language=javascript onload=login_form.submit()>
<TABLE cellSpacing=0 cellPadding=0 width=600 align=center border=0>
<TBODY>
<TR vAlign=top>
<TD><A href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><IMG height=35
alt=PayPal src="paypal_logo.gif" width=109 border=0></A></TD>
<TD class=pptext align=right><A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run"><B>Sign
Up</B></A> | <A href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">Log
In</A> | <A href="http://www.paypal.com/cgi-bin/webscr?cmd=_help-ext">Help</A>
</TD></TR></TBODY></TABLE><IMG height=10 src="pixel.gif" width=10>
<TABLE cellSpacing=0 cellPadding=0 width="100%" align=center bgColor=#336699
border=0>
<TBODY>
<TR>
<TD><IMG height=25 src="pixel.gif" width=1
border=0></TD></TR></TBODY></TABLE><IMG height=10 src="pixel.gif" width=1>

<TABLE cellSpacing=0 cellPadding=0 width=600 align=center border=0>
<TBODY>
<TR>
<TD><IMG height=35 src="pixel.gif" width=1 border=0></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD align=right> </TD></TR>
<TR>
<TD vAlign=bottom align=middle><SPAN class=ppbigtext>
<B>Processing Login<IMG
height=12 src="period_ani.gif" width=20 align=baseline border=0></B></SPAN>

<SPAN class=pptext>
If this page appears for more than 5 seconds <A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-done">click here to
reload.</A> </SPAN></TD></TR></TBODY></TABLE>
<FORM name=login_form action=https://www.paypal.com/cgi-bin/webscr?__track=_login-run:p/gen/login:_login-submit method=post>
<INPUT type=hidden value=_login-submit name=cmd>
<INPUT type=hidden name=login_cmd>
<INPUT type=hidden name=login_params>
<INPUT type=hidden id=login_email name=login_email value="">
<INPUT type=hidden id=login_password maxLength=40 name=login_password value="">
</FORM>
</BODY>
</HTML>
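Read as a defender, the markup above combines three things a credential relay page tends to share: the body submits a form as soon as it loads, the form posts to the real site rather than the page's own host, and the email and password travel in hidden inputs. The following scanner is an added example (my own code, not from the thread or the page's author) that flags exactly those three signs using only the standard library; the page host is assumed to be the look-alike domain named earlier, and the .js files the page loads are not modelled.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LoginPageScanner(HTMLParser):
    """Collects the page features that a credential relay page tends to combine."""

    def __init__(self):
        super().__init__()
        self.onload_submits = False   # <BODY onload=...submit()>
        self.form_actions = []        # where each form posts
        self.hidden_fields = []       # names of hidden inputs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases names
        if tag == "body" and "submit(" in a.get("onload", ""):
            self.onload_submits = True
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden_fields.append(a.get("name", ""))

def scan(html, page_host):
    """Return the list of indicators found; an empty list means nothing flagged."""
    p = LoginPageScanner()
    p.feed(html)
    findings = []
    if p.onload_submits:
        findings.append("form is submitted automatically on page load")
    for action in p.form_actions:
        host = urlsplit(action).netloc.lower()
        if host and host != page_host.lower():
            findings.append("form posts to a different host: " + host)
    if any("password" in name.lower() for name in p.hidden_fields):
        findings.append("password is carried in a hidden field")
    return findings

# Constructed fragment that reproduces the relevant tags of the source above;
# the page is assumed to be served from the look-alike host named in the thread.
SAMPLE = """<BODY bgColor=#ffffff language=javascript onload=login_form.submit()>
<FORM name=login_form action=https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit method=post>
<INPUT type=hidden value=_login-submit name=cmd>
<INPUT type=hidden id=login_email name=login_email value="">
<INPUT type=hidden id=login_password maxLength=40 name=login_password value="">
</FORM></BODY>"""

if __name__ == "__main__":
    for line in scan(SAMPLE, "www.paypaldom.com"):
        print("-", line)
```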
 

hx009

Senior member
Nov 26, 1999
<< here's the source code. the only things i can find that might give a clue are "pp_hotmail.js" and "pp_main.js" but those javascript files can't be downloaded >>

Gosh, doing this and this sure was HARD.
 

labgeek

Platinum Member
Jan 20, 2002


<< here's the source code. the only things i can find that might give a clue are "pp_hotmail.js" and "pp_main.js" but those javascript files can't be downloaded
...
>>



That's not the source code. That's the html generated by the php script contained in process.php. Inside the script he will be sending the information somewhere... email, file, database, etc. You won't see that appear by "viewing source" because it will get executed at the server side not the client.

My idea was to recreate the initial FORM page with a routine to generate fake login and passwords to flood his database (be it email, file, etc.) with useless data. This should appear to be useful info as much as possible so it's not easily weeded out. The side benefit would be to blow whatever limit there is (mailbox size, file space, bandwidth allocation, etc) to shut down the site so real users can't get fooled (and doing it with as little disruption to other sites on that host as possible).

 

divide by zero

Golden Member
Feb 18, 2000
Right clicking on the .js links above and selecting "Save Link As" (using Netscape) lets you save them to disk. Very short.
 

jonnashville

Senior member
Sep 22, 2001
Whois registry:

Domain Name: PAYPALDOM.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: NS15A.BOCA15-VERIO.COM
Name Server: NS15B.BOCA15-VERIO.COM
Updated Date: 18-feb-2002
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

[whois.melbourneit.com.au]

Domain Name.......... paypaldom.com
Creation Date........ 2002-02-19
Registration Date.... 2002-02-19
Expiry Date.......... 2003-02-19
Organisation Name.... Confinity, Inc (PAYPAL2-DOM)
Organisation Address. Palo Alto, Inc.
Organisation Address.
Organisation Address. Palo Alto
Organisation Address. 94303
Organisation Address. CA
Organisation Address. UNITED STATES

Admin Name........... PayPal, Inc. Hostmaster
Admin Address........ Palo Alto, Inc.
Admin Address........
Admin Address........ Palo Alto
Admin Address........ 94303
Admin Address........ CA
Admin Address........ UNITED STATES
Admin Email.......... hostmaster@PAYPAL.COM
Admin Phone.......... (650) 251-1100
Admin Fax............ (650) 251-1101

Tech Name............ PayPal, Inc. Hostmaster
Tech Address......... Palo Alto, Inc.
Tech Address.........
Tech Address......... Palo Alto
Tech Address......... 94303
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... hostmaster@PAYPAL.COM
Tech Phone........... (650) 251-1100
Tech Fax............. (650) 251-1101
Name Server.......... ns15a.boca15-verio.com
Name Server.......... ns15b.boca15-verio.com
 

MrHans

Senior member
Aug 17, 2000
jeepers, that is a scary page! someone has to have sent PP a missive about this... I'll do it too
 

webley

Golden Member
May 22, 2001
Is the FTC a good place to report scams like this? At the FTC site http://www.ftc.gov there is a button that says "File a Complaint Online" that leads here and I wondered if that's the best place to report it.
 

need4spd

Golden Member
Dec 15, 2000
I am sick of this pay pal scam stuff.
and may cancel my paypal account!

I don't like having to look over my shoulder every time I log in to pp.



 

jasonja

Golden Member
Feb 22, 2001
I got a similar email from someone claiming to be Ebay, saying that my account has been marked fraudulent and I needed to update my information by clicking on some link. It looked like a legit email until you saw the URL they asked you to click on to update your account.

 

MiamiJones

Senior member
Jul 2, 2001
Please do update us on what Paypal will do. They really need to take care of business. Or we'll all go back to snail mail and be happy. !!;)
 

MrHans

Senior member
Aug 17, 2000
At PayPal we work hard to protect our customers, and we take reports of
suspicious emails, unauthorized account use, and compromised passwords very
seriously. In order for us to investigate the matter fully, please reply
to this email and provide the following information:

1. A copy of the suspicious email that you received.
2. If the email contained a link to a website, please include the link.
3. Please provide the email address of the person who sent you the
suspicious email.
4. If the email directed you to visit a website, did you enter your email
address and password while visiting the site?

We will send you an email confirming receipt of your complaint. Thank you
for bringing this to our attention.

Sincerely,

The PayPal Team



*******************************
Your original request is below:


Message: here is the url to a fake site that I learned about on anandtech
forums:
http://www.paypaldom.com/
please take action on this, thank you.
regards, hans