CastleCops, Internet Crime Fighters
News by the Boss!: False PayPal Charges!
Phishing

False PayPal Charges!


By Robin Laudanski
September 9, 2005


Imagine my surprise when I got a receipt from PayPal telling me I just paid $175.85 for a Nokia phone. Of course I know I didn't just buy a phone and I know Paul didn't just buy a phone; we both have perfectly good phones. Which means one of two things: either a) our PayPal account was fraudulently used or b) it is yet another phishing scam. A quick perusal of the email proved it to be the latter.

Here are the headers of the email in question:
Return-Path:
Received: from 62.193.214.122 (vds-378825.amen-pro.com [62.193.214.122])
    by bugsbunny.castlecops.com (8.13.4/8.13.4) with SMTP id j89IAfnh004347
    for ; Fri, 9 Sep 2005 14:10:42 -0400
Received: from dns12.inbox.ru (dns12.inbox.ru [73.148.198.193]) by with SMTP;
    Fri, 09 Sep 2005 15:10:51 -0400
Date: Fri, 09 Sep 2005 18:02:51 -0100
From: "PayPal"
Reply-To: "PayPal"
Message-ID: <70802275387.409843025699815240819@stopcock>
To: Charmaine
Subject: This email confirms that you paid MICROBAZAR (sales@microbazaar.com) $175.85 USD using PayPal
X-Mailer: jura interdict
Organization: anomaly dilettantes from 8953
X-NOD32Result: clean
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
    bugsbunny.castlecops.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.8 required=5.2 tests=BAYES_50,FULL_REFUND,
    HTML_80_90,HTML_MESSAGE,IP_LINK_PLUS,NORMAL_HTTP_TO_IP,
    RCVD_IN_NJABL_SPAM,RCVD_NUMERIC_HELO autolearn=no version=3.0.4
X-Spam-DCCB: CTc-dcc1
X-Spam-DCCR: bugsbunny.castlecops.com 1030; Body=2 Fuz1=2 Fuz2=2
Status:
X-Antivirus: AVG for E-mail 7.0.344 [267.10.19]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-4321D1057A0F======="

A few things that should trigger bells and whistles right away:

I haven't changed my name to Charmaine (neither has Paul)
I've never heard of Microbazaar.com
PayPal hasn't stopped using their own email servers for inbox.ru servers

The email itself is like most of the current phishing scams where the images are pulled directly from the originating source. Tables are the same as they would be in a real receipt. Take a look at the email below; there is something wrong with it.
PayPal
 
Protect Your Account Info

PayPal will never ask you to enter your password in an email.

For more information on protecting yourself from fraud, please review our Security Tips at https://www.paypal.com/us/securitytips
Protect Your Password
You should never give your PayPal password to anyone, including PayPal employees.

Dear PayPal member,

This email confirms that you have paid MICROBAZAR $175.85 USD using PayPal.

This credit card transaction will appear on your bill as "PAYPAL MICROBAZAR.*"

Thank you for your purchase!


PayPal Shopping Cart Contents:                                         

Item Name: Nokia N90

Quantity: 1

TOTAL: $175.85 USD

------------------------------------------------------------------------

If you haven`t authorized this charge, click the link below to cancel the payment and get a full refund:

 

www.paypal.com/seg7645try56dfs/paypal-ssl/login.html

-----------------------------------------------------------------------




Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and choose the Help link located in the top right corner of any PayPal page.

To receive email notifications in plain text instead of HTML, update your preferences here.




PayPal Email ID PP4122
 
Mouse over the link that starts with paypal.com and you'll notice it doesn't go to PayPal at all. I took the time to follow the link through; it does go to a fake PayPal site. Everyone should be aware that this, like all scams I write about, has been reported to the FBI for investigation. I haven't personally seen this tactic used before, thus the reason for the article. Certainly PayPal being used in phishing scams isn't new, but trying to get people to divulge information via a fake website because they think they have been charged for something they haven't isn't as common. Normally emails suggest that your account will be suspended or needs to be updated for security purposes.

If you get an email like this, even if it does look real, do yourself a favor by not signing in via the links in the email. The login page this email points to looks real, but is not. The best thing you can do is open a new browser window and type the URL of the site in directly. Do not copy and paste the link from the email. If you don't know the direct URL of the site, do a Google search for it.

If you have been a victim of a Phishing scam and would like to share with the community please send Feedback to Robin with some details and I will contact you. If you would like to ask specific questions related to Phishing, or have information to share please visit CastleCops Phishing, Fraud and Dastardly Deeds forum. If you would like to write a review on an Anti-Phishing Product, please submit your review to our Anti-Phishing Product Reviews Section.
Posted on Friday, 09 September 2005 @ 14:42:01 UTC by Robin (34722 reads)