phishing

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
I made a purchase via PayPal yesterday. Apparently some criminal intercepted the e-mail from PayPal to me. I just received an e-mail at the e-mail address I registered with PayPal. Of course it claims to come from PayPal.

It wants me to click a link that would take me to .ro land.

I don't understand why e-mails are sent in the clear.

For you collectors out there, here's the phishy e-mail:
phony e-mail
 

KevinL

Flashlight Enthusiast
Joined
Jun 10, 2004
Messages
5,866
Location
At World's End
Hmm... that looks more like a "generic" email, rather than an intercepted email. Interception would be very difficult unless the attacker is directly in the path of the email (i.e. has access to the networks, and more likely, the mail server it is stored on).

This email sounds fairly generic, so it is likely they found your account by chance, and coincidentally, just after you've made a purchase. An attacker trying to conduct a man-in-the-middle (MITM) attack would include real details about your payment and your purchase in the mail itself in order to make it look even more legitimate.

Nevertheless, it is good to be vigilant. Email is, by default, insecure since there is no widespread, transparent email encryption standard (PGP is the closest, but not widespread enough, as, say, SSL). The best way is always to log in to your PayPal account for statements and such.

Good job in not falling for it!
 

evan9162

Flashlight Enthusiast
Joined
Apr 18, 2002
Messages
2,639
Location
Boise, ID
Agreed. This is the generic paypal phishing email that everyone gets - it wasn't targeted specifically against you.

Think of it this way - there are paypal transactions happening all the time. Someone spams out a phishing email. There are going to be a certain number of people such that this email appears as if it were related to their recent transaction. This time, it just happened to be you.

Use good passwords, use good judgement with your email, and keep an eye out for things, and you shouldn't have anything to worry about.
 

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
It's not hard to be vigilant. I just remember two rules.

1. PayPal doesn't put log-in links in their e-mails.
2. Re-read rule #1.

-------------------------------------------------------
Where did they get my PayPal e-mail address? PayPal has it and I have it. Yahoo mail has it inadvertently because they collect my e-mail but they don't know it's my PayPal address, unless they put 2 and 2 together. Nobody else has it.

I use Yahoo Address Guard e-mail addresses and they really work. I've never gotten a single spam e-mail to any of them, and they are all over the internet. Apparently spammers know they are disposable and don't bother. But only PayPal and I (and this criminal) have my PayPal e-mail address.

As I remember, lots of IP hosts get involved dynamically in handling IP traffic. I'd guess there would be a lot of people with access to it.

I wonder about the communication links between IP hosts. It should be easy to tap into. Is this stuff encrypted?

Of course the criminal wasn't targeting me. I figure he was looking for e-mail from PayPal to anyone.
 

Icebreak

Flashlight Enthusiast
Joined
Aug 14, 2002
Messages
4,998
Location
by the river
Phishy bass turds indeed.

I see something interesting about it but please don't think this is conclusive.

What's interesting is that the .htm email that was sent to you resides on an amateurish site with a supposed purpose of helping XP users.

http://www.hypercon.net/~blisscomm

It's the last file in the picture directory.

http://www.hypercon.net/~blisscomm/Pictures

However hypercon is supposed to be a cheap ISP. Likely they offer web hosting.

http://www.hypercon.net

"Steve B" references the blisscom site on a forum for XP annoyances.

http://www.annoyances.org/exec/forum/winxp/t1106843864

WhoIs says this about hypercon.net
________________________________________________________________
Registrant: EZ2 Network, Inc., 484 E. Los Angeles Ave #204 Moorpark, CA 93021 US Registrar: DOTSTER
Domain Name: HYPERCON.NET Created on: 04-FEB-02
Expires on: 04-FEB-10 Last Updated on: 17-DEC-04
Administrative, Technical Contact: Ibrahim, Mounir [email protected] EZ2 Network, Inc.,
484 E. Los Angeles Ave #204 Moorpark, CA 93021
US 805.378.6240 805-378-6238
Domain servers in listed order: SHADOW2.EZ2.NET ENYO2.EZ2.NET
-----------------------------------------------------------------
In 2001 EZ2 Network was sent this DEMAND LETTER for Subscriber Identity:

http://www.supremelaw.org/copyrite/ez2net.net/subid.htm

I'm not saying any of the folks or sites mentioned above are up to no good. It could be that the Phishermen somehow put that .htm file on that site without the owner's knowledge and use it at will.

Could it be that simply asking hypercon to have blisscomm remove that file would save a few others from receiving it?

From hypercon: "Management - To reach a key decision maker and provide us your feedback, please email the company president [email protected]. You can also call the corporate office at (888) 817-8323 ext 225 from 9am-5pm PST M-F."

It looks like they have http://www.ez2.net/company.html hosting web pages but I don't see Genesee Tech or blisscom listed there.

Anyway. Interesting email you got. Gotta love that domain name, hyperCON.
 

evan9162

Flashlight Enthusiast
Joined
Apr 18, 2002
Messages
2,639
Location
Boise, ID
[ QUOTE ]
eluminator said:
It's not hard to be vigilant. I just remember two rules.

1. PayPal doesn't put log-in links in their e-mails.
2. Re-read rule #1.

-------------------------------------------------------
Where did they get my PayPal e-mail address? PayPal has it and I have it. Yahoo mail has it inadvertently because they collect my e-mail but they don't know it's my PayPal address, unless they put 2 and 2 together. Nobody else has it.

I use Yahoo Address Guard e-mail addresses and they really work. I've never gotten a single spam e-mail to any of them, and they are all over the internet. Apparently spammers know they are disposable and don't bother. But only PayPal and I (and this criminal) have my PayPal e-mail address.

As I remember, lots of IP hosts get involved dynamically in handling IP traffic. I'd guess there would be a lot of people with access to it.

I wonder about the communication links between IP hosts. It should be easy to tap into. Is this stuff encrypted?

Of course the criminal wasn't targeting me. I figure he was looking for e-mail from PayPal to anyone.

[/ QUOTE ]


Is your email address a name or word, or a name or word followed by 1 or 2 numbers? If so, they probably dictionary brute-forced it. You generate an email list consisting of combinations of names/words and numbers, then spew those user IDs out to the most common mail hosts. If it gets bounced, toss it. Otherwise, mail gets successfully delivered - boom - they've got a valid email.

My gmail account started getting spam because they brute-forced my email address. I stupidly decided to use their common [email protected] for my address - since that's a format that gmail suggests (and so many people use), it was easy to brute force, and now I'm getting a lot of spam from a single source (the same 3 emails over and over). But, gmail's spam recognition is very good, so they all end up in my spam inbox.
 

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
Icebreak. That amateur is me. Please be kind. I never said I was a professional. :) I use my website at my ISP to store stuff. The link in my first post goes there. I guess you missed that one :)

But the real question is, did you find my PayPal e-mail address anywhere?

I still say the criminal has situated himself somewhere that handles IP traffic and is just reading the mail. The phony e-mail uses the exact from address and the exact to address that PayPal used a few hours earlier.
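The questions raised in this thread about who handles a message in transit, and whether those links are encrypted, can be answered from the message itself. The following is an added example, not code from the thread: it walks the Received: headers, which each relay stamps onto the message in turn (newest on top), and reports for every hop which host handed the mail to which, the IP the relay saw, and whether that hop used TLS (the ESMTPS/SMTPS tokens) or plain SMTP. The From: line, by contrast, is just text the sender typed and is shown only for comparison. The message, host names and addresses below are constructed for the example.

```python
"""
Added example (not from the thread): trace a message's Received: chain.

Every host name and address in RAW_MAIL is made up. The regexes cover the
common "from X (Y [ip]) by Z with PROTO" form written by mainstream MTAs.
"""
import re
from email import message_from_bytes, policy

# Constructed sample: an outside host hands the mail to the victim's MX over
# plain ESMTP; the MX then forwards it to the mailstore over ESMTPS (TLS).
RAW_MAIL = b"""Received: from mx2.mail.example.net (mx2.mail.example.net [192.0.2.20])
\tby store1.mail.example.net with ESMTPS id 4a1b;
\tMon, 10 Jan 2005 09:14:02 -0500
Received: from dsl-pool-77.example.ro (unknown [203.0.113.77])
\tby mx2.mail.example.net with ESMTP id 9f3c;
\tMon, 10 Jan 2005 09:14:01 -0500
From: service@paypal.com
To: flashlight-buyer@example.net
Subject: Your payment has been received

Please log in to confirm your transaction.
"""

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?"  # claimed host (+ what the relay saw)
    r".*?\bby\s+(?P<by>\S+)"                             # the relay that wrote this line
    r"(?:.*?\bwith\s+(?P<with>\S+))?",                   # protocol token: ESMTP, ESMTPS, ...
    re.I | re.S,
)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def hops(raw: bytes) -> list[dict]:
    """Received: lines in chronological order, first hop first."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(value))
        if not m:
            continue
        proto = (m.group("with") or "").upper()
        ip = IP_RE.search(m.group("info") or "")
        out.append({
            "from": m.group("from"),
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "with": proto,
            # ESMTPS / ESMTPSA / SMTPS mean the hop ran under TLS; a bare
            # (E)SMTP token means the message crossed that link in the clear.
            "encrypted": proto.startswith(("ESMTPS", "SMTPS")),
        })
    return out


def entry_point(raw: bytes) -> dict:
    """The hop at which the message entered the recipient's mail system."""
    return hops(raw)[0]


def claimed_sender(raw: bytes) -> str:
    """The From: header, which the sender writes freely."""
    return str(message_from_bytes(raw, policy=policy.default)["From"])


if __name__ == "__main__":
    print("From: header claims:", claimed_sender(RAW_MAIL))
    for h in hops(RAW_MAIL):
        print(f"{h['from']} [{h['from_ip']}] -> {h['by']} via {h['with']} "
              f"({'TLS' if h['encrypted'] else 'clear'})")
```

Only the Received: lines written by servers you trust are reliable; anything below them may have been forged by the sender. In the sample the first trustworthy line shows the mail arriving from a dial-up pool address over an unencrypted hop, whatever the From: header says.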
 

Icebreak

Flashlight Enthusiast
Joined
Aug 14, 2002
Messages
4,998
Location
by the river
Oh my. I'm truly impressive ain't I. Boy, I surefire tracked you down. The site isn't that bad at all. No, I couldn't find your PayPal email on your site.

For my next trick... *blush*
 

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
I don't think it was a brute force cracking. My address doesn't have numbers. The thing is, I have around 15 Address Guard e-mail addresses. I've never gotten any spam or phishing e-mails on any of them. Today I got this one on my PayPal address that was phishing for my PayPal account access.

I still want to know why everyone is still using the incredibly stupid SMTP for e-mail. A 6 year old retard could come up with something better. It should be easy to implement. Yahoo mail, or some other e-mail service could come up with a better protocol for accepting e-mails. It would run alongside SMTP. Anyone wanting to use encrypted e-mail could use it. In the meantime regular e-mail would be handled as always.

They have done this for POP accounts many times. We're now up to POP3, and it was painless. I'm sure the e-mail servers will still handle POP2, etc.

One of the really stupid things about SMTP is there is no real provision for attachments. If you knew how attachments were handled, you would gag. Binary attachments are the worst. SMTP doesn't allow any binary so all binary files have to be encoded in a manner that changes everything to displayable ASCII.

Hell, a tree frog could come up with something better than this just by jumping on the keyboard for a while.
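The attachment handling described above can be seen directly. The following is an added example, not code from the thread: it builds a message with a binary attachment using Python's standard email library, serialises it the way it would travel over SMTP, checks that the wire form contains nothing but 7-bit ASCII, and decodes the attachment back out. The addresses, file name and payload are made up for the example.

```python
"""
Added example (not from the thread): binary data through a 7-bit channel.

Addresses, the file name and PAYLOAD are constructed for this example.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Every byte value 0-255, so the payload cannot pass a 7-bit channel untouched.
PAYLOAD = bytes(range(256)) * 4


def build_message(payload: bytes, filename: str) -> bytes:
    """Build a mail with one binary attachment and return its wire form."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "binary attachment over a 7-bit channel"
    msg.set_content("The file is attached.")
    # Non-text content is given Content-Transfer-Encoding: base64 by default:
    # every 3 raw bytes become 4 printable characters, plus line breaks.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def is_seven_bit(wire: bytes) -> bool:
    """True when every byte is ASCII, i.e. safe for a classic SMTP relay."""
    return all(b < 0x80 for b in wire)


def transfer_encoding(wire: bytes) -> str:
    """The Content-Transfer-Encoding the attachment part was given."""
    msg = message_from_bytes(wire, policy=policy.default)
    part = next(msg.iter_attachments())
    return str(part["Content-Transfer-Encoding"])


def extract_attachment(wire: bytes) -> tuple[str, bytes]:
    """Decode the attachment back out of the wire form."""
    msg = message_from_bytes(wire, policy=policy.default)
    part = next(msg.iter_attachments())
    return part.get_filename(), part.get_content()


if __name__ == "__main__":
    wire = build_message(PAYLOAD, "blob.bin")
    print("payload 7-bit clean:", is_seven_bit(PAYLOAD))
    print("wire form 7-bit clean:", is_seven_bit(wire), "using", transfer_encoding(wire))
    print("round trip intact:", extract_attachment(wire) == ("blob.bin", PAYLOAD))
```

The roughly one-third size inflation is the cost of base64; the 8BITMIME and BINARYMIME SMTP extensions exist to avoid it, but a sender can only rely on them when every relay on the path advertises support, so encoding remains the default.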
 

AlexGT

Flashlight Enthusiast
Joined
Jan 15, 2001
Messages
3,651
Location
Houston, Texas
Today I received this email in my spam email account (The one I use to register to sites):

+++++++++++++++++++++++++++++++++++++++++
Dear CitiFinancial customer,

Due to malfunction of our database server some of the vital data related to your account has been lost. Click here to prove your identity.

Please, update your account information in 3 days or your account will be suspended.

Copyright © 1997 – 2004 CitiFinancial
+++++++++++++++++++++++++++++++++++

The click here leads you to another page

DISCLAIMER: THE FOLLOWING SITE (URL) IS A FAKE SITE!!!, I DO NOT ASSUME ANY RESPONSIBILITY IF YOU ARE DUMB ENOUGH TO ENTER ANY INFORMATION ON IT.

I have firewall installed and other computer protections to shield me from harm. It didn't set off any alarms, but click at your own risk.

http://citifinancupd.com/billinginfo/

As you can see it looks really legit. It even has links to the official CitiFinancial page, but this actual page is phony, and is not a secure site (does not have the HTTPS). I even tried to enter a made-up number to see what happened next and it seems to have the algorithm to check the last verifying digit of a card.

I hope these guys end up as fish food somewhere. And you be very wary of this type of fraud and not be a victim.

Sincerely:
AlexGT
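The "algorithm to check the last verifying digit" that the fake page appears to run is the Luhn formula, the same check a legitimate card-entry form uses to reject typos before submitting. The following is an added example, not code from the thread or from the site: a validator plus the routine that computes the check digit, shown with published test numbers (these are standard test values, not real cards). Luhn catches transposed or mistyped digits; it says nothing about whether the card exists or belongs to anyone, which is why a phishing page can use it to filter out junk entries cheaply.

```python
"""
Added example (not from the thread): the Luhn check-digit formula that
card-entry forms run before submitting a number.

The numbers in the usage block are published test values, not real cards.
"""
from typing import Optional


def _digits(number: str) -> Optional[list[int]]:
    """Accept spaces and dashes as separators; reject anything else non-numeric."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit():
        return None
    return [int(c) for c in cleaned]


def luhn_valid(number: str) -> bool:
    """True when the rightmost digit is the correct Luhn check digit."""
    digits = _digits(number)
    if not digits or len(digits) < 2:
        return False
    total = 0
    # Walk from the right: double every second digit, folding 10..18 to 1..9.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The digit that, appended to `partial`, makes the whole number Luhn-valid."""
    digits = _digits(partial)
    if not digits:
        raise ValueError("partial must contain only digits, spaces or dashes")
    total = 0
    # With the check digit still to come, the partial's rightmost digit is the
    # one that gets doubled, so the parity is flipped relative to luhn_valid().
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


if __name__ == "__main__":
    for n in ("79927398713", "4111 1111 1111 1111", "4111111111111112"):
        print(n, "valid" if luhn_valid(n) else "invalid")
    print("check digit for 7992739871:", luhn_check_digit("7992739871"))
```

Note what the check does not prove: any number that passes Luhn is accepted, so a page that validates this way and then posts the number off-site is gathering plausible card numbers, not verifying identity.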
 

AlexGT

Flashlight Enthusiast
Joined
Jan 15, 2001
Messages
3,651
Location
Houston, Texas
BTW eluminator, your computer may be hacked if it sounds too much of a coincidence; why don't you check for spyware.

www.spywareinfo.com click on the left where it says online spyware scanner.

Get spybotsearch and destroy and lavasoft adaware, look it up on a search engine, it's free.

Download and install the hosts file in "spyad"; look it up on the internet.

Get SpywareBlaster and install it, it's free

Get a firewall Zone alarm for instance, there is a free version too.

That will give you peace of mind while surfing.

AlexGT
 

ACMarina

Flashlight Enthusiast
Joined
Sep 10, 2004
Messages
3,119
Location
Brookston, IN
My buddy got an email from an Ebay seller (from out of country with no feedback to be heard of) saying that someone was selling stuff on their account with his username (Hmmm. .). And being nice, they said they wouldn't take action unless my friend didn't email them back. In the meantime, according to this person, it would be wise for my friend to log in to all of his passworded websites like Ebay, Paypal, banking, etc. and change them.

I asked him to forward the email to Ebay, Paypal and me. As soon as I got it my AV software popped up with a keylogger in the email. Luckily my friend uses a non-standard email program and his computer wasn't infected, but for anybody running sub-par AV and a MS Email program it would be a problem.

Just to let everybody know. .
 

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
AlexGT. I have SpyBot, AdAware, ZoneAlarm and SpywareBlaster. I don't think I've been hacked. Why hack me when you can hack an IP host machine and collect millions of addresses?

I'll try the on-line scanner after I've gotten more recommendations. In the meantime how do I know if SpywareInfo is actually downloading spyware to my machine? See, I'm real paranoid :)
 

sunspot

Flashlight Enthusiast
Joined
Aug 22, 2001
Messages
2,707
Location
Graham, NC
I got that Paypal email also. It went to my non-Paypal address so I knew it was phony and dumped it.
 

AlexGT

Flashlight Enthusiast
Joined
Jan 15, 2001
Messages
3,651
Location
Houston, Texas
You can visit the spywareinfo forums or wilderssecurity forums or any reputable security forum if you want a 2nd opinion of their trustworthiness.

They are nice people and have come thru several times when I had to fix a problem on a computer, and if they are giving you spyware, how come Ad-Aware didn't pick it up? Or xclean, the ones that do the online spyware scanner?

Also you might want to download HijackThis, which will let you know places in your computer's files and registry where spyware might hide, and give you the option to remove it.

Just my $0.02 worth.

AlexGT
 

James S

Flashlight Enthusiast
Joined
Aug 27, 2002
Messages
5,078
Location
on an island surrounded by reality
I do PayPal from my Mac. There are no currently circulating viruses, spyware or other malware for the machine. I have not been hacked, I'm fairly certain of this because I used to do unix security at a previous job and this Mac is mostly a unix machine so a lot of the same knowledge applies.

And with all that I still get the PayPal scam phishing emails every time I buy something on eBay. There must be a way to get the email address of someone who purchased something, even though my email is completely different than my eBay ID or anything like that.

So, you should definitely run the various scanners and blockers and whatnot that are necessary to safely run that other OS on the internet ;) But just because you're getting this email doesn't mean that they are in your system or hacked the email servers somehow. I get one periodically just doing nothing, but when I actually use eBay, I get dozens of them the next few days.

So rest easy, and just never click on a link in an email from PayPal or Citibank :) (I get those too and don't even have an account with them, so it's fairly easy to know it's a scam there)
 

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
Interesting you get them every time. It sounds like you are now in their database. Maybe it's an inside job at PayPal.

I have now gotten three of these e-mails in 24 hours. I never had this happen before. I guess I'm in their database now. If this happens on subsequent PayPal transactions, I will change my e-mail address and see what happens.

This phishing thing must be the world's oldest computer scam. Back in the 1970s there was a worm or something that would run some software on another Unix user's terminal. It looked like the Unix login stuff. But when the user would enter his username and password, it would be transmitted to some other nefarious character.

There's one thing I learned a long time ago. "Things ain't always what they seem to be".
 