PayPal phishing attempt.

CastleCops -> Phishing, Fraud and Dastardly Deeds

Author: Orac    Location: Third stone from the Sun    Posted: Wed Jul 02, 2008 2:33 pm    Post subject: PayPal phishing attempt.

Details
Quote:
Return-Path: <akstcacesemnsdgs@acese.com>
Delivered-To: 29-****@*********.com
Received: (qmail 3897 invoked from network); 2 Jul 2008 06:29:42 +0000
Received: from e176102064.adsl.alicedsl.de (HELO shri-fm6d2dbkts) (85.176.102.64)
    by malwareremoval.com with SMTP; 2 Jul 2008 06:29:41 +0000
Received-SPF: none (malwareremoval.com: domain at acese.com does not designate permitted sender hosts)
Received: from [85.176.102.64] by mail.acese.com; Wed, 2 Jul 2008 07:29:40 +0100
Date: Wed, 2 Jul 2008 07:29:40 +0100
From: abuse@intl.paypal.com
X-Mailer: The Bat! (v3.71.04) Home
Reply-To: akstcacesemnsdgs@acese.com
X-Priority: 3 (Normal)
Message-ID: <190841254.59227895522953@acese.com>
To: ****@**********.com
Subject: PayPal Security Measures
MIME-Version: 1.0
Content-Type: text/html;
    charset=Windows-1252
Content-Transfer-Encoding: 7bit
X-NAS-Bayes: #0: 4.62939E-035; #1: 1
X-NAS-Classification: 0
X-NAS-MessageID: 42965
X-NAS-Validation: {18FA6F6D-E771-4733-B913-C2DDDD6D3B88}



Source
Quote:

Return-Path: <akstcacesemnsdgs@acese.com>
Delivered-To: 29-****@**********.com
Received: (qmail 3897 invoked from network); 2 Jul 2008 06:29:42 +0000
Received: from e176102064.adsl.alicedsl.de (HELO shri-fm6d2dbkts) (85.176.102.64)
    by malwareremoval.com with SMTP; 2 Jul 2008 06:29:41 +0000
Received-SPF: none (malwareremoval.com: domain at acese.com does not designate permitted sender hosts)
Received: from [85.176.102.64] by mail.acese.com; Wed, 2 Jul 2008 07:29:40 +0100
Date: Wed, 2 Jul 2008 07:29:40 +0100
From: abuse@intl.paypal.com
X-Mailer: The Bat! (v3.71.04) Home
Reply-To: akstcacesemnsdgs@acese.com
X-Priority: 3 (Normal)
Message-ID: <190841254.59227895522953@acese.com>
To: ****@*********.com
Subject: PayPal Security Measures
MIME-Version: 1.0
Content-Type: text/html;
    charset=Windows-1252
Content-Transfer-Encoding: 7bit
X-NAS-Bayes: #0: 4.62939E-035; #1: 1
X-NAS-Classification: 0
X-NAS-MessageID: 42965
X-NAS-Validation: {18FA6F6D-E771-4733-B913-C2DDDD6D3B88}

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>

<html>
<TABLE cellSpacing=0 cellPadding=0 width=350 border=0>
<TBODY>
<TR>
<TD><IMG height=50 alt="" src="https://www.paypal.com/en_US/i/logo/paypal_logo.gif" width=200></TD>
</TR>
<TR>
<TD bgColor=#f3f1e9 rowSpan=2>
<TABLE cellSpacing=2 cellPadding=5 width=350 border=0>
<TBODY>
<TR>
<TD><P><FONT face=Arial size=2><b>Dear PayPal holder,<b></FONT></P>
<P><FONT face=Arial size=1>
PayPal Online Department has recently reviewed your account,<br> and suspect that your

PayPal account may have been<br> accessed from an unauthorized computer or by a third

party.<br> This may be due to changes in your IP address or location.<br> Protecting the

security of your account and the PayPal network<br> is our primary concern.<br><br>

Therefore, for your account protection and integrity,<br> PayPal Online Department has temporarily locked your account and recommends

you to login and report any unnoticed password changes, unauthorized withdrawals, and check

your account profile to make sure no changes have been made.<br><br>

To protect your account, please keep in mind these instructions:<br><br>

&nbsp;* Do not share your password with other users.<br><br>

 * Log off and close the Internet explorer window after using your<br> online account,

especially if you are in a public place.<br><br>

Please follow the link below to verify your identity and unlock your account:<br><br>

<a href="http://paypal.data-update.com"

target="_blank">https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit&dispatch=5885d80a13c0db1f1ff80d546411d7f823b5265b6559fc2aae010bfb00cf3c64</a><br><br>

<br>We apologize for any inconvenience this may cause, and appreciate your assistance in

helping us maintaining the integrity of the entire PayPal system.
<TD><FONT face=Arial size=2></FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2></FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2></FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2> </FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2> </FONT></TD></TR>
<TR>
<TD>
<FORM name=login><B> </B><BR></FORM></TD></TR></TBODY></TABLE></TD>
</TR>
</TBODY></TABLE></CENTER>
</html>

</BODY></HTML>


Email address obfuscated for obvious reasons.
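
The two giveaways in the message above are that the `From:` domain differs from where bounces and replies go, and that the link shows a paypal.com URL while its `href` points elsewhere. This is an added example, not part of the original post, that checks for both; the sample is abridged from the quoted message and the function and class names are illustrative.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Abridged from the message quoted in the post (body trimmed to the link).
SAMPLE = """\
Return-Path: <akstcacesemnsdgs@acese.com>
From: abuse@intl.paypal.com
Reply-To: akstcacesemnsdgs@acese.com
Content-Type: text/html; charset=Windows-1252

<html><body>Please follow the link below to unlock your account:
<a href="http://paypal.data-update.com">https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit</a></body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain(header_value):
    # Lower-cased domain of the address in a header, '' if the header is absent.
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phish_indicators(raw):
    msg, findings = message_from_string(raw), []
    from_dom = domain(msg["From"])
    for name in ("Return-Path", "Reply-To"):  # where bounces and replies go
        other = domain(msg[name])
        if other and other != from_dom and not from_dom.endswith("." + other):
            findings.append(f"{name} domain {other} != From domain {from_dom}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:  # visible URL vs. real destination
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link shows {shown} but points to {real}")
    return findings
```

Link text that is not itself a URL (for example "click here") is ignored by the second check, so it only flags anchors that display one host and lead to another.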

Author: AlphaCentauri    Posted: Wed Jul 02, 2008 3:37 pm    Post subject:

The correct place to post this is CastleCops Link/pirt.
That will fetch the source code for the site itself and will put it into the queue to have one of the PIRT handlers work on it. They gather evidence for law enforcement and look for ways to stop the personal data that victims have already entered from being collected by the phishers.




All times are GMT
