Just got a phishing email that claimed a PayPal problem. The phishers duplicated PayPal's lingo and look very closely. They also tried to leverage our tendency to scan pages rather than read them. The URL is mostly identical to PayPal's. The only difference is a dash instead of a dot and slash. They just made the processing part of PayPal (behind the .com) part of their domain. To disguise that, they encoded it:
h t t p : / / www.paypal-com-cgi-bin-xxx-pp7848%34%31%2E%63%6F%6D (not the real one to protect innocent people).
Which translates to:
h t t p : / / www.paypal-com-cgi-bin-xxx-pp784841.com
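As an added example (not part of the original post), this Python sketch undoes the percent-encoding in the host shown above and flags a brand name that appears outside the brand's own registered domain. The `BRAND_DOMAINS` table, the function names and the last-two-labels domain guess are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumption: brand keyword -> domains it legitimately uses (illustrative only).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def registrable_domain(host):
    """Naive guess: the last two labels. A production check should use
    the Public Suffix List (e.g. for names under .co.uk)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url):
    """Decode the host of a URL and report why it looks deceptive, if it does."""
    raw_host = urlsplit(url).hostname or ""
    # Decode first: %2E hides a dot, so label splitting must see the decoded host.
    host = unquote(raw_host).lower()
    domain = registrable_domain(host)
    findings = []
    if "%" in raw_host:
        findings.append("percent-encoded characters in host")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and domain not in legit:
            findings.append(f"'{brand}' in host but registered domain is {domain}")
    return {"host": host, "domain": domain, "findings": findings}


# The altered sample from the post above, and a constructed legitimate URL.
PHISH = "http://www.paypal-com-cgi-bin-xxx-pp7848%34%31%2E%63%6F%6D/"
BENIGN = "https://www.paypal.com/"  # constructed for comparison

if __name__ == "__main__":
    for u in (PHISH, BENIGN):
        print(analyze_url(u))
```

The dashes make everything up to `.com` a single label, so the registered domain is the whole `paypal-com-cgi-bin-xxx-pp784841.com` string rather than `paypal.com`.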
The mail was routed:
"from sebsoksa.com.previewmysite.com (localhost [127.0.0.1]) by web5.megawebservers.com (8.12.10/8.12.9) with ESMTP id j835Fiu3017824 for <email@example.com>; Sat, 3 Sep 2005 01:15:50 -0400"
which is fake of course (at least the from part).
What is very confusing: The IP address of the webserver is 18.104.22.168 running on IIS6 in Redmond!!! See for yourself! Somehow they managed to hijack the server for a reroute!
The true form that pops up is running on a 1 & 1 registered server by Mr. Solis:
Created On:18-Aug-2005 17:35:47 UTC
Expiration Date:18-Aug-2006 17:35:47 UTC
Registrant Name:Felipe Solis
Registrant Street1:415 N. Paseo Flamenco Apt
Registrant City:Rio Rico
Registrant Postal Code:85648
Registrant Email:etareke at hotmail.com
Admin Name:Felipe Solis
Admin Street1:415 N. Paseo Flamenco Apt
Admin City:Rio Rico
Admin Postal Code:85648
Admin Email:etareke at hotmail.com
Nice try Mr. Solis!
Hotmail doesn't care that their servers are used in a scam. I duly forwarded the message to firstname.lastname@example.org, explaining the problem. First I got a promising (auto) reply: "This is an auto-generated response designed to let you know that our system received your support inquiry and a Support Representative will review your question and respond to you soon."
About a second later (what a joke, that a support representative would have looked into it) Hotmail told me that, since it is not a Hotmail email (rather than their server), they won't look into it: "Unfortunately, we cannot take action on the mail you sent us because it does not reference a Hotmail account. Please send us another message that contains the full Hotmail e-mail address and the full e-mail message to:
Update 2: I just got an email from 1 & 1, who hosted the destination phishing site: "Dear Sir or Madam, thank you for bringing this matter to our attention. The account in question has been suspended."
Seems some ISPs do care! Well done 1&1.