[Full-Disclosure] [Full-Disclosure]: Attempt to steal paypal password

Nick Jacobsen nick at ethicsdesign.com
Tue Nov 11 12:59:55 GMT 2003 

I see  this crap posted to the list all the time, and I have to ask,
what does this have to do with computer security?  If someone falls for
one of these scams, it is pure user error.  There are a few exceptions
to this rule, such as if the email uses an exploit of some sort to
change your hosts file, but this is very much not in that category.
These are so common that I am suprised you even noticed getting the damn
thing.
 
Nick Jacobsen
Ethics Design
nick at ethicsdesign.com <mailto:nick at ethicsdesign.com> 
 

	-----Original Message----- 
	From: Michael Linke 
	Sent: Tue 11/11/2003 1:04 AM 
	To: full-disclosure at lists.netsys.com 
	Cc: 
	Subject: [Full-Disclosure] [Full-Disclosure]: Attempt to steal
paypal password
	
	

	There seams to be a new faked Email on the way since today
morning, with the
	subject "PayPal User Agreement 9".
	The Email is in html form and content a Hyperlink named
	
	https://www.paypal.com/cgi-bin/webscr?cmd=login-run
	But under this hyperlink is not paypal, it is:
	
	http://www.paypal.com@64.191.16.16/.
	
	
	So someone is going to collect paypal passwords. Using this
password an
	attacker can send money from there. The whole action seams to be
a spamming
	attempt sent to random email addresses, because the receiver
Email Address
	Michael at smiley-power.de is not registered at paypal.
	
	
	According ARIN Whois the IP Search 64.191.16.16 belongs to:
	
	
	OrgName:    Network Operations Center Inc.
	OrgID:      NOC
	Address:    PO Box 591
	City:       Scranton
	StateProv:  PA
	PostalCode: 18501-0591
	Country:    US
	
	The Email comes from 68.77.201.24.
	(X-RBL-Warning: (dialup.bl.kundenserver.de) this mail has been
received from
	a dialup host.)
	
	
	Email Header below. The Email Msg is attached to this email.
	
	---------------------------------------------
	Return-path: <support at paypal.com>
	Envelope-to: michael at smiley-power.de
	Delivery-date: Tue, 11 Nov 2003 02:46:25 +0100
	Received: from [68.77.201.24]
	(helo=adsl-68-77-201-24.dsl.milwwi.ameritech.net)
	        by mxng14.kundenserver.de with smtp (Exim 3.35 #1)
	        id 1AJNbg-0005Xc-00
	        for michael at smiley-power.de; Tue, 11 Nov 2003 02:46:17
+0100
	Received: from paypal.com (smtp2.sc5.paypal.com [64.4.244.75])
	        by adsl-68-77-201-24.dsl.milwwi.ameritech.net (Postfix)
with ESMTP
	id D7A073BEBC
	        for <michael at smiley-power.de>; Mon, 10 Nov 2003 19:46:12
-0600
	From: Support <support at paypal.com>
	To: Michael <michael at smiley-power.de>
	Subject: PayPal User Agreement 9
	Date: Mon, 10 Nov 2003 19:46:12 -0600
	Message-ID: <110001c3a7f5$1fe9490f$e212810a at paypal.com>
	MIME-Version: 1.0
	Content-Type: text/html
	Content-Transfer-Encoding: quoted-printable
	X-Priority: 1 (Highest)
	X-MSMail-Priority: High
	X-Mailer: Microsoft Outlook, Build 10.0.2616
	Importance: High
	X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
	X-RBL-Warning: (dialup.bl.kundenserver.de) This mail has been
received from
	a dialup host.
	-------------------------------------------------------
	

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 6954 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031111/dc1c034c/attachment.bin

Full-Disclosure is hosted and sponsored by Secunia.