Phishing gets more sophisticated
Just got a phishing email that claimed a PayPal problem. The phishers duplicated PayPal's lingo and look very closely. They also tried to leverage our tendency to scan pages rather than to read them. The URL is mostly identical to PayPal's. The only difference is a dash instead of a dot and a slash: they made the processing part of PayPal's URL (everything behind the .com) part of their own domain name. To disguise that, they percent-encoded the tail of the hostname:
h t t p : / / www.paypal-com-cgi-bin-xxx-pp7848%34%31%2E%63%6F%6D (not the real one to protect innocent people).
Which translates to:
h t t p : / / www.paypal-com-cgi-bin-xxx-pp784841.com
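The trick above rests on two things: the browser percent-decodes the host before resolving it, and the eye stops reading at "paypal". The following is an added example (not code from the original post) that decodes such a link and checks which domain will actually be resolved. The sample link is the placeholder from the post, not the real phishing URL; the registrable-domain check is a simplification that takes the last two labels and would need the Public Suffix List for suffixes like co.uk.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample: the obfuscated link as quoted in the post (placeholder,
# not the real phishing URL). Note the %XX escapes inside the *host* part.
SAMPLE_LINK = "http://www.paypal-com-cgi-bin-xxx-pp7848%34%31%2E%63%6F%6D/"

# Domains the brand actually owns (assumption for this example).
LEGIT_DOMAINS = {"paypal.com"}


def host_has_escapes(url: str) -> bool:
    """A legitimate hostname never needs %XX escapes; their presence in the
    authority part of a URL is a red flag on its own."""
    return "%" in urlsplit(url).netloc


def decode_host(url: str) -> str:
    """Percent-decode the URL, then return the lower-cased host.

    The decoded form is what gets resolved in DNS, not the form the reader
    saw in the mail, so every check below works on the decoded host.
    """
    decoded = unquote(url)
    host = urlsplit(decoded).hostname
    if host is None:
        raise ValueError("URL has no host part")
    return host.lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host.

    Simplification: a production check must use the Public Suffix List so
    that e.g. example.co.uk is not reduced to co.uk.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(url: str, legit=LEGIT_DOMAINS) -> dict:
    """Decide whether the link merely *mentions* a brand or actually belongs
    to it. Hyphens keep 'paypal-com-cgi-bin' inside one label, so the
    registrable domain ends up being the attacker's, not paypal.com."""
    host = decode_host(url)
    reg = registrable_domain(host)
    brand_names = {d.split(".")[0] for d in legit}
    brand_mentioned = any(b in host for b in brand_names)
    return {
        "host": host,
        "registrable_domain": reg,
        "is_legit": reg in legit,
        "brand_mentioned": brand_mentioned,
        "escapes_in_host": host_has_escapes(url),
        "suspicious": (brand_mentioned and reg not in legit) or host_has_escapes(url),
    }


if __name__ == "__main__":
    for link in (SAMPLE_LINK, "https://www.paypal.com/cgi-bin/webscr"):
        print(assess_link(link))
```

Run against the sample link, `decode_host` yields `www.paypal-com-cgi-bin-xxx-pp784841.com` and the registrable domain is `paypal-com-cgi-bin-xxx-pp784841.com`, which is not in the brand's domain set, so the link is flagged; the genuine `https://www.paypal.com/cgi-bin/webscr` is not.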
The mail was routed:
"from sebsoksa.com.previewmysite.com (localhost [127.0.0.1]) by web5.megawebservers.com (8.12.10/8.12.9) with ESMTP id j835Fiu3017824 for <stephan@wissel.net>; Sat, 3 Sep 2005 01:15:50 -0400"
which is fake of course (at least the "from" part).
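In a Sendmail-style Received line the name after "from" is whatever the sending side announced in its HELO; only the part in parentheses (reverse DNS and address) is what the receiving server observed. Here the receiving host saw the connection come from localhost [127.0.0.1], i.e. from itself. The following added example (not from the original post) parses such a line and reports that mismatch; the Received line is a constructed copy of the one quoted above, and the clean comparison line uses made-up names and a documentation address.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed copy of the Received line quoted in the post, joined onto one line.
RECEIVED = (
    "from sebsoksa.com.previewmysite.com (localhost [127.0.0.1]) "
    "by web5.megawebservers.com (8.12.10/8.12.9) with ESMTP id j835Fiu3017824 "
    "for <stephan@wissel.net>; Sat, 3 Sep 2005 01:15:50 -0400"
)

# Constructed clean line for comparison (example.org names, TEST-NET address).
CLEAN = (
    "from mail.example.org (mail.example.org [203.0.113.5]) "
    "by mx.example.net (8.12.10/8.12.9) with ESMTP id abc123 "
    "for <someone@example.net>; Sat, 3 Sep 2005 01:15:50 -0400"
)

# from <HELO name> (<reverse DNS, optional> [<peer address>]) by <receiver>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)"
)

# Loopback plus RFC 1918 ranges: a hop "from" one of these never came over
# the Internet from the machine named in the HELO.
LOCAL_NETS = [
    ip_network("127.0.0.0/8"),
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def parse_received(line: str) -> dict:
    """Split one Sendmail-style Received line into its claimed and observed parts."""
    m = RECEIVED_RE.search(line)
    if not m:
        raise ValueError("not a Sendmail-style Received line")
    hop = m.groupdict()
    hop["rdns"] = hop["rdns"] or ""
    return hop


def received_findings(line: str) -> list:
    """Return human-readable findings for the hop; an empty list means the
    claimed origin and the observed origin are consistent."""
    hop = parse_received(line)
    findings = []
    peer = ip_address(hop["ip"])
    if any(peer in net for net in LOCAL_NETS):
        findings.append(
            f"peer address {peer} is local to {hop['by']}: the message was "
            f"handed in on that host itself, so the HELO name {hop['helo']} "
            f"says nothing about where it really came from"
        )
    helo, rdns = hop["helo"].lower(), hop["rdns"].lower()
    if rdns and helo != rdns and not helo.endswith("." + rdns):
        findings.append(
            f"HELO name {hop['helo']} does not match the reverse DNS "
            f"{hop['rdns']} seen by the receiving server"
        )
    return findings


if __name__ == "__main__":
    for line in (RECEIVED, CLEAN):
        print(received_findings(line) or ["consistent"])
```

For the quoted line this reports both findings (local peer address, HELO name not matching the observed reverse DNS); for the clean line it reports nothing. Only the topmost Received line, added by your own mail server, can be trusted at all; every lower one may have been forged by the sender.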
What is very confusing: the IP address of the web server is 65.54.132.254, running IIS 6 in Redmond!!! See for yourself! Somehow they managed to hijack that server for a redirect!
The actual form that pops up is hosted on a 1&1 server, under a domain registered to Mr. Solis:
Domain ID:D10723261-LRMS
Domain Name:ID-PP75216122155155554454.INFO
Created On:18-Aug-2005 17:35:47 UTC
Expiration Date:18-Aug-2006 17:35:47 UTC
Sponsoring Registrar:R113-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C11011092-LRMS
Registrant Name:Felipe Solis
Registrant Street1:415 N. Paseo Flamenco Apt
Registrant City:Rio Rico
Registrant State/Province:AZ
Registrant Postal Code:85648
Registrant Country:US
Registrant Phone:+1.5205484584
Registrant Email:etareke at hotmail.com
Admin ID:C11011092-LRMS
Admin Name:Felipe Solis
Admin Street1:415 N. Paseo Flamenco Apt
Admin City:Rio Rico
Admin State/Province:AZ
Admin Postal Code:85648
Admin Country:US
Admin Phone:+1.5205484584
Admin Email:etareke at hotmail.com
Nice try Mr. Solis!
Update: Hotmail doesn't care that their servers are used in a scam. I duly forwarded the message to abuse@hotmail.com, explaining the problem. First I got a promising (auto) reply: "This is an auto-generated response designed to let you know that our system received your support inquiry and a Support Representative will review your question and respond to you soon." About a second later (what a joke, that a support representative would have looked into it) Hotmail told me that since it is not a Hotmail email (rather than their server), they won't look into it: "Unfortunately, we cannot take action on the mail you sent us because it does not reference a Hotmail account. Please send us another message that contains the full Hotmail e-mail address and the full e-mail message to:
abuse@hotmail.com".
Update 2: I just got an email from 1&1, who hosted the destination phishing site: "Dear Sir or Madam, thank you for bringing this matter to our attention. The account in question has been suspended."
Seems some ISPs do care! Well done 1&1.
Posted by Stephan H Wissel on 04 September 2005 | Comments (0) | categories: Gone Phisching