Email header:

Subject: Update your PayPal account Information
Date: Mon, 16 Jan 2012 00:43:26 +0100
Received: from WIN-QJ6LOAE77N1 (unknown [109.169.70.227])

The malicious link is:

hxxp://technologyprojects. org/wp-rss.php

That redirects to:

HTTP/1.1 302 Moved Temporarily
Date: Mon, 16 Jan 2012 01:08:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Location: hxxp://paypal.com-us.cgi-bin-webscr-cmd.login-submit-dispatch.74fghghs68g484iky4mn86we8r46d4h38df4b83m48hg3ui4ty84s83f4xcb78.norenterprises .com/us/webser/us
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

Note the long subdomain name that begins with “paypal.com”:

paypal.com-us.cgi-bin-webscr-cmd.login-submit-dispatch.74fghghs68g484iky4mn86we8r46d4h38df4b83m48hg3ui4ty84s83f4xcb78.norenterprises. com

The ip address of the malicious domain is:

67.220.209.21 / server23.verygoodserver.com

Typical message content, but they usually give you a (fraudulent) link to follow. Not this time, they attach an HTML file which will open in any browser. I opened the file in a safe environment, all looks very convincing.

Now, not only would PayPal never ask you to reactivate your account in this manner, they would never ask for your credit card & personal details.

When you click the Submit button it will send all the details you entered to this script.

hxxp://202.181.105.217/~info/AccountVerification/cf.php

Which displays this output.

So in conclusion, if you ever are worried your PayPal account has been accessed by a third party and needs reactivating, phone them.

Below there are some examples of subjects used in the scam emails:

Subject: Important Update
Subject: Security Check
Subject: Update your profile
Subject: Urgent Notice
Subject: Profile update
Subject: Security Warning
Subject: Update your Account
Subject: Update your Password

While I was checking the headers of the emails, I noticed that most of the IP addresses of the senders come from Chinese (.CN) domains:

mail.bnu.edu.cn (mail.bnu.edu.cn [219.142.99.2])
58.185.112.164 (HELO user) (58.185.112.164) by 219.142.99.2
mailqd.cmr.com.cn (unknown [211.100.42.132])
User ([212.62.45.71]) by mailqd.cmr.com.cn
mail0.shift.edu.cn (unknown [61.152.219.51])
User ([58.185.112.164]) by mail0.shift.edu.cn
mail.smu.ac.kr (smu.ac.kr [203.237.168.13])
User ([58.185.112.164]) (authenticated (0 bits)) by mail.smu.ac.kr
idrgroup-nx0i3d.idrgroup.local (servera210.opencom.com [121.78.88.210])
User ([58.185.112.164]) by idrgroup-nx0i3d.idrgroup.local
mail.fudan.edu.cn (unknown [61.129.42.10])
User ([212.62.45.71]) by mail.fudan.edu.cn

Some of the malicious links used for phishing attacks are the following:

1
2
3
4
5

hxxp://zoahaza.isfreeweb.com/tt/style/setup/image/m2u.htm
hxxp://www.dobongn.kr/gnuboard4/bbs/m2u.htm
hxxp://central-groove.co.uk/images/M_images/www.maybank2u.com.my/m2u.htm
hxxp://zoahaza.isfreeweb.com/tt/components/m2u.htm
hxxp://womabkr.com.tw/Ch/img/main.htm

Not all the links are still active and fortunately there are also links that are detected and blocked by Mozilla Firefox but keep in mind that there are always links that are not blocked or that are not detected by any antispam filter!

Remember always to NOT insert sensitive data in unknown websites and to never click in links contained in unknown emails. When you receive this kind of emails, example from your Bank, and you are requested to insert sensitive data make sure to give a call to your bank before insert any kind of data in the suspicious website.

Malicious links used for phishing attacks:

1
2

hxxp://217.24.231.33/login.html
hxxp://79.39.132.165/poste/index.htm

Message

Promemoria eBay per oggetto non pagato numero 3104678753291

Gentile member,
alenf ha segnalato di non avere ancora ricevuto il pagamento per il seguente
oggetto: numero 3104678753291

Al momento non viene intrapresa alcuna azione nei confronti del tuo account.
Tuttavia, ti ricordiamo che quando fai un’offerta o acquisti un oggetto su eBay,
prendi un impegno vincolante con il venditore. Se la situazione non verr? risolta
entro 7 giorni dalla ricezione di questo promemoria, riceverai un ammonimento per
oggetto non pagato…

Header

Received: from hsenc.co.kr (unknown [211.215.20.40])
Received: from User (80.229.253.105)
by hsenc.co.kr (211.215.20.40) with [Nmail V3.6]
Subject: Promemoria eBay per oggetto non pagato numero 3104678753291
Date: Thu, 29 Jan 2009 15:25:31 -0000

Received: from 419revolution.org (unknown [211.106.23.71])
Received: from User ([])
by 419revolution.org (Merak 6.1.0)
Subject: Promemoria eBay per oggetto non pagato numero 292567831524
Date: Mon, 28 Jan 2009 14:38:18 -0000

Received: from mail.quike.com.cn (unknown [202.75.222.151])
Received: from User ([80.229.253.105])
by 211.155.233.151 with ESMTP
Subject: Hai ricevuto un ammonimento per Oggetto non pagato 260300220759
Date: Mon, 28 Jan 2009 14:38:18 -0000

Received: from topinfo.com.cn (unknown [211.157.2.61])
Received: from User [80.229.253.105] by topinfo.com.cn
Subject: Promemoria eBay per oggetto non pagato numero 299010852347
Date: Mon, 17 Nov 2008 10:51:59 -0000

Make sure to not fall in this scam, check always the address of the site before write sensitive data in web forms and analyze always the header of the emails.

• Use always maximum attenction when reading the email
• Never click on http links or images
• Never download attachments
• Analyze the header of the email
• Check the email of the sender on google to see if you find bad info
• Check the info of the sender’s site on google
• Report the email to your local authorities
• Report the email to PhishTank
• Delete the email