#288012 - 09/10/2006 15:36
Well done scam...
|
pooh-bah
Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
|
Hrmmm... see attachment. Unfortunately, a VERY well done phishing sceme. The link is still active, PLEASE don't enter your info.
Attachments
288577-scam.html (222 downloads)
|
Top
|
|
|
|
#288013 - 09/10/2006 16:07
Re: Well done scam...
[Re: lectric]
|
old hand
Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK
|
Did you know the name of the person by any chance? I am waiting for the day when a phisher gets a file of related names (eg. extracted from an address book) and uses them, that would be hugely successful.
Also also note they are linking to PayPal images in the live page - I do wonder why they do this because PayPal must aggregate all instances of Referer headers not matching with any authorised sites and have an instant alert system.
Gareth
|
Top
|
|
|
|
#288014 - 09/10/2006 16:48
Re: Well done scam...
[Re: g_attrill]
|
old hand
Registered: 01/10/2002
Posts: 1039
Loc: Fullerton, Calif.
|
You give paypal too much credit. They sent me a notice once because there was in excess of 3,000 failed access attempts spanning 2 seconds on my account. They seemed to think this was suspicious... Most sites would have cut them off at three failed attempts...
|
Top
|
|
|
|
#288015 - 09/10/2006 19:43
Re: Well done scam...
[Re: lectric]
|
carpal tunnel
Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
|
I get those a lot. Especiallly from Banks I've never heard of asking me to log in to change my password. I always forward them to Paypal. I think the address is [email protected] At the very least, Paypal can get that site shut down but I doubt they pursue it much. Word of advice is to ALWAYS hover your mouse over a link to see if the url it takes you too looks funny (like that one did).
_________________________
Brad B.
|
Top
|
|
|
|
#288016 - 09/10/2006 20:17
Re: Well done scam...
[Re: SE_Sport_Driver]
|
pooh-bah
Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
|
Oh, no kidding, and no, the name was not familiar. You are correct, if it could have the sophistication of some of the worms I've seen, they'd make millions in days. I am well aware of how to detect a spoof, but some of my users are not. At least I have them all trained that if they are even the slightest bit unsure about an email, send it to me. I'll check it out.
It's just that this particular one basically ripped off EXACTLY Paypal's site and even included links to paypals images directly on paypal's servers. Only one line in the entire html makes it a non-official paypal document. What scares me is what if I was a regular paypal user, and just clicked this one because I know I had 5 auctions ending that day. Odds are high I wouldn't even be the slightest suspicious.
|
Top
|
|
|
|
#288017 - 10/10/2006 03:22
Re: Well done scam...
[Re: lectric]
|
old hand
Registered: 07/01/2005
Posts: 893
Loc: Sector ZZ9pZa
|
I simply never click on links in emails supposedly from anywhere I would normally sign in to. Especially eBay, Paypal and my Bank.
If I got what looks like original mail from them, I would open a browser, type the URL for their home page (no bookmarks for those) and log in. Seems the safest way until my DNS server gets 0wned.
|
Top
|
|
|
|
#288018 - 10/10/2006 09:05
Re: Well done scam...
[Re: sein]
|
pooh-bah
Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
|
And the link is obviously fake to someone like me, but I can see it would fool some (space inserted so BBS doesn't link it) http: //www.paypal.com.cgi-bin.websc.cmd.login-run.hk/
_________________________
Christian #40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)
|
Top
|
|
|
|
#288019 - 10/10/2006 11:38
Re: Well done scam...
[Re: Shonky]
|
pooh-bah
Registered: 06/04/2005
Posts: 2026
Loc: Seattle transplant
|
Quote: And the link is obviously fake to someone like me, but I can see it would fool some (space inserted so BBS doesn't link it) http: //www.paypal.com.cgi-bin.websc.cmd.login-run.hk/
I'll bite- What do you see there and what does it mean to you?
_________________________
10101311 (20GB- backup empeg) 10101466 (2x60GB, Eutronix/GreenLights Blue) (Stolen!)
|
Top
|
|
|
|
#288020 - 10/10/2006 11:50
Re: Well done scam...
[Re: Robotic]
|
veteran
Registered: 25/04/2000
Posts: 1525
Loc: Arizona
|
He's referring to the fact that the domain isn't PayPal - instead of slashes to separate directories, the .s just continue the domain name to something in Hong Kong. A lot of people would miss that, they'll just see the paypal.com and think it is legitimate.
|
Top
|
|
|
|
#288021 - 10/10/2006 19:49
Re: Well done scam...
[Re: Tim]
|
pooh-bah
Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
|
Yes. Just the URL has stuff after the paypal.com. There seem to be quite a few in Hong Kong these days. The link is just a page looking like paypal saying you've received payment from someone and you need to log in to accept it or something like that.
That is the reason some banks say type in their URL or only use a bookmark, like sein mention.
Phishing sites are rarely set up to take advantage of any browser vulnerabilities in my experience. They are just relying on human vulnerabilities.
_________________________
Christian #40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)
|
Top
|
|
|
|
#288022 - 10/10/2006 20:08
Re: Well done scam...
[Re: Shonky]
|
pooh-bah
Registered: 09/08/2000
Posts: 2091
Loc: Edinburgh, Scotland
|
although the smart phishers are now moving away from relying entirely on human stupidity. We are seeing far more Trojan based attacks - still very easy to infect millions of Winblows PCs and all an attacker needs to do is either key log or alter your browser to log in to 'badsite.com' (tm) and pretend you are at 'yourbank.com'
And although some banks are going down the route of using SecurID or similar we have already seen successful attacks against them (even though the attack window has been reduced to 30 seconds from days!)
Fun times ahead - a good time to be an infosec professional. I know I need more people in my team...anyone interested?
_________________________
Rory MkIIa, blue lit buttons, memory upgrade, 1Tb in Subaru Forester STi MkII, 240Gb in Mark Lord dock MkII, 80Gb SSD in dock
|
Top
|
|
|
|
#288023 - 10/10/2006 22:46
Re: Well done scam...
[Re: frog51]
|
Anonymous
Unregistered
|
Quote: We are seeing far more Trojan based attacks - still very easy to infect millions of Winblows PCs and all an attacker needs to do is either key log or alter your browser to log in to 'badsite.com' (tm) and pretend you are at 'yourbank.com'
All they have to do is add an entry in the system's hosts file to specify an IP address for the targetted domain, and the user will never be able to tell they're looking at a scammer's site. Macs are vulnerable too.
I think it would make for a great browser feature/plug-in that pops up a warning message anytime you visit a domain who's address was resolved locally. "WARNING: You might be getting scammed."
Quote: Fun times ahead - a good time to be an infosec professional. I know I need more people in my team...anyone interested?
Yeah, I am.
|
Top
|
|
|
|
#288024 - 10/10/2006 23:33
Re: Well done scam...
[Re: ]
|
carpal tunnel
Registered: 08/06/1999
Posts: 7868
|
Quote: All they have to do is add an entry in the system's hosts file to specify an IP address for the targetted domain, and the user will never be able to tell they're looking at a scammer's site. Macs are vulnerable too.
Looks like this is already happening, JS/QHosts21-A is one trojan I found. As far as the Mac side (or any Unix variant), the trojan would have to have root access to touch the hosts file, and if it has that, the system is screwed anyhow.
Quote: I think it would make for a great browser feature/plug-in that pops up a warning message anytime you visit a domain who's address was resolved locally. "WARNING: You might be getting scammed."
I couldn't find any info on if Firefox 2 or IE 7 offer this at all. However, one potential fix is to change the resolution order of the system. Simply either remove the hosts file from the resolution table, or move it after the DNS system. Looks like this is doable on Windows the same as Unix.
|
Top
|
|
|
|
#288025 - 11/10/2006 21:44
Re: Well done scam...
[Re: drakino]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Quote: move it after the DNS system
Even so, there are bound to be a lot of people who would never notice that the link is to "bankotamerica.com" or "wachovia,com". It would probably make more sense, as you suggest, to just disable hosts altogether by default, and make the people who need it aware of the consequences.
_________________________
Bitt Faulk
|
Top
|
|
|
|
|
|