Phoney paypal message
Moderator: Wiz Feinberg
-
Howard Tate
- Posts: 3378
- Joined: 17 Oct 2004 12:01 am
- Location: Leesville, Louisiana, USA, R.I.P.
Phoney paypal message
We use paypal quite a bit, and my wife's computer got an email saying congratulations, paypal has successfully withdrawn $170 from your account. There was a clickable box to check for details. Instead of clicking it, she selected the whole thing and sent to paypal. They checked it out and there was a virus if you clicked.
------------------
Howard, 'Les Paul Recording, Zum S12U, Vegas 400, Boss ME-5, Boss DM-3
http://Charmedmusic.com
-
mickd
- Posts: 956
- Joined: 12 Dec 1999 1:01 am
- Location: london,england
I get these all the time - from "Paypal", "Ebay", my "bank" etc.
They're all phoney.
The safe way to tell is just to hold your mouse pointer over the link in the email (do NOT click on it). As you do this, look at the bottom of the screen, where your browser will display the address of the link. Instead of saying something like "www.ebay.com/xxxxx" it'll typically say something like "123.100.99.98/xxx" indicating a dodgy site.
[This message was edited by mickd on 28 November 2004 at 11:52 AM.]
-
Bill Llewellyn
- Posts: 1921
- Joined: 6 Jul 1999 12:01 am
- Location: San Jose, CA
Mic,
I use that method, too. Sometimes the link shown in these bogus "eBay", "PayPal", or bank messages looks legitimate (that is, instead of just saying "Click Here" there is a very valid looking web address in the message), but when you mouse over the link and look at the readout at the bottom of the browser window, the actual link is much different than the apparent link. And usually the domain in the real link is just a series of numbers, like you pointed out.
------------------
Bill, steelin' since '99 | Steel page | My music | Steelers' birthdays | Over 50?
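The hover check described in the two posts above, automated as an added example (not part of the original posts): it reads an HTML email body and reports links whose real target is a bare numeric address, or whose visible text names a different host than the href. The function names and the sample body are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(text):
    """Hostname if text looks like a web address, else None."""
    text = text.strip()
    if not text or " " in text:
        return None
    try:
        host = urlsplit(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None
    return host.lower() if host and "." in host else None

class LinkAudit(HTMLParser):
    """Records (shown text, real href, reasons) for each suspicious <a>."""
    def __init__(self):
        super().__init__()
        self.findings, self.cur_href, self.cur_text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur_href, self.cur_text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.cur_href is not None:
            self.cur_text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.cur_href is None:
            return
        shown, real = "".join(self.cur_text).strip(), host_of(self.cur_href)
        # A host made only of digits and dots is the "series of numbers" case.
        numeric = real and all(p.isdigit() for p in real.split("."))
        reasons = ["numeric host"] if numeric else []
        if host_of(shown) and real and host_of(shown) != real:
            reasons.append("text/target mismatch")
        if reasons:
            self.findings.append((shown, self.cur_href, reasons))
        self.cur_href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample; 192.0.2.0/24 is reserved for documentation.
SAMPLE = ('<a href="http://192.0.2.44/xxx">www.paypal.com/details</a> '
          '<a href="http://192.0.2.44/xxx">Click Here</a> '
          '<a href="https://www.paypal.com/help">www.paypal.com/help</a>')
```

`audit(SAMPLE)` flags the first two links and passes the third, whose text and target agree.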
-
Howard Tate
- Posts: 3378
- Joined: 17 Oct 2004 12:01 am
- Location: Leesville, Louisiana, USA, R.I.P.
Yes, that's what we do too. Since I'd never seen that particular one I thought I'd post it in case someone did not know. My wife hosts a machine knitters' web site, and gets hundreds of emails a day; a lot of them have viruses. I don't know how she can stand it, it drives me nuts, a short trip.
------------------
Howard, 'Les Paul Recording, Zum S12U, Vegas 400, Boss ME-5, Boss DM-3
http://Charmedmusic.com
-
CrowBear Schmitt
- Posts: 11624
- Joined: 8 Apr 2000 12:01 am
- Location: Ariege, - PairO'knees, - France
Wizardo, turned me on to this:
each email that one gets has an "Internet Header"
if you right click on the email title & click options, you will see the Internet header
now if you go here: http://www.dnsstuff.com/
and insert the ID numbers that are between the square brackets (there are more than 1 too!) on the Internet header in: "WHOIS lookup" you will know where that email comes from.
Don't forget to report these SOBs
Thanx Wizardo
[This message was edited by CrowBear Schmitt on 29 November 2004 at 12:38 AM.]
-
Al Marcus
- Posts: 9440
- Joined: 12 May 1999 12:01 am
- Location: Cedar Springs,MI USA (deceased)
Howard-Thanks for the information you gave us. I didn't know that.
Crowbear-Thanks for your info too. I appreciate that.
Isn't this Forum Great!....al

------------------
My Website..... www.cmedic.net/~almarcus/
-
Gene Jones
- Posts: 6870
- Joined: 27 Nov 2000 1:01 am
- Location: Oklahoma City, OK USA, (deceased)
An example of how phoney and random those paypal messages are, is that I receive two or three of them a week and I have NEVER even had a paypal account!
www.genejones.com
-
Howard Tate
- Posts: 3378
- Joined: 17 Oct 2004 12:01 am
- Location: Leesville, Louisiana, USA, R.I.P.
Crowbear, I did not know about that site, thanks a lot.
------------------
Howard, 'Les Paul Recording, Zum S12U, Vegas 400, Boss ME-5, Boss DM-3
http://Charmedmusic.com
-
Bobby D. Hunter
- Posts: 165
- Joined: 24 Jul 2004 12:01 am
- Location: USA
Crowbear;
Thanks for mentioning me and telling the guys about tracking down Slimeball Game!
For those who don't know about what I am doing, see this Post, http://steelguitarforum.com/Forum13/HTML/001207.html on the Forum News Page. Read all three items. The second and third explain about how to obtain raw headers. Once you find some IP addresses you copy and paste them into the Whois Lookup field at www.dnsstuff.com and hit Enter.
The last IP down is usually the first in the delivery chain, and is probably the sender's home ISP. However, Slimeballs sometimes relay email through Open Relays, or Open Proxies, most of which are in Europe and Asia. A lot of them mask their real location by using NewSkies Satellite Services, especially Nigerian scammers.
If you try to do a Whois Lookup, at dnsstuff, but the results tell you that your request was denied by RIPE for overuse, just go to RIPE itself and do the IP lookup. The RIPE Whois lookup page is at: http://www.ripe.net/perl/whois
If your s(p/c)ammer is from asia/pacific, you can do a Whois at the APNIC, at: http://www.apnic.net/apnic-bin/whois.pl
------------------
Bobby D. Hunter
Security for SGF
Hunting down Slimeball Game
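The header-reading step from the post above, as an added example (not part of the original post): it pulls the bracketed IPv4 addresses out of a message's Received headers and orders them bottom-up, so the earliest hop comes first, skipping private and loopback addresses that a WHOIS lookup cannot attribute. The function names and the sample headers are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Ranges that never identify a sender on the public Internet.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def relay_chain(raw_message):
    """Return [(ip, is_external)] from Received headers, earliest hop first."""
    msg = message_from_string(raw_message)
    chain = []
    # Each server prepends its own Received line, so read bottom-up.
    for header in reversed(msg.get_all("Received", [])):
        for candidate in BRACKETED_IPV4.findall(header):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # bracketed digits that are not a valid address
            chain.append((str(ip), not any(ip in net for net in INTERNAL)))
    return chain

def whois_candidates(raw_message):
    """External IPs worth a WHOIS lookup, earliest hop first, no repeats."""
    ordered = []
    for ip, external in relay_chain(raw_message):
        if external and ip not in ordered:
            ordered.append(ip)
    return ordered

# Constructed headers; the public-looking addresses are documentation ranges.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [198.51.100.7]) by inbox.example.org
Received: from relay.example.net (unknown [203.0.113.25]) by mx.example.org
Received: from pc (dialup-42.isp.example [192.0.2.44]) by relay.example.net
Received: from localhost ([127.0.0.1]) by pc
From: "PayPal" <service@paypal.example>
Subject: Congratulations

(body)
"""
```

Only the Received lines written by your own mail provider's servers are reliable; anything below them was supplied by the sending side and can be forged.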
-
Jon Light (deceased)
- Posts: 14336
- Joined: 4 Aug 1998 11:00 pm
- Location: Saugerties, NY
Don't get me wrong--I would send a bomb through the wires and snuff these scumbags if I could--this particular scam really impresses me. Or variants such as "your credit card transaction has been processed" or something like that. It really grabs your attention and makes you go into high gear because you know that something isn't right. And even someone like myself--just slightly brighter than an above average doorknob--might click on something before I know what I'm doing. It's hard to just ignore the trash. It's like letting the phone ring and not picking it up. Fortunately I do know better but like I said, these scams are geared for people who wouldn't fall for the more obvious crap.