PayPal Lookalike Scam

The machines we love to hate

Moderator: Wiz Feinberg

b0b
Posts: 29079
Joined: 4 Aug 1998 11:00 pm
Location: Cloverdale, CA, USA

PayPal Lookalike Scam

Post by b0b »

I got this email, but didn't take the bait:

Image

Closer examination revealed that the entire message was a GIF image, and clicking anywhere on it would invoke the following:

http://www.paypal.com.cgi-bin.webscr.cmd=_rav-form@211.47.191.125:199/cgi/index.htm

(Don't try it!) The important thing here is that it's not really sending anything to PayPal. There is a machine somewhere with an IP address of 211.47.191.125 waiting to collect your credit card data on port 199.

If you need to check the status of your PayPal or Ebay account, the best thing to do is to go directly to PayPal.com or Ebay.com and log in. Don't trust an email to give you a "shortcut" into those systems.

This scam was pretty clever - it took me a while to figure out what was going on. Don't be fooled. The weakest link in any scam is a willing victim.

------------------
Bobby Lee
-b0b- quasar@b0b.com

 System Administrator
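The link in b0b's post relies on the URL userinfo syntax: everything before the "@" in the authority is a username the browser discards, and the server it actually connects to is what follows the "@". As an added example that is not part of this thread, the Python checker below (the brand list and function names are constructed for illustration) recovers the real destination and lists the tell-tales, using the exact link pasted above:

```python
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Brands that should only ever appear as the real host, never as bait in
# the userinfo part (constructed list for this example).
TRUSTED_DOMAINS = ("paypal.com", "ebay.com")


def real_host(url: str) -> Tuple[str, Optional[int]]:
    """Host and port a browser actually connects to: in
    'scheme://userinfo@host:port/path' everything before the last '@' of
    the authority is userinfo and plays no part in choosing the server."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.port

def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def under_domain(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it (not 'notpaypal.com')."""
    return host == domain or host.endswith("." + domain)

def lookalike_findings(url: str) -> List[str]:
    """Tell-tales that make a URL look like a brand impersonation; empty if none."""
    host, port = real_host(url)
    userinfo = urlsplit(url).username or ""
    findings = []
    if userinfo:
        findings.append(f"userinfo '{userinfo}' before '@'; real host is '{host}'")
        for brand in TRUSTED_DOMAINS:
            if brand in userinfo.lower() and not under_domain(host, brand):
                findings.append(f"'{brand}' appears only in the decoy userinfo")
    if is_ip_literal(host):
        findings.append(f"destination is a bare IP address ({host})")
    if port not in (None, 80, 443):
        findings.append(f"non-standard port {port}")
    return findings

if __name__ == "__main__":
    # The exact link from the post at the top of this thread.
    scam = "http://www.paypal.com.cgi-bin.webscr.cmd=_rav-form@211.47.191.125:199/cgi/index.htm"
    for line in lookalike_findings(scam):
        print("-", line)
```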
Colm Chomicky
Posts: 2483
Joined: 11 Mar 2003 1:01 am
Location: Kansas, (Prairie Village)

Post by Colm Chomicky »

Got a very similar one. .gif with text linked to the con job site. I sent it to spoof@ebay.com.
Gene Jones
Posts: 6870
Joined: 27 Nov 2000 1:01 am
Location: Oklahoma City, OK USA, (deceased)

Post by Gene Jones »

*
[This message was edited by Gene Jones on 19 January 2005 at 04:50 AM.]
Roy Ayres
Posts: 3191
Joined: 9 Oct 2002 12:01 am
Location: Riverview, Florida, USA, R.I.P.

Post by Roy Ayres »

I received one today claiming to be from CitiBank asking me to punch in my account number and the password used with my ATM card. I'm just old; I ain't stupid.
Ernie Renn
Posts: 3491
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA

Post by Ernie Renn »

From what I've heard and read, both PayPal and Ebay never send mail asking you to click here to give information.

I have received a few policy updates, but they always say to log in and see what they are.

------------------
My best,
Ernie
www.buddyemmons.com
Don Walters
Posts: 1355
Joined: 4 Aug 1998 11:00 pm
Location: Saskatchewan Canada

Post by Don Walters »

It's a safe assumption that no legitimate businesses/organizations ever ask for account information, passwords, etc. by e-mail.

If you get such a message, delete it!!

Bobby Lee
Site Admin
Posts: 14863
Joined: 4 Aug 1998 11:00 pm
Location: Cloverdale, California, USA

Post by Bobby Lee »

Got another one today purporting to be from the "eBay Billing Depatment team". They say my billing information is out of date. The link pointed to an IP address: 210.119.235.149.

I hope nobody here is foolish enough to click into one of these.

------------------
Bobby Lee - email: quasar@b0b.com - gigs - CDs, Open Hearts
Sierra Session 12 (E9), Williams 400X (Emaj9, D6), Sierra Olympic 12 (C6add9),
Sierra Laptop 8 (D13), Fender Stringmaster (E13, A6),
Roland Handsonic, Line 6 Variax
Lyle Bradford
Posts: 1047
Joined: 16 Dec 1998 1:01 am
Location: Gilbert WV USA (deceased)

Post by Lyle Bradford »

Exactly what Gene said!!
Doug Beaumier
Posts: 16058
Joined: 4 Aug 1998 11:00 pm
Location: Northampton, MA

Post by Doug Beaumier »

I've been getting 3 or 4 a week for about a year now... eBay "spoof emails". I used to inform Ebay every time, but I don't bother anymore. These bogus emails are from crooks looking for account information. Lately there have been a lot of phoney "PayPal" emails too.

I get over 300 emails a day because I do a lot of internet business. I set up a JUNK folder in Outlook Express with about 200 keywords to separate the spam as it comes in. It works pretty good... snags about 75% of the crap. The eBay and PayPal "spoofs" still download into the regular Inbox however. I guess there's no way to prevent that.

------------------
My Site - Instruction | Doug's Free Tab | Steels and Accessories


Al Marcus
Posts: 9440
Joined: 12 May 1999 12:01 am
Location: Cedar Springs,MI USA (deceased)

Post by Al Marcus »

Bobby - I got one of those from Ebay billing.
I looked it over and deleted it. Good thing I guess....al

------------------
My Website..... www.cmedic.net/~almarcus/

Russ Young
Posts: 1053
Joined: 21 May 2002 12:01 am
Location: Seattle, Washington, USA

Post by Russ Young »

I just received a bogus message supposedly from PayPal.

This one said I needed to open an attachment in order to renew my account information ...

My guess is the attachment was probably spyware that would allow them to capture my password the next time I used PayPal.
Bobby Lee
Site Admin
Posts: 14863
Joined: 4 Aug 1998 11:00 pm
Location: Cloverdale, California, USA

Post by Bobby Lee »

I have heard that this particular email is actually a virus. DON'T CLICK IT!
Jim Landers
Posts: 1054
Joined: 11 Jun 1999 12:01 am
Location: Spokane, Wash.

Post by Jim Landers »

I get at least 2 or 3 of these a week and usually double that when I have just recently bought or sold something on Ebay.

A legitimate PayPal notice 'always' addresses you by your full name (Dear Mr. John Smith) and 'never' asks you to give them info via an email link. The same for Ebay.

When in doubt just forward the suspect email to spoof@paypal.com or spoof@ebay.com. You will receive an answer usually within 10 or 15 minutes confirming your suspicion that this email was not sent by PayPal or Ebay.

Jim
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

I did a Whois on b0b's scam email and here is the source:

WHOIS results for 211.47.191.125
Generated by www.DNSstuff.com

Country: KOREA-KR

ARIN says that this IP belongs to APNIC; I'm looking it up there.

APNIC says that this IP belongs to KRNIC; I'm looking it up there.

Using 0 day old cached answer (or, you can get fresh results).
Displaying E-mail address (use sparingly -- this will make it more likely that you will trigger our rate limiting system).

한국인터넷정보센터(www.nic.or.kr)에서 제공하는 Whois 서비스 입니다.

query: 211.47.191.125

# ENGLISH

KRNIC is not a ISP but a National Internet Registry similar to APNIC.
The followings are information of the organization that is using the IPv4 address.

IPv4 Address : 211.47.191.96-211.47.191.127
Network Name : HANINTERNET-LLINE-VISIONGRA
Connect ISP Name : HANINTERNET
Connect Date : 20040220
Registration Date : 20040220

[ Organization Information ]
Organization ID : ORG380591
Org Name : VISIONGRA
State : SEOUL
Address : Pil-dong 1(il)-ga , Jung-gu
Zip Code : 100-271

[ Admin Contact Information]
Name : BADA JUNG
Org Name : VISIONGRA
State : SEOUL
Address : Pil-dong 1(il)-ga , Jung-gu
Zip Code : 100-271
Phone : +82-2-2272-6872
E-Mail : webmaster@yoonfont.co.kr

[ Technical Contact Information ]
Name : BADA JUNG
Org Name : VISIONGRA
State : SEOUL
Address : Pil-dong 1(il)-ga , Jung-gu
Zip Code : 100-271
Phone : +82-2-2272-6872
E-Mail : webmaster@yoonfont.co.kr

--------------------------------------------------------------------------------

If the above contacts are not reachable, please see the following ISP contacts
for further information or network abuse.

[ ISP IPv4 Admin Contact Information ]
Name : ipadministrator
Phone : +82-2-860-8143
Fax : +82-2-852-8535
E-Mail : iservice@haninternet.co.kr

[ ISP IPv4 Tech Contact Information ]
Name : ipmanager
Phone : +82-2-860-8144
Fax : +82-2-852-8535
E-Mail : ip@haninternet.co.kr

[ ISP Network Abuse Contact Information ]
Name : Sangwon So
Phone : +82-2-860-8002
Fax : +82-2-852-8535
E-Mail : support@haninternet.co.kr

Wiz
[This message was edited by Wiz Feinberg on 08 January 2005 at 01:40 PM.]
Dave Potter
Posts: 1565
Joined: 15 Apr 2003 12:01 am
Location: Texas

Post by Dave Potter »

<< I did a Whois on b0b's scam email and here is the source:

Er, well,...maybe.

Probably more likely is it's one of our own stateside pillars of society, who's just using that Korean server to proffer his junk.
Bobby D. Hunter
Posts: 165
Joined: 24 Jul 2004 12:01 am
Location: USA

Post by Bobby D. Hunter »

Dave Potter wrote:
> Er, well,...maybe.
>
> Probably more likely is it's one of our own stateside pillars of society, who's just using that Korean server to proffer his junk.
Here are the results of my SpamCop lookup to see if any reports were received lately from this CIDR. All are negative. The IP is not listed in any blocklist used by SC.
-------------------------------------------
SpamCop v 1.397 (c) SpamCop.net, Inc. 1998-2004 All Rights Reserved
Parsing input: 211.47.191.125
host 211.47.191.125 (getting name) no name
No recent reports, no history available
Routing details for 211.47.191.125
[refresh/show] Cached whois for 211.47.191.125 : support@haninternet.co.kr dk_suh@e2b.co.kr iservice@haninternet.co.kr ip@haninternet.co.kr
Using abuse net on support@haninternet.co.kr
abuse net haninternet.co.kr = abuse@haninternet.co.kr
Using best contacts abuse@haninternet.co.kr
Statistics:
211.47.191.125 not listed in bl.spamcop.net
More Information..
211.47.191.125 not listed in dnsbl.njabl.org
211.47.191.125 not listed in dnsbl.njabl.org
211.47.191.125 not listed in cbl.abuseat.org
211.47.191.125 not listed in dnsbl.sorbs.net
211.47.191.125 not listed in relays.ordb.org.

Reporting addresses:
abuse@haninternet.co.kr

------------------
Bobby D. Hunter
Security for SGF
Hunting down Slimeball Game
[This message was edited by Bobby D. Hunter on 10 January 2005 at 09:54 PM.]
b0b
Posts: 29079
Joined: 4 Aug 1998 11:00 pm
Location: Cloverdale, CA, USA

Post by b0b »

Remember, I received this 14 months ago. The IP could have been reassigned since then.
Jody Carver
Posts: 7968
Joined: 3 Jan 2001 1:01 am
Location: KNIGHT OF FENDER TWEED

Post by Jody Carver »

I open everything..I figure maybe someone found my Levi's I lost at Wal-Mart.
b0b
Posts: 29079
Joined: 4 Aug 1998 11:00 pm
Location: Cloverdale, CA, USA

Post by b0b »

That's a very bad idea, Jody. If you open everything, it's a near certainty that you'll end up with something you really don't want on your PC. But even worse: if you respond to one of these spoofs, you'll be giving away your credit cards and maybe even your bank account.

Forget about the pants.
Gene Jones
Posts: 6870
Joined: 27 Nov 2000 1:01 am
Location: Oklahoma City, OK USA, (deceased)

Post by Gene Jones »

*
[This message was edited by Gene Jones on 25 January 2005 at 09:09 AM.]
Colm Chomicky
Posts: 2483
Joined: 11 Mar 2003 1:01 am
Location: Kansas, (Prairie Village)

Post by Colm Chomicky »

I get about 100 to 200 spams a day. I get frequent paypal or ebay scams like this, not to mention City Bank and other banks. I forward the paypal and ebay ones to spoof@paypal or spoof@ebay (but I suspect they get so many reports that they are buried up to their armpits). But I suspect there is not much Ebay or Paypal can do other than to have that address shut down. I've never heard that any of these guys get caught.