PayPal Phishing

El Sapo

Bevo's BFF
I received an email from "PayPal" on Sunday and opened it because I had done numerous transactions through them over the last couple of days.

The email was a brief 'notice' that my account was under some kind of restriction due to problems that were not mentioned specifically. I have received PayPal scam emails before so I was immediately suspicious of this one. I am still kind of hoping to get my first 419 email but in the meantime...

There were a few discrepancies...

The email was addressed to 'undisclosed' recipients. A mass BCC email meaning that everyone got the same message I did with the same 'official' PayPal reference codes mine came with etc. There was also no use of my name nor any reference to my specific account. I knew it was a scam so looked deeper...

The site itself was not part of the PayPal domain (a bunch of basically random letters.com) & I pulled it up to take a look at it and it was a cut and paste job of the PayPal login page. There were some red flags in the source code of the page (none of the links worked, they had a weak client side form validation script thrown in and even a Yahoo visitor tracking script - which I shortly discovered came courtesy of their hosting).

I looked into the domain name and found that it had been registered 2 days earlier... it looked like the guy might have even used his real name... and there was an address in Illinois associated with the account that seemed legit after looking it up.

I logged in to the site using the email address the scammer provided when he registered the domain and chose the password "You are a lousy phisher", which was accepted. The form action was webscr.php (which also doesn't add up) and I was taken to a page that asked for complete credit card information. It's worth mentioning that none of these pages were secure, either.

I reported him to the PayPal fraud department within 5 minutes of receiving the email yet his site was just now pulled today. This guy had 3 full days to try to scam people's information.

Here is my question:

What kind of trouble, if any, is a guy like this looking at for creating a site like this? I would think this is serious business - trying to steal people's credit card information- are there any likely repercussions beyond just getting his site shut down?
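As an added illustration (not from the original post or from PayPal): a small Python check that flags a message for the same red flags the poster walked through, addressed to undisclosed recipients, no personal greeting, a link host outside paypal.com, no HTTPS, and a freshly registered domain. The sample messages, dates and the legitimate-domain set are constructed; the registration date stands in for what a WHOIS lookup would return.

```python
from datetime import date
from urllib.parse import urlparse

# Domains the message is allowed to link to (assumption for this example).
LEGIT_DOMAINS = {"paypal.com"}

# Constructed sample modelled on the message described above (not a real email).
SAMPLE_EMAIL = {
    "to": "undisclosed-recipients:;",
    "recipient_name": "Alex",
    "body": "Dear valued customer, your account has been restricted. Click to verify.",
    "links": ["http://random-letters-example.com/webscr.php"],
    "domain_registered": date(2008, 11, 28),  # constructed WHOIS creation date
    "received": date(2008, 11, 30),
}

# Constructed control sample with none of the red flags.
LEGIT_EMAIL = {
    "to": "alex@example.com",
    "recipient_name": "Alex",
    "body": "Hello Alex, your receipt for order 1234 is attached.",
    "links": ["https://www.paypal.com/myaccount/"],
    "domain_registered": date(1999, 7, 15),
    "received": date(2008, 11, 30),
}


def host_is_legit(host, legit=LEGIT_DOMAINS):
    """True only for the domain itself or a real subdomain of it.
    'paypal.com.evil.example' does NOT match because the suffix check
    requires a leading dot before the legitimate domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in legit)


def phishing_flags(msg, max_domain_age_days=30):
    """Return a list of human-readable red flags found in the message."""
    flags = []
    if "undisclosed" in msg["to"].lower():
        flags.append("mass BCC: addressed to undisclosed recipients")
    if msg["recipient_name"].lower() not in msg["body"].lower():
        flags.append("generic greeting: recipient's name never appears")
    for link in msg["links"]:
        url = urlparse(link)
        if url.scheme != "https":
            flags.append(f"unencrypted link: {link}")
        if not host_is_legit(url.hostname):
            flags.append(f"link host outside paypal.com: {url.hostname}")
    age_days = (msg["received"] - msg["domain_registered"]).days
    if age_days < max_domain_age_days:
        flags.append(f"domain registered only {age_days} day(s) before the email")
    return flags
```

Any non-empty result is reason to report the message rather than click; the domain-age check is the one that needs a real WHOIS lookup in practice.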
 
I get the same email. Paypal has a way to report the phish emails. If you do any business on the internet you will get them from paypal, ebay, amazon and others.
 
Bounce those e-mails to [email protected] as soon as you get them. They work with ISPs and various authorities to get those sites taken down.

Do you have the hostnames or IPs of the links that were in the e-mail? With that, it's possible to see where it was hosted (assuming DNS is still resolving) and find out more about it. If the site was hosted outside the US, chances are that nothing will happen to the fraudster. In the US, chances are that they'll face charges and possible jail time.

It's possible though that they were able to sell a batch or two of paypal logins, or even use those logins to hijack valid paypal and ebay accounts.
 
Phishing is a pretty good business. The odds of getting caught are minimal, and even if they do catch you, the odds of getting prosecuted are also minimal. Their business model is to divide the jobs into small pieces so that law enforcement is dealing with a lot of little fish instead of one big fish (there are certainly exceptions to this -- and those guys have been caught and prosecuted). So, one guy will create a phishing kit (good ones for PayPal and eBay are available for about $5), others will sell email lists, others will offer hijacked computers or even botnets, then the phisher will offer the stolen credentials to those who will use the accounts in a variety of ways to get actual money out.

Phishing, though, is so 2005. Yes, it still happens, and yes, they still get stolen credentials, but it is harder to make a living at this than it was a few years ago due to companies getting smarter and education of the masses. Increasingly, other forms of malware are where the real threat lies, specifically trojans. I can infect a computer with a trojan quite easily, and when a user on that computer goes to paypal or ebay (using their bookmark, not clicking on a link), using html injection, they'll be presented not only with a request for userid & password, but also for credit card & pin (or whatever other data I'd like to collect). That data is sent to a drop zone and the end user is then allowed access to the site just as normal. Everything seems just fine because it is the real site.

Fraudsters will work as hard as we make them work. The emergence of trojans is a real threat, and they are getting quite clever in their approaches. Have anti-virus protection? Ha! I laugh at you! Before deploying my trojan, I will go to the site that can test my trojan against 27 of the top AV vendor's protection. If I find one that can detect my trojan, I simply click on the button that says "Fix it" and I immediately create a variant that has a signature that is not recognized.
 
What I don't understand is why Obama or McCain or Hillary hasn't made this a big issue. Ebay tries to stop it, but this needs federal attention. I think it would be very popular, most of us are sick of becoming computer experts to guard our IDs.
 
