Paypal - 'PayPal account Limited'
31-Aug-2004

Summary
Email title: 'PayPal account Limited'
Scam target: PayPal users
Email format: HTML e-mail
Sender: spoofed (the message appears to come from the legitimate PayPal domain)
Scam call to action: 'We recently reviewed your account, and suspect that your PayPal account may have been accessed by an unauthorized third party... Please click on the link below to confirm your information...'
Scam goal: the victim's credit card details (card number, PIN, expiration date), PayPal username and password, and contact information (name, address, phone, etc.)
Call to action format: URL link
Visible link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
Called link: http://www.lawncom.co.kr/.update/hide/index2.htm
Phish website hosted on: www.lawncom.co.kr
 
E-mail

This message tries to break the 'anonymous salutation' pattern common in phishing: it puts the recipient's e-mail address after 'Dear'. That may be enough to convince some people, but remember that a legitimate institution knows your name and will address you by it in the accepted formal manner. Anything else should be treated with suspicion.

The sender address is spoofed so that the message appears to come from the legitimate PayPal domain. In fact it does not.
 
Web Site
 
The phish site is a dangerous one, too. It uses a Java program to overwrite the entire address bar of the Internet Explorer window. The page first performs browser detection and closes itself if the browser is not IE, since the trick depends on IE; only then does it draw the fake address bar:
 
 
The overwritten address bar stays in place for the entire phish. After the 'log in', the following page is shown to convince you of the credibility of what you are doing:
 
 

The next page is the actual phish page, where the site demands your personal information. Notice that even though the address bar (which is faked, remember?) starts with 'https', the browser itself gives no indication of a secure site, such as the padlock icon:

 
 
At the end, to make the scam even more believable, there is a nice login screen:
 
 

The phish site then redirects to the legitimate PayPal site, so the victim ends up on the real login page and is unlikely to notice anything wrong.

This scam is hosted on a server in Korea, as many phishing sites are:

 
WHOIS data:

Domain Name : lawncom.co.kr
Registrant : Cheongpung
Registrant Address : Sugok-dong Cheongju-si Heungdeok-gu Chungcheongbuk-do Korea
Registrant Zip Code : 361150
Administrative Contact(AC): Oh gyu seop
AC E-Mail : kafma@hanmail.net
AC Phone Number : 043-284-0164
Registered Date : 2002. 11. 25.
Last updated Date : 2003. 12. 01.
Expiration Date : 2004. 11. 25.
Publishes : Y
Authorized Agency : Asadal, Inc. (http://www.asadal.co.kr)

Primary Name Server
Host Name : ns3.blueweb.co.kr
IP Address : 211.202.2.3

Secondary Name Server
Host Name : nis.blueweb.co.kr
IP Address : 210.205.6.4
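The registry record above is worth reading for its dates as well as its location: the domain was registered in November 2002 and does not expire until after this phish was seen. As an added example (not code from the APWG page), the following parses the .kr registry's 'Key : value' and '2002. 11. 25.' formats and works out the domain's age on the day of the archive entry. The record string is a constructed copy of the fields shown above with contact details left out, and the 180-day threshold is an assumption of the example, not something the page states.

```python
from datetime import date

# The registry record quoted above, reduced to the fields used here
# (constructed from the page; contact details omitted).
WHOIS_RECORD = """\
Domain Name : lawncom.co.kr
Registrant : Cheongpung
Registered Date : 2002. 11. 25.
Last updated Date : 2003. 12. 01.
Expiration Date : 2004. 11. 25.
Authorized Agency : Asadal, Inc. (http://www.asadal.co.kr)
"""

PHISH_DATE = date(2004, 8, 31)  # date of this archive entry


def parse_record(text):
    """Turn 'Key : value' lines into a dict; lines without ' : ' are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_kr_date(text):
    """Parse the '2002. 11. 25.' form the .kr registry prints."""
    year, month, day = (int(p) for p in text.replace(".", " ").split())
    return date(year, month, day)


def assess(text, on=PHISH_DATE):
    """Age and expiry of the domain relative to the date the phish was seen."""
    rec = parse_record(text)
    registered = parse_kr_date(rec["Registered Date"])
    expires = parse_kr_date(rec["Expiration Date"])
    age = (on - registered).days
    return {
        "domain": rec["Domain Name"],
        "age_days": age,
        "expired": expires < on,
        # Assumption, not something the page states: a domain registered
        # long before the phish is more likely a hijacked legitimate host
        # than one the phisher registered for the campaign.
        "long_established": age > 180,
    }


if __name__ == "__main__":
    print(assess(WHOIS_RECORD))
```

A domain that was nearly two years old when the phish appeared is a different takedown case from one registered the week before: the abuse contact in the record is most likely the owner of a compromised server, not the phisher, and the hidden path '/.update/hide/' on an otherwise ordinary site is consistent with that.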