PayPal phishing: take online survey and receive money

Ax3soft can capture phishing messages that target PayPal users. The phishing email comes from the fake address "Pay Pal.Inc" <Account0909Sur@pay.com> with the subject "Confirm refund request – Identity Verification". The body of the email:

Dear client,
PayPal
CONGRATULATIONS! You have been chosen by the Online Department to take part in our survey.
SERVICE: PayPal .Inc Online®
hxxp://www.developmentalfun.com/attachments/paypal.eu/index.php
2009 PayPal ® All Rights Reserved
MEOEXQPRKZJCHFGZMHONBBPUQDRLGHPYOORBYS

If you follow the link, it will bring you to the phishing site, which has an interface similar to the original PayPal site.
Note that the phishing site is hosted on a non-PayPal domain and does not have an HTTPS connection. I go to the page hxxp://www.developmentalfun.com/attachments/paypal.eu/login.php, which shows the known PayPal progress bar, and get a redirect to hxxp://www.developmentalfun.com/attachments/paypal.eu/Revalidate.htm?cmd_submitaccess0023044.submit=data_refund when I fill in a spoofed login and password. On this page I need to fill in personal information for the refund. Totally right.
When I use the spoofed data to fill in the form, I get the page hxxp://www.developmentalfun.com/attachments/paypal.eu/thankyou.html?RXZlbnQyIE9jdDI3RXZlbnQyIE9jdDI3 and I am to be redirected to the official PayPal web site. There is no check whether my social security number, credit card number and CVV2 are valid. If you have filled your real login, password and other details into the form by now, you have been cheated. The people behind the phishing site then get your personal information, go into your PayPal account and can get what they need. It is not a good idea to do such things as I just did. The navigation at the top doesn't point to PayPal but to hxxp://www.developmentalfun.com/attachments/paypal.eu/thankyou.html?RXZlbnQyIE9jdDI3RXZlbnQyIE9jdDI3; however, I got an Internal Server Error. The web site is hosted on a server listening on the IP 64.49.206.169. The web site http://www.developmentalfun.com/ itself is a genuine site, which suggests its hosting account was hacked to host the phishing pages.
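The two warning signs noted above (a non-PayPal host and no HTTPS) can be checked automatically for any link that claims to be PayPal. The following is an added example, not part of the original post and not an Ax3soft Sax2 policy; the allow-list, the function names and the two comparison URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains treated as official in this example; use your own allow-list.
OFFICIAL_DOMAINS = {"paypal.com"}
BRAND = "paypal"

def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url

def is_official_host(host: str) -> bool:
    """True only if host is an official domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(url: str) -> list:
    """Return the warning signs found in a link that claims to be PayPal."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    findings = []
    if not is_official_host(host):
        findings.append("non-official-host")
        # The brand name outside the registered domain is the lure seen here:
        # it sits in the path (/attachments/paypal.eu/), or it can sit in a
        # subdomain label of an unrelated domain.
        if BRAND in parts.path.lower():
            findings.append("brand-in-path")
        if BRAND in host.lower():
            findings.append("brand-in-hostname")
    if parts.scheme != "https":
        findings.append("no-https")
    return findings

# First URL is quoted from the post; the other two are constructed for comparison.
SAMPLES = [
    "hxxp://www.developmentalfun.com/attachments/paypal.eu/login.php",
    "https://www.paypal.com/signin",          # constructed: official host
    "https://paypal.com.example.net/signin",  # constructed: look-alike host
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", triage(u) or ["ok"])
```

The host comparison matches the whole domain or a dot-separated suffix, so a name such as paypal.com.example.net is not mistaken for PayPal.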
We have added some new policies to Ax3soft Sax2 to detect the Trojan; please update the Sax2 policy knowledge base in time. For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

