List: dshield
Subject: Re: RE-2: [Dshield] Paypal fraud revisited: bit more info
From: John Sage <jsage () finchhaven ! com>
Date: 2003-10-28 19:31:08
On Wed, Oct 29, 2003 at 04:18:44AM +1300, AAA wrote:
> Here is the original email I received.
>
> Now, I use a commercial email firewall (MXtreme), encrypted, and
> (should) accept text only......not html..
>
> The incoming email text from the fraudulent Paypal site looks like a
> normal email, but is actually an http ref (see email)
>
> The rubbish text thereunder does not show up in html, but becomes only
> visible when responding or forwarding (MXtreme only does that in text
> only mode), so probably incoming email rubbish text has font colour set
> same as background.
>
> Just checking a bit further:
> http://www.paypal.com.cgi-bin.webscr.cmd=_rav-form@211.59.7.86:278/index.htm
Realize that everything *before* the ampersand (@) in this url is
utterly irrelevant:
http://www.paypal.com.cgi-bin.webscr.cmd=_rav-for@211.59.7.86:278/index.htm
Thus this reduces to:
211.59.7.86:278/index.htm
[jsage@sparky /storage/virii] $ lynx -head -dump http://211.59.7.86:278/index.htm
HTTP/1.1 200
Content-Length: 27777
Last-modified: Wed, 22 Oct 2003 00:31:50 GMT
Content-Type: text/html
Connection: Keep-Alive
So there's something there... let's see what:
[jsage@sparky /storage/virii] $ lynx -source http://211.59.7.86:278/index.htm |less
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>PayPal - Random Account Verification</TITLE>
<META content="text/html; charset=windows-1251" http-equiv=Content-Type>
<LINK href="/images/pp_favicon.ico" rel="shortcut icon">
<META content="MSHTML 5.00.2614.3500" name=GENERATOR>
<style>
/* snip */
<BODY bgColor=#ffffff>
<FORM action="verify.php" method=post >
<TABLE align=center border=0 cellPadding=0 cellSpacing=0 width=600>
<TBODY>
<TR>
<TD noWrap><A href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><IMG
border=0 src="pp.files/paypal_logo.gif"></A></TD>
<TD align=middle class=pptext width="100%"> </TD>
<TD align=right class=pptext noWrap><A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run"><SPAN
class=ppem106>Sign Up</SPAN></A> | <A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">Log In</A> | <A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_login-run">Help</A></TD></TR></TBODY></TABLE>
/* snip */
All the above is bogus..
..and here's where the mischief begins:
/* snip */
<TABLE align=center border=0 cellPadding=0 cellSpacing=0 width=600>
<TBODY>
<TR>
<TD class=ppheading width="100%">Random Account Verification</TD>
<TD class=ppsmalltext noWrap>Secure Verification </TD>
/* snip */
<TD width=7><IMG height=6 src="PayPal - Log In.files/pixel.gif"
width=6></TD>
<TD align=left class=pptext width="588"><p><SPAN class=pptext>Your credit/debit
card information along with your personal information will be verified
instantly. </SPAN></p>
/* snip */
<TD align=right class=pplabel><LABEL for=login_email>Card type
</LABEL>
> </TD>
<TD><BR class=field_spacer></TD>
<TD class=ppsmalltext><SELECT name=cc_type>
<option value=Visa>Visa</option>
<option value=MasterCard>MasterCard</option>
<option value=Amex>American Express</option>
<option value=Discover>Discover</option>
</select>
Credit
<input type="radio" name=cc_type1 value="credit">
Debit
<input type="radio" name=cc_type1 value="debit"></TD>
</TR>
<TR>
<TD align=right class=pplabel><LABEL for=login_email>Issue Bank Name
</LABEL>
> </TD>
/* snip */
Here's where the deed is done...
/* snip */
<TR>
<TD width=6><IMG height=6 src="pp.files/pixel.gif"
width=6></TD>
<TD class=ppsmalltext width="100%"> </TD>
<TD><INPUT name=submit type=submit value="Continue">
<TD width=6><IMG height=6 src="pp.files/pixel.gif"
width=6></TD></TR>
<TR>
/* snip */
- John
--
"Most people don't type their own logfiles; but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
_______________________________________________
list mailing list
list@dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
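The reduction John performs by hand above (discard everything before the "@", keep the real host, port and path) can be automated for URLs pulled out of incoming mail. The following is an added example, not code from the post or from DShield; the TRUSTED_BRANDS list and the second, legitimate-looking sample URL are constructed for illustration, while the first sample is the URL quoted in the thread.

```python
"""Expose the real destination of a URL whose userinfo impersonates a trusted host."""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brand domains whose appearance in userinfo is a red flag.
TRUSTED_BRANDS = ("paypal.com",)
DEFAULT_PORTS = {"http": 80, "https": 443}

# Sample inputs: the first is the URL from the thread, the second is constructed
# (an '@' inside the query string, which is legitimate and must not be flagged).
SAMPLE_URLS = [
    "http://www.paypal.com.cgi-bin.webscr.cmd=_rav-form@211.59.7.86:278/index.htm",
    "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run&email=user@example.com",
]


def host_belongs_to(host: str, brand: str) -> bool:
    """True only for the brand domain itself or a subdomain of it."""
    return host == brand or host.endswith("." + brand)


def analyze_url(url: str) -> dict:
    """Return the real host/port/path plus the reasons the URL looks deceptive."""
    parts = urlsplit(url)              # netloc ends at the first '/', '?' or '#'
    host = (parts.hostname or "").lower()
    port = parts.port                  # None when no explicit port is given
    userinfo = parts.username          # text before '@' in the netloc, else None
    if parts.password is not None:
        userinfo = f"{userinfo}:{parts.password}"
    reasons = []
    if userinfo is not None:
        reasons.append("userinfo present before '@'; browsers ignore it for routing")
        for brand in TRUSTED_BRANDS:
            if brand in userinfo.lower() and not host_belongs_to(host, brand):
                reasons.append(f"userinfo names {brand} but real host is {host}")
    try:
        ipaddress.ip_address(host)     # raises ValueError for ordinary hostnames
        reasons.append("real host is a bare IP address")
    except ValueError:
        pass
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        reasons.append(f"non-standard port {port}")
    return {"host": host, "port": port, "path": parts.path,
            "userinfo": userinfo, "reasons": reasons}


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyze_url(sample)
        verdict = "SUSPICIOUS" if result["reasons"] else "ok"
        print(f"{verdict}: {sample}")
        for reason in result["reasons"]:
            print(f"    - {reason}")
```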