Paypal Scams
Get home after being gone for the week and what do I find? A couple of new Paypal scams in my inbox.

The first one came as an HTML form embedded in the email itself, with the form's action pointing at http://www.paypal-service.net/index.php, so whatever is typed into it is posted straight to the scammer's server. A “whois search”:http://www.coolwhois.com/?d=paypal-service.net reveals an Administrative contact of paypal187@hotmail.com; I guess you have to give him some credit for putting Paypal somewhere in there. The Technical contact seems like a genuine hosting business and I’ve sent them a complaint email.
The From: address is spoofed as secure@paypal.com, but the Received: header written by the receiving mail server shows where the connection really came from: Received: from bgp481345bgs.summit01.nj.comcast.net ([68.37.162.100]). That reverse DNS name appears to belong to a Comcast cable modem customer in New Jersey. Figures.

The second one took a couple of different tactics. Rather than embedding a form, it was an HTML email with a link to another site. The URL behind the link is http://www.paypal.com.cgi-bin-webscr@poypol.com/access/?B59n4uDo. Some users may glance at that quickly, see paypal.com at the beginning and think everything is OK, but everything between http:// and the @ is treated as a username, not a hostname: the browser actually connects to poypol.com and treats www.paypal.com.cgi-bin-webscr as nothing more than a login name. Not positive, but I doubt that’s where you have your money. At least their “whois record”:http://www.coolwhois.com/?d=poypol.com looks a bit more professional than the other scam.
This one spoofed support@paypal.com, with the header showing Received: from mail.paypal.com (modemcable168.11-130-66.mtl.mc.videotron.ca[66.130.11.168](untrusted sender)). As you can see, this is a slightly better spoof: the sending machine announced itself as mail.paypal.com in its HELO, which is why that name appears first, but the receiving server recorded the real reverse DNS name and IP address in parentheses and tagged the connection (untrusted sender). Once again it appears to be a cable modem user, this time on Videotron's network in Montreal (mtl.mc.videotron.ca), not a PayPal mail server.
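The two Received: lines above are worth reading mechanically, because the same three fields are what you check on every suspect mail. The following Python parser is an added example written for this page, not part of the original post: it splits a Sendmail-style "from HELO (rDNS [IP])" line into the name the sender claimed in HELO, the reverse DNS the receiver looked up, and the connecting IP, then compares them with the From: domain. The two Received lines are the ones quoted above; pairing them with secure@paypal.com and support@paypal.com, the residential-hostname keyword list, and the header layout the regex expects are this example's own assumptions.

```python
import re
from ipaddress import ip_address

# Constructed for this example: each From: domain the scam claimed, paired with
# the Received: line the post quotes for it. The pairing is our assumption.
SAMPLES = [
    ("secure@paypal.com",
     "Received: from bgp481345bgs.summit01.nj.comcast.net ([68.37.162.100])"),
    ("support@paypal.com",
     "Received: from mail.paypal.com (modemcable168.11-130-66.mtl.mc.videotron.ca"
     "[66.130.11.168](untrusted sender))"),
]

# Hostname fragments that usually mean a consumer cable/DSL line rather than a
# mail server. A constructed heuristic, not an authoritative list.
RESIDENTIAL_HINTS = ("comcast", "modemcable", "videotron", "cable", "dsl", "dyn", "pool")

# Sendmail-style "from HELO (rDNS [IP])"; the rDNS part is optional because the
# first header above carries only the IP in parentheses.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"          # name the client sent in HELO/EHLO
    r"\s*\(?\s*(?P<rdns>[A-Za-z0-9.-]+)?"        # reverse DNS looked up by the receiver
    r"\s*\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"   # connecting IP as seen by the receiver
)


def parse_received(line: str) -> dict:
    """Split a Received: line into helo, rdns (may be None) and ip."""
    m = RECEIVED_RE.match(line)
    if not m:
        raise ValueError("unrecognised Received: line: " + line)
    fields = m.groupdict()
    fields["ip"] = str(ip_address(fields["ip"]))  # rejects octets above 255
    return fields


def _under(name: str, domain: str) -> bool:
    """True if name is domain itself or a host beneath it."""
    return name == domain or name.endswith("." + domain)


def assess(from_addr: str, received: str) -> dict:
    """Compare what the sender claimed with what the receiving server recorded.

    Only the rDNS and the IP are written by the receiver; the HELO name and the
    From: address are both chosen by whoever sent the mail.
    """
    hop = parse_received(received)
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    helo = hop["helo"].lower().rstrip(".")
    rdns = (hop["rdns"] or "").lower().rstrip(".")

    helo_claims_sender = _under(helo, from_domain)
    rdns_matches_sender = _under(rdns, from_domain) if rdns else False
    residential = any(h in rdns or h in helo for h in RESIDENTIAL_HINTS)

    return {
        "from_domain": from_domain,
        "helo": helo,
        "rdns": rdns or None,
        "ip": hop["ip"],
        "helo_forged": helo_claims_sender and not rdns_matches_sender,
        "residential_origin": residential,
        "last_hop_matches_from": rdns_matches_sender,
    }


if __name__ == "__main__":
    for from_addr, line in SAMPLES:
        print(assess(from_addr, line))
```

For the second scam this reports helo_forged, because mail.paypal.com was claimed but the receiver saw a videotron.ca host; for the first it reports only a residential origin, since that sender did not bother forging HELO at all. Only the topmost Received: line is trustworthy in this way; any Received: lines below it could have been written by the sender.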
Both scams rely on screens that look authentic and could easily fool less sophisticated users into revealing their paypal account names and passwords.
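The links in the two scams use different tricks to get paypal.com in front of the user's eyes: a look-alike registrable domain (paypal-service.net), and the user@host trick (poypol.com). The .tk links a reader asks about in the comments below use a third, where paypal.com is merely a subdomain of somebody else's domain. The following Python is an added example, not code from the original post: it recovers the host a browser will really connect to and reports which of the three tricks a URL uses. The brand name, the paypal.com allowlist, the naive two-label notion of a registrable domain (no public-suffix list offline) and the genuine https://www.paypal.com/cgi-bin/webscr entry used for contrast are this example's own assumptions; the other sample URLs are the ones quoted on this page.

```python
from urllib.parse import urlsplit

BRAND = "paypal"                # brand being impersonated (assumption for this example)
LEGIT_DOMAINS = {"paypal.com"}  # constructed allowlist; in practice load from config

# Constructed list: the links quoted in the post, the .tk links from the
# reader comment, and one genuine PayPal URL for contrast.
SAMPLE_URLS = [
    "http://www.paypal-service.net/index.php",
    "http://www.paypal.com.cgi-bin-webscr@poypol.com/access/?B59n4uDo",
    "http://www.paypal.com.wscm.tk/us/webscr/Loginx.php",
    "http://www.paypal.com.cgi-bin.wsst.tk/us/webscr/Loginx.php",
    "https://www.paypal.com/cgi-bin/webscr",
]


def real_host(url: str) -> str:
    """Host the browser will actually connect to.

    urlsplit() treats everything before the last '@' of the authority as
    userinfo, so 'www.paypal.com.cgi-bin-webscr@poypol.com' yields poypol.com.
    """
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host.

    Assumption: no public-suffix list is available offline, so two-level
    suffixes such as co.uk are not handled.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str) -> dict:
    """Report which brand-impersonation tricks a URL uses, if any."""
    parts = urlsplit(url)
    host = real_host(url)
    domain = registrable_domain(host)
    reasons = []

    if domain not in LEGIT_DOMAINS:
        # Trick 1 (second scam): brand name parked in the userinfo before '@'.
        if parts.username and BRAND in parts.username.lower():
            reasons.append("brand in userinfo before '@'; real host is " + host)

        # Trick 2 (the .tk links): brand name is only a subdomain of another domain.
        subdomain = host[: -len(domain)].rstrip(".") if domain else ""
        if BRAND in subdomain:
            reasons.append("brand appears only as a subdomain of " + domain)

        # Trick 3 (first scam): brand name baked into a look-alike registrable domain.
        if BRAND in domain:
            reasons.append("look-alike registrable domain " + domain)

    return {"url": url, "host": host, "domain": domain,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify(u)
        print(("SUSPECT " if r["suspicious"] else "ok      ") + r["host"], r["reasons"])
```

The point of real_host() is that the check is done on what the URL parser returns, never on a substring search of the raw link text; a substring search is exactly what the paypal.com.cgi-bin-webscr@ prefix is designed to fool.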
Be careful out there.
John,
I’m a producer with WCBS-TV in NY working on a story about PayPal. I’m trying to find some people in the NYC area who have had problems with the service… any suggestions? Thank you, Mary
Notification of Limited Account Access - Security Measures?
Can anyone explain e-mails with the subject of:
“Notification of Limited Account Access - Security Measures”
and links going to:
http://www.paypal.com.wscm.tk/us/webscr/Loginx.php
http://www.paypal.com.cgi-bin.wsst.tk/us/webscr/Loginx.php
Is this what this blog is talking about in regards to spoof e-mails?
Name: http://www.paypal.com.wscm.tk
Address: 216.81.70.151
OrgName: Vortech Inc.
OrgID: VTC1
Address: 106 S. Semoran Blvd.
City: Orlando
StateProv: FL
PostalCode: 32807
Country: US
NetRange: 216.81.64.0 - 216.81.79.255
CIDR: 216.81.64.0/20
NetName: VORTECH-BLK-2
NetHandle: NET-216-81-64-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: DNS.ANONYMOUS-SERVERS.COM
NameServer: DNS2.ANONYMOUS-SERVERS.COM