Paypal Scams

by john on June 12, 2003

Get home after being gone for the week and what do I find? A couple of new Paypal scams in my inbox.

[image: paypal1.jpg]

This first one came as an HTML form, with the form processed by http://www.paypal-service.net/index.php. A whois search reveals an Administrative contact of paypal187@hotmail.com; I guess you have to give him some credit for putting Paypal somewhere in there. The Technical contact seems like a genuine hosting business, and I’ve sent them a complaint email.

The From address spoofs secure@paypal.com, but the email header shows the message actually arriving via Received: from bgp481345bgs.summit01.nj.comcast.net ([68.37.162.100]), which appears to be a cable modem user in New Jersey. Figures.

[image: paypal2.jpg]

The second one took a couple of different tactics. Rather than being a form, it was an HTML email with a link to another site. The URL for the link is http://www.paypal.com.cgi-bin-webscr@poypol.com/access/?B59n4uDo. Some users may glance at that quickly, see the paypal.com at the beginning and think everything is OK, but a closer look shows that everything before the @ is just a username and you are actually being sent to poypol.com. Not positive, but I doubt that’s where you have your money. At least their whois record looks a bit more professional than the other scam.
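To show how a link checker would see through the @ trick above, here is an added example (my code, not anything from the original post). It also flags the other pattern on this page, where the brand name appears as leading labels of a host that is really owned by someone else; the brand keyword, the list of legitimate domains and the two-label owner heuristic are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the brand keyword we care about and the
# domains that legitimately belong to it.
BRAND_KEYWORD = "paypal"
LEGIT_DOMAINS = {"paypal.com"}


def registrable_domain(host: str) -> str:
    """Heuristic owner of a host: its last two labels (e.g. poypol.com).
    Fine for the .com/.net/.tk hosts on this page; a production filter
    would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str) -> dict:
    """Report where a link really goes and why it looks deceptive."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    owner = registrable_domain(real_host)
    reasons = []

    # Trick 1: http://www.paypal.com.cgi-bin-webscr@poypol.com/...
    # Everything before '@' is userinfo (a username), not the host.
    userinfo = parts.username or ""
    if BRAND_KEYWORD in userinfo.lower():
        reasons.append("brand name placed in userinfo before '@'")

    # Trick 2: www.paypal.com.wscm.tk or paypal-service.net - the brand is
    # in the host string, but the registrable domain belongs to someone else.
    if BRAND_KEYWORD in real_host and owner not in LEGIT_DOMAINS:
        reasons.append(f"host mentions {BRAND_KEYWORD} but is owned by {owner}")

    return {"real_host": real_host, "owner": owner,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links: the ones quoted on this page plus one real PayPal URL.
    for link in ("http://www.paypal.com.cgi-bin-webscr@poypol.com/access/?B59n4uDo",
                 "http://www.paypal-service.net/index.php",
                 "http://www.paypal.com.wscm.tk/us/webscr/Loginx.php",
                 "https://www.paypal.com/cgi-bin/webscr"):
        print(link, "->", analyse_link(link))
```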

This one spoofed support@paypal.com, with the header showing Received: from mail.paypal.com (modemcable168.11-130-66.mtl.mc.videotron.ca[66.130.11.168](untrusted sender)). As you can see, this is a slightly better spoof: the sending host announces itself as mail.paypal.com, but the receiving server records the real connecting address, and again it would appear to be a cable modem user, this time in California.

Both scams rely on screens that look authentic and could easily fool less sophisticated users into revealing their paypal account names and passwords.

Be careful out there.

2 comments

Mary McGeever October 22, 2003 at 10:18 am

John,
I’m a producer with WCBS-TV in NY working on a story about PayPal. I’m trying to find some people in the NYC area who have had problems with the service… any suggestions? Thank you, Mary

none July 31, 2005 at 10:57 am

Notification of Limited Account Access – Security Measures ?

Can anyone explain e-mails with the subject of:
“Notification of Limited Account Access – Security Measures ”

and links going to:

http://www.paypal.com.wscm.tk/us/webscr/Loginx.php

http://www.paypal.com.cgi-bin.wsst.tk/us/webscr/Loginx.php

Is this what this blog is talking about in regards to spoof e-mails?

Name: http://www.paypal.com.wscm.tk
Address: 216.81.70.151

OrgName: Vortech Inc.
OrgID: VTC1
Address: 106 S. Semoran Blvd.
City: Orlando
StateProv: FL
PostalCode: 32807
Country: US

NetRange: 216.81.64.0 - 216.81.79.255
CIDR: 216.81.64.0/20
NetName: VORTECH-BLK-2
NetHandle: NET-216-81-64-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: DNS.ANONYMOUS-SERVERS.COM
NameServer: DNS2.ANONYMOUS-SERVERS.COM
