Full Disclosure mailing list archives

RE: [Full-Disclosure] [Full-disclosure]: Attempt to steal paypal password


From: "Nick Jacobsen" <nick () ethicsdesign com>
Date: Tue, 11 Nov 2003 04:59:55 -0800

I see this crap posted to the list all the time, and I have to ask,
what does this have to do with computer security?  If someone falls for
one of these scams, it is pure user error.  There are a few exceptions
to this rule, such as if the email uses an exploit of some sort to
change your hosts file, but this is very much not in that category.
These are so common that I am surprised you even noticed getting the damn
thing.
 
Nick Jacobsen
Ethics Design
nick () ethicsdesign com
 

        -----Original Message----- 
        From: Michael Linke 
        Sent: Tue 11/11/2003 1:04 AM 
        To: full-disclosure () lists netsys com 
        Cc: 
        Subject: [Full-Disclosure] [Full-Disclosure]: Attempt to steal paypal password
        
        

        There seems to be a new faked Email on the way since this morning, with the
        subject "PayPal User Agreement 9".
        The Email is in HTML form and contains a hyperlink named
        
        https://www.paypal.com/cgi-bin/webscr?cmd=login-run
        But under this hyperlink is not paypal, it is:
        
        http://www.paypal.com@64.191.16.16/.
        
        
        So someone is going to collect paypal passwords. Using this password an
        attacker can send money from there. The whole action seems to be a spamming
        attempt sent to random email addresses, because the receiver Email Address
        Michael () smiley-power de is not registered at paypal.
        
        
        According to the ARIN Whois IP search, 64.191.16.16 belongs to:
        
        
        OrgName:    Network Operations Center Inc.
        OrgID:      NOC
        Address:    PO Box 591
        City:       Scranton
        StateProv:  PA
        PostalCode: 18501-0591
        Country:    US
        
        The Email comes from 68.77.201.24.
        (X-RBL-Warning: (dialup.bl.kundenserver.de) this mail has been received from
        a dialup host.)
        
        
        Email Header below. The Email Msg is attached to this email.
        
        ---------------------------------------------
        Return-path: <support () paypal com>
        Envelope-to: michael () smiley-power de
        Delivery-date: Tue, 11 Nov 2003 02:46:25 +0100
        Received: from [68.77.201.24] (helo=adsl-68-77-201-24.dsl.milwwi.ameritech.net)
                by mxng14.kundenserver.de with smtp (Exim 3.35 #1)
                id 1AJNbg-0005Xc-00
                for michael () smiley-power de; Tue, 11 Nov 2003 02:46:17 +0100
        Received: from paypal.com (smtp2.sc5.paypal.com [64.4.244.75])
                by adsl-68-77-201-24.dsl.milwwi.ameritech.net (Postfix) with ESMTP
                id D7A073BEBC
                for <michael () smiley-power de>; Mon, 10 Nov 2003 19:46:12 -0600
        From: Support <support () paypal com>
        To: Michael <michael () smiley-power de>
        Subject: PayPal User Agreement 9
        Date: Mon, 10 Nov 2003 19:46:12 -0600
        Message-ID: <110001c3a7f5$1fe9490f$e212810a () paypal com>
        MIME-Version: 1.0
        Content-Type: text/html
        Content-Transfer-Encoding: quoted-printable
        X-Priority: 1 (Highest)
        X-MSMail-Priority: High
        X-Mailer: Microsoft Outlook, Build 10.0.2616
        Importance: High
        X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
        X-RBL-Warning: (dialup.bl.kundenserver.de) This mail has been received from
                a dialup host.
        -------------------------------------------------------
        
