Re: [Full-Disclosure] [Full-Disclosure]: Attempt to steal paypal password
From: Lan Guy (rlanguy_at_hotmail.com)
Date: 11/11/03
- Previous message: Feher Tamas: "[Full-Disclosure] Re: IE obvject vuln"
- In reply to: Michael Linke: "[Full-Disclosure] [Full-Disclosure]: Attempt to steal paypal password"
- Next in thread: Nick Jacobsen: "RE: [Full-Disclosure] [Full-Disclosure]: Attempt to steal paypal password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Michael Linke" <ml@intract.org>, <full-disclosure@lists.netsys.com> Date: Tue, 11 Nov 2003 12:17:48 +0200
At least the page has been taken offline already:
I got
http://ubrick1.hostnoc.net/suspended.page/
Not Found
The requested URL /suspended.page/ was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
--------------------------------------------------------------------------------
Apache/1.3.28 Server at ubrick1.hostnoc.net Port 80
----- Original Message -----
From: Michael Linke
To: full-disclosure@lists.netsys.com
Sent: Tuesday, November 11, 2003 11:04 AM
Subject: [Full-Disclosure] [Full-Disclosure]: Attempt to steal paypal password
There seams to be a new faked Email on the way since today morning, with the
subject "PayPal User Agreement 9".
The Email is in html form and content a Hyperlink named
https://www.paypal.com/cgi-bin/webscr?cmd=login-run
But under this hyperlink is not paypal, it is:
http://www.paypal.com@64.191.16.16/.
So someone is going to collect paypal passwords. Using this password an
attacker can send money from there. The whole action seams to be a spamming
attempt sent to random email addresses, because the receiver Email Address
Michael@smiley-power.de is not registered at paypal.
According ARIN Whois the IP Search 64.191.16.16 belongs to:
OrgName: Network Operations Center Inc.
OrgID: NOC
Address: PO Box 591
City: Scranton
StateProv: PA
PostalCode: 18501-0591
Country: US
The Email comes from 68.77.201.24.
(X-RBL-Warning: (dialup.bl.kundenserver.de) this mail has been received from
a dialup host.)
Email Header below. The Email Msg is attached to this email.
---------------------------------------------
Return-path: <support@paypal.com>
Envelope-to: michael@smiley-power.de
Delivery-date: Tue, 11 Nov 2003 02:46:25 +0100
Received: from [68.77.201.24]
(helo=adsl-68-77-201-24.dsl.milwwi.ameritech.net)
by mxng14.kundenserver.de with smtp (Exim 3.35 #1)
id 1AJNbg-0005Xc-00
for michael@smiley-power.de; Tue, 11 Nov 2003 02:46:17 +0100
Received: from paypal.com (smtp2.sc5.paypal.com [64.4.244.75])
by adsl-68-77-201-24.dsl.milwwi.ameritech.net (Postfix) with ESMTP
id D7A073BEBC
for <michael@smiley-power.de>; Mon, 10 Nov 2003 19:46:12 -0600
From: Support <support@paypal.com>
To: Michael <michael@smiley-power.de>
Subject: PayPal User Agreement 9
Date: Mon, 10 Nov 2003 19:46:12 -0600
Message-ID: <110001c3a7f5$1fe9490f$e212810a@paypal.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: High
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-RBL-Warning: (dialup.bl.kundenserver.de) This mail has been received from
a dialup host.
-------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Feher Tamas: "[Full-Disclosure] Re: IE obvject vuln"
- In reply to: Michael Linke: "[Full-Disclosure] [Full-Disclosure]: Attempt to steal paypal password"
- Next in thread: Nick Jacobsen: "RE: [Full-Disclosure] [Full-Disclosure]: Attempt to steal paypal password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
