Category Archives: Phishing

Phishing: PayPal Notice of Policy Updates

Be aware, we have logged a lot of phishing emails that are targeting PayPal users on these days. The phishing email message looks like almost identical to the real PayPal message, but the link present in the message redirects the user to an URL shortener service.

The malicious link present in the email is:

hxxp://lnko.in/bhqr

The user is redirected to these malicious links (in order):

hxxp://107.6.59.96/recordings/misc/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/95622de1bba96186ae6cc72e1d311c0c

The HTML page of the last malicious link is encrypted:

If the JavaScript is enabled in your browser, the HTML page loads correctly:

When the user enters the login details, the form sends the POST data to a script:

The malicious script is named:

paypal.php

The script is used to collect the login details entered by the user.

This kind of phishing attack can be easily detected because the user can quickly check the address bar of the web browser and notice that the website is not paypal.com (legit) but it is an IP address, plus there is no HTTPS secure connection, and in case the user has JavaScript disabled, the HTML page is blank.

Phishing: PayPal Account Review Department

Leave a reply

Phishing email against PayPal users:

Phishing Email

Header details:

Received: from mail14j.g14.rapidsite.net (mail14j.g14.rapidsite.net [128.121.64.175])
Received: from ca1-mx26.mlpsca01.us.mxservers.net (128.121.64.172) by mail14j.g14.rapidsite.net
Received: from unknown [128.121.143.147] (EHLO mmm1430.rapidsite.net) by ca1-mx26.mlpsca01.us.mxservers.net (mxl_mta-3.1.0-05)
Received: from unknown (HELO mikesmirnoff-%cf%ca.local) (marketing@77.50.19.97)
Subject: Account Review Department
Date: Wed, 13 Jun 2012 12:27:42 +0400
X-SOURCE-IP: [128.121.143.147]
To:undisclosed-recipients:;
Content-Disposition: attachment; filename="Account.zip"

Attached there is a ZIP file named:

File: Account.zip
Size: 6694 bytes
MD5: 6AC253515AB76EE76D1E034AEC75FCD7
SHA1: 485E0A670CFE47F247C0BF6073D089A305BB6BEB
SHA256: 6EE32A16EC8711A741B7E9E74D2289ED91F078D5A91425B7F8BAC74D74BAD9BA
SHA384: A39150F4A3ADBFF90E53D0C9A2DCF36023DB1F7DB9D84AA5B6C54433502A544658F2E323B4064B7451D73058E12D4DFB
SHA512: BFE5443A418DBDF4B051AA7FD92F299A51A8972221B73D8B708AF7174E29F9132F3D3B645E8A7F33616CAC5EE1CCF2DBDE89D7D57B29C69AE47F1B8B979BBD6B

The extracted file is a .HTML file:

File: Account Verification.html
Size: 32224 bytes
MD5: FAF8A01884CC8E3941684659E015E8EB
SHA1: 9B24726C5B982DB8FE7E88E356B6CCDF74187344
SHA256: A5094D44CA1DFCEA0ED5D17DAD9385B2FCF043AB9C52E0C6FC061E38FFEC2E2D
SHA384: 3B64DE5DCED0F7F255298C20852216F4C681E9BD2C8A9B571058528775F45DFA9D1116F3462F50B0F170DD1EA246F4D4
SHA512: 6D07323C6E4AEEEF56F75178F3EC8CDECCACBBAD16F2AC66B173CAD90E2AC6CDEC6501338563E8719398836162E208BDB129A554F10C4E6B9C9890C53F1E652E

The sensitive data filled by the user is sent to this malicious URL:

hxxp:// akamai2.spteiqnaskqliliasnqxikcmenmn .ru /~jeremy/ze.php

Whois Details:

domain:        SPTEIQNASKQLILIASNQXIKCMENMN.RU
nserver:       ns1.nameself.com.
nserver:       ns2.nameself.com.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGTIME-REG-RIPN
admin-contact: http://whois.webnames.ru
created:       2011.08.17
paid-till:     2012.08.17
free-date:     2012.09.17
source:        TCI

URLVoid report:

http://www.urlvoid.com/scan/spteiqnaskqliliasnqxikcmenmn .ru

Phishing: Attention ! Votre compte PayPal a ete limite

Leave a reply

New phishing email used to spread HTML files with fake PayPal login forms:

Phishing Email

Header details:

Received: from ns3.komvos.gr (ns3.komvos.gr [88.198.65.153])
Received: by ns3.komvos.gr (Postfix, from userid 48)
Subject: Attention ! Votre compte PayPal a été limité !
From: Service Paypal
Date: Mon,  4 Jun 2012 13:00:12 +0300 (EEST)
Content-Disposition: attachment; filename="Informations Compte Paypal .zip"

There is a ZIP file attached:

File: Informations Compte Paypal .zip
Dimensione: 5391 bytes
MD5: 2C573252C917A4E4FFC2138E48B50F2B
SHA1: 28B36A51D9215F143AC449984A27A74D520679B7
SHA256: 5E45F7E1988AE2F1B8721226D88AB7DD9EB8A395FB4C501E145554F49655C8C9
SHA384: EE4D4201B65716A986162D43F289FA695263B9BC3EB839F08F185F2B1A1DEC777C68439D91C068DAA80768712B53D80E
SHA512: BA111FCB751F40837E58F50F76314380E8D52FD97B5E98F7855D813433C8FFCDDD26AF58DEE7894F4BC4D2AF53760268FBE25C650FCDC55B0796F6D316E5147A

The extracted file is a .HTML file:

File: Informations Compte Paypal .html
Dimensione: 22525 bytes
MD5: 0500506DEDA37FBC1A7CD19C22173764
SHA1: AB7F78D2A70460418E858E4783F5D3F5376CF2E2
SHA256: F81D8AAA2996D7FB13320FD6F05C37AA1A1CD7BA7BCD29823B03731ED3A067E2
SHA384: 7EEA087DEEEE72203E81F7F606CDAD90F4F5EB1233A95DC692556AFE6AA5B94426E7B84881101F21BF84730B0E132EE3
SHA512: 0B858A75C10EBDBFC9A6D7CDE4C1AB34199B67A51999AB59E85086182C93EF66C20956BA62E68647C27B91704D5A2D4E2EA68749C77ED39DF4AB1F679245BE18

From this HTML code:

<form action="hxxp:// byrongoldworks .com /mainbody.php" method="post" name="zaz" onsubmit="return verif_formulaire()">

We can see that the sensitive data of the form is sent to:

hxxp:// byrongoldworks .com /mainbody.php

Report from URLVoid:

Phishing: Abbiamo limitato l’accesso visa/mastercard account.

Leave a reply

Another phishing email against Italian users of Mastercard / Visa:

Phishing Email

Header details:

Received: from mail.oceano.hn (mail.oceano.hn [63.161.65.43])
Received: from User ([62.215.140.237]) by oceano.hn with MailEnable ESMTP; Fri, 25 May 2012 08:04:39 -0600
Subject: Abbiamo limitato l'accesso visa/mastercard account. Si prega di attenersi alla seguente procedura per risolvere. (Case # PP-001-546-712-069 - ORM001)
Date: Fri, 25 May 2012 17:04:41 +0300
To: undisclosed-recipients:;
Content-Type: application/octet-stream; name="visaita.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="visaita.html"

There is a .HTML file attached:

File: visaita.html
Size: 25970 bytes
MD5: C6D16F0B6693AB2831E2BA70534C85BE
SHA1: AB4175E9B97A6E822E3D616BD4DDD5285AC70B39
SHA256: 7B8417D0A420DB5710B44252CF5B4813295EE1B8A51552BD6D5B847AC4AD9E85
SHA384: 4DB62497B232418E708AD8C5278BCDD48DD2E593CAAC01FC0963749EFA3B300BF116A539C222FB389020F61C2A516959
SHA512: 691B828A1FC25EE938114ECA74FFF5690AFE3F8F79AF4D13BB438C064663276CE97D5BED0BDDA3143A9D682FDF67E55C9F46CB1DAE69D5747297C9BF32B491F7

Phishing: Periodic Maintenance (PayPal)

Leave a reply

Another phishing email targets PayPal users:

Phishing Email

Email header details:

Received: from mail.artworkdigital.com.br (ns1.artworkdigital.com.br [201.86.117.58])
Received: from User (216-107-107-254.static.networktel.net [216.107.107.254]) by mail.artworkdigital.com.br (Postfix)
Subject: Periodic Maintenance
Date: Fri, 18 May 2012 06:56:14 -0500
To: undisclosed-recipients:;
Content-Disposition: attachment; filename="PayPal_ReactivationFORMay2012.html"

Attached there is a file named:

File: PayPal_ReactivationFORMay2012.html
Size: 10157 bytes
MD5: 9617FF24A5647B20883C7FDA37408156
SHA1: 02C0D8DDEE4AFCC07897A141FFFF7540083B9F44
SHA256: E257318F2B84A08B15F5A431F5A1E1FE112A7D9EF0FBFB3A69AA63784C00F73A
SHA384: B4C63890B4B001D4B02559C0A75DD0472101FAAB306595AB8ADBEBE71CF4504B9026431A98868B1200FB2A517805447E
SHA512: EC5D11EF6509333C492B54D60D6B5D4E9E1FE26A313EAB28B9ADAF3F6154EB6DAE982D00E66486B44C22E4A0CAB9158ED13B48DB70CEEC33EE4F626FE56D8246

Extracted malicious URLs:

hxxp:// adsl-068-157-210-061.sip.bna.bellsouth .net /~jim/style.css
hxxp:// adsl-068-157-210-061.sip.bna.bellsouth .net /~jim/w.php

As we can see, the malicious files are hosted in a DSL hostname:

The website adsl-068-157-210-061.sip.bna.bellsouth.net is hosted at BellSouth.net and its current IP address is 68.157.210.61 (adsl-068-157-210-061.sip.bna.bellsouth.net). The server machine is located in United States (US) and in the same server there are hosted other 0 websites. The domain is registered with the suffix NET and the keyword of the domain is bellsouth. The organization is BellSouth.net.

URLVoid scan report:

http://urlvoid.com/scan/adsl-068-157-210-061.sip.bna.bellsouth.net/

Phishing: A causa del nostro recente aggiornamento. Verified by Visa

Leave a reply

We have logged other phishing emails used to steal details of Visa users:

From - Mon Apr 23 16:04:50 2012
Received: from ser.just3d.tv (unknown [91.227.127.33])
Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000
Received: from unknown (HELO User) (admin@just3d.tv@151.58.16.184)
Reply-To: sicurela@visaltalia.it
From: "verified by visa" verified@visaitalia.com
Subject: A causa del nostro recente aggiornamento.
Date: Mon, 23 Apr 2012 15.21.34 +0200
To: undisclosed-recipients:;

Note from the email header the source of the message:

Received: from ser.just3d.tv (unknown [91.227.127.33])

It has nothing to do with Visa, and note also the emails:

Reply-To: sicurela@visaltalia.it

See the visaltalia.it is a l and not an i.

The message of the email:

Gentile Cliente, 
A causa del nostro recente aggiornamento sui nostri server 
(23/04/2012) e necessario aggiornare il tuo profilo. 
Per una maggiore sicurezza e di accesso, si prega di compilare il 
modulo allegato. 
 
Vi ringraziamo della vostra collaborazione. 
 
Copyright Visa Europe 2012. Tutti i diritti riservati

There is also an attached file named visaitalia.html:

File: visaitalia.html
Size: 20015 bytes
MD5: 2C76E9F667E78C8C32C09DBE1129969E
SHA1: 0A30FFC20AC311AF2831086D4B181E0F23483399
SHA256: 1757C6A066E61F1B3E9782570712641FC734E1C6ACCD1DA329F3B10B164136CC
SHA384: BD80E5B8A83A3C00D72B6367421AE85CC6A1FF8981F43D0D6784B52D0AAE58B22DD74293BD8735C8B0E4331C8CCCDA02
SHA512: 4B82AC139180E6B19C58A553456BBE30CE155E22A695E300115CAC5C8BDB3F84A024CCDF104E280162B0C44AF1495C850CA3565533DE62EC6F14EF7754295A30

The attached file contains the form used to send the typed details to a remote link. Listed below there are few malicious links extracted from the HTML attached file:

hxxp:// leonidasvancouver .com /admin/plm/plm.html
hxxp:// rottenfish .de /vbv/plm_files/Logo-Mastercard_Secure_Code.gif
hxxp:// rottenfish .de /vbv/plm_files/fin_VerifiedByVisa_186x79.gif
hxxp:// rottenfish .de /vbv/run.php

The malicious websites are classified as detected in URLVoid:

http://www.urlvoid.com/scan/rottenfish .de/
http://www.urlvoid.com/scan/leonidasvancouver .com/

Phishing: Votre carte bancaire est suspendue

Leave a reply

Another email containing malicious URL used for phishing attack against MasterCard and Visa users:

Return-Path: <services@security.com>
Received: from mailrtr1.deltacom.net (mailvip.deltacom.net [72.243.252.244])
Received: from User ([66.0.110.18]) by mailrtr1.deltacom.net (MOS 4.1.10-GA)
From: "visaeurope"<services@security.com>
Subject: Votre carte bancaire est suspendue
Date: Sun, 7 Aug 2011 00:12:08 -0500
To: undisclosed-recipients:;

Email message:

Bonjour clients de visa carte,
 
Votre carte bancaire est suspendue, parce que nous avons rencontre un probleme sur votre diagramme.
Nous avons determine qu'une personne doit peut-etre utiliser votre diagramme sans votre autorisation.
Pour votre protection, nous avons suspendu votre compte bancaire a travers votre carte de credit. Pour soulever cette suspension,
 
Cliquer ici
et suivre le procede indique pour mettre a jour votre compte par la carte de credit.

Malicious URL:

hxxp:// jinwonyc.startlogic. com/vbv/visaeurope.fr/europ-pay/visaeurope/securite/login.aspx/

URLVoid Analysis:

http://www.urlvoid.com/scan/jinwonyc.startlogic.com

Phishing: New Unpaid Item Message from jxavier14: #14027471062

Leave a reply

Phishing attack against eBay users:

Return-Path: <aw-confirm@mail.aby.fr>
Received: from mail.ktmtalk.com (mail.ktmtalk.com [173.74.246.25])
Received: from User [98.175.62.124] by mail.ktmtalk.com with ESMTP
Reply-To: <aw-confirm@mail.aby.fr>
From: "eBay Member jxavier14"<aw-confirm@mail.aby.fr>
Subject: New Unpaid Item Message from jxavier14: #14027471062 -- response required
Date: Sat, 6 Aug 2011 06:34:47 -0500
To: undisclosed-recipients:;

Email message:

Dear member,
 
eBay member charly1 has left you a message regarding item #14020078062
 
View the dispute thread to respond.

The malicious URL points to:

hxxp:// newcastlelimo .net/ebay-fr/eBayISAPI.dll.htm

Image of the phishing page:

Note that the connection is NOT secure and does not use SSL (HTTPS)…

URLVoid Analysis:

http://www.urlvoid.com/scan/newcastlelimo.net
This entry was posted in Phishing and tagged ebay phishing, phishing, scam, spam on August 6, 2011 by admin.

Phishing: Centre de securite PayPal

Leave a reply

Another email that is used to spread a fake PayPal message containing a malicious link used for phishing attack against PayPal users:

Return-Path: <services@security.com>
Received: from mailrtr4.deltacom.net (mailvip.deltacom.net [72.243.252.244])
Received: from User ([66.0.110.18]) by mailrtr4.deltacom.net (MOS 4.1.10-GA)
From: "PayPal"<services@security.com>
Subject: Centre de securite PayPal
Date: Sat, 6 Aug 2011 00:11:18 -0500
To: undisclosed-recipients:;

Malicious URL:

hxxp://www. mulforddance. com/login/paypal.fr/online-security/submit-loging/paypal.fr/frfr/

URLVoid Analysis:

http://www.urlvoid.com/scan/mulforddance.com

Phishing: Your Paypal Account Will Be Limited

Leave a reply

New phishing email related to PayPal accounts:

Return-Path: <servviice@paybal.com>
Received: from WIN-ATAF5I4OOP1 (unknown [96.44.188.43])
Received: from User ([127.0.0.1]) by WIN-ATAF5I4OOP1
From: "Paypal"<servviice@paybal.com>
Subject: Your Paypal Account Will Be Limited
Date: Tue, 17 May 2011 18:38:40 -0700
To: undisclosed-recipients:;

Message:

Note that the email come from:

From: "Paypal"<servviice@paybal.com>

The domain paybal.com is parked!

Malicious URL that redirects to the phishing PayPal login page:

hxxp://www.doncastersc.vic.edu .au/calendar/paypal.secure.update.service/paypal.secure.login/safe.login.process/language&id=en/80a13c0db1f1ff80d546411d7f8a8350c132bc41e0934c/us/webscr.php?cmd=_login-run&dispatch=3885d80a13c0db1f1ff80d546411d7f8a8350c132bc0

URLVoid domain analysis:

http://www.urlvoid.com/scan/paybal.com
http://www.urlvoid.com/scan/doncastersc.vic.edu.au

URLVoid Blog

Latest news about Internet threats

Category Archives: Phishing

Phishing: PayPal Notice of Policy Updates

Phishing: PayPal Account Review Department

Phishing: Attention ! Votre compte PayPal a ete limite

Phishing: Abbiamo limitato l’accesso visa/mastercard account.

Phishing: Periodic Maintenance (PayPal)

Phishing: A causa del nostro recente aggiornamento. Verified by Visa

Phishing: Votre carte bancaire est suspendue

Phishing: New Unpaid Item Message from jxavier14: #14027471062

Phishing: Centre de securite PayPal

Phishing: Your Paypal Account Will Be Limited