RE-2: [Dshield] Paypal fraud revisited: bit more info

John Sage jsage at
Tue Oct 28 19:31:08 GMT 2003

On Wed, Oct 29, 2003 at 04:18:44AM +1300, AAA wrote:
> Here is the original email I received.
> Now, I use a commercial email firewall (MXtreme), encrypted, and
> (should) accept text only......not html..
> The incoming email text from the fraudulent Paypal site looks like a
> normal email, but is actually an http ref (see email)
> The rubbish text thereunder does not show up in html, but becomes only
> visible when responding or forwarding (MXtreme only does that in text
> only mode), so probably incoming email rubbish text has font colour set
> same as background.
> Just checking a bit further:
> .htm

Realize that everything *before* the ampersand (@) in this url is
utterly irrelevant:

Thus this reduces to:

[jsage at sparky /storage/virii] $ lynx -head -dump

HTTP/1.1 200
Content-Length: 27777
Last-modified: Wed, 22 Oct 2003 00:31:50 GMT
Content-Type: text/html
Connection: Keep-Alive

So there's something there... let's see what:

[jsage at sparky /storage/virii] $ lynx -source |less

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>PayPal - Random Account Verification</TITLE>
<META content="text/html; charset=windows-1251" http-equiv=Content-Type>
<LINK href="/images/pp_favicon.ico" rel="shortcut icon">
<META content="MSHTML 5.00.2614.3500" name=GENERATOR>
/* snip */
<BODY bgColor=#ffffff>

<FORM action="verify.php" method=post >

<TABLE align=center border=0 cellPadding=0 cellSpacing=0 width=600>
<TD noWrap><A href=""><IMG
border=0 src="pp.files/paypal_logo.gif"></A></TD>
<TD align=middle class=pptext width="100%">&nbsp;</TD>
<TD align=right class=pptext noWrap><A
/* snip */
All the above is bogus..
..and here's where the mischief begins:
/* snip */
<TABLE align=center border=0 cellPadding=0 cellSpacing=0 width=600>
<TD class=ppheading width="100%">Random Account Verification</TD>
<TD class=ppsmalltext noWrap>Secure Verification&nbsp;</TD>
/* snip */
<TD width=7><IMG height=6 src="PayPal - Log In.files/pixel.gif"
<TD align=left class=pptext width="588"><p><SPAN class=pptext>Your credit/debit
card information along with your personal information will be verified
instantly. </SPAN></p>
/* snip */
<TD align=right class=pplabel><LABEL for=login_email>Card type
<TD><BR class=field_spacer></TD>
<TD class=ppsmalltext><SELECT name=cc_type>
<option value=Visa>Visa</option>
<option value=MasterCard>MasterCard</option>
<option value=Amex>American Express</option>
<option value=Discover>Discover</option>
<input type="radio" name=cc_type1 value="credit">
<input type="radio" name=cc_type1 value="debit"></TD>
<TD align=right class=pplabel><LABEL for=login_email>Issue Bank Name
/* snip */
Here's where the deed is done...
/* snip */
<TD width=6><IMG height=6 src="pp.files/pixel.gif"
<TD class=ppsmalltext width="100%">&nbsp;</TD>

<TD><INPUT name=submit type=submit value="Continue">

<TD width=6><IMG height=6 src="pp.files/pixel.gif"
/* snip */

- John
"Most people don't type their own logfiles; but, what do I care?"
John Sage: InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
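The point John makes about the "@" trick (the browser only cares about what follows the last "@" in the authority part, so everything before it is decoration) can be checked mechanically. The following is an added example, not code from John's post or from the phishing page: it uses Python's urllib.parse to split a constructed lookalike URL (host 192.0.2.10 is a documentation address, and the userinfo text is invented) into the decoy text and the host really contacted, flags URLs whose userinfo is shaped like a hostname, and resolves the `<FORM action="verify.php" ...>` line quoted above so you can see which server receives the card data. The second sample shows the caveat that a "/" ends the authority, so "www.paypal.com/x@evil" is not the same trick.

```python
#!/usr/bin/env python3
"""Dissect a userinfo@host phishing URL and find where its form posts.

Added example, not code from the original post.  SAMPLE_URL, NOT_SPOOFED
and the documentation address 192.0.2.10 are constructed; FORM_SNIPPET is
the <FORM> line quoted from the fake PayPal page.
"""
import re
from urllib.parse import unquote, urljoin, urlsplit

# Constructed: what the victim is meant to read as a paypal.com link.
# Per RFC 3986 the authority runs from "//" to the next "/", and anything
# before the last "@" inside it is userinfo, so the browser contacts
# 192.0.2.10 and "www.paypal.com:cmd=_login-run" is sent as a login name.
SAMPLE_URL = "http://www.paypal.com:cmd=_login-run@192.0.2.10/pp/index.htm"

# Constructed counter-example: the "/" after the host closes the authority,
# so here the "@" is just a character in the path and the host IS paypal.com.
NOT_SPOOFED = "http://www.paypal.com/x@192.0.2.10/"

# Quoted from the phishing page's source: the form the card data goes to.
FORM_SNIPPET = '<FORM action="verify.php" method=post >'


def dissect(url):
    """Return (decoy, real_host, path).

    decoy     - text before the last '@' in the authority (userinfo), i.e.
                what the victim is meant to read as the site; '' if none
    real_host - the host the browser actually connects to
    path      - the request path
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    decoy = unquote(netloc.rpartition("@")[0]) if "@" in netloc else ""
    return decoy, parts.hostname, parts.path


def looks_spoofed(url):
    """True when the userinfo's 'user' half is shaped like a dotted hostname,
    the tell-tale of this trick (legitimate userinfo is rarely a domain)."""
    decoy, _, _ = dissect(url)
    user = decoy.split(":", 1)[0]          # userinfo may be user:password
    return bool(re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", user))


def form_targets(html, base_url):
    """Resolve every <FORM action=...> in html against base_url and return
    the absolute URLs the submitted fields are posted to."""
    pattern = re.compile(r'<form[^>]*\baction\s*=\s*["\']?([^"\'\s>]+)', re.I)
    return [urljoin(base_url, m.group(1)) for m in pattern.finditer(html)]


if __name__ == "__main__":
    for url in (SAMPLE_URL, NOT_SPOOFED):
        decoy, host, path = dissect(url)
        print(f"{url}\n  decoy text : {decoy!r}\n  real host  : {host}"
              f"\n  path       : {path}\n  spoofed?   : {looks_spoofed(url)}")
    for target in form_targets(FORM_SNIPPET, SAMPLE_URL):
        _, host, path = dissect(target)
        print(f"form posts to host {host}, path {path}")
```

Run it as-is to see the split; point `dissect()` at a suspect URL from a real mail before clicking, and feed the page source you pulled with `lynx -source` to `form_targets()` to learn where the "Continue" button really submits.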