RE-2: [Dshield] Paypal fraud revisited: bit more info

John Sage jsage at finchhaven.com
Tue Oct 28 19:31:08 GMT 2003


On Wed, Oct 29, 2003 at 04:18:44AM +1300, AAA wrote:
> Here is the original email I received.
> 
> Now, I use a commercial email firewall (MXtreme), encrypted, and
> (should) accept text only......not html..
> 
> The incoming email text from the fraudulent Paypal site looks like a
> normal email, but is actually an http ref (see email)
> 
> The rubbish text thereunder does not show up in html, but becomes only
> visible when responding or forwarding (MXtreme only does that in text
> only mode), so probably incoming email rubbish text has font colour set
> same as background.
> 
> Just checking a bit further:
> http://www.paypal.com.cgi-bin.webscr.cmd=_rav-form@211.59.7.86:278/index.htm

Realize that everything *before* the ampersand (@) in this url is
utterly irrelevant:

http://www.paypal.com.cgi-bin.webscr.cmd=_rav-for@211.59.7.86:278/index.htm

Thus this reduces to:

211.59.7.86:278/index.htm


[jsage at sparky /storage/virii] $ lynx -head -dump http://211.59.7.86:278/index.htm

HTTP/1.1 200
Content-Length: 27777
Last-modified: Wed, 22 Oct 2003 00:31:50 GMT
Content-Type: text/html
Connection: Keep-Alive


So there's something there... let's see what:

[jsage at sparky /storage/virii] $ lynx -source http://211.59.7.86:278/index.htm |less

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>PayPal - Random Account Verification</TITLE>
<META content="text/html; charset=windows-1251" http-equiv=Content-Type>
<LINK href="/images/pp_favicon.ico" rel="shortcut icon">
<META content="MSHTML 5.00.2614.3500" name=GENERATOR>
<style>
/* snip */
<BODY bgColor=#ffffff>

<FORM action="verify.php" method=post >

<TABLE align=center border=0 cellPadding=0 cellSpacing=0 width=600>
<TBODY>
<TR>
<TD noWrap><A href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><IMG
border=0 src="pp.files/paypal_logo.gif"></A></TD>
<TD align=middle class=pptext width="100%">&nbsp;</TD>
<TD align=right class=pptext noWrap><A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run"><SPAN
class=ppem106>Sign&nbsp;Up</SPAN></A>&nbsp;|&nbsp;<A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">Log&nbsp;In</A>&nbsp;|&nbsp;<A
href="https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&amp;source_page=_login-run">Help</A></TD></TR></TBODY></TABLE>
/* snip */
All the above is bogus..
..and here's where the mischief begins:
/* snip */
<TABLE align=center border=0 cellPadding=0 cellSpacing=0 width=600>
<TBODY>
<TR>
<TD class=ppheading width="100%">Random Account Verification</TD>
<TD class=ppsmalltext noWrap>Secure Verification&nbsp;</TD>
/* snip */
<TD width=7><IMG height=6 src="PayPal - Log In.files/pixel.gif"
width=6></TD>
<TD align=left class=pptext width="588"><p><SPAN class=pptext>Your credit/debit
card information along with your personal information will be verified
instantly. </SPAN></p>
/* snip */
<TD align=right class=pplabel><LABEL for=login_email>Card type
</LABEL>
:</TD>
<TD><BR class=field_spacer></TD>
<TD class=ppsmalltext><SELECT name=cc_type>
<option value=Visa>Visa</option>
<option value=MasterCard>MasterCard</option>
<option value=Amex>American Express</option>
<option value=Discover>Discover</option>
</select>
Credit
<input type="radio" name=cc_type1 value="credit">
Debit
<input type="radio" name=cc_type1 value="debit"></TD>
</TR>
<TR>
<TD align=right class=pplabel><LABEL for=login_email>Issue Bank Name
</LABEL>
:</TD>
/* snip */
Here's where the deed is done...
/* snip */
<TR>
<TD width=6><IMG height=6 src="pp.files/pixel.gif"
width=6></TD>
<TD class=ppsmalltext width="100%">&nbsp;</TD>

<TD><INPUT name=submit type=submit value="Continue">

<TD width=6><IMG height=6 src="pp.files/pixel.gif"
width=6></TD></TR>
<TR>
/* snip */



- John
-- 
"Most people don't type their own logfiles; but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
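
Added example, not part of the original message: a small Python check that applies the reduction described above to a link, reporting the host a client would actually contact and flagging a userinfo part (the text before the "@") that is dressed up as a hostname. The function name analyze_link, the HOSTLIKE heuristic and the flag names are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Heuristic (an assumption of this example): userinfo that starts like a
# dotted DNS name, e.g. "www.example.com...", is there to mislead the reader.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)

# The link quoted in the message above.
PAGE_URL = "http://www.paypal.com.cgi-bin.webscr.cmd=_rav-form@211.59.7.86:278/index.htm"


def analyze_link(url):
    """Return the host a client would really contact, plus warning flags."""
    parts = urlsplit(url)
    # Everything before the LAST '@' in the authority is userinfo, not the host.
    userinfo, at, _ = parts.netloc.rpartition("@")
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)

    flags = []
    if at:
        flags.append("userinfo-present")
        if HOSTLIKE.match(userinfo):
            flags.append("userinfo-looks-like-hostname")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass  # a DNS name, not an address literal
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        flags.append("non-default-port")
    return {"host": host, "port": port, "userinfo": userinfo, "flags": flags}


if __name__ == "__main__":
    for link in (PAGE_URL, "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run"):
        print(link, "->", analyze_link(link))
```

A mail filter or proxy can run a check like this over every href in a message and quarantine links that raise the userinfo flags.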



