Author Topic: How to look up Paypal phish?  (Read 5392 times)

davidnix71

  • Member
  • **
  • Posts: 760
  • Kudos: 501
How to look up Paypal phish?
« on: 12 September 2006, 02:15 »
I got a phish last week, but didn't see it until today because my ISP put it in a junk mail folder.  Oddly enough, it's still up. Here's the link http://203.144.227.202/.www.paypal.com/index.htm


The body of the phish/cross-site script is:

Notification of Limited Account Access

As part of our security measures, we regularly screen activity in the PayPal system. We recently noticed the following issue on your account:

Unusual account activity has made it necessary to limit sensitive account features until additional verification information can be collected.

We have been notified that a card associated with your account has been reported as lost or stolen, or that there were additional problems with your card.

Case ID Number: PP-071-362-996

Click here to verify your account

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely,
PayPal Account Review Department.

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your preferences here.

How would I go about finding the true owner of this Apache server? If you go to http://203.144.227.202:80 you get the test page.

All the links on the page lead to the real Paypal. The following text is the page source, but I don't see anything useful.


Other than reporting this as a phish/cross-site scripting, is there any 'fun' we can have with this bottom-dwelling filter feeder?

mobrien_12

  • VIP
  • Member
  • ***
  • Posts: 2,138
  • Kudos: 711
    • http://www.geocities.com/mobrien_12
Re: How to look up Paypal phish?
« Reply #1 on: 12 September 2006, 02:42 »
http://www.phishfighting.com

Non profit site.

Quote

How many phishing  emails did you receive today?:  I receive 5-10 emails a day that are supposedly from real companies like Paypal
In brightest day, in darkest night, no evil shall escape my sight....

mobrien_12

  • VIP
  • Member
  • ***
  • Posts: 2,138
  • Kudos: 711
    • http://www.geocities.com/mobrien_12
Re: How to look up Paypal phish?
« Reply #2 on: 12 September 2006, 02:49 »
Quote

[mobrien@hariel ~]$ nslookup 203.144.227.202
Server:         68.87.85.98
Address:        68.87.85.98#53

Non-authoritative answer:
202.227.144.203.in-addr.arpa    name = 203-144-227-202.static.asianet.co.th.

Authoritative answers can be found from:



Using WHOIS at http://www.samspade.org

Quote



Server Used: [ whois.apnic.net ]

203.144.227.202 = [ 203-144-227-202.static.asianet.co.th ]
 
  inetnum:      203.144.128.0 - 203.144.255.255
  netname:      ASIAINFO-TH
  descr:        Internet Service Provider
  country:      TH
  admin-c:       WP1-AP
  tech-c:        SK1-AP
  mnt-by:        APNIC-HM
  mnt-lower:     MAINT-ASIAINFO-AP
  remarks:      Aggregated small blocks to be one /17.
  changed:      [email protected] 20000403
  changed:      [email protected] 20021216
  status:       ALLOCATED PORTABLE
  source:       APNIC
  person:       Wongchai Piyakavarnich
  nic-hdl:       WP1-AP
  e-mail:       [email protected]
  address:      14th 27 th  floor  Fortune Town
  address:      1 Ratchadaphisek Road  Din Daeng
  address:      Bangkok 10400
  phone:        662-6411800
  fax-no:       662-6421557
  country:      TH
  changed:      [email protected] 20060412
  mnt-by:        MAINT-ASIANET-AP
  source:       APNIC
  person:       Supachai Kitwongpak
  address:      17 th floor  Fortune House
  address:      1 Ratchadaphisek Road  Din Daeng
  address:      Bangkok 10320
  country:      TH
  phone:        66-2-641-1800
  fax-no:       66-2-642-1540
  e-mail:       [email protected]
  nic-hdl:       SK1-AP
  mnt-by:        MAINT-ASIAINFO-AP
  changed:      [email protected] 19990210
  source:       APNIC



This is Bangkok.  They probably don't care.
In brightest day, in darkest night, no evil shall escape my sight....
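
The lookup in Reply #2, as an added example that is not part of any poster's message: this Python sketch derives the in-addr.arpa name that nslookup queried, then reads a whois excerpt (abridged from the output quoted above, with the e-mail fields left out) to find the allocation that holds the address and the names behind its contact handles. The function names and the OBJECT_CLASSES set are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Sample abridged from the thread's whois output; objects run together without blank lines.
WHOIS_SAMPLE = """\
inetnum:      203.144.128.0 - 203.144.255.255
netname:      ASIAINFO-TH
admin-c:      WP1-AP
tech-c:       SK1-AP
person:       Wongchai Piyakavarnich
nic-hdl:      WP1-AP
person:       Supachai Kitwongpak
nic-hdl:      SK1-AP
"""
OBJECT_CLASSES = {"inetnum", "person", "role"}  # assumption: classes that start an object

def triage_url(url, brands=("paypal",)):
    """Flag a link whose host is a bare IP while a brand name sits in the path."""
    parts = urlsplit(url)
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    return {"host": parts.hostname, "ptr_name": ip.reverse_pointer if ip else None,
            "brand_in_path": [b for b in brands if b in parts.path.lower()]}

def parse_whois(text):
    """Split RPSL-style 'key: value' lines into objects, one per class attribute."""
    objects = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value or key.startswith("%"):
            continue  # skip blanks, comments and lines broken by extraction
        if key in OBJECT_CLASSES or not objects:
            objects.append({"class": key})
        objects[-1].setdefault(key, []).append(value)
    return objects

def allocation_for(ip, objects):
    """Return netname, CIDR blocks and named contacts for the range holding ip."""
    people = {o["nic-hdl"][0]: o["person"][0] for o in objects if o["class"] == "person"}
    for o in (o for o in objects if o["class"] == "inetnum"):
        first, last = (ipaddress.ip_address(p.strip()) for p in o["inetnum"][0].split("-"))
        if first <= ipaddress.ip_address(ip) <= last:
            cidrs = [str(n) for n in ipaddress.summarize_address_range(first, last)]
            contacts = {r: people.get(o[r][0]) for r in ("admin-c", "tech-c") if r in o}
            return {"netname": o["netname"][0], "cidrs": cidrs, "contacts": contacts}
    return None
```

The computed CIDR matches the "one /17" remark in the whois record, and the contacts returned are the network operator's, not necessarily whoever put the page on the server.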

worker201

  • Global Moderator
  • Member
  • ***
  • Posts: 2,810
  • Kudos: 703
    • http://www.triple-bypass.net
Re: How to look up Paypal phish?
« Reply #3 on: 12 September 2006, 02:59 »
Considering the sorts of exotic things (people) you can reportedly buy in Bangkok, it isn't surprising that you can also buy phish/spam service.

piratePenguin

  • VIP
  • Member
  • ***
  • Posts: 3,027
  • Kudos: 775
    • http://piratepenguin.is-a-geek.com/~declan/
Re: How to look up Paypal phish?
« Reply #4 on: 12 September 2006, 03:08 »
It took a whole 3 clicks to report it.

<3 Firefox 2 :)

I hope it's not long before Google check it.
"What you share with the world is what it keeps of you."
 - Noah And The Whale: Give a little love



a poem by my computer, Macintosh Vigilante
Macintosh amends a damned around the requested typewriter. Macintosh urges a scarce design. Macintosh postulates an autobiography. Macintosh tolls the solo variant. Why does a winter audience delay macintosh? The maker tosses macintosh. Beneath female suffers a double scum. How will a rat cube the heavier cricket? Macintosh calls a method. Can macintosh nest opposite the headache? Macintosh ties the wrong fairy. When can macintosh stem the land gang? Female aborts underneath macintosh. Inside macintosh waffles female. Next to macintosh worries a well.

pofnlice

  • Member
  • **
  • Posts: 999
  • Kudos: 650
Re: How to look up Paypal phish?
« Reply #5 on: 12 September 2006, 08:38 »
I got something similar once. I used http://www.whois.net/. After I found out where it came from, somewhere in California, I emailed the host with a complaint, the who is register and a copy of the email. I never heard anything back. But I never got that email again.

Now I get these stupid Your bank account has unusual activity on it, please click here and log in....but I don't have an account with that bank...Bastards....I hope a masked gunman breaks into their shelters and shoots them in the fingers and the cock!
Quote from: "Orethrius"
After all, running Windows without a decent anti-virus is like walking through a Red Light District after eating five metric tonnes of Viagra.

obob

  • Member
  • **
  • Posts: 86
  • Kudos: 122
Re: How to look up Paypal phish?
« Reply #6 on: 14 September 2006, 04:00 »
LOL!!!

i vote that bush sends the army against phishers as part of the war on terror, I can see approval ratings with 9's in them (either that, or the end of spam, either way, somebody still wins (And it isn't the phishers))

Calum

  • Global Moderator
  • Member
  • ***
  • Posts: 7,812
  • Kudos: 1000
    • Calum Carlyle's music
Re: How to look up Paypal phish?
« Reply #7 on: 14 September 2006, 20:24 »
that would be roughly as intelligent as most of bush's other actions as commander in chief of the US army. i think they should take that office away from the us president and make a law saying only people not born in the US can hold that position.
visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism

worker201

  • Global Moderator
  • Member
  • ***
  • Posts: 2,810
  • Kudos: 703
    • http://www.triple-bypass.net
Re: How to look up Paypal phish?
« Reply #8 on: 14 September 2006, 21:25 »
Quote from: Calum
that would be roughly as intelligent as most of bush's other actions as commander in chief of the US army. i think they should take that office away from the us president and make a law saying only people not born in the US can hold that position.

This just might be the most irrational and poorly considered thing you have ever said.  Whatever your intentions are, there must be some reasonable way to accomplish them.  Transferring figurehead leadership from one dickhead to another won't really solve anything.