Stop Microsoft

Miscellaneous => Technical Support => Topic started by: davidnix71 on 12 September 2006, 02:15

Title: How to look up Paypal phish?
Post by: davidnix71 on 12 September 2006, 02:15
I got a phish last week, but didn't see it until today because my ISP put it in a junk mail folder. Oddly enough, it's still up. Here's the link: http://203.144.227.202/.www.paypal.com/index.htm


The body of the phish/cross-site script is:

Notification of Limited Account Access

As part of our security measures, we regularly screen activity in the PayPal system. We recently noticed the following issue on your account:

Unusual account activity has made it necessary to limit sensitive account features until additional verification information can be collected.

We have been notified that a card associated with your account has been reported as lost or stolen, or that there were additional problems with your card.

Case ID Number: PP-071-362-996

Click here to verify your account (http://203.144.227.202/.www.paypal.com/index.htm)

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely,
PayPal Account Review Department.

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in (http://203.144.227.202/.www.paypal.com/index.htm) to your PayPal account and choose the "Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your preferences here (http://203.144.227.202/.www.paypal.com/index.htm).
(http://images.paypal.com/en_US/i/scr/pixel.gif)

How would I go about finding the true owner of this Apache server? If you go to http://203.144.227.202:80 you get the test page.

All the links on the page lead to the real Paypal. The following text is the page source, but I don't see anything useful.






PayPal - Welcome

"Welcome" "Send" "Request" "Merchant" "Auction

Member Log-In
Forgot your email address?
Forgot your password?

Email Address
Password

Join PayPal Today

Now Over
100 million accounts

Learn more about
PayPal Worldwide

Send money to anyone with an email address in 55 countries.
PayPal is free to use.
Your information is kept secure.
Learn about sending payments through PayPal.
Free eBay tools make selling easier.
PayPal works hard to help protect sellers.
PayPal simplifies shipping and tracking.
Earn cashback with PayPal Preferred Rewards.
Accept credit cards on your website using PayPal.
Compare our solutions to merchant accounts and gateways
Low fees make PayPal the affordable choice.
Learn why PayPal is good for business.

"Truste" "Better

Other than reporting this as a phish/cross-site scripting, is there any 'fun' we can have with this bottom-dwelling filter feeder?
Title: Re: How to look up Paypal phish?
Post by: mobrien_12 on 12 September 2006, 02:42
http://www.phishfighting.com

Non profit site.

Quote

How many phishing  emails did you receive today?:  I receive 5-10 emails a day that are supposedly from real companies like Paypal
Title: Re: How to look up Paypal phish?
Post by: mobrien_12 on 12 September 2006, 02:49
Quote

[mobrien@hariel ~]$ nslookup 203.144.227.202
Server:         68.87.85.98
Address:        68.87.85.98#53

Non-authoritative answer:
202.227.144.203.in-addr.arpa    name = 203-144-227-202.static.asianet.co.th.

Authoritative answers can be found from:



Using WHOIS at http://www.samspade.org

Quote


Server Used: [ whois.apnic.net ]

203.144.227.202 = [ 203-144-227-202.static.asianet.co.th ]
 
  inetnum:      203.144.128.0 - 203.144.255.255
  netname:      ASIAINFO-TH
  descr:        Internet Service Provider
  country:      TH
  admin-c:      WP1-AP
  tech-c:       SK1-AP
  mnt-by:       APNIC-HM
  mnt-lower:    MAINT-ASIAINFO-AP
  remarks:      Aggregated small blocks to be one /17.
  changed:      [email protected] 20000403
  changed:      [email protected] 20021216
  status:       ALLOCATED PORTABLE
  source:       APNIC

  person:       Wongchai Piyakavarnich
  nic-hdl:      WP1-AP
  e-mail:       [email protected]
  address:      14th 27 th  floor  Fortune Town
  address:      1 Ratchadaphisek Road  Din Daeng
  address:      Bangkok 10400
  phone:        662-6411800
  fax-no:       662-6421557
  country:      TH
  changed:      [email protected] 20060412
  mnt-by:       MAINT-ASIANET-AP
  source:       APNIC

  person:       Supachai Kitwongpak
  address:      17 th floor  Fortune House
  address:      1 Ratchadaphisek Road  Din Daeng
  address:      Bangkok 10320
  country:      TH
  phone:        66-2-641-1800
  fax-no:       66-2-642-1540
  e-mail:       [email protected]
  nic-hdl:      SK1-AP
  mnt-by:       MAINT-ASIAINFO-AP
  changed:      [email protected] 19990210
  source:       APNIC



This is Bangkok.  They probably don't care.
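
An added example, not part of any post in this thread: the lookup steps above done offline in Python on the link and three lines of the APNIC record quoted here. It flags a link whose host is a bare IP with the brand name only in the path, builds the reverse-DNS query name that nslookup shows, and checks that the IP falls inside the record's inetnum range. The function names (`parse_whois`, `inetnum_to_networks`, `triage_link`) are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Values copied from the thread: the reported link and three lines of the APNIC record.
PHISH_URL = "http://203.144.227.202/.www.paypal.com/index.htm"
WHOIS_EXCERPT = """\
inetnum:      203.144.128.0 - 203.144.255.255
netname:      ASIAINFO-TH
country:      TH
"""

def parse_whois(text):
    """Collect 'key: value' lines from an RPSL-style WHOIS object (first value wins)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            record.setdefault(key.strip(), value.strip())
    return record

def inetnum_to_networks(inetnum):
    """Turn 'first - last' into the CIDR block(s) covering that range."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def triage_link(url, brand, whois_text):
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not an IP literal
    record = parse_whois(whois_text)
    nets = inetnum_to_networks(record["inetnum"]) if "inetnum" in record else []
    return {
        "host": host,
        "host_is_ip_literal": ip is not None,
        # The brand appears in the path, but the browser connects to the host.
        "brand_only_in_path": brand in parts.path.lower() and brand not in host.lower(),
        "ptr_query": ip.reverse_pointer if ip else None,
        "covering_block": next((str(n) for n in nets if ip and ip in n), None),
        "netname": record.get("netname"),
        "country": record.get("country"),
    }

if __name__ == "__main__":
    for key, value in triage_link(PHISH_URL, "paypal.com", WHOIS_EXCERPT).items():
        print(f"{key}: {value}")
```

The `netname` and `country` fields identify the network operator to send an abuse report to; the WHOIS record names the ISP that holds the address block, not necessarily whoever controls the server.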
Title: Re: How to look up Paypal phish?
Post by: worker201 on 12 September 2006, 02:59
Considering the sorts of exotic things(people) you can reportedly buy in Bangkok, it isn't surprising that you can also buy phish/spam service.
Title: Re: How to look up Paypal phish?
Post by: piratePenguin on 12 September 2006, 03:08
It took a whole 3 clicks to report it.

<3 Firefox 2 :)

I hope it's not long before Google check it.
Title: Re: How to look up Paypal phish?
Post by: pofnlice on 12 September 2006, 08:38
I got something similar once. I used http://www.whois.net/. After I found out where it came from, somewhere in California, I emailed the host with a complaint, the who is register and a copy of the email. I never heard anything back. But I never got that email again.

Now I get these stupid Your bank account has unusual activity on it, please click here and log in....but I don't have an account with that bank...Bastards....I hope a masked gunman breaks into their shelters and shoots them in the fingers and the cock!
Title: Re: How to look up Paypal phish?
Post by: obob on 14 September 2006, 04:00
LOL!!!

i vote that bush sends the army against phishers as part of the war on terror, I can see approval ratings with 9's in them (either that, or the end of spam, either way, somebody still wins (And it isn't the phishers))
Title: Re: How to look up Paypal phish?
Post by: Calum on 14 September 2006, 20:24
that would be roughly as intelligent as most of bush's other actions as commander in chief of the US army. i think they should take that office away from the us president and make a law saying only people not born in the US can hold that position.
Title: Re: How to look up Paypal phish?
Post by: worker201 on 14 September 2006, 21:25
Quote from: Calum
that would be roughly as intelligent as most of bush's other actions as commander in chief of the US army. i think they should take that office away from the us president and make a law saying only people not born in the US can hold that position.

This just might be the most irrational and poorly considered thing you have ever said.  Whatever your intentions are, there must be some reasonable way to accomplish them.  Transferring figurehead leadership from one dickhead to another won't really solve anything.