Discussion:
Paypal Phishing Again
Nick FitzGerald
2005-05-05 08:14:03 UTC
Wasn't sure if anybody spotted this one, ...
Well, given that it's three weeks old AND that the login form this scam
points to is at a now-closed Netfirms account, I'd suggest that someone
(or more likely, many someones) has not only spotted it, but done
something more useful about it than posting a three-week-late "heads
up" to Full-Disclosure.

About the only thing of any interest in this whole example is that the
open-redirectors at:

http://rds.yahoo.com/*<URL>

and:

http://www.google.<TLD>/url?<stuff>

-- both of which are cunningly used in the HTML form submission that
happens when a victim clicks the "button" in the HTML Email that
apparently will take them to the PayPal login page at:

https://www.paypal.com/cgi-bin/webscr?cmd=_update

<<snip>>
<table width=3D"50%" cellpadding=3D"4" cellspacing=3D"0" border=3D"0" bgc=
olor=3D"#FFFFFF" align=3D"center">
<FORM target=3D"_blank" ACTION=3Dhttp://rds.yaho&#010;o.com/*http://ww=
w&#009;.google.com/url METHOD=3Dget>
<INPUT TYPE=3DHIDDEN NAME=3Dq VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
r038.netfirms.com/login/>
<input type=3Dsubmit style=3D"color:#000080; border:solid 0px; background:=
#white;" value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update>
</form><br>
</td>
</tr>
</table>
-- are both still fully functional and still being abused by phishers
making their obfuscated URLs look "official" or "kosher" or whatever by
leveraging the good name and reputation of "respected" web presences
such as Yahoo! and Google.

You'd have thought that Yahoo! and Google would be fixing those
ASAP, but apparently there's some dosh at stake, so stupid, sucky,
security-ignorant-to-the-detriment-of-the-rest-of-us design persists
well past when it should have...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Jeremy Heslop
2005-05-05 10:30:07 UTC
Jason,

If you suspect a phishing attempt please forward this email to
***@paypal.com. They will send a response letting you know if the
email is legit or not and hopefully they are taking action to shut down
the phishing site and or help with identifying mail relays. I have
forwarded them about 5+ emails so far so I hope something is being done
:) Like some others have pointed out on this list (or Bugtraq) they are
priming the pump so to speak by sending out a lot of legit looking Paypal
emails so that people get used to them coming. Then they will start
sending more emails with redirected/phished links contained instead of
the real ones. Just my "not worth much" 2 cents.

Jeremy
Hello all,
Wasn't sure if anybody spotted this one, but here's another phishing
X-Gmail-Received: a932e7e33d8a0c08683926a3e13e50d19a838c91
Received: by 10.54.56.53 with SMTP id e53cs17538wra;
Fri, 15 Apr 2005 10:10:20 -0700 (PDT)
Received: by 10.54.3.49 with SMTP id 49mr221139wrc;
Fri, 15 Apr 2005 10:10:16 -0700 (PDT)
Received: from 64.233.185.114 ([207.44.208.74])
by mx.gmail.com with SMTP id 11si1475393wrl.2005.04.15.10.09.44;
Fri, 15 Apr 2005 10:09:45 -0700 (PDT)
Received-SPF: softfail (gmail.com: domain of transitioning
permitted sender)
Received: from c37.s59mx.com (HELO 2r2z) ([45.126.141.83]) by
64.233.185.114 SMTP id 2HvwA26lxKtCAL; Fri, 15 Apr 2005 14:06:47 -0400
Subject: PayPal Account Security Measures
Date: Fri, 15 Apr 05 14:06:47 GMT
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="02FA_603B..9_"
X-Priority: 3
X-MSMail-Priority: Normal
This is a multi-part message in MIME format.
--02FA_603B..9_
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
</style>
</head>
<BODY><TABLE><TR><TD bgcolor=3D"#ffffff">
<table width=3D"600" cellspacing=3D"0" cellpadding=3D"0" border=3D"0"
alig=
n=3D"center">
<tr valign=3D"top">
<td><a href=3D"https://www.paypal.com/us" target=3D"_blank" ><img
src=3D"=
http://images.paypal.com/en_US/i/logo/email_logo.gif" alt=3D"PayPal"
borde=
r=3D"0"></a></td>
</tr>
</table>
<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"0" border=3D"0">
<tr>
<td background=3D"http://images.paypal.com/images/bg_clk.gif"
width=3D"10=
0%"><img src=3D"http://images.paypal.com/images/pixel.gif"
height=3D"29" w=
idth=3D"1" border=3D"0"></td>
</tr>
<tr>
<td><img src=3D"http://images.paypal.com/images/pixel.gif"
height=3D"10" =
width=3D"1" border=3D"0"></td>
</tr>
</table>
<table width=3D"600" cellspacing=3D"0" cellpadding=3D"0" border=3D"0"
alig=
n=3D"left">
<tr valign=3D"top">
<td width=3D"400">
<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"2"
border=3D"0">
<tr>
<td>Dear PayPal Member,<br><br>
Your account has been randomly flagged in our system as a part of our
rout=
ine security measures. This is a must to ensure that only you have
access and use of your PayPal =
account and to ensure a safe PayPal experience. We require all flagged
acc=
ounts to verify their information on file with us. To verify your
Informat=
ion at this time, please visit our secure server webform by clicking
the h=
<br><br>
<table width=3D"70%" cellpadding=3D"0" cellspacing=3D"0" border=3D"0"
bgco=
lor=3D"#FFFFFF" align=3D"center">
<tr>
<td>
<table width=3D"50%" cellpadding=3D"4" cellspacing=3D"0"
border=3D"0" bgc=
olor=3D"#FFFFFF" align=3D"center">
<FORM target=3D"_blank"
ACTION=3Dhttp://rds.yaho&#010;o.com/*http://ww=
w&#009;.google.com/url METHOD=3Dget>
<INPUT TYPE=3DHIDDEN NAME=3Dq
VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
r038.netfirms.com/login/>
<input type=3Dsubmit style=3D"color:#000080; border:solid 0px;
background:=
#white;" value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update>
</form><br>
</td>
</tr>
</table>
</td>
</tr>
</table>
Thank you for using PayPal!<br>
The PayPal Team</td>
</tr>
<tr>
<td>
<hr class=3D"dotted">
</td>
</tr>
<tr>
<td>
<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"0" border=3D"0">
<tr>
<td class=3D"pp_footer">Please do not reply to this e-mail. Mail sent
to this address cannot be answered. For assistance, log
in</a> to your PayPal account and choose the "Help" link in the
footer of any page.<br>
<br class=3D"h10">
To receive email notifications in plain text instead of HTML,
update your preferences <a
href=3D"https://www.paypal.com/us/PREFS-NOTI" t=
arget=3D"_blank" > here</a>.</td>
</tr>
<tr>
<td><img src=3D"http://images.paypal.com/en_US/i/scr/pixel.gif"
height=3D=
"10" width=3D"1" border=3D"0"></td>
</tr>
</table>
</td>
</tr>
<tr>
<td><br><span class=3D"pp_footer">PayPal Email ID
PP478<br><br></span></t=
d>
</tr>
</table>
</td>
<td><img src=3D"http://images.paypal.com/en_US/i/scr/pixel.gif"
height=3D"=
1" width=3D"10" border=3D"0"></td>
<td width=3D"190" valign=3D"top">
<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"1" border=3D"0"
bgc=
olor=3D"#CCCCCC">
<tr>
<td>
<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"0"
border=3D"0" bg=
color=3D"#ffffff">
<tr>
<td>
<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"5"
border=3D"0" b=
gcolor=3D"#EEEEEE">
<tr>
<td class=3D"pp_sidebartextbold" align=3D"center">Protect Your
Account I=
nfo</td>
</tr>
</table>
<table width=3D"100%" cellspacing=3D"0" cellpadding=3D"5" border=3D"0">
<tr>
<td class=3D"pp_sidebartext">Make sure you never provide your
password to fraudulent websites.<br>
<br>
To safely and securely access the PayPal website or your account,
open up a new web browser (e.g. Internet Explorer or Netscape) and
type in the PayPal URL (http://www.paypal.com/).<br>
<br>
PayPal will never ask you to enter your password in an email.<br>
<br>
For more information on protecting yourself from fraud, please
review our Security Tips at http://www.paypal.com/securitytips<br>
<img src=3D"http://images.paypal.com/en_US/images/pixel.gif" height=3D
"5" width=3D"1" border=3D"0"></td>
</tr>
</table>
</td>
</tr>
--02FA_603B..9_--
Nick FitzGerald
2005-05-05 12:43:39 UTC
Jeremy Heslop wrote:

<<snip>>
Post by Jeremy Heslop
:) Like some others have pointed out on this list (or Bugtraq) they are
priming the pump so to speak by sending out alot of legit looking Paypal
emails so that people get used to them coming. Then they will start
sending more emails with redirected/phished links contained instead of
the real ones. Just my "not worth much" 2 cents.
Huh???

You didn't look too closely at that one did you?

When rendered in an HTML-capable MUA, the message has a link or button
that looks as if it takes you to the (once) "legitimate" Paypal login
page at:

https://www.paypal.com/cgi-bin/webscr?cmd=_update

In reality, clicking that link led to a now long-closed page (this
particular phish was spammed nearly three weeks ago) hosted at
netfirms.com via a triple redirection (Yahoo! to Google to Yahoo! to
netfirms) cleverly constructed with HTML form submission logic so that
the full URL is not actually present in one piece in the HTML code.
(It also uses some further obfuscation of parts of the URL by inserting
entity-encoded HTML white-space characters.)

So, your take that this was a "non-malicious" phishing precursor is
quite wrong.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

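Nick's description of the button in both of his posts above (a GET form whose action and hidden field each wrap one open redirector inside another, with entity-encoded tab and line-feed characters splitting the host names) can be checked mechanically instead of by eye. The script below is an added example and is not code from the original thread. It takes the quoted-printable form snippet quoted in the thread as constructed sample input, decodes it, parses the form as an HTML mail client would (character references in attribute values become real TAB and LF), normalises the action URL the way a browser does before fetching, assembles the one-piece GET URL that is never written out in the HTML, and then unwraps the redirectors offline until it reaches a host that is not one. The unwrapping rules for rds.yahoo.com/*<URL> and google.<TLD>/url?q=<URL> are assumptions modelled on the URL shapes shown in the thread, not on vendor documentation; nothing is fetched from the network.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: the form from the phishing mail quoted in this thread,
# still in quoted-printable form (=3D is "=", a trailing "=" is a soft break).
RAW_QP = b"""<FORM target=3D"_blank" ACTION=3Dhttp://rds.yaho&#010;o.com/*http://ww=
w&#009;.google.com/url METHOD=3Dget>
<INPUT TYPE=3DHIDDEN NAME=3Dq VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
r038.netfirms.com/login/>
<input type=3Dsubmit style=3D"color:#000080; border:solid 0px; background:=
#white;" value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update>
</form>"""

# Assumed redirector shapes, modelled on the URLs shown in the thread.
GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z.]+$")
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


class FormExtractor(HTMLParser):
    """Collect every <form> with its named fields and submit-button captions.
    HTMLParser decodes character references inside attribute values, so
    &#010; and &#009; come back as a real LF and TAB, as in a mail client."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": (a.get("method") or "get").lower(),
                         "fields": [], "captions": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "text").lower() == "submit":
                self._cur["captions"].append(a.get("value", ""))
            elif a.get("name"):
                self._cur["fields"].append((a["name"], a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def browser_normalize(url):
    """What a browser does before fetching: strip leading/trailing C0 controls
    and spaces, then drop every embedded TAB/LF/CR (WHATWG URL parser rule).
    This is why "rds.yaho&#010;o.com" still resolves to rds.yahoo.com."""
    return re.sub(r"[\t\n\r]", "", url.strip(C0_AND_SPACE))


def form_get_url(form):
    """URL a GET submission produces: action minus query/fragment, plus the
    encoded fields. This is the one-piece URL never present in the HTML."""
    base = browser_normalize(form["action"]).split("?", 1)[0].split("#", 1)[0]
    return base + "?" + urlencode(form["fields"]) if form["fields"] else base


def unwrap_redirector(url):
    """Where a known open redirector would forward to, or None if url is a
    final destination. Rules are assumptions taken from the thread."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if host == "rds.yahoo.com" and p.path.startswith("/*"):
        # rds.yahoo.com/*<URL>: everything after "/*" (query included) is the target
        return p.path[2:] + ("?" + p.query if p.query else "")
    if GOOGLE_HOST.match(host) and p.path == "/url":
        # google.<TLD>/url?q=<URL>: the target is the (already decoded) q parameter
        q = parse_qs(p.query).get("q")
        return q[0] if q else None
    return None


def follow_redirectors(url, limit=10):
    """Resolve nested redirectors offline; returns the whole chain of URLs."""
    chain = [url]
    while len(chain) <= limit:
        nxt = unwrap_redirector(chain[-1])
        if nxt is None:
            break
        chain.append(browser_normalize(nxt))
    return chain


def analyse(raw_qp):
    """Decode the mail part and, per form, report the real hop chain and whether
    the button caption names a different host than the chain ends at."""
    parser = FormExtractor()
    parser.feed(quopri.decodestring(raw_qp).decode("latin-1"))
    parser.close()
    report = []
    for form in parser.forms:
        hidden = sorted({c for c in form["action"] if c in "\t\n\r"})
        chain = follow_redirectors(form_get_url(form))
        caption = form["captions"][0] if form["captions"] else ""
        caption_host = (urlsplit(caption).hostname or "").lower()
        final_host = (urlsplit(chain[-1]).hostname or "").lower()
        report.append({
            "hosts": [urlsplit(u).hostname for u in chain],
            "final": chain[-1],
            "caption_host": caption_host,
            "final_host": final_host,
            "hidden_control_chars": hidden,
            "suspicious": bool(hidden) or (caption_host != "" and caption_host != final_host),
        })
    return report


if __name__ == "__main__":
    for r in analyse(RAW_QP):
        print(" -> ".join(r["hosts"]), "| caption says", r["caption_host"],
              "| suspicious:", r["suspicious"])
```

Run against the sample, the chain comes out as rds.yahoo.com, www.google.com, rds.yahoo.com, transfer038.netfirms.com, which is the "triple redirection" Nick describes, and the action is found to contain a TAB and an LF. Either signal alone (control characters inside a URL, or a caption host that differs from the final host) is enough to flag the message in a mail filter; a real filter would also apply the same treatment to <a href> targets, which this example leaves out.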
V***@vt.edu
2005-05-05 15:01:56 UTC
Post by Nick FitzGerald
netfirms.com via a triple redirection (Yahoo! to Google to Yahoo! to
netfirms) cleverly constructed with HTML form submission logic so that
the full URL is not actually present in one piece in the HTML code.
OOH. Devious and nasty. ;)
Post by Nick FitzGerald
(It also uses some further obfuscation of parts of the URL by inserting
entity-encoded HTML white-space characters.)
Discussing the fact somebody is phishing is pretty off-topic. But sounds
like critiquing it for style might be good for a go. ;)

Todd Towles
2005-05-05 13:09:10 UTC
I would guess that almost everyone on this list can spot a phishing
e-mail. I reported one to Paypal yesterday, and another the day before
that. I would say that I see around 8-10 a week. Should I post them all
on FD? It doesn't help. The phishing site will be down in a matter of
days (perhaps hours)...and it will be put up on another zombie that is in
the botnet.

Report these to paypal and to the anti-phishing group. FD is a place to
talk about phishing, but not to report each e-mail...just my 2 cents.
-----Original Message-----
Of Jason Weisberger
Sent: Wednesday, May 04, 2005 9:33 PM
Subject: [Full-disclosure] Paypal Phishing Again
<<snip>>
Todd Towles
2005-05-05 14:25:49 UTC
Hey Nick,

I have been seeing a lot of e-mail from random addresses with a body like
the following

-----------------------------
"Hey, I tried to send a message to this address but it was bocked. Is
there a e-mail file size limit?"

Oman
-----------------------------

Looks like DHAs, pretending to be more real than the normal one-word
body and one-word title.
-----Original Message-----
Of Nick FitzGerald
Sent: Thursday, May 05, 2005 3:14 AM
Subject: Re: [Full-disclosure] Paypal Phishing Again
<<snip>>