Author
|
Topic: PayPal Lookalike Scam
|
b0b Sysop From: Cloverdale, California, USA
|
posted 11 November 2003 08:45 AM
I got this email, but didn't take the bait: Closer examination revealed that the entire message was a GIF image, and clicking anywhere on it would invoke the following: http://www.paypal.com.cgi-bin.webscr.cmd=_rav-form@211.47.191.125:199/cgi/index.htm (Don't try it!) The important thing here is that it's not really sending anything to PayPal. There is a machine somewhere with an IP address of 211.47.191.125 waiting to collect your credit card data on port 199. If you need to check the status of your PayPal or Ebay account, the best thing to do is to go directly to PayPal.com or Ebay.com and log in. Don't trust an email to give you a "shortcut" into those systems. This scam was pretty clever - it took me a while to figure out what was going on. Don't be fooled. The weakest link in any scam is a willing victim. ------------------
Bobby Lee -b0b- quasar@b0b.com System Administrator
|
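The link quoted in b0b's post above puts a PayPal-looking string before the "@", where a URL carries a login name, and the real destination after it. As an added example (not part of the original thread), this Python function splits a link the way a browser does and reports what it actually points at; `analyze_link`, the `TRUSTED_DOMAINS` list and the finding labels are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative values: the two sites named in this thread.
TRUSTED_DOMAINS = ("paypal.com", "ebay.com")
DEFAULT_PORTS = {"http": 80, "https": 443}


def analyze_link(url):
    """Return (real_host, port, findings) for a link taken from an email."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # Everything before the last "@" in the authority is userinfo (a login
    # name), not a host. The connection goes to what follows the "@".
    userinfo = parts.netloc.rpartition("@")[0].lower()
    if userinfo:
        findings.append("userinfo-present")
        if any(d in userinfo for d in TRUSTED_DOMAINS):
            findings.append("brand-in-userinfo")

    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        # A named host: the brand must be the domain itself or a subdomain
        # of it, not just a label buried inside some other domain.
        trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
        brands = [d.split(".")[0] for d in TRUSTED_DOMAINS]
        if not trusted and any(b in host for b in brands):
            findings.append("brand-outside-trusted-domain")

    try:
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # port is not a number or is out of range
        port = None
        findings.append("invalid-port")
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        findings.append("nonstandard-port")
    return host, port, findings


# URL quoted in the post above, analyzed as a string only (never fetched).
SAMPLE = "http://www.paypal.com.cgi-bin.webscr.cmd=_rav-form@211.47.191.125:199/cgi/index.htm"

if __name__ == "__main__":
    print(analyze_link(SAMPLE))
```
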
Colm Chomicky Member From: Prairie Village, Kansas, USA
|
posted 11 November 2003 09:31 AM
Got a very similar one. .gif with text linked to the con job site. I sent it to spoof@ebay.com. |
Gene Jones Member From: Oklahoma City, OK USA
|
posted 11 November 2003 10:45 AM
* [This message was edited by Gene Jones on 19 January 2005 at 04:50 AM.] |
Roy Ayres Member From: Starke, Florida, USA
|
posted 11 November 2003 04:32 PM
I received one today claiming to be from CitiBank asking me to punch in my account number and the password used with my ATM card. I'm just old; I ain't stupid. |
Ernie Renn Member From: Brainerd, Minnesota USA
|
posted 11 November 2003 05:47 PM
From what I've heard and read, both PayPal and Ebay never send mail asking you to click here to give information. I have received a few policy updates, but they always say to log in and see what they are. ------------------ My best, Ernie www.buddyemmons.com
|
Don Walters Member From: Regina, SK, Canada
|
posted 12 November 2003 06:22 AM
It's a safe assumption that no legitimate businesses/organizations ever ask for account information, passwords, etc. by e-mail. If you get such a message, delete it!! |
Bobby Lee Sysop From: Cloverdale, North California, USA
|
posted 12 November 2003 03:35 PM
Got another one today purporting to be from the "eBay Billing Depatment team". They say my billing information is out of date. The link pointed to an IP address: 210.119.235.149. I hope nobody here is foolish enough to click into one of these. ------------------
Bobby Lee - email: quasar@b0b.com - gigs - CDs, Open Hearts Sierra Session 12 (E9), Williams 400X (Emaj9, D6), Sierra Olympic 12 (C6add9), Sierra Laptop 8 (D13), Fender Stringmaster (E13, A6), Roland Handsonic, Line 6 Variax |
Lyle Bradford Member From: Gilbert WV USA
|
posted 12 November 2003 07:31 PM
Exactly what Gene said!! |
Doug Beaumier Member From: Northampton, MA
|
posted 12 November 2003 09:44 PM
I've been getting 3 or 4 a week for about a year now... eBay "spoof emails". I used to inform Ebay every time, but I don't bother anymore. These bogus emails are from crooks looking for account information. Lately there have been a lot of phoney "PayPal" emails too. I get over 300 emails a day because I do a lot of internet business. I set up a JUNK folder in Outlook Express with about 200 keywords to separate the spam as it comes in. It works pretty good... snags about 75% of the crap. The eBay and PayPal "spoofs" still download into the regular Inbox however. I guess there's no way to prevent that. ------------------ My Site - Instruction | Doug's Free Tab | Steels and Accessories
|
Al Marcus Member From: Cedar Springs,MI USA
|
posted 13 November 2003 09:56 PM
Bobby-I got one of those from Ebay billing. I looked it over and deleted it. Good thing I guess....al  ------------------ My Website..... www.cmedic.net/~almarcus/ |
Russ Young Member From: Seattle, Washington, USA
|
posted 19 November 2003 06:33 AM
I just received a bogus message supposedly from PayPal. This one said I needed to open an attachment in order to renew my account information ... My guess is the attachment was probably spyware that would allow them to capture my password the next time I used PayPal. |
Bobby Lee Sysop From: Cloverdale, North California, USA
|
posted 19 November 2003 12:15 PM
I have heard that this particular email is actually a virus. DON'T CLICK IT! |
Jim Landers Member From: Spokane, Wash.
|
posted 07 January 2005 07:46 PM
I get at least 2 or 3 of these a week and usually double that when I have just recently bought or sold something on Ebay. A legitimate PayPal notice 'always' addresses you by your full name (Dear MR.John Smith) and 'never' asks you to give them info via an email link. The same for Ebay. When in doubt just forward the suspect email to spoof@paypal.com or spoof@ebay.com. You will receive an answer usually within 10 or 15 minutes confirming your suspicion that this email was not sent by PayPal or Ebay. Jim |
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 08 January 2005 01:39 PM
I did a Whois on b0b's scam email and here is the source:

WHOIS results for 211.47.191.125
Generated by www.DNSstuff.com
Country: KOREA-KR
ARIN says that this IP belongs to APNIC; I'm looking it up there.
APNIC says that this IP belongs to KRNIC; I'm looking it up there.
Using 0 day old cached answer (or, you can get fresh results).
Displaying E-mail address (use sparingly -- this will make it more likely that you will trigger our rate limiting system).

한국인터넷정보센터(www.nic.or.kr)에서 제공하는 Whois 서비스 입니다.
query: 211.47.191.125

# ENGLISH
KRNIC is not a ISP but a National Internet Registry similar to APNIC. The followings are information of the organization that is using the IPv4 address.

IPv4 Address : 211.47.191.96-211.47.191.127
Network Name : HANINTERNET-LLINE-VISIONGRA
Connect ISP Name : HANINTERNET
Connect Date : 20040220
Registration Date : 20040220

[ Organization Information ]
Organization ID : ORG380591
Org Name : VISIONGRA
State : SEOUL
Address : Pil-dong 1(il)-ga , Jung-gu
Zip Code : 100-271

[ Admin Contact Information]
Name : BADA JUNG
Org Name : VISIONGRA
State : SEOUL
Address : Pil-dong 1(il)-ga , Jung-gu
Zip Code : 100-271
Phone : +82-2-2272-6872
E-Mail : webmaster@yoonfont.co.kr

[ Technical Contact Information ]
Name : BADA JUNG
Org Name : VISIONGRA
State : SEOUL
Address : Pil-dong 1(il)-ga , Jung-gu
Zip Code : 100-271
Phone : +82-2-2272-6872
E-Mail : webmaster@yoonfont.co.kr

--------------------------------------------------------------------------------
If the above contacts are not reachable, please see the following ISP contacts for further information or network abuse.

[ ISP IPv4 Admin Contact Information ]
Name : ipadministrator
Phone : +82-2-860-8143
Fax : +82-2-852-8535
E-Mail : iservice@haninternet.co.kr

[ ISP IPv4 Tech Contact Information ]
Name : ipmanager
Phone : +82-2-860-8144
Fax : +82-2-852-8535
E-Mail : ip@haninternet.co.kr

[ ISP Network Abuse Contact Information ]
Name : Sangwon So
Phone : +82-2-860-8002
Fax : +82-2-852-8535
E-Mail : support@haninternet.co.kr

Wiz [This message was edited by Wiz Feinberg on 08 January 2005 at 01:40 PM.] |
Dave Potter Member From: Republic of Texas (near San Antonio)
|
posted 10 January 2005 05:17 PM
<< I did a Whois on b0b's scam email and here is the source:
Er, well,...maybe. Probably more likely is it's one of our own stateside pillars of society, who's just using that Korean server to proffer his junk. |
Bobby D. Hunter Member From: USA
|
posted 10 January 2005 09:54 PM
Dave Potter wrote: quote:
Er, well,...maybe. Probably more likely is it's one of our own stateside pillars of society, who's just using that Korean server to proffer his junk.
Here are the results of my SpamCop lookup to see if any reports were received lately from this CIDR. All are negative. The IP is not listed in any blocklist used by SC.
-------------------------------------------
SpamCop v 1.397 (c) SpamCop.net, Inc. 1998-2004 All Rights Reserved
Parsing input: 211.47.191.125
host 211.47.191.125 (getting name) no name
No recent reports, no history available
Routing details for 211.47.191.125
[refresh/show] Cached whois for 211.47.191.125 : support@haninternet.co.kr dk_suh@e2b.co.kr iservice@haninternet.co.kr ip@haninternet.co.kr
Using abuse net on support@haninternet.co.kr
abuse net haninternet.co.kr = abuse@haninternet.co.kr
Using best contacts abuse@haninternet.co.kr
Statistics:
211.47.191.125 not listed in bl.spamcop.net
More Information..
211.47.191.125 not listed in dnsbl.njabl.org
211.47.191.125 not listed in dnsbl.njabl.org
211.47.191.125 not listed in cbl.abuseat.org
211.47.191.125 not listed in dnsbl.sorbs.net
211.47.191.125 not listed in relays.ordb.org.
Reporting addresses: abuse@haninternet.co.kr
------------------
Bobby D. Hunter Security for SGF Hunting down Slimeball Game [This message was edited by Bobby D. Hunter on 10 January 2005 at 09:54 PM.] |
b0b Sysop From: Cloverdale, California, USA
|
posted 10 January 2005 11:27 PM
Remember, I received this 14 months ago. The IP could have been reassigned since then. |
Jody Carver Member From: The Knight Of Fender Tweed~ Dodger Blue Forever
|
posted 11 January 2005 07:37 AM
I open everything..I figure maybe someone found my Levi's I lost at Wal-Mart. |
b0b Sysop From: Cloverdale, California, USA
|
posted 11 January 2005 10:01 AM
That's a very bad idea, Jody. If you open everything, it's a near certainty that you'll end up with something you really don't want on your PC. But even worse: if you respond to one of these spoofs, you'll be giving away your credit cards and maybe even your bank account. Forget about the pants.  |
Gene Jones Member From: Oklahoma City, OK USA
|
posted 11 January 2005 10:23 AM
*[This message was edited by Gene Jones on 25 January 2005 at 09:09 AM.] |
Colm Chomicky Member From: Prairie Village, Kansas, USA
|
posted 16 January 2005 05:58 PM
I get about 100 to 200 spams a day. I get frequent paypal or ebay scams like this, not to mention City Bank and other banks. I forward the paypal and ebay to spoof@paypal or spoof@ebay. (But I suspect they get so many reports, they are buried in up to their armpits.) But I suspect there is not much Ebay or Paypal can do other than to have that address shut down. I've never heard that any of these guys get caught. |