Well done scam...

Posted by: lectric

Well done scam... - 09/10/2006 15:36

Hrmmm... see attachment. Unfortunately, a VERY well done phishing scheme. The link is still active, PLEASE don't enter your info.
Posted by: g_attrill

Re: Well done scam... - 09/10/2006 16:07

Did you know the name of the person by any chance? I am waiting for the day when a phisher gets a file of related names (eg. extracted from an address book) and uses them, that would be hugely successful.

Also note they are linking to PayPal images in the live page - I do wonder why they do this because PayPal must aggregate all instances of Referer headers not matching with any authorised sites and have an instant alert system.

Gareth
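The detection Gareth describes, as an added example (not code from this thread, from PayPal or from any vendor): scan web server access-log lines for image requests whose Referer names a host outside an allow-list, then aggregate by referring host. It assumes Combined Log Format; the sample log lines and the allow-list are constructed for the example.

```python
"""Referer-based hotlink detection over web server access-log lines.

Added example, not code from the forum thread, from PayPal or from any
vendor.  Assumes Combined Log Format; the sample log and the allow-list
are constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: only these hosts (and their subdomains) may embed the images.
ALLOWED_REFERER_HOSTS = {"paypal.com"}
STATIC_EXTENSIONS = (".gif", ".png", ".jpg", ".jpeg", ".ico", ".css", ".js")

# Constructed sample log: lines 2 and 5 are images fetched by a phishing page
# that hotlinks them, line 3 is a direct hit, line 4 is a page (not an image).
SAMPLE_LOG = """\
198.51.100.23 - - [09/Oct/2006:15:36:01 +0000] "GET /en_US/i/logo/paypal_logo.gif HTTP/1.1" 200 2048 "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run" "Mozilla/5.0"
198.51.100.77 - - [09/Oct/2006:15:36:05 +0000] "GET /en_US/i/logo/paypal_logo.gif HTTP/1.1" 200 2048 "http://www.paypal.com.cgi-bin.websc.cmd.login-run.hk/" "Mozilla/4.0"
203.0.113.9 - - [09/Oct/2006:15:36:09 +0000] "GET /en_US/i/logo/paypal_logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.77 - - [09/Oct/2006:15:36:10 +0000] "GET /cgi-bin/webscr?cmd=_login-run HTTP/1.1" 200 9981 "http://www.paypal.com.cgi-bin.websc.cmd.login-run.hk/" "Mozilla/4.0"
198.51.100.77 - - [09/Oct/2006:15:36:11 +0000] "GET /en_US/i/btn/btn_login.gif?v=2 HTTP/1.1" 200 512 "http://www.paypal.com.cgi-bin.websc.cmd.login-run.hk/login.php" "Mozilla/4.0"
"""


def referer_host(referer: str) -> Optional[str]:
    """Hostname from a Referer value, or None when it is absent ("-") or unparseable."""
    if not referer or referer == "-":
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_allowed_host(host: str) -> bool:
    """Exact match or a true subdomain of an allowed host.

    Deliberately not `"paypal.com" in host`: that substring test would accept
    www.paypal.com.cgi-bin.websc.cmd.login-run.hk, whose registrable domain is
    login-run.hk.
    """
    return any(host == a or host.endswith("." + a) for a in ALLOWED_REFERER_HOSTS)


def find_hotlinks(log_text: str) -> List[Dict[str, str]]:
    """Static-asset requests whose Referer names a host outside the allow-list."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        path = urlsplit(m["path"]).path.lower()  # drop any query string
        if not path.endswith(STATIC_EXTENSIONS):
            continue
        host = referer_host(m["referer"])
        if host is None:
            continue  # direct hit or privacy-stripped Referer: no evidence either way
        if not is_allowed_host(host):
            findings.append({"ip": m["ip"], "time": m["time"], "path": path, "referer_host": host})
    return findings


def referer_summary(findings: List[Dict[str, str]]) -> Counter:
    """Aggregate by referring host: the list a brand-protection team would triage."""
    return Counter(f["referer_host"] for f in findings)


if __name__ == "__main__":
    for host, n in referer_summary(find_hotlinks(SAMPLE_LOG)).most_common():
        print(f"{n:5d}  {host}")
```

Referer is a detection signal rather than a control: a phisher who proxies the images through their own server, or whose visitors' browsers strip Referer, produces nothing here. The kit in this thread links the images straight from PayPal's servers, which is exactly the case the check catches.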
Posted by: larry818

Re: Well done scam... - 09/10/2006 16:48

You give paypal too much credit. They sent me a notice once because there was in excess of 3,000 failed access attempts spanning 2 seconds on my account. They seemed to think this was suspicious... Most sites would have cut them off at three failed attempts...
Posted by: SE_Sport_Driver

Re: Well done scam... - 09/10/2006 19:43

I get those a lot. Especially from Banks I've never heard of asking me to log in to change my password.

I always forward them to Paypal. I think the address is [email protected] At the very least, Paypal can get that site shut down but I doubt they pursue it much.

Word of advice is to ALWAYS hover your mouse over a link to see if the url it takes you to looks funny (like that one did).
Posted by: lectric

Re: Well done scam... - 09/10/2006 20:17

Oh, no kidding, and no, the name was not familiar. You are correct, if it could have the sophistication of some of the worms I've seen, they'd make millions in days. I am well aware of how to detect a spoof, but some of my users are not. At least I have them all trained that if they are even the slightest bit unsure about an email, send it to me. I'll check it out.

It's just that this particular one basically ripped off EXACTLY Paypal's site and even included links to paypals images directly on paypal's servers. Only one line in the entire html makes it a non-official paypal document. What scares me is what if I was a regular paypal user, and just clicked this one because I know I had 5 auctions ending that day. Odds are high I wouldn't even be the slightest suspicious.
Posted by: sein

Re: Well done scam... - 10/10/2006 03:22

I simply never click on links in emails supposedly from anywhere I would normally sign in to. Especially eBay, Paypal and my Bank.

If I got what looks like original mail from them, I would open a browser, type the URL for their home page (no bookmarks for those) and log in. Seems the safest way until my DNS server gets 0wned.
Posted by: Shonky

Re: Well done scam... - 10/10/2006 09:05

And the link is obviously fake to someone like me, but I can see it would fool some (space inserted so BBS doesn't link it)
http: //www.paypal.com.cgi-bin.websc.cmd.login-run.hk/
Posted by: Robotic

Re: Well done scam... - 10/10/2006 11:38

Quote:
And the link is obviously fake to someone like me, but I can see it would fool some (space inserted so BBS doesn't link it)
http: //www.paypal.com.cgi-bin.websc.cmd.login-run.hk/

I'll bite- What do you see there and what does it mean to you?
Posted by: Tim

Re: Well done scam... - 10/10/2006 11:50

He's referring to the fact that the domain isn't PayPal - instead of slashes to separate directories, the .s just continue the domain name to something in Hong Kong. A lot of people would miss that, they'll just see the paypal.com and think it is legitimate.
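Tim's point, as an added example that is not part of this thread or of any browser: the dots keep extending the hostname, and only `/`, `?`, `#` or `:` end it, so the part an attacker had to register is the last labels, not the first ones. The suffix table below is a tiny hand-picked subset (an assumption; a real check should use the Public Suffix List) and `analyse_link` is a hypothetical helper. It also covers two related tricks the hover check should catch: a `user@` part before the real host, and a raw IP address.

```python
"""Where does a link really go?  Registrable domain vs. the brand in the URL.

Added example, not code from the forum thread or from any browser.  The
suffix table is a small assumed subset; use the Public Suffix List in
anything real.
"""
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

# Assumption: a few two-label public suffixes.  Everything else is treated
# as a one-label suffix (.com, .hk, ...).
TWO_LABEL_SUFFIXES = {"com.hk", "co.uk", "org.uk", "com.au", "co.jp", "com.cn"}


def registrable_domain(host: str) -> str:
    """The part of a hostname someone had to register (eTLD+1, approximated).

    In www.paypal.com.cgi-bin.websc.cmd.login-run.hk the labels 'paypal'
    and 'com' are just subdomains of login-run.hk.
    """
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host  # a bare IP has no registrable domain; return it as-is
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_link(url: str, brand_domain: str = "paypal.com") -> Dict[str, object]:
    """Classify a link relative to the brand it claims to belong to."""
    if "://" not in url:
        url = "http://" + url  # a bare host would otherwise parse as a path
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: List[str] = []

    if parts.username is not None:
        reasons.append("text before '@' is a username; the real host follows the '@'")
    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass

    reg = registrable_domain(host) if host else ""
    brand_label = brand_domain.split(".")[0]
    if reg != brand_domain and brand_label in host:
        reasons.append(f"'{brand_label}' appears in the host, but the registrable domain is '{reg}'")

    legitimate = bool(host) and not is_ip and parts.username is None and reg == brand_domain
    return {"host": host, "registrable_domain": reg, "legitimate": legitimate, "reasons": reasons}


if __name__ == "__main__":
    for link in (
        "http://www.paypal.com.cgi-bin.websc.cmd.login-run.hk/",
        "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run",
        "http://www.paypal.com@203.0.113.5/cgi-bin/webscr",
        "http://secure-paypal.com.hk/",
    ):
        r = analyse_link(link)
        print(f"{'ok ' if r['legitimate'] else 'BAD'} {link} -> {r['registrable_domain']} {r['reasons']}")
```

This is the same judgement a person makes when hovering over the link: read the host from the right-hand end, not from the left, and stop at the first slash.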
Posted by: Shonky

Re: Well done scam... - 10/10/2006 19:49

Yes. Just the URL has stuff after the paypal.com. There seem to be quite a few in Hong Kong these days. The link is just a page looking like paypal saying you've received payment from someone and you need to log in to accept it or something like that.

That is the reason some banks say type in their URL or only use a bookmark, like sein mentioned.

Phishing sites are rarely set up to take advantage of any browser vulnerabilities in my experience. They are just relying on human vulnerabilities.
Posted by: frog51

Re: Well done scam... - 10/10/2006 20:08

Although the smart phishers are now moving away from relying entirely on human stupidity. We are seeing far more Trojan based attacks - still very easy to infect millions of Winblows PCs and all an attacker needs to do is either key log or alter your browser to log in to 'badsite.com' (tm) and pretend you are at 'yourbank.com'

And although some banks are going down the route of using SecurID or similar we have already seen successful attacks against them (even though the attack window has been reduced to 30 seconds from days!)

Fun times ahead - a good time to be an infosec professional. I know I need more people in my team...anyone interested?
Posted by: Anonymous

Re: Well done scam... - 10/10/2006 22:46

Quote:
We are seeing far more Trojan based attacks - still very easy to infect millions of Winblows PCs and all an attacker needs to do is either key log or alter your browser to log in to 'badsite.com' (tm) and pretend you are at 'yourbank.com'


All they have to do is add an entry in the system's hosts file to specify an IP address for the targeted domain, and the user will never be able to tell they're looking at a scammer's site. Macs are vulnerable too.

I think it would make for a great browser feature/plug-in that pops up a warning message anytime you visit a domain whose address was resolved locally. "WARNING: You might be getting scammed."

Quote:
Fun times ahead - a good time to be an infosec professional. I know I need more people in my team...anyone interested?


Yeah, I am.
Posted by: drakino

Re: Well done scam... - 10/10/2006 23:33

Quote:
All they have to do is add an entry in the system's hosts file to specify an IP address for the targetted domain, and the user will never be able to tell they're looking at a scammer's site. Macs are vulnerable too.


Looks like this is already happening, JS/QHosts21-A is one trojan I found. As far as the Mac side (or any Unix variant), the trojan would have to have root access to touch the hosts file, and if it has that, the system is screwed anyhow.

Quote:
I think it would make for a great browser feature/plug-in that pops up a warning message anytime you visit a domain who's address was resolved locally. "WARNING: You might be getting scammed."


I couldn't find any info on if Firefox 2 or IE 7 offer this at all. However, one potential fix is to change the resolution order of the system. Simply either remove the hosts file from the resolution table, or move it after the DNS system. Looks like this is doable on Windows the same as Unix.
Posted by: wfaulk

Re: Well done scam... - 11/10/2006 21:44

Quote:
move it after the DNS system

Even so, there are bound to be a lot of people who would never notice that the link is to "bankotamerica.com" or "wachovia,com". It would probably make more sense, as you suggest, to just disable hosts altogether by default, and make the people who need it aware of the consequences.