I almost fell victim to an identity-stealing scam
I got this email today, and I almost believed it. It's a typical http://user:password@hostname/ trick. In this case, the user is tricked into thinking that http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/ is a PayPal URL when in fact it's a website served up by http://p9.da.ru/.
Here's the full source of the email message:
Return-Path: <anonymous@m1.netfirms.com>
Received: from m1.netfirms.com (m1.netfirms.com [66.48.76.114])
    by netspace.org (8.11.6/8.11.6) with SMTP id h410rTR11497
    for <webmaster@hebcal.com>; Wed, 30 Apr 2003 20:53:29 -0400
Received: (qmail 48211 invoked from network); 1 May 2003 00:53:51 -0000
Received: from unknown (@192.168.60.10)
    by m1.netfirms.com with QMQP; 1 May 2003 00:53:51 -0000
Date: 1 May 2003 00:53:51 -0000
Message-ID: <20030501005351.31268.qmail@cgi1>
To: "" <webmaster@hebcal.com>
From: "PayPal Staff" <staff@paypal.com>
Subject: PayPal System Update *Urgent Please Read*
Content-type: text/html
X-Spam-Status: No, hits=3.7 required=5.0
    tests=CTYPE_JUST_HTML,DEAR_SOMEBODY,HTTP_USERNAME_USED,NO_FEE,
    PLEASE_READ,SPAM_PHRASE_08_13
    version=2.44
X-Spam-Level: ***

<P>Dear PayPal User,</P>
<P>Today we had some trouble with one of our computer systems. While
the trouble appears to be minor, we are not taking any chances. We decided to
take the troubled system offline and replace it with a new system. Unfortunately
this caused us to lose some member data. Please follow the link below and log
into your account to make sure your information is not affected. Account
balances have not been affected.</P>
<P>Because of the inconvenience this causes we are giving all users that
repair their missing data their next two incoming transfers for free! You will pay
no fees for your next two incoming transfers*. </P>
<P><A
href="http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/">
http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/</A></P>
<P>
Thank you for using PayPal!</P>
<P><BR>* - If fees would normally apply, you will not pay anything
for the next two incoming transfers you receive. </P>
<P>PayPal Security</P>
<P>PROTECT YOUR PASSWORD<BR>NEVER give your password to
anyone and ONLY log in at PayPal's website. If anyone asks for your
password, please follow the Security Tips instructions on the PayPal
website.<BR></P>
I don't know who has the power to do this, but p9.da.ru should be shut down ASAP.
In the meantime, I'm going to crank up the score for HTTP_USERNAME_USED in my SpamAssassin user_prefs file.
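The user:password@hostname trick in this message can be checked mechanically: everything before the @ is userinfo, and the host that actually gets contacted is what follows it. The Python below is an added example, not part of the original post and not SpamAssassin's own rule; the function names, the hostname-shape heuristic and the second sample link are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: the anchor from the message above, plus one ordinary
# link added for contrast (the second link is not in the original email).
SAMPLE_BODY = """<P><A
href="http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/">
http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/</A></P>
<P>See <A href="https://www.paypal.com/help">help</A></P>"""

# Userinfo shaped like a DNS name, e.g. "www.paypal.com" (heuristic, assumed here).
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class HrefCollector(HTMLParser):
    """Collect href values from <a> tags (HTMLParser lower-cases tag names)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def check_url(url):
    """Return None if the URL carries no userinfo, else a dict describing it."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed authority, nothing to classify
        return None
    if parts.scheme not in ("http", "https") or parts.username is None:
        return None
    user = unquote(parts.username)
    return {
        "url": url,
        "real_host": parts.hostname,  # host the client actually connects to
        "userinfo": user,             # text the reader sees first
        "decoy_host": bool(HOSTLIKE.fullmatch(user)) and user.lower() != parts.hostname,
    }


def scan_html(body):
    """Return a finding for every link in an HTML body that carries userinfo."""
    collector = HrefCollector()
    collector.feed(body)
    return [f for f in map(check_url, collector.hrefs) if f]
```

A finding with `decoy_host` set means the userinfo itself looks like a hostname and differs from the real host, which is the case for the link in this email.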
We've been getting a very similar scam in Australia, except that the targets are internet banking users. A lot of people fell for it too!
Posted by Mike at April 30, 2003 09:51 PM