Credit Card Up For Renewal? Then Beware This Phish...


Today I received an interesting phish that only caught my eye purely because of a chance circumstance involving my credit card. What I ended up with was three websites (at least one of which has likely been hacked), two phishes and a collection of screenshots for you to look at after the jump...

Normally I ignore emails from PayPal, but because my credit card is due to expire, this one caught my eye:

http://blog.spywareguide.com/upload/2008/05/paypal1-thumb.jpg

"Your credit card information has been changed!
On Apr. 28, 2008, your credit card was removed from your PayPal account.

You are receiving this email notification because this email address is listed as the administrative contact email for your PayPal account. If you belive this is an error, for assistance click the link below, log in to your PayPal account and follow the instructions.

https://www.paypal.com/us/cgi-bin/helpweb?cmd=_help

Please do not reply to this email. This mailbox is not monitored and you will not receive a response.

Sincerely,
PayPal"

If I wasn't aware of phish attacks, I might have thought PayPal had a feature where credit cards that have just expired are automatically removed from their system, and logged into the fake site thinking I was about to update my details. I wonder how many people have been caught out by this? Of course, hovering over the supposed PayPal URL reveals a somewhat different final destination:

redirphish.jpg

A main site (in the URL above) redirects you to a fake PayPal website at a second domain, which would be this:

http://blog.spywareguide.com/upload/2008/05/paypal2-thumb.jpg

The site hosting the PayPal phish has possibly been hacked, and all content has been removed save for the PayPal page:

paypal3.jpg

Shall we check out what lies on the first domain performing the redirects?

http://blog.spywareguide.com/upload/2008/05/paypal4-thumb.jpg

That doesn't look like a scammer's website. In fact, it's an Indian company that (according to one of their other websites) "is India's leading manufacturer of oleochemicals and makes more than a hundred chemicals for use in over two dozen industries."

Whoops.

Checking out the directory we're looking for gives us this:

paypal5.jpg

Now, we've already seen that Redir1.html takes us to the above PayPal phish. Where does "Redir.html" take us?

http://blog.spywareguide.com/upload/2008/05/paypal6-thumb.jpg

Well, would you look at that, another phish page. Like the other site hosting the PayPal phish, this one seems to have been gutted too and no other content remains. The slow process of getting all these sites cleaned up now begins...


About this Entry

This page contains a single entry by Christopher Boyd published on May 1, 2008 1:18 PM.
