Date: Wed Feb 15 14:18:03 2006
From: bpasdar at igxglobal.com (Babak Pasdar)
Subject: Forensic Analysis of a Paypal Phishing Scam


Hello all,

I recently received this e-mail notifying me of a new e-mail address
that was added to my Paypal account.  I broke down the steps I took to
analyze the e-mail first to identify that it was a phishing scam and
then to track down the steps this Scammer used and identify the systems
in use.  

I have provided the e-mail and a synopsis along with a link to the
original full forensics.

Synopsis:  
1. The e-mail was sent from a Comcast network in Indianapolis from a
Windows machine running Outlook Express.  The Scammer used a Yahoo name
on the account.

2. The domain was registered through a proxy domain registration company
which uses Yahoo's DNS and provided a web server through Yahoo.

3. The Yahoo web server redirects the user to an Oracle web server on
port 84 running in Seoul, Korea.

4. Finally, when you put in your username and password it tells you the
system is down for maintenance, but does take the time to ask you for
your credit card and pin numbers! 

Notes: The Scammer does use an interesting approach in eliminating the
address bar and using a graphic of an address bar in its place showing
a Paypal login account. 

To see the full analysis click here:
http://dsb.igxglobal.com/plugins/content/content.php?content.37


Babak Pasdar
Founder / Chief Technology & Information Security Officer

Support the Daily Security Briefing Web Site and Register Here:
http://dsb.igxglobal.com

For this week's DSB/Week-in-Review Audio/Video Security Report:
http://dsb.igxglobal.com/news.php?item.50.4

To register for a Daily Security Intelligence e-mail:
http://www.igxglobal.com/dsb/register.html

Get your security news via Podcast:
http://dsb.igxglobal.com/page.php?11



Return-Path: <lilreddtp2@...oo.com>
Received: from groupware.igxglobal.com ([unix socket]) by groupware
(Cyrus v2.1.16) with LMTP; Tue, 14 Feb 2006 11:48:09 -0500
X-Sieve: CMU Sieve 2.2
Received: from mail5.igxglobal.com (unknown [192.168.27.51]) by
groupware.igxglobal.com (Postfix) with ESMTP id 910DD32C082 for
<bpasdar@...global.com>; Tue, 14 Feb 2006 11:48:09 -0500 (EST)
Received: from c-68-58-4-141.hsd1.in.comcast.net (HELO compaq)
([68.58.4.141]) by mail5.igxglobal.com with SMTP; 14 Feb 2006 11:48:09
-0500
Message-Id: <4oasf3$3s8uf@...l5.igxglobal.com>
X-BrightmailFiltered: true
X-Brightmail-Tracker: AAAAAA==
X-IronPort-AV: i="4.02,114,1139202000";  d="scan'208,217";
a="4072399:sNHT36133904"
Reply-To: lilreddtp2@...oo.com
From: PayPal Security <lilreddtp2@...oo.com>
Subject: New email address added to your account !
Date: Tue, 14 Feb 2006 11:48:06 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
To: undisclosed-recipients : ;
X-Evolution-Source: imap://bpasdar;auth=DIGEST-MD5@....241.202.7/


You've added an additional email address to your PayPal account.

If you don't agree with this email glasshk32@...cast.net and if you need
assistance with your account, 

please click here to login to your account.

 

To make sure you can use your PayPal account the next time you make a
purchase,

all you need to do is confirm or not your email address. 

If your email program has problems with hypertext links, 

you may also confirm your email address by logging in to your account.

 
Thank you for using PayPal! 

The PayPal Team

----------------------------------------------------------------

Please do not reply to this email. This mailbox is not monitored and you
will not receive a response.

For assistance, log in to your PayPal account and click the Help link
located in the top right corner of any PayPal page. 

----------------------------------------------------------------

PayPal Email ID PP059

HEMFBKCMCUNCRVRFYOEGZWKZKENTMXZBPDSJBD
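The header walk described in the synopsis, as an added example that is not part of the original post: it parses a constructed message modelled on the quoted headers (the obscured webmail domain is replaced by a placeholder), pulls the originating hop out of the last Received line, and reports the same indicators the post relies on (display-name impersonation, a bare HELO from a residential ISP address, a desktop mail client).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; the sender's
# webmail domain is a placeholder because the archive obscures it.
RAW = """Received: from mail5.igxglobal.com (unknown [192.168.27.51]) by
\tgroupware.igxglobal.com (Postfix) with ESMTP id 910DD32C082 for
\t<victim@example.invalid>; Tue, 14 Feb 2006 11:48:09 -0500 (EST)
Received: from c-68-58-4-141.hsd1.in.comcast.net (HELO compaq)
\t([68.58.4.141]) by mail5.igxglobal.com with SMTP; 14 Feb 2006 11:48:09 -0500
Reply-To: lilreddtp2@webmail.invalid
From: PayPal Security <lilreddtp2@webmail.invalid>
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-Type: text/html; charset="Windows-1251"

(html body omitted)
"""

# Matches "from HOST (HELO NAME) ([IP])" as well as "from HOST (rdns [IP])".
HOP_RE = re.compile(r"from\s+(\S+)\s+(?:\(HELO\s+([^)]+)\)\s*)?.*?\[(\d+(?:\.\d+){3})\]")

def origin_hop(msg):
    """The first hop is the LAST Received header. Only the bracketed IP was
    written by the receiving MTA; the host and HELO names are client-supplied."""
    hops = msg.get_all("Received", [])
    if not hops:
        return None
    m = HOP_RE.search(" ".join(hops[-1].split()))
    return (m.group(1), m.group(2), m.group(3)) if m else None

def analyze(raw):
    """Return (origin hop, findings) for the header checks the post walks through."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if "paypal" in display.lower() and not domain.endswith("paypal.com"):
        findings.append(f"From claims '{display}' but address is at {domain}")
    hop = origin_hop(msg)
    if hop and hop[1] and "." not in hop[1]:  # bare HELO, e.g. a PC hostname
        findings.append(f"bare HELO '{hop[1]}' from {hop[0]} [{hop[2]}]")
    mailer = msg.get("X-Mailer", "")
    if "Outlook Express" in mailer:  # a desktop client, not a notification system
        findings.append(f"sent with desktop client: {mailer}")
    return hop, findings
```

Only the IP the receiving MTA wrote in brackets is trustworthy; the hostname and HELO string in the same line are chosen by the sending client.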
