[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1140013063.31763.42.camel@tumbleweed>
Date: Wed Feb 15 14:18:03 2006
From: bpasdar at igxglobal.com (Babak Pasdar)
Subject: Forensic Analysis of a Paypal Phishing Scam
Hello all,
I recently received this e-mail notifying me of a new e-mail address
that was added to my Paypal account. I broke down the steps I took to
analyze the e-mail first to identify that it was a phishing scam and
then to track down the steps this Scammer used and identify the systems
in use.
I have provided the e-mail and a synopsis along with a link to the
original full forensics.
Synopsis:
1. The e-mail was sent from a Comcast network in Indianapolis from a
windows machine running outlook express. The Scammer used a Yahoo name
on the account.
2. The domain was registered through a proxy domain registration company
which uses Yahoo's DNS and provided a web server through Yahoo.
3. The Yahoo web server redirects the user to an Oracle web server on
port 84 running in Seoul, Korea.
4. Finally, when you put in your username and password it tells you the
system is down for maintenance, but does take the time to ask you for
your credit card and pin numbers!
Notes: The Scammer does use an interesting approach in eliminating the
address bar and using a graphics of an address bar in it's place showing
a Paypal login account.
To see the the full analysis click here:
http://dsb.igxglobal.com/plugins/content/content.php?content.37
Babak Pasdar
Founder / Chief Technology & Information Security Officer
Support the Daily Security Briefing Web Site and Register Here:
http://dsb.igxglobal.com
For this week's DSB/Week-in-Review Audio/Video Security Report:
http://dsb.igxglobal.com/news.php?item.50.4
To register for a Daily Security Intelligence e-mail:
http://www.igxglobal.com/dsb/register.html
Get your security news via Podcast:
http://dsb.igxglobal.com/page.php?11
Return-Path: <lilreddtp2@...oo.com>
Received: from groupware.igxglobal.com ([unix socket]) by groupware
(Cyrus v2.1.16) with LMTP; Tue, 14 Feb 2006 11:48:09 -0500
X-Sieve: CMU Sieve 2.2
Received: from mail5.igxglobal.com (unknown [192.168.27.51]) by
groupware.igxglobal.com (Postfix) with ESMTP id 910DD32C082 for
<bpasdar@...global.com>; Tue, 14 Feb 2006 11:48:09 -0500 (EST)
Received: from c-68-58-4-141.hsd1.in.comcast.net (HELO compaq)
([68.58.4.141]) by mail5.igxglobal.com with SMTP; 14 Feb 2006 11:48:09
-0500
Message-Id: <4oasf3$3s8uf@...l5.igxglobal.com>
X-BrightmailFiltered: true
X-Brightmail-Tracker: AAAAAA==
X-IronPort-AV: i="4.02,114,1139202000"; d="scan'208,217";
a="4072399:sNHT36133904"
Reply-To: lilreddtp2@...oo.com
From: PayPal Security <lilreddtp2@...oo.com>
Subject: New email address added to your account !
Date: Tue, 14 Feb 2006 11:48:06 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
To: undisclosed-recipients : ;
X-Evolution-Source: imap://bpasdar;auth=DIGEST-MD5@....241.202.7/
You've added an additional email address to your PayPal account.
If you don?t agree with this email glasshk32@...cast.net and if you need
assistance with your account,
please click here to login to your account.
To make sure you can use your PayPal account the next time you make a
purchase,
all you need to do is confirm or not your email address.
If your email program has problems with hypertext links,
you may also confirm your email address by logging in to your account.
Thank you for using PayPal!
The PayPal Team
----------------------------------------------------------------
Please do not reply to this email. This mailbox is not monitored and you
will not receive a response.
For assistance, log in to your PayPal account and click the Help link
located in the top right corner of any PayPal page.
----------------------------------------------------------------
PayPal Email ID PP059
HEMFBKCMCUNCRVRFYOEGZWKZKENTMXZBPDSJBD
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060215/7a81c3e1/attachment.bin
-------------- next part --------------
_________________________________
igxglobal utilizes state of the art technology from PGP to ensure the safeguard of all electronic correspondences. This message could have been secured by PGP Universal. To secure future messages from this sender, please click this link and contact your representative at igxglobal for further information:
https://keys.igxglobal.com/b/b.e?r=full-disclosure%40lists.grok.org.uk&n=4Njq7juzEf1Yn9MHjRn9Ow%3D%3D
Powered by blists - more mailing lists