Two non-Pay Pal users got this notice today:
--------------------------------------------------------------
Dear Paypal Member,
We recently noticed one or more attempts to log in to your PayPal
account from a foreign IP address.
If you recently accessed your account while traveling, the unusual log
in attempts may have been initiated by you. However, if you did not
initiate the log ins, please visit PayPal as soon as possible to change
your password:
https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run
Changing your password is a security measure that will ensure that you
are the only person with access to the account.
Thanks for your patience as we work together to protect your account.
Sincerely,
PayPal
----------------------------------------------------------------
Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
'Help' link in the header of any page.
PayPal Email ID PP321
---------------------------------------------------------------
So, I don't know if the above is a hoax or the real tomato but ?????
Josie
--
----------------------------------
"Once you know, you know"
The Unified Field of Know Theory
It's a criminal fraud called phishing. If you look at the text of the
URL you will see that the link does not match the text of the email.
Paypal NEVER sends out messages of that type.
If you follow the link you should find that the site is down by now.
Otherwise please drop me a line.
My day job is working out how to stop this particular crime.
>
> So, I don't know if the above is a hoax or the real tomato but ?????
>
> Josie
If you mosey over to news.admin.net-abuse.email and Google for
terms like "how to read email headers" you will find out how
easy it is to verify that these are fake.
You can use the same techniques to find out who owns a webpage
(up to a point, the criminals work through fronts but legit
companies do not.)
Of course it is usually pretty easy to identify the fakes just from
the text. They always ask for information a legitimate company
will not, like your PIN or password, Social Security Account Number
and so on.
--
FF
firstjois wrote:
> ...
> >>
> Thanks all! I've emailed my buddies
Crimony!
> and reported it back to Pay Pal, too.
> I've been using the internet for a long time but hadn't seen anything like
> that before.
Uh, respectfully, people who have been using the internet for a long
time usually know better than to email *all of their buddies* about
scams they get in email.
BTW, Craig Shergold got better.
--
FF
>Another recent worm that I've heard about but not seen, is that
>your system gets infected by a virus, which modifies your local hosts
>file, so your system _thinks_ it's getting to paypal.com, but it's
>going to the scammer's site instead. Solution there is (1) don't
>run Windows, or (2) keep up to date (daily) with antivirus and spyware
>scans.
Linux also has a hosts file. The much larger problem on the Windows
boxes was a third-party firewall that had a buggy DNS client that did
not do anti-spoofing properly and would accept and cache DNS spoofed
data from any source without verification.
The paypal 'attack' is nothing new, we were aware of the same problem
back in the days of ASCII only DNS, long before SSL was designed some
joker registered Micros0ft.com and put up an attack site. The problem
identified by Schmoo had actually been anticipated in the design of the
DNS multi-lingual extension, in theory it was not possible to register
DNS names with names from different character sets. In practice there
are some languages where either the Roman or the Cyrillic alphabet may
be used. So one of the registrars had a code page up that accepted both
if you registered a name in Tidjuk.
Oh and the paypal 'attack' only affected Firefox.
A much bigger problem is the phishing gangs registering
bigbank-security.com, bigbank-login.com etc. etc.
Hi Scott,
I never got to thank you for the push sticks. They have come in very
handy. I also realize that I need to get a bandsaw sooner than I
planned.
>I suspect he isn't fighting at the front-line, but rather trying
>to determine methods that would prevent such attempts from
>either being made or being successful.
Absolutely, we have more than enough people playing whack-a-mole. My
job is to work out ways we can fill some of the mole-holes up with
cement so that the mole-whackers have a better chance of clobbering
'em.
In article <[email protected]>, firstjois
<[email protected]> wrote:
> So, I don't know if the above is a hoax or the real tomato but ?
No legitimate company will EVER send you an email of this type. Not
PayPal, not your bank, not your credit card company. NONE of them. They
quite simply DO NOT SEND NOTICES BY EMAIL.
EVERY message like this is an attempt to defraud you.
Every single one.
--
"The thing about saying the wrong words is that A, I don't notice it, and B,
sometimes orange water gibbon bucket and plastic." -- Mr. Burrows
On Sat, 26 Mar 2005 13:41:30 GMT, Rob V <[email protected]> wrote:
> I know these are just phishing expeditions - but can someone explain how the
> link below shoots you to somewhere else and not PayPal??
One new-ish exploit substitutes characters from other languages that
_look_ like English characters into the URL. So, it looks like paypal.com
but it's really {p}aypal.com - where the "p" is the (Russian?) font
character that looks like, but isn't, a "p".
If you get something "from" your bank, paypal, eBay, or anyone else
claiming you need to do something to your account there, go to
your browser, and type in the name of ebay, paypal, or your bank's
site. Don't trust any clickable link for anything as important
as your finances. Sounds paranoid, but they're getting pretty clever.
Another recent worm that I've heard about but not seen, is that
your system gets infected by a virus, which modifies your local hosts
file, so your system _thinks_ it's getting to paypal.com, but it's
going to the scammer's site instead. Solution there is (1) don't
run Windows, or (2) keep up to date (daily) with antivirus and spyware
scans.
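A defender-side check for the look-alike hostnames described in this post, as an added example that is not part of the original thread. It flags hostname labels that mix scripts and names whose "skeleton" collapses onto a protected name; the `PROTECTED` set, the small `LOOKALIKES` table and the function names are assumptions made for the illustration, and the digit entries cover the Micros0ft.com style of substitution mentioned elsewhere in the thread.

```python
import unicodedata

# Characters that render like Latin letters: a few Cyrillic lower-case
# letters plus two digit substitutions. Illustrative, not exhaustive.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "0": "o", "1": "l",
}

# Assumption: the names this check is protecting.
PROTECTED = {"paypal.com", "microsoft.com"}


def to_unicode(host):
    """Decode any xn-- (punycode) labels so the real characters are visible."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except ValueError:
                pass  # leave an undecodable label as it was received
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Set of script names (LATIN, CYRILLIC, ...) used by the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(host):
    """Replace each look-alike character with the Latin letter it imitates."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in host)


def check_host(host, protected=PROTECTED):
    """Return the reasons a hostname looks like an imitation (empty if none)."""
    shown = to_unicode(host.rstrip("."))
    reasons = []
    for label in shown.split("."):
        found = scripts(label)
        if len(found) > 1:
            reasons.append("label %r mixes scripts: %s"
                           % (label, ", ".join(sorted(found))))
    skel = skeleton(shown)
    if skel in protected and shown not in protected:
        reasons.append("renders like %s but is a different name" % skel)
    return reasons


if __name__ == "__main__":
    # Constructed samples: Cyrillic U+0440 in place of the first "p", a digit
    # substitution, and the genuine name.
    for name in ("\u0440aypal.com", "micros0ft.com", "paypal.com"):
        print(ascii(name), check_host(name))
```
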
On 28 Mar 2005 01:50:17 GMT, Bruce Barnett <[email protected]> wrote:
> Roy Smith <[email protected]> writes:
>
>> ACTION=http://rds.yahoo.com/*http://www.google.com/url
>> VALUE=http://rds.yahoo.com/*http://218.57.129.20/%6D%61%6E%75%61%6C/webscr/
>
> I think that the "*" in a URL refers to the username. So everything
> left of the "*" is ignored.
Microsoft was supposed to have fixed that problem 1.5 years ago. This may
only work with very unpatched systems.
On 25 Mar 2005 18:05:45 -0800, Phillip Hallam-Baker <[email protected]> wrote:
> It's a criminal fraud called phishing. If you look at the text of the
> URL you will see that the link does not match the text of the email.
>
> Paypal NEVER sends out messages of that type.
>
> If you follow the link you should find that the site is down by now.
> Otherwise please drop me a line.
>
> My day job is working out how to stop this particular crime.
Sounds cool. How do I get a gig like that? Would you benefit
from copies of the current phishing attempts I get?
Dave Hinz
On Mon, 28 Mar 2005 11:42:43 -0500, George <george@least> wrote:
>
> "Dave Hinz" <[email protected]> wrote in message
> news:[email protected]...
>> On Sat, 26 Mar 2005 13:41:30 GMT, Rob V <[email protected]> wrote:
>> > I know these are just phishing expeditions - but can someone explain how the
>> > link below shoots you to somewhere else and not PayPal??
>>
>> One new-ish exploit substitutes characters from other languages that
>> _look_ like English characters into the URL. So, it looks like paypal.com
>> but it's really {p}aypal.com - where the "p" is the (Russian?) font
>> character that looks like, but isn't, a "p".
>>
>
> Well - "R" if you must know, but unless you have one of the 4 Cyrillic fonts
> activated, and don't notice the difference in the letter, probably will come
> as its equivalent in the Latin character set.
That sounds like the one. Thanks for the cpapification.
On Mon, 28 Mar 2005 17:13:24 GMT, Scott Lurndal <[email protected]> wrote:
> Dave Hinz <[email protected]> writes:
>>On 25 Mar 2005 18:05:45 -0800, Phillip Hallam-Baker <[email protected]> wrote:
>>> It's a criminal fraud called phishing. If you look at the text of the
>>> URL you will see that the link does not match the text of the email.
>>>
>>> Paypal NEVER sends out messages of that type.
>>>
>>> If you follow the link you should find that the site is down by now.
>>> Otherwise please drop me a line.
>>>
>>> My day job is working out how to stop this particular crime.
>>
>>Sounds cool. How do I get a gig like that? Would you benefit
>
> Quick google search shows that Dr. Hallam-Baker is Principal
> Scientist at VeriSign.
Ah. Glad they're doing that, I didn't know they did more than
site certs and security stuff. Good to have a company with all those
resources actively pursuing the bad guys.
> I suspect he isn't fighting at the front-line, but rather trying
> to determine methods that would prevent such attempts from
> either being made or being successful.
Yes, it's a challenge to find something (a) easy for the users to use,
(b) unspoofable for the bad guys, and (c) likely to be _used_ to check
validity of where the site pretends to be.
"Norman D. Crow" <[email protected]> wrote in message
news:[email protected]...
> 'Nother type of pfishing is the ones where you receive an e mail message
> saying "Your order #xxxxx is ready", just hoping you get nosy and send them
> an irate e mail. NOW they have your address, at least.
>
Which they didn't use to contact me in the first place?
Or do you mean that they have confirmed someone at the address?
Sorry, I guess I'm just doing a Cawthorne, I really do understand what you
mean. I just don't understand why they wouldn't continue to send to empty
addresses, it being easier than weeding out, since their cutout mailing
programs don't kick back undeliverables.
"Dave Hinz" <[email protected]> wrote in message
news:[email protected]...
> On Sat, 26 Mar 2005 13:41:30 GMT, Rob V <[email protected]> wrote:
> > I know these are just phishing expeditions - but can someone explain how the
> > link below shoots you to somewhere else and not PayPal??
>
> One new-ish exploit substitutes characters from other languages that
> _look_ like English characters into the URL. So, it looks like paypal.com
> but it's really {p}aypal.com - where the "p" is the (Russian?) font
> character that looks like, but isn't, a "p".
>
Well - "R" if you must know, but unless you have one of the 4 Cyrillic fonts
activated, and don't notice the difference in the letter, probably will come
as its equivalent in the Latin character set.
> ???? ?? ?? ??? ???? ????? ?????? ???? ?????? ????????? ???? ?????
> ?????????? ?????, ??????? ?? ????? ?? ?? ?????? ?????????? ???? ??????.
"If you had, three years ago, learned only one new English word every day,
you would today know one thousand more English words."
Not that I replied, having no desire to learn English. Now American....
On Fri, 25 Mar 2005 20:35:59 -0500, the inscrutable "firstjois"
<[email protected]> spake:
>Two non-Pay Pal users got this notice today:
--snip--
>So, I don't know if the above is a hoax or the real tomato but ?????
Josie, they're called "spoofs" and are hoaxes; scammers trying to
get you to use your login info so they can empty your account into
theirs.
========================================================
TANSTAAFL: There ain't no such thing as a free lunch.
http://diversify.com Gourmet Web Applications
==========================
Phillip Hallam-Baker wrote:
> It's a criminal fraud called phishing. If you look at the text of the
> URL you will see that the link does not match the text of the email.
>
> Paypal NEVER sends out messages of that type.
>
> If you follow the link you should find that the site is down by now.
> Otherwise please drop me a line.
>
> My day job is working out how to stop this particular crime.
>
Thanks from all of us then.
:-)
--
Will R.
Jewel Boxes and Wood Art
http://woodwork.pmccl.com
"The power of accurate observation is commonly called cynicism by those
who have not got it." George Bernard Shaw
Dave Hinz <[email protected]> writes:
>On Mon, 28 Mar 2005 17:13:24 GMT, Scott Lurndal <[email protected]> wrote:
>> Dave Hinz <[email protected]> writes:
>>>On 25 Mar 2005 18:05:45 -0800, Phillip Hallam-Baker <[email protected]> wrote:
>>>> It's a criminal fraud called phishing. If you look at the text of the
>>>> URL you will see that the link does not match the text of the email.
>>>>
>>>> Paypal NEVER sends out messages of that type.
>>>>
>>>> If you follow the link you should find that the site is down by now.
>>>> Otherwise please drop me a line.
>>>>
>>>> My day job is working out how to stop this particular crime.
>>>
>>>Sounds cool. How do I get a gig like that? Would you benefit
>>
>> Quick google search shows that Dr. Hallam-Baker is Principal
>> Scientist at VeriSign.
>
>Ah. Glad they're doing that, I didn't know they did more than
>site certs and security stuff. Good to have a company with all those
>resources actively pursuing the bad guys.
Their portfolio is pretty broad now, they started with certs, but
now do everything from downloadable ring-tones through cell call billing,
on-line credit card processing and smart-tokens for multi-factor
authentication. And don't forget running .com and .net root DNS
servers.
>
>> I suspect he isn't fighting at the front-line, but rather trying
>> to determine methods that would prevent such attempts from
>> either being made or being successful.
>
>Yes, it's a challenge to find something (a) easy for the users to use,
>(b) unspoofable for the bad guys, and (c) likely to be _used_ to check
>validity of where the site pretends to be.
And non-proprietary.
scott
Rob V wrote:
> I know these are just phishing expeditions - but can someone explain how the
> link below shoots you to somewhere else and not PayPal??
>
As a friend explained it to me, one trick is to use the same address as the
legitimate one except for using a foreign letter character that looks
like an English character. I'm sure there are a myriad of other sneaky
techniques.
Glen
Roy Smith wrote:
> "Rob V" <[email protected]> wrote:
>
>>I know these are just phishing expeditions - but can someone explain how the
>>link below shoots you to somewhere else and not PayPal??
>
>
> I just looked at one of the many PayPal phishes I've gotten. It displays
> an innocent-looking link to click at the label on a button. But, when you
> click the button, it takes you somewhere completely different.
>
> I don't know if you're into the gory details of HTML, but here's what's
> buried in the email (slightly reformatted to make it easier to read):
>
> <FORM
> target="_blank"
> ACTION=http://rds.yahoo.com/*http://www.google.com/url
> METHOD=get>
> <INPUT
> TYPE=HIDDEN
> NAME=q
> VALUE=http://rds.yahoo.com/*http://218.57.129.20/%6D%61%6E%75%61%6C/webscr/
>
> <input
> type=submit
> style="color:#000080; border:solid 0px; background:#white;"
> value=https://www.paypal.com/cgi-bin/webscr?cmd=_update
>
> </form>
>
> When I clicked on the button, I ended up at 218.57.129.20 after several
> redirects. Even after watching all the conversations with a packet
> sniffer, I'm still not 100% sure what's going on. It looks like it
> contacted yahoo, got an error, then contacted google, got another error,
> and somehow ended up at 218.57.129.20 (where I was presented with what
> looked like a perfectly valid PayPal login screen). I suspect they're
> exploiting some bug in many browsers where incorrectly formed HTML is
> parsed wrong.
>
> The bottom line is that these guys are not just some kids out for kicks.
> They're sophisticated, well equipped, and technologically savvy criminals.
> My guess is that phishing is the #1 financial fraud these days, and it's
> probably costing billions of dollars a year.
*************************
You mean this isn't Paypal? ROTFLMAO
******
(6) Match Found at whois.apnic.net for 218.57.129.20 ......
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.57.129.0 - 218.57.129.63
netname: JNQLSOFTWARE
country: CN
descr: Shandong Jinan Qilu Software Area Development Center
admin-c: DS95-AP
tech-c: DS95-AP
status: ASSIGNED NON-PORTABLE
changed: [email protected] 20020416
mnt-by: MAINT-CNCGROUP-SD
source: APNIC
person: Data Communication Bureau Shandong
nic-hdl: DS95-AP
e-mail: [email protected]
address: No.77 Jingsan Road,Jinan,Shandong,P.R.China
phone: +86-531-6052611
fax-no: +86-531-6052414
country: CN
changed: [email protected] 20050128
mnt-by: MAINT-CNCGROUP-SD
source: APNIC
**************************
.... Start Report ...
NS - name Server Specs:
QTNS.Name Server: ns.sdjnptt.net.cn
QTNS.Name : 57.218.in-addr.arpa
TTL: - Time to Live: 151305
NS - name Server Specs:
QTNS.Name Server: dns-jn.sd.cninfo.net
QTNS.Name : 57.218.in-addr.arpa
TTL: - Time to Live: 151305
*************************
******
One of the last routers on the traceroute...
(6) Match Found at whois.apnic.net for 60.208.64.46 ......
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 60.208.0.0 - 60.217.255.255
netname: CNCGROUP-SD
descr: CNCGROUP Shandong province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: XZ14-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-SD
mnt-routes: MAINT-CNCGROUP-SD
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [email protected] 20040705
source: APNIC
role: CNCGroup Hostmaster
e-mail: [email protected]
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN
admin-c: CH444-AP
tech-c: CH444-AP
changed: [email protected] 20041119
mnt-by: MAINT-CNCGROUP
source: APNIC
person: XIAOFENG ZHANG
nic-hdl: XZ14-AP
e-mail: [email protected]
address: Jinan,Shandong P.R China
phone: +86-531-605
fax-no: +86-531-605
country: CN
changed: [email protected] 20050128
mnt-by: MAINT-ZXF
source: APNIC
***************************
I have a little tool I wrote for tracking these SOB's
However, that assumes my local DNS servers have not been "poisoned".
Every so often I get motivated to track them. But so many phishers - so
little time...
Most are in China these days, But a lot are still in Dallas/FW area.
The most interesting ones are the ones that have router records on the
traceroute that show a hop from LA to Detroit as the last hop. Or a
registration record for Seattle -- but the last router on the traceroute is
in China, or Pakistan or whatever...
That way you know they are strictly legit. ROTFLMAO.
Now I assume that any business related email must be followed up with a
telephone call.
Cheers and good hunting.
--
Will R.
Jewel Boxes and Wood Art
http://woodwork.pmccl.com
"The power of accurate observation is commonly called cynicism by those
who have not got it." George Bernard Shaw
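The button-label trick in the form quoted above can be checked mechanically. The following is an added example, not code from anyone in the thread: it parses an HTML message, pairs each visible link or submit-button label with the URLs it can actually send the reader to, unwraps redirector-style URLs of the `host/*http://...` shape seen in the quoted form, and reports mismatches. The sample message is constructed (example.com/example.net hosts and a documentation IP address), and the class and function names are assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://", re.I)


def innermost_url(url):
    """Percent-decode `url` and return the last http(s) URL embedded in it."""
    decoded = unquote(url.strip())
    starts = [m.start() for m in URL_RE.finditer(decoded)]
    return decoded[starts[-1]:] if starts else decoded


def host_of(url):
    return (urlsplit(url.strip()).hostname or "").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collects (visible label, [candidate targets]) for <a> and <form>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.pairs = []
        self._href, self._text, self._form = None, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self._form = {"targets": [a.get("action") or ""], "labels": []}
        elif tag == "input" and self._form is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "hidden":    # hidden fields can carry the real target
                self._form["targets"].append(a.get("value") or "")
            elif kind == "submit":  # the button text is what the reader sees
                self._form["labels"].append(a.get("value") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append(("".join(self._text).strip(), [self._href]))
            self._href = None
        elif tag == "form" and self._form is not None:
            self.pairs += [(lbl, self._form["targets"])
                           for lbl in self._form["labels"]]
            self._form = None


def audit(html):
    """Return one finding per target that does not go where the label says."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for label, targets in collector.pairs:
        label = label.strip()
        claimed = host_of(label) if URL_RE.match(label) else ""
        for target in targets:
            if not URL_RE.search(target):
                continue  # hidden field that is not a URL
            final = innermost_url(target)
            dest, reasons = host_of(final), []
            if claimed and dest != claimed:
                reasons.append("label shows %s, target is %s" % (claimed, dest))
            if host_of(target) != dest:
                reasons.append("reached through redirector %s" % host_of(target))
            if is_ip(dest):
                reasons.append("target is a bare IP address")
            if reasons:
                findings.append({"label": label, "final": final,
                                 "host": dest, "reasons": reasons})
    return findings


# Constructed sample: one honest link, then a form shaped like the quoted one.
SAMPLE_HTML = """
<a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run">
https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run</a>
<form target="_blank" method="get"
      action="http://redirect.example.com/*http://search.example.net/url">
<input type="hidden" name="q"
 value="http://redirect.example.com/*http://192.0.2.20/%6D%61%6E%75%61%6C/webscr/">
<input type="submit" value="https://www.paypal.com/cgi-bin/webscr?cmd=_update">
</form>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML):
        print(finding["host"], finding["reasons"])
```
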
Larry Jaques wrote:
>> On Fri, 25 Mar 2005 20:35:59 -0500, the inscrutable "firstjois"
>> <[email protected]> spake:
>>
>>> Two non-Pay Pal users got this notice today:
>> --snip--
>>> So, I don't know if the above is a hoax or the real tomato but ?????
>>
>> Josie, they're called "spoofs" and are hoaxes; scammers trying to
>> get you to use your login info so they can empty your account into
>> theirs.
>>
Thanks all! I've emailed my buddies and reported it back to Pay Pal, too.
I've been using the internet for a long time but hadn't seen anything like
that before. Some people really have a lot of time on their hands and
pretty mean minds.
Josie
In article <[email protected]>,
[email protected] says...
> If the email is html, then what is shown may be hiding a different link.
> By copying this email as the text shown, the link has been discarded.
>
Some email readers (most?) will let you display message source. Even if
you can't read HTML, you should be able to spot a strange URL or two
lurking in the message.
--
Homo sapiens is a goal, not a description
"Rob V" <[email protected]> wrote in message
news:[email protected]...
>I know these are just phishing expeditions - but can someone explain how
>the link below shoots you to somewhere else and not PayPal??
>
>
> "firstjois" <[email protected]> wrote in message
> news:[email protected]...
>> Two non-Pay Pal users got this notice today:
>>
>> --------------------------------------------------------------
>>
>>
>> https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run
>>
>> Changing your password is a security measure that will ensure that you
>>
>>
>>
>
The phishing logon is ever so slightly different from the genuine logon as
shown below:
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run <------ does not
contain the /us/
Mark & Juanita <[email protected]> writes:
>On 25 Mar 2005 18:05:45 -0800, "Phillip Hallam-Baker" <[email protected]>
>wrote:
>
>>It's a criminal fraud called phishing. If you look at the text of the
>>URL you will see that the link does not match the text of the email.
>>
>>Paypal NEVER sends out messages of that type.
>>
>>If you follow the link you should find that the site is down by now.
>>Otherwise please drop me a line.
>>
>>My day job is working out how to stop this particular crime.
>
> Good deal! Hope you are having some success at that endeavor.
>
The problems revolve around changing the existing infrastructure in a
non-disruptive way and doing it in a fashion that won't be perceived
as proprietary by any other vendors or the open source community.
scott
Watch out for this new scam:
Dear CNET members,
By now, hopefully everyone is aware of phishing scams--cleverly designed
e-mail and Web sites used to gain access to your financial logins and
passwords. We've pretty much reached the level of sniffing those out from a
mile away. But this fairly new heinous tactic, called pharming, is
absolutely frightening. For example, you type in citibank.com in to your
Internet browser. The address bar displays as you would expect--citibank.com
and you proceed to log on to access your bank account information. No sweat,
eh? Well, little did you know that behind the scenes, citibank.com's DNS
(domain name servers) just got hijacked--displaying the completely
legitimate URL address that you are accustomed to, but directing you to a
spoofed site that looks and feels just like your financial institution, so
you have absolutely no idea you willingly gave up your personal account info
to the hijackers. Is this scary or what? Are you concerned? Are there any
preventative measures out there that we can take, or are we just out of luck
on this one? Find out more about this all-too-important topic in senior
editor Robert Vamosi's article, "Alarm over pharming attacks: identity theft
made even easier." And if you have concerns to share or preventative tips to
offer, or if you've even been scammed before by this tactic, share your
experience with us so that we can all learn how to tackle this issue
together. Be safe and be aware out there! TalkBack here.
"firstjois" <[email protected]> wrote in message
news:[email protected]...
> Two non-Pay Pal users got this notice today:
>
> --------------------------------------------------------------
>
>
> Dear Paypal Member,
>
> We recently noticed one or more attempts to log in to your PayPal
> account from a foreign IP address.
>
> If you recently accessed your account while traveling, the unusual log
> in attempts may have been initiated by you. However, if you did not
> initiate the log ins, please visit PayPal as soon as possible to change
> your password:
>
> https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run
>
> Changing your password is a security measure that will ensure that you
> are the only person with access to the account.
>
> Thanks for your patience as we work together to protect your account.
>
> Sincerely,
> PayPal
>
> ----------------------------------------------------------------
>
> Please do not reply to this e-mail. Mail sent to this address cannot be
> answered. For assistance, log in to your PayPal account and choose the
> 'Help' link in the header of any page.
>
> PayPal Email ID PP321
>
> ---------------------------------------------------------------
>
> So, I don't know if the above is a hoax or the real tomato but ?????
>
> Josie
> --
> ----------------------------------
> "Once you know, you know"
> The Unified Field of Know Theory
>
>
>
Dave Hinz <[email protected]> writes:
>On 25 Mar 2005 18:05:45 -0800, Phillip Hallam-Baker <[email protected]> wrote:
>> It's a criminal fraud called phishing. If you look at the text of the
>> URL you will see that the link does not match the text of the email.
>>
>> Paypal NEVER sends out messages of that type.
>>
>> If you follow the link you should find that the site is down by now.
>> Otherwise please drop me a line.
>>
>> My day job is working out how to stop this particular crime.
>
>Sounds cool. How do I get a gig like that? Would you benefit
Quick google search shows that Dr. Hallam-Baker is Principal
Scientist at VeriSign.
>from copies of the current phishing attempts I get?
I suspect he isn't fighting at the front-line, but rather trying
to determine methods that would prevent such attempts from
either being made or being successful.
scott
>
>Dave Hinz
"Rob V" <[email protected]> wrote in
news:[email protected]:
> I know these are just phishing expeditions - but can someone explain
> how the link below shoots you to somewhere else and not PayPal??
>
If the email is html, then what is shown may be hiding a different link.
By copying this email as the text shown, the link has been discarded.
There are add-ins that would let you know whether the site you are going to
go to is indeed the site you think you are going to. I use spoofstick as a
Firefox extension, but I'm sure there are others, as well as for other
browsers. IMHO, they should be standard.
--
Best regards
Han
email address is invalid
I turned the same email into Pay Pal a couple days ago.
-- Log
"firstjois" <[email protected]> wrote in message
news:[email protected]...
> Two non-Pay Pal users got this notice today:
>
> --------------------------------------------------------------
>
>
> Dear Paypal Member,
>
> We recently noticed one or more attempts to log in to your PayPal
> account from a foreign IP address.
>
> If you recently accessed your account while traveling, the unusual log
> in attempts may have been initiated by you. However, if you did not
> initiate the log ins, please visit PayPal as soon as possible to change
> your password:
>
> https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run
>
> Changing your password is a security measure that will ensure that you
> are the only person with access to the account.
>
> Thanks for your patience as we work together to protect your account.
>
> Sincerely,
> PayPal
>
> ----------------------------------------------------------------
>
> Please do not reply to this e-mail. Mail sent to this address cannot be
> answered. For assistance, log in to your PayPal account and choose the
> 'Help' link in the header of any page.
>
> PayPal Email ID PP321
>
> ---------------------------------------------------------------
>
> So, I don't know if the above is a hoax or the real tomato but ?????
>
> Josie
> --
> ----------------------------------
> "Once you know, you know"
> The Unified Field of Know Theory
>
>
>
Hmmm
These paypal notices are hoaxes...
firstjois wrote:
> Two non-Pay Pal users got this notice today:
>
> --------------------------------------------------------------
>
>
> Dear Paypal Member,
>
> We recently noticed one or more attempts to log in to your PayPal
> account from a foreign IP address.
>
> If you recently accessed your account while traveling, the unusual log
> in attempts may have been initiated by you. However, if you did not
> initiate the log ins, please visit PayPal as soon as possible to change
> your password:
>
> https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run
>
> Changing your password is a security measure that will ensure that you
> are the only person with access to the account.
>
> Thanks for your patience as we work together to protect your account.
>
> Sincerely,
> PayPal
>
> ----------------------------------------------------------------
>
> Please do not reply to this e-mail. Mail sent to this address cannot be
> answered. For assistance, log in to your PayPal account and choose the
> 'Help' link in the header of any page.
>
> PayPal Email ID PP321
>
> ---------------------------------------------------------------
>
> So, I don't know if the above is a hoax or the real tomato but ?????
>
> Josie
HOAX HOAX HOAX
Lots of this stuff going around today. A veritable flood as it were.
I think that the woodwork groups are being farmed for addresses. (and
probably all others...)
People I know are seeing 5 to 8 virus attachments a day as well as this
crap.
I have looked at the code for the Paypal stuff and tracked some of the
websites back to China using some of the tools I have here.
You can use web based "whois" if you are brave enough to fiddle with the
messages and extract stuff. Some of these messages now have executable
code in them. Exercise caution -- at the least turn off Javascript for
email and newsgroups.
The 419 and Lottery scams are in high gear this last week or so.
For your entertainment - see the "Busted up Cowgirl" Link on the
following page or go to the email security...
http://pmccl.com/security/security.html
--
Will R.
Jewel Boxes and Wood Art
http://woodwork.pmccl.com
"The power of accurate observation is commonly called cynicism by those
who have not got it." George Bernard Shaw
George wrote:
> "Norman D. Crow" <[email protected]> wrote in message
> news:[email protected]...
>
>>'Nother type of pfishing is the ones where you receive an e mail message
>>saying "Your order #xxxxx is ready", just hoping you get nosy and send them
>>an irate e mail. NOW they have your address, at least.
>>
>
>
> Which they didn't use to contact me in the first place?
>
> Or do you mean that they have confirmed someone at the address?
>
> Sorry, I guess I'm just doing a Cawthorne, I really do understand what you
> mean. I just don't understand why they wouldn't continue to send to empty
> addresses, it being easier than weeding out, since their cutout mailing
> programs don't kick back undeliverables.
>
>
>
Ha. Ha!
Hey, I resemble that, but at least spell my last
name correctly, Geroge.
<[email protected]> wrote in message
news:[email protected]...
>
> >
> > So, I don't know if the above is a hoax or the real tomato but ?????
> >
> > Josie
>
> If you mosey over to news.admin.net-abuse.email and Google for
> terms like "how to read email headers" you will find out how
> easy it is to verify that these are fake.
>
> You can use the same techniques to find out who owns a webpage
> (up to a point, the criminals work through fronts but legit
> companies do not.)
>
> Of course it is usually pretty easy to identify the fakes just from
> the text. They always ask for information a legitimate company
> will not, like your PIN or password, Social Security Account Number
> and so on.
>
'Nother type of pfishing is the ones where you receive an e mail message
saying "Your order #xxxxx is ready", just hoping you get nosy and send them
an irate e mail. NOW they have your address, at least.
--
Nahmie
Those on the cutting edge bleed a lot.
Roy Smith <[email protected]> writes:
> ACTION=http://rds.yaho
o.com/*http://www	.google.com/url
> VALUE=http://rds.yahoo.com/*http://218.57.129.20/%6D%61%6E%75%61%6C/webscr/
I think that the "*" in a URL refers to the username. So everything
left of the "*" is ignored.
--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
"George E. Cawthon" <[email protected]> wrote in message
news:[email protected]...
> George wrote:
> > "Norman D. Crow" <[email protected]> wrote in message
> > news:[email protected]...
> >
> >>'Nother type of pfishing is the ones where you receive an e mail message
> >>saying "Your order #xxxxx is ready", just hoping you get nosy and send them
> >>an irate e mail. NOW they have your address, at least.
> >>
> >
> >
> > Which they didn't use to contact me in the first place?
> >
> > Or do you mean that they have confirmed someone at the address?
> >
> > Sorry, I guess I'm just doing a Cawthorne, I really do understand what you
> > mean. I just don't understand why they wouldn't continue to send to empty
> > addresses, it being easier than weeding out, since their cutout mailing
> > programs don't kick back undeliverables.
> >
Yes, they've confirmed a live address. I seldom see more than one of these
from any sender, as Vircom usually catches the next one. (Vircom is firewall,
spam & virus blocker used by my ISP)
--
Nahmie
Those on the cutting edge bleed a lot.
I know these are just phishing expeditions - but can someone explain how the
link below shoots you to somewhere else and not PayPal??
"firstjois" <[email protected]> wrote in message
news:[email protected]...
> Two non-Pay Pal users got this notice today:
>
> --------------------------------------------------------------
>
>
> Dear Paypal Member,
>
> We recently noticed one or more attempts to log in to your PayPal
> account from a foreign IP address.
>
> If you recently accessed your account while traveling, the unusual log
> in attempts may have been initiated by you. However, if you did not
> initiate the log ins, please visit PayPal as soon as possible to change
> your password:
>
> https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run
>
> Changing your password is a security measure that will ensure that you
> are the only person with access to the account.
>
> Thanks for your patience as we work together to protect your account.
>
> Sincerely,
> PayPal
>
> ----------------------------------------------------------------
>
> Please do not reply to this e-mail. Mail sent to this address cannot be
> answered. For assistance, log in to your PayPal account and choose the
> 'Help' link in the header of any page.
>
> PayPal Email ID PP321
>
> ---------------------------------------------------------------
>
> So, I don't know if the above is a hoax or the real tomato but ?????
>
> Josie
> --
> ----------------------------------
> "Once you know, you know"
> The Unified Field of Know Theory
>
>
>
In article <[email protected]>, "Phillip Hallam-Baker" <[email protected]> wrote:
>Linux also has a hosts file. The much larger problem on the Windows
>boxes was a third-party firewall that had a buggy DNS client that did
>not do anti-spoofing properly and would accept and cache DNS spoofed
>data from any source without verification.
Just curious... which third-party firewall was that?
--
Regards,
Doug Miller (alphageek at milmac dot com)
Nobody ever left footprints in the sands of time by sitting on his butt.
And who wants to leave buttprints in the sands of time?
WillR wrote:
> Josie...
>
>
> firstjois wrote:
>> Larry Jaques wrote:
>>
[snip]
>
> You may have missed the point. :-)
>
> This is a _big_ industry with lots of money at stake. It is worth
> their time -- just like good planning and execution pays off in any
> industry. They are not mean -- they are greedy and well financed.
>
> Big money as in _billions of dollars_ are on the table if they can
> scam enough people.
>
[snip]
You're right! I have trouble thinking of this kind of thing as a business.
Josie
On 25 Mar 2005 18:05:45 -0800, "Phillip Hallam-Baker" <[email protected]>
wrote:
>It's a criminal fraud called phishing. If you look at the text of the
>URL you will see that the link does not match the text of the email.
>
>Paypal NEVER sends out messages of that type.
>
>If you follow the link you should find that the site is down by now.
>Otherwise please drop me a line.
>
>my day job is working out how to stop this particular crime.
Good deal! Hope you are having some success at that endeavor.
+--------------------------------------------------------------------------------+
The absence of accidents does not mean the presence of safety
Army General Richard Cody
+--------------------------------------------------------------------------------+
Phillip,
Glad to hear that there are individuals employed to chase down this type of
crime. I also have gotten many of these notes within the year. I have
reported these attempts to paypal, RCMP & CSIS (Canadian intelligence). I
also picked up on the link being bogus. My advice to anyone is never follow
the link in an email sent to them. Always go through the www.paypal.com
login screen to login and check for activity on your account. Only change
account info and passwords through the main login and not from a link given in
an email.
"Phillip Hallam-Baker" <[email protected]> wrote in message
news:[email protected]...
> It's a criminal fraud called phishing. If you look at the text of the
> URL you will see that the link does not match the text of the email.
>
> Paypal NEVER sends out messages of that type.
>
> If you follow the link you should find that the site is down by now.
> Otherwise please drop me a line.
>
> my day job is working out how to stop this particular crime.
>
I fell for this the first time I got one. Immediately after I got through
the form, I got a tinglin' in the old spidey-sense, and went straight to
PayPal's home page, logged in and changed my password. Fortunately, nothing
ever came of it. I am *extremely* skeptical of any such messages now, and
always check the hidden URL of any link. If I'm still not sure it's a hoax,
I'll log into the site's home page through my web browser, rather than click
a link in the email message. It's definitely gotten dangerous out there.
"firstjois" <[email protected]> wrote in message
news:[email protected]...
> Two non-Pay Pal users got this notice today:
>
> --------------------------------------------------------------
>
>
> Dear Paypal Member,
>
> We recently noticed one or more attempts to log in to your PayPal
> account from a foreign IP address.
>
> If you recently accessed your account while traveling, the unusual log
> in attempts may have been initiated by you. However, if you did not
> initiate the log ins, please visit PayPal as soon as possible to change
> your password:
>
> https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run
>
> Changing your password is a security measure that will ensure that you
> are the only person with access to the account.
>
> Thanks for your patience as we work together to protect your account.
>
> Sincerely,
> PayPal
>
> ----------------------------------------------------------------
>
> Please do not reply to this e-mail. Mail sent to this address cannot be
> answered. For assistance, log in to your PayPal account and choose the
> 'Help' link in the header of any page.
>
> PayPal Email ID PP321
>
> ---------------------------------------------------------------
>
> So, I don't know if the above is a hoax or the real tomato but ?????
>
> Josie
> --
> ----------------------------------
> "Once you know, you know"
> The Unified Field of Know Theory
>
>
>
On Fri, 25 Mar 2005 20:35:59 -0500, firstjois wrote:
> So, I don't know if the above is a hoax or the real tomato but ?????
Hoax. It's called phishing. The link goes to some chelovek in Moscow. No,
I haven't seen your example, but I've gotten a few similar spams. The very
best was one that purported to be from Microsoft. It was a doozy, well
laid out, corporate logos, look'n'feel of MS. Be careful out there.
--
"Keep your ass behind you"
vladimir a t mad {dot} scientist {dot} com
"Rob V" <[email protected]> wrote:
> I know these are just phishing expeditions - but can someone explain how the
> link below shoots you to somewhere else and not PayPal??
I just looked at one of the many PayPal phishes I've gotten. It displays
an innocent-looking link to click as the label on a button. But, when you
click the button, it takes you somewhere completely different.
I don't know if you're into the gory details of HTML, but here's what's
buried in the email (slightly reformatted to make it easier to read):
<FORM
target="_blank"
ACTION=http://rds.yaho
o.com/*http://www	.google.com/url
METHOD=get>
<INPUT
TYPE=HIDDEN
NAME=q
VALUE=http://rds.yahoo.com/*http://218.57.129.20/%6D%61%6E%75%61%6C/webscr/
>
<input
type=submit
style="color:#000080; border:solid 0px; background:#white;"
value=https://www.paypal.com/cgi-bin/webscr?cmd=_update
>
</form>
When I clicked on the button, I ended up at 218.57.129.20 after several
redirects. Even after watching all the conversations with a packet
sniffer, I'm still not 100% sure what's going on. It looks like it
contacted yahoo, got an error, then contacted google, got another error,
and somehow ended up at 218.57.129.20 (where I was presented with what
looked like a perfectly valid PayPal login screen). I suspect they're
exploiting some bug in many browsers where incorrectly formed HTML is
parsed wrong.
The bottom line is that these guys are not just some kids out for kicks.
They're sophisticated, well equipped, and technologically savvy criminals.
My guess is that phishing is the #1 financial fraud these days, and it's
probably costing billions of dollars a year.
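Added example (not part of the post above and not code from anyone in this thread): an offline, static unwrapping of the form quoted in that post, comparing the host shown on the button with the host the nested redirect URLs end at. It assumes the redirectors forward to the URL after `/*` or in `q`, and that the broken ACTION is read as one URL once tab and newline characters are dropped; the function names are illustrative.

```python
import re
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Values copied from the form quoted in the post above; the line break and
# tab inside ACTION are kept exactly as they appear there.
LABEL = "https://www.paypal.com/cgi-bin/webscr?cmd=_update"
ACTION = "http://rds.yaho\no.com/*http://www\t.google.com/url"
HIDDEN_Q = "http://rds.yahoo.com/*http://218.57.129.20/%6D%61%6E%75%61%6C/webscr/"

def clean(url):
    """Drop ASCII tab/CR/LF, as URL parsers in browsers do."""
    return re.sub(r"[\t\r\n]", "", url).strip()

def submitted_url(action, q):
    """URL requested by a METHOD=get form: ACTION plus the field as ?q=."""
    return clean(action) + "?" + urlencode({"q": clean(q)})

def hops(url):
    """Unwrap nested redirector URLs offline; return every hop in order.
    Assumption: a redirector forwards to the URL after '/*' in its path,
    or to the URL held in its 'q' query parameter."""
    chain = []
    while url and len(chain) < 10:  # bound the loop against cycles
        chain.append(url)
        parts = urlsplit(url)
        q = parse_qs(parts.query).get("q", [""])[0]
        if parts.path.startswith("/*"):
            url = parts.path[2:] + ("?" + parts.query if parts.query else "")
        elif q.startswith(("http://", "https://")):
            url = q
        else:
            url = None
    return chain

def verdict(label, action, q):
    """Compare the host shown on the button with the host the chain ends at."""
    chain = hops(submitted_url(action, q))
    shown = urlsplit(clean(label)).hostname
    return {
        "shown_host": shown,
        "hop_hosts": [urlsplit(u).hostname for u in chain],
        "final_url": unquote(chain[-1]),
        "mismatch": shown != urlsplit(chain[-1]).hostname,
    }

if __name__ == "__main__":
    print(verdict(LABEL, ACTION, HIDDEN_Q))
```

The percent-encoded path segment `%6D%61%6E%75%61%6C` decodes to `manual`, so the final URL reads `http://218.57.129.20/manual/webscr/` while the button shows `www.paypal.com`.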
Josie...
firstjois wrote:
> Larry Jaques wrote:
>
>>>On Fri, 25 Mar 2005 20:35:59 -0500, the inscrutable "firstjois"
>>><[email protected]> spake:
>>>
>>>
>>>>Two non-Pay Pal users got this notice today:
>>>
>>>--snip--
>>>
>>>>So, I don't know if the above is a hoax or the real tomato but ?????
>>>
>>>Josie, they're called "spoofs" and are hoaxes; scammers trying to
>>>get you to use your login info so they can empty your account into
>>>theirs.
>>>
>
> Thanks all! I've emailed my buddies and reported it back to Pay Pal, too.
> I've been using the internet for a long time but hadn't seen anything like
> that before.
> Some people really have a lot of time on their hands and
> pretty mean minds.
>
> Josie
>
>
You may have missed the point. :-)
This is a _big_ industry with lots of money at stake. It is worth their
time -- just like good planning and execution pays off in any industry.
They are not mean -- they are greedy and well financed.
Big money as in _billions of dollars_ are on the table if they can scam
enough people.
Best wishes -- keep your credit cards in your wallet. LOL
And -- as I said before ...
For your entertainment - see the "Busted up Cowgirl" Link on the
following page or go to the email security...
http://pmccl.com/security/security.html
--
Will R.
Jewel Boxes and Wood Art
http://woodwork.pmccl.com
"The power of accurate observation is commonly called cynicism by those
who have not got it." George Bernard Shaw
In article <[email protected]>, "firstjois" <[email protected]> wrote:
>Two non-Pay Pal users got this notice today:
>
>--------------------------------------------------------------
>
>
>Dear Paypal Member,
Fraud.
PayPal is very explicit: they never, *ever* send e-mails that address you any
other way than by your first and last name that you used when you registered.
See
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/general/SecuritySpoof-outside
--
Regards,
Doug Miller (alphageek at milmac dot com)
Nobody ever left footprints in the sands of time by sitting on his butt.
And who wants to leave buttprints in the sands of time?