phishing paypal?

By bd134

I'm not sure this post is off-topic, but I just received an e-mail claiming to be sent from admin@betterbidding.com, and I believe someone is phishing for my paypal account username and password.

Return-Path: <admin@betterbidding.com>
Received: from relay5.XXX.XXXX.edu (relay5.cso.XXXX.edu [XXX.174.5.138])
  by expms2.XXXXX.XXXX.edu (MOS 3.4.8-GR)
  with ESMTP id BHN70446;
  Wed, 2 Nov 2005 16:13:14 -0600 (CST)
Received: from server.betterbidding.com (server.betterbidding.com [207.142.135.54])
  by relay5.XXX.XXXX.edu (8.12.11/8.12.11) with SMTP id jA2MCwFD010219
  for <XXXXXXXX@XXXX.edu>; Wed, 2 Nov 2005 16:12:59 -0600 (CST)
Received: (qmail 23056 invoked by uid 48); 2 Nov 2005 22:10:01 -0000
Date: 2 Nov 2005 22:10:01 -0000
Message-ID: <20051102221001.23050.qmail@server.betterbidding.com>
Subject: paypal account ( From Priceline and Hotwire Forum )
X-PHP-Script: www.betterbidding.com/admin.php for 83.237.118.245
From: "Priceline and Hotwire Forum" <admin@betterbidding.com>
X-Priority: 3
X-Mailer: IBForums PHP Mailer
X-Spam-Score: 0
X-Spam-Details: rule=cautious_notspam policy=cautious score=0 mlx=0 adultscore=0 adjust=0 engine=2.5.0-05091301 definitions=3.0.0-05110204
X-Spam-OrigSender: admin@betterbidding.com

To activate your paypal account , you must enter your Email Address and Password
in the corresponding dialog box of http://bbs.xvsxp.com/account.php.

Link to comment

Got one too...

Lookups on the headers and embedded URL:

server.betterbidding.com IN A 207.142.135.54

-----------------------------------------------------------------------------------

Queried whois.opensrs.net with "xvsxp.com"...

Registrant:
dan pouliot
6 Homestead Dr.
Raymond, nh 03077
US

Domain name: XVSXP.COM

Administrative Contact:
pouliot, dan dpouliot@comcast.net
6 Homestead Dr.
Raymond, nh 03077
US
603-3371778

Technical Contact:
pouliot, dan dpouliot@comcast.net
6 Homestead Dr.
Raymond, nh 03077
US
603-3371778

Domain name: XVSXP.COM

-----------------------------------------------------------------------

Address lookup
canonical name ppp83-237-118-245.pppoe.mtu-net.ru.
aliases
addresses 83.237.118.245

Domain Whois record
Queried whois.ripn.net with "mtu-net.ru"...

% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: MTU-NET.RU
type: CORPORATE
nserver: dns0.mtu.ru.
nserver: dns1.mtu.ru.
state: REGISTERED, DELEGATED
org: MTU-INTEL JSC
phone: +7 095 7538282
fax-no: +7 095 9039129
e-mail: nic@mtu.ru
registrar: RUCENTER-REG-RIPN
created: 1998.02.25
paid-till: 2006.04.01
source: TC-RIPN

Link to comment
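The two posts above do the triage by hand: walk the Received chain back to the sending host, read the client IP out of the X-PHP-Script header that the forum's mailer added, and notice that the link in the body points at a domain (xvsxp.com) that has nothing to do with the From: address (betterbidding.com). The script below is an added example, not code from the thread or from the forum software, that automates those three checks offline. The message it parses is re-folded from the headers and body quoted in the first post (placeholder hostnames and the masked IP left as they appear there); the registered-domain helper is a deliberately crude "last two labels" rule that is fine for .com/.edu but not for two-level country TLDs, and the reverse-DNS lookup the second poster ran on the origin IP is left to a real resolver rather than done here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers and body quoted in the thread, re-folded into
# RFC 5322 form (continuation lines indented). Not a live message.
SAMPLE = """\
Return-Path: <admin@betterbidding.com>
Received: from relay5.XXX.XXXX.edu (relay5.cso.XXXX.edu [XXX.174.5.138])
    by expms2.XXXXX.XXXX.edu (MOS 3.4.8-GR)
    with ESMTP id BHN70446;
    Wed, 2 Nov 2005 16:13:14 -0600 (CST)
Received: from server.betterbidding.com (server.betterbidding.com [207.142.135.54])
    by relay5.XXX.XXXX.edu (8.12.11/8.12.11) with SMTP id jA2MCwFD010219
    for <XXXXXXXX@XXXX.edu>; Wed, 2 Nov 2005 16:12:59 -0600 (CST)
Received: (qmail 23056 invoked by uid 48); 2 Nov 2005 22:10:01 -0000
Date: 2 Nov 2005 22:10:01 -0000
Message-ID: <20051102221001.23050.qmail@server.betterbidding.com>
Subject: paypal account ( From Priceline and Hotwire Forum )
X-PHP-Script: www.betterbidding.com/admin.php for 83.237.118.245
From: "Priceline and Hotwire Forum" <admin@betterbidding.com>
X-Mailer: IBForums PHP Mailer

To activate your paypal account , you must enter your Email Address and Password
in the corresponding dialog box of http://bbs.xvsxp.com/account.php.
"""

# "from <claimed host> (<reverse dns> [<ip>])" as written by sendmail-style MTAs
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]+)?\s*\[([^\]]+)\]\)", re.I)
# "<script path> for <client ip>" as written by PHP's mail() when it is configured to
PHP_SCRIPT_RE = re.compile(r"(\S+)\s+for\s+(\d{1,3}(?:\.\d{1,3}){3})")
URL_RE = re.compile(r"https?://([^/\s]+)[^\s]*")


def received_chain(msg):
    """Oldest-first list of (claimed_host, reverse_dns, ip) for each relay hop.

    Headers are prepended as the mail travels, so the last Received: header
    is the first hop; hops without a 'from ... [ip]' clause (local qmail
    injection here) carry no IP and are skipped.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    return hops


def php_script_origin(msg):
    """(script, client_ip) from X-PHP-Script: the web client that drove the mailer script."""
    value = msg.get("X-PHP-Script")
    if not value:
        return None
    m = PHP_SCRIPT_RE.search(value)
    return (m.group(1), m.group(2)) if m else None


def registered_domain(host):
    """Crude registrable domain: last two labels (assumption; wrong for e.g. .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_mismatches(msg):
    """URLs in the body whose registered domain differs from the From: domain."""
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registered_domain(sender.split("@")[-1])
    mismatches = []
    for m in URL_RE.finditer(msg.get_payload()):
        host = m.group(1)
        if registered_domain(host) != sender_domain:
            mismatches.append((m.group(0).rstrip(".,;)"), host))
    return mismatches


def triage(raw):
    """Run all three checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    return {
        "chain": received_chain(msg),
        "origin": php_script_origin(msg),
        "mismatches": link_mismatches(msg),
        "mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    for hop in result["chain"]:
        print("hop:", hop)
    print("script/client:", result["origin"])
    print("mailer:", result["mailer"])
    for url, host in result["mismatches"]:
        print("link domain differs from sender:", url, "->", host)
```

On this sample the relay chain starts at server.betterbidding.com (207.142.135.54), the X-PHP-Script header names admin.php with client 83.237.118.245 (the address the second poster resolved to a Russian PPPoE pool), and the only link in the body lands on xvsxp.com, not betterbidding.com. That combination, legitimate relay plus a web-triggered mailer plus an off-domain link, is the pattern that says "the forum sent it, but somebody else typed it" rather than "the forum's mail server was spoofed".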

Everyone that received it should forward the email to spoof@paypal.com...

Dear TJ41,

Thank you for contacting PayPal. We appreciate you bringing this suspicious email to our attention.

Commonly referred to as phishing, these emails are sent by fraudsters in an attempt to collect sensitive personal or financial information from the recipients. PayPal takes phishing threats seriously. Our fraud prevention specialists are working 24/7 to help protect you and enable the community to stay safe.

After review, we can confirm that the email you received was not sent by PayPal. Any website which may be linked to this email is not authorized or used by PayPal.

Our fraud prevention team is working to disable any website linked to this email. In the meantime, please do not enter any information into this website. If you have already done so, you should immediately log into your PayPal account and change your password, as well as your security questions and answers. We also recommend that you contact your bank and credit card company immediately.

Link to comment

I'd really like to see the feds enact really stiff jail time and forfeiture rules for these kinds of internet schemes. Obviously, even with reasonable safeguards, they're fairly easy to pull off and hide behind the anonymity of the internet. Sentence some guys to 20 years and seize all their assets and I bet we wouldn't have this kind of garbage.

I would have thought the phishers covered their tracks better. Someone seems to have posted the phisher's domain info. Is that a real lead for a criminal investigation? And is there any law enforcement entity that would investigate?

BTW, I'm particularly pissed about this internet fraud thing because last month I "bought" a $10 DVD on ebay from a guy who turned out to be a fraudster. Had a complete on-line "store," fake "feedback," even answered an online question about shipping that I had -- the whole nine yards! Just to extort $10 bucks from a handful of people. Ridiculous -- but it tells you how careful you have to be on the web. BTW, so far ebay and paypal have been unwilling to help, because the fraud is less than $25. So you've got to be overly careful even on small online purchases.

Link to comment

I'd really like to see the feds enact really stiff jail time and forfeiture rules for these kinds of internet schemes. Obviously, even with reasonable safeguards, they're fairly easy to pull off and hide behind the anonymity of the internet. Sentence some guys to 20 years and seize all their assets and I bet we wouldn't have this kind of garbage.

They can't do much when the servers are located in Russia. (notice the .ru in one of the above posts)

Link to comment

Also received and reported. http://bbs.xvsxp.com/forums/ The site is using the same forum software as is used here.

Both of the links have been removed from the site.

"File Not Found

The requested URL was not found on this server. "

I wonder how php scripts were placed on that server, possibly from someone outside.

Remember not to instantly blame the messenger (site) which could have been hacked or trusted someone they shouldn't have. Since only the pages are down and not the site, it is safer to say it was not involved.

Link to comment