phishing paypal?

[bd134]

I'm not sure this post is off-topic, but I just receieved an e-mail claiming to be sent from [email protected], and I believe someone is phishing for my paypal account username and password.

Return-Path: <[email protected]>

Received: from relay5.XXX.XXXX.edu (relay5.cso.XXXX.edu [XXX.174.5.138])

by expms2.XXXXX.XXXX.edu (MOS 3.4.8-GR)

with ESMTP id BHN70446;

Wed, 2 Nov 2005 16:13:14 -0600 (CST)

Received: from server.betterbidding.com (server.betterbidding.com [207.142.135.54])

by relay5.XXX.XXXX.edu (8.12.11/8.12.11) with SMTP id jA2MCwFD010219

for <[email protected]>; Wed, 2 Nov 2005 16:12:59 -0600 (CST)

Received: (qmail 23056 invoked by uid 48); 2 Nov 2005 22:10:01 -0000

Date: 2 Nov 2005 22:10:01 -0000

Message-ID: <[email protected]>

Subject: paypal account ( From Priceline and Hotwire Forum )

X-PHP-Script: www.betterbidding.com/admin.php for 83.237.118.245

From: "Priceline and Hotwire Forum" <[email protected]>

X-Priority: 3

X-Mailer: IBForums PHP Mailer

X-Spam-Score: 0

X-Spam-Details: rule=cautious_notspam policy=cautious score=0 mlx=0 adultscore=0 adjust=0 engine=2.5.0-05091301 definitions=3.0.0-05110204

X-Spam-OrigSender: [email protected]

To activate your paypal account , you must enter your Email Address and Password

in the corresponding dialog box of http://bbs.xvsxp.com/account.php.

[subrosa]

I got the same email today and notified the administrator.

[N8M]

I received the same email today, and have notified Paypal.

[danuary]

Same here - looks like a bug in the site's admin script is letting someone abuse it...

[ufjoe21]

I just got it.....looks like someone is playing while thereuare is away!!!!!!!!!!!

[Otter7]

Got one too...

Lookups on the headers and imbedded URL:

server.betterbidding.com IN A 207.142.135.54

-----------------------------------------------------------------------------------

Queried whois.opensrs.net with "xvsxp.com"...

Registrant:

dan pouliot

6 Homestead Dr.

Raymond, nh 03077

US

Domain name: XVSXP.COM

Administrative Contact:

pouliot, dan [email protected]

6 Homestead Dr.

Raymond, nh 03077

US

603-3371778

Technical Contact:

pouliot, dan [email protected]

6 Homestead Dr.

Raymond, nh 03077

US

603-3371778Domain name: XVSXP.COM

-----------------------------------------------------------------------

Address lookup

canonical name ppp83-237-118-245.pppoe.mtu-net.ru.

aliases

addresses 83.237.118.245

Domain Whois record

Queried whois.ripn.net with "mtu-net.ru"...

% By submitting a query to RIPN's Whois Service

% you agree to abide by the following terms of use:

% http://www.ripn.net/about/servpol.html#3.2 (in Russian)

% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: MTU-NET.RU

type: CORPORATE

nserver: dns0.mtu.ru.

nserver: dns1.mtu.ru.

state: REGISTERED, DELEGATED

org: MTU-INTEL JSC

phone: +7 095 7538282

fax-no: +7 095 9039129

e-mail: [email protected]

registrar: RUCENTER-REG-RIPN

created: 1998.02.25

paid-till: 2006.04.01

source: TC-RIPN

[rc408]

I just got one. Thanks for the heads-up bd134.

I'm wondering what to do with the phone number that pshooper retreived? Should we mass call this guy or something? This stuff makes me want to reach out and "touch" someone. :)

[cntrfieldsmom]

Add me to the list.

[IBDP]

I received an email today from Priceline and Hotwire Forum with a link to "activate your paypal account".

http://bbs.xvsxp.com/account.php.

I have never asked for a paypal account, so wondering if this is bogus or does it actually come from Betterbidding, Thereuare?

Regards,

Donna

[loanshark]

I received the same email....and yes, I want to beat the #$%^ out of him too.

[akhon]

Same here. Very upset someone is taking advantage of such a wonderful site such as this one for a phishing scheme. The stupidest thing is you would think they should find a site that has some connection to PayPal! So mad.

I've notified thereuare as well as PayPal.

:)

[swag]

Me too.

[lindabobhat]

Looks like we all got it - I immediately deleted it.

[KatiesMom]

Got it too. :)

[MJRBIM]

...also got it - DELETED...

[forress]

I've also received this email and reported it to ebay/paypal.

[patnolan1022]

I received it also. I reported to paypal who has responded it is a scam. came to this site and I'm relieved to have it confirmed!

[rc408]

I called the phone number in the info above and got a v/m that said something about a "Business Line" and gave 8 seconds to leave a message.

[Shea77]

I got it too. Luckily most of us know this is some a-hole trying to steal from us.

Message:

To activate your paypal account , you must enter your Email Address and

Password

in the corresponding dialog box of http://bbs.xvsxp.com/account.php.

[TJ41]

Everyone that received it should forward the email to [email protected]...

Dear TJ41,

Thank you for contacting PayPal. We appreciate you bringing this

suspicious email to our attention.

Commonly referred to as phishing, these emails are sent by fraudsters in

an attempt to collect sensitive personal or financial information from

the recipients. PayPal takes phishing threats seriously. Our fraud

prevention specialists are working 24/7 to help protect you and enable

the community to stay safe.

After review, we can confirm that the email you received was not sent by

PayPal. Any website which may be linked to this email is not authorized

or used by PayPal.

Our fraud prevention team is working to disable any website linked to

this email. In the meantime, please do not enter any information into

this website. If you have already done so, you should immediately log

into your PayPal account and change your password, as well as your

security questions and answers. We also recommend that you contact your

bank and credit card company immediately.

[LoneStar]

I'd really like to see the feds enact really stiff jail time and forfeiture rules for these kinds of internet schemes. Obviously, even with reasonable safeguards, they're fairly easy to pull off and hide behind the annonymity of the internet. Sentence some guys to 20 years and seize all their assets and I bet we wouldn't have this kind of garbage.

I would have thought the phishers covered their tracks better. Someone seems to have posted the phisher's domain info. Is that a real lead for a criminal investigation? And is there any law enforcement entity that would investigate?

BTW, I'm particularly pissed about this internet fraud thing because last month I "bought" a $10 DVD on ebay from a guy who turned out to be a fraudster. Had a complete on-line "store," fake "feedback," even answered an online question about shipping that I had -- the whole nine yards! Just to extort $10 bucks from a handful of people. Ridiculous -- but it tells you how careful you have to be on the web. BTW, so far ebay and paypal have been unwilling to help, because the fraud is less than $25. So you've got to be overly careful even on small online purchases.

[thenewbie]

I'd really like to see the feds enact really stiff jail time and forfeiture rules for these kinds of internet schemes. Obviously, even with reasonable safeguards, they're fairly easy to pull off and hide behind the annonymity of the internet. Sentence some guys to 20 years and seize all their assets and I bet we wouldn't have this kind of garbage.

They can't do much when the servers are located in RUssia. (notice the .ru in one of the above posts)

[LoneStar]

But isn't there a link to some guy in New Hampshire?

[frenchmn]

Also received and reported. http://bbs.xvsxp.com/forums/ The site is using the same forum software as is used here.

Both of the links have been removed from the site.

"File Not Found

The requested URL was not found on this server. "

I wonder how php scripts were placed on that server, possibly from someone outside.

Remember not to instantly blame the messenger (site) which could have been hacked or trusted someone they shouldn't have. Since only the pages are down and not the site, it is safer to say it was not involved.

[birdgirlsherri]

I got it too. Shouldn't we be sending our complaints to Comcast, his ISP?