
fake paypal.com phishing example

2004-08-11 16:02:42
The first thing that gave this away as a phishing scam was the fact that
it's HTML (and without MIME headers).  Therefore it shows up in mutt as
literal <html> and <br> and so forth.  The second thing was the Return-Path
of "root(_at_)localhost(_dot_)localdomain".  The third was the URL containing a raw
IP address.

Note that the SPF check did nothing in this case because ".localdomain"
isn't even a valid TLD, and therefore "localhost.localdomain" can't
possibly have an SPF record published.  (Some of you would have rejected
this because of the lack of a real domain in the return path.  I don't
do that... yet.)

Someone's getting very, very clever out there.  The wording is actually
sensible, properly spelled, and grammatically correct.  (I wonder if
they just cut-and-pasted paypal's actual suspended-account wording;
I've never seen the real thing, because I've never had my paypal account
suspended....)  It's the most convincing phishing scam I've seen yet.

I just figured I'd share this so we know what we're up against.

==============================================================================
From root(_at_)localhost(_dot_)localdomain Wed Aug 11 01:38:49 2004
Return-Path: <root(_at_)localhost(_dot_)localdomain>
Delivered-To: greg(_at_)wooledge(_dot_)org
Received: (qmail 1550 invoked from network); 11 Aug 2004 05:38:49 -0000
Received: from unknown (HELO localhost.localdomain) (202.114.118.38)
  by wooledge.org with SMTP; 11 Aug 2004 05:38:49 -0000
Received-SPF: none (wooledge.org: domain at localhost.localdomain does not 
designate permitted sender hosts)
Received: (from root(_at_)localhost)
        by localhost.localdomain (8.11.6/8.11.6) id i7B0MC502541;
        Wed, 11 Aug 2004 08:22:12 +0800
Date: Wed, 11 Aug 2004 08:22:12 +0800
Message-Id: <200408110022(_dot_)i7B0MC502541(_at_)localhost(_dot_)localdomain>
To: greg(_at_)wooledge(_dot_)org
Subject: Verify PayPal Account
From: Safe Harbour<admin(_at_)paypal(_dot_)com>
Content-Type: text/html
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on pegasus.wooledge.org
X-Spam-Level: ****
X-Spam-Status: No, hits=4.5 required=5.0 tests=BAYES_44,CLICK_BELOW,
        DATE_IN_PAST_03_06,HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,
        MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,NORMAL_HTTP_TO_IP,
        THE_FOLLOWING_FORM autolearn=no version=2.63
Status: RO
Content-Length: 1063


<html>
<br>Dear customer
<br>We regret to inform you that your PayPal account will be suspended
<br>due to the violation of our site policy below:
<br>
<br>* Misrepresentation of Identity (User) - Representing yourself as
another PayPal user or registering using the identity of another.
<br>Due to the suspension of this account, please be advised you are prohibited 
from
using PayPal in any way.
<br>This includes the registering of a new account.Please note that this
suspension does not relieve you of your agreed-upon obligation to pay any
fees you may owe to PayPal. According to our site policy you will have to
confirm that you are the real owner of the PayPal account by completing
the following form or else your account will be deleted.
<br>
<br>To update your PayPal records click here:
<br><a
HREF=http://163.32.216.10/data/secure/certificates/SSL/resubmit/index.htm
target="_self">http://cgi3.paypal.com/aw-cgi/paypalISAPI.dll?SecureConfirmation&bpuser=1
</a>
<br>
<br>
<br>
<br>Thank you for using PayPal!
<br>http://www.paypal.com
<br>
</html>
==============================================================================

-- 
Greg Wooledge                  |   "Truth belongs to everybody."
greg(_at_)wooledge(_dot_)org              |    - The Red Hot Chili Peppers
http://wooledge.org/~greg/     |
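A defender-side check for the indicators described in the post (an HTML body with no MIME headers, a Return-Path in a domain that cannot carry an SPF record, an SPF result of "none", a header From that does not match the envelope sender, and a link whose visible text is a paypal.com URL while the href points at a raw IP address). This is an added example, not code from the original post and not from any SPF implementation; it uses only the Python standard library and runs over a constructed sample that reproduces the relevant headers and the anchor from the quoted message (addresses de-obfuscated). The set of non-public top-level labels, the finding names and the simplistic anchor regex are assumptions made for the example.

```python
"""Flag the phishing indicators listed in the post on a raw RFC 822 message.
Added example; not part of the original post or of any SPF tool."""
import email
import email.utils
import ipaddress
import re
from urllib.parse import urlsplit

# Top-level labels that can never publish an SPF record: "localdomain" is the
# case from the post, the others are RFC 2606/6761 reserved names (assumed list).
NON_PUBLIC_TLDS = {"localdomain", "localhost", "local", "invalid", "example", "test"}

# Constructed sample modelled on the message quoted in the post
# (headers trimmed to those the checks use, obfuscated addresses restored).
SAMPLE = """\
Return-Path: <root@localhost.localdomain>
Received: from unknown (HELO localhost.localdomain) (202.114.118.38)
  by wooledge.org with SMTP; 11 Aug 2004 05:38:49 -0000
Received-SPF: none (wooledge.org: domain at localhost.localdomain does not designate permitted sender hosts)
Subject: Verify PayPal Account
From: Safe Harbour<admin@paypal.com>
Content-Type: text/html

<html>
<br>To update your PayPal records click here:
<br><a
HREF=http://163.32.216.10/data/secure/certificates/SSL/resubmit/index.htm
target="_self">http://cgi3.paypal.com/aw-cgi/paypalISAPI.dll?SecureConfirmation&bpuser=1
</a>
<br>http://www.paypal.com
</html>
"""

# Simplistic anchor extractor: (href value, visible text). Tolerates an
# unquoted href and a tag split across lines, as in the quoted message.
ANCHOR_RE = re.compile(
    r'<a\b[^>]*?href\s*=\s*["\']?([^"\'\s>]+)[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr_header):
    """Lower-cased domain part of an address header value, or '' if none."""
    _, addr = email.utils.parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def is_ip_literal(host):
    """True when the host component is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(raw):
    """Return a list of finding strings for the raw message text."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. text/html declared, but no MIME-Version header at all.
    if msg.get_content_type() == "text/html" and msg.get("MIME-Version") is None:
        findings.append("html-body-without-mime-version")

    # 2. Envelope sender domain ends in a label that cannot hold an SPF record.
    rp_domain = domain_of(msg.get("Return-Path"))
    if rp_domain.rpartition(".")[2] in NON_PUBLIC_TLDS:
        findings.append(f"return-path-non-public-domain:{rp_domain}")

    # 3. Header From domain differs from the envelope sender domain.
    from_domain = domain_of(msg.get("From"))
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"from-return-path-mismatch:{from_domain}!={rp_domain}")

    # 4. SPF result recorded by the receiving MTA; "none" means no record found.
    spf_header = msg.get("Received-SPF", "")
    spf = spf_header.split(None, 1)[0].lower() if spf_header else ""
    if spf and spf != "pass":
        findings.append(f"spf-result:{spf}")

    # 5. Links: raw-IP targets, and visible URL text whose host differs from the href.
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        href_host = urlsplit(href).hostname or ""
        if is_ip_literal(href_host):
            findings.append(f"link-to-raw-ip:{href_host}")
        shown = text.strip()
        if shown.lower().startswith(("http://", "https://")):
            shown_host = urlsplit(shown).hostname or ""
            if shown_host and shown_host != href_host:
                findings.append(f"link-text-host-mismatch:{shown_host}->{href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

Each finding corresponds to one of the tells the post calls out, so a mail filter could score them the way the SpamAssassin tests in the quoted headers (NORMAL_HTTP_TO_IP, MIME_HTML_ONLY) already do; the Return-Path check in particular is the policy the post mentions but does not yet apply.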

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
