Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 24 September 2008

Your Pay Pal Account May Be Compromised

I'm used to getting PayPal phishing scams; that's certainly nothing new. However, I've not had one of these in a while: a PayPal infection scam. Unlike your run-of-the-mill phish, this doesn't include any links to third-party servers (other than PayPal themselves), but instead includes an attachment (you know what's coming).

The e-mail itself is pretty straightforward, simply stating:

Dear member,
As part of our security measures, we regularly screen activity in the PayPal system.

We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.

Case ID Number: PP-854-512-134

Thank you for your patience as we work together to protect your account.

PayPal Account Review Department
PayPal Email ID PP2310


The attachment is a 324K zip with the name account-1407A4-report.zip (MD5: 713885a1432fc4a822f9473828045952). I've no doubt that the alphanumeric part will be randomized; they usually are. Avira flagged this one as TR/Crypt.XDR.Gen, and running it through VT showed pretty bad results:

http://www.virustotal.com/analisis/a339e57900d936a58d8fa970d7de6977

... a measly 19/32 have detections for it.

Exported by: Outlook Export v0.1.2


From: security@paypal(dot)com
E-mail: security@paypal(dot)com [ 66.211.168.193 - node-66-211-168-193.networks.paypal(dot)com ]
Date: 24/09/2008 14:23:39
Subject: Your Pay Pal Account May Be Compromised
**************************************************************************
Links
**************************************************************************

Link: https://www.paypal(dot)com/us
Domain: www.paypal(dot)com
IP: 66.211.168.193 [ node-66-211-168-193.networks.paypal(dot)com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: hxxp://images.paypal(dot)com/en_US/i/scr/pixel.gif
Domain: images.paypal(dot)com
IP: 66.211.168.128 [ images.paypal(dot)com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
PayPal <https://www.paypal(dot)com/us>
src=http://images.paypal(dot)com/en_US/i/scr/pixel.gif
src=http://images.paypal(dot)com/en_US/i/scr/pixel.gif
Dear member,
As part of our security measures, we regularly screen activity in the PayPal system.

We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.

Case ID Number: PP-854-512-134






Thank you for your patience as we work together to protect your account.

PayPal Account Review Department
PayPal Email ID PP2310


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>PayPal <<A HREF="https://www.paypal(dot)com/us">https://www.paypal(dot)com/us</A>>     <BR>
src=<A HREF="http://images.paypal(dot)com/en_US/i/scr/pixel.gif">http://images.paypal(dot)com/en_US/i/scr/pixel.gif</A>     <BR>
src=<A HREF="http://images.paypal(dot)com/en_US/i/scr/pixel.gif">http://images.paypal(dot)com/en_US/i/scr/pixel.gif</A>     <BR>
Dear member,   <BR>
As part of our security measures, we regularly screen activity in the PayPal system.<BR>
<BR>
We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.<BR>
<BR>
Case ID Number: PP-854-512-134<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
Thank you for your patience as we work together to protect your account.<BR>
<BR>
PayPal Account Review Department       <BR>
PayPal Email ID PP2310 <BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <security@paypal(dot)com>
Delivered-To: services@[ITM]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-72.livemail.co.uk (Postfix) with SMTP id 4BB7166E6C5
for <services@[ITM]>; Wed, 24 Sep 2008 14:19:06 +0100 (BST)
Received: from paypal(dot)com (rrcs-24-123-221-42.central.biz.rr.com [24.123.221.42])
by smtp-in-72.livemail.co.uk (Postfix) with ESMTP id C661766E71A
for <hphosts@[ITM]>; Wed, 24 Sep 2008 14:18:49 +0100 (BST)
From: security@paypal(dot)com
To: hphosts@[ITM]
Subject: Your Pay Pal Account May Be Compromised
Date: Wed, 24 Sep 2008 09:23:39 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0011_AA8C3ED1.95BE0846"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20080924131849.C661766E71A@smtp-in-72.livemail.co.uk>
X-Original-To: hphosts@[ITM]
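Everything the export tool could score above resolves to genuine PayPal infrastructure (the From address, the https://www.paypal(dot)com/us link, the tracking pixel), which is why hpHosts, MDL and PhishTank all come back clean; the tells are in the attachment and in the headers. The bottom Received line shows the message entering smtp-in-72.livemail.co.uk from a Road Runner business cable host, rrcs-24-123-221-42.central.biz.rr.com [24.123.221.42], that announced itself as paypal.com. The Date header (09:23:39 -0400, i.e. 13:23:39 UTC) is almost five minutes later than the time the receiving MTA stamped on that hop (14:18:49 +0100, i.e. 13:18:49 UTC). And the Message-Id carries the receiving server's own name and its queue ID C661766E71A in the form Postfix uses when it adds a missing Message-Id, so the sender supplied none. The script below is an added example, not hpHosts' code and not part of Outlook Export: it rebuilds the message from the headers printed above (defanging removed, the redacted recipient domain replaced with the placeholder recipient.example, and a small stand-in zip containing a made-up report.exe in place of the real account-1407A4-report.zip, so its MD5 will not match the one quoted), then runs those header checks plus the attachment checks the post suggests: the account-XXXXXX-report.zip naming pattern with a randomized middle token, a lookup against the MD5 from the post, and a look at the archive's file list without extracting anything. The registered-domain comparison is a crude last-two-labels cut; a public suffix list is the right tool in production.

```python
"""Triage of the PayPal "account report" lure: who really sent it, and what is attached.

Added example for this post, not hpHosts' code and not part of Outlook Export.
"""
import email
import email.policy
import email.utils
import hashlib
import io
import ipaddress
import re
import zipfile
from email.message import EmailMessage

KNOWN_BAD_MD5 = {"713885a1432fc4a822f9473828045952"}   # hash quoted in the post
LURE_NAME = re.compile(r"^account-[0-9A-Za-z]{6}-report\.zip$", re.I)  # randomized middle token
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)", re.I)


def build_sample() -> bytes:
    """Constructed message: headers copied from the post, stand-in attachment."""
    msg = EmailMessage()
    msg["Return-Path"] = "<security@paypal.com>"
    msg["Received"] = ("from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain "
                       "[127.0.0.1]) by smtp-in-72.livemail.co.uk (Postfix) with SMTP id 4BB7166E6C5 "
                       "for <services@recipient.example>; Wed, 24 Sep 2008 14:19:06 +0100 (BST)")
    msg["Received"] = ("from paypal.com (rrcs-24-123-221-42.central.biz.rr.com [24.123.221.42]) "
                       "by smtp-in-72.livemail.co.uk (Postfix) with ESMTP id C661766E71A "
                       "for <hphosts@recipient.example>; Wed, 24 Sep 2008 14:18:49 +0100 (BST)")
    msg["From"] = "security@paypal.com"
    msg["To"] = "hphosts@recipient.example"   # placeholder for the redacted [ITM] domain
    msg["Subject"] = "Your Pay Pal Account May Be Compromised"
    msg["Date"] = "Wed, 24 Sep 2008 09:23:39 -0400"
    msg["Message-Id"] = "<20080924131849.C661766E71A@smtp-in-72.livemail.co.uk>"
    msg.set_content("Dear member, please review the report that we have attached to this email.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:           # stand-in: the real zip's contents are not known here
        zf.writestr("report.exe", b"MZ not the real payload")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="account-1407A4-report.zip")
    return msg.as_bytes()


def registered_domain(host: str) -> str:
    """Crude last-two-label cut (assumption); use a public suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def external_origin(msg):
    """Earliest Received hop from a non-local address, parsed into its parts."""
    for value in reversed(msg.get_all("Received", [])):   # bottom header = first hop
        raw = str(value)
        m = RECEIVED_FROM.search(raw)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if ip.is_loopback or ip.is_private:
            continue
        stamp = raw.rsplit(";", 1)[-1].strip()
        by = re.search(r"\bby\s+(\S+)", raw)
        qid = re.search(r"\bid\s+([0-9A-Za-z]+)", raw)
        return {"helo": m.group("helo"), "rdns": m.group("rdns") or "", "ip": str(ip),
                "by": by.group(1) if by else "", "queue_id": qid.group(1) if qid else "",
                "received_at": email.utils.parsedate_to_datetime(stamp)}
    return None


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    origin = external_origin(msg)
    if origin:
        from_domain = msg["From"].addresses[0].domain.lower()
        if registered_domain(origin["helo"]) != registered_domain(origin["rdns"]):
            findings.append(f"HELO {origin['helo']} does not match rDNS {origin['rdns']} [{origin['ip']}]")
        if registered_domain(from_domain) != registered_domain(origin["rdns"]):
            findings.append(f"From domain {from_domain} but message entered from {origin['rdns']}")
        skew = (msg["Date"].datetime - origin["received_at"]).total_seconds()
        if abs(skew) > 120:   # tolerance for ordinary clock drift is an assumption
            findings.append(f"Date header is {skew:+.0f}s relative to first external hop")
        local, _, mid_domain = str(msg["Message-Id"]).strip("<> ").rpartition("@")
        if mid_domain.lower() == origin["by"].lower() and origin["queue_id"] in local:
            findings.append(f"Message-Id minted by receiving MTA {origin['by']} (queue id {origin['queue_id']})")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        digest = hashlib.md5(data).hexdigest()
        if LURE_NAME.match(name):
            findings.append(f"{name} matches the account-XXXXXX-report.zip lure pattern")
        if digest in KNOWN_BAD_MD5:
            findings.append(f"{name} MD5 {digest} is known bad")
        if zipfile.is_zipfile(io.BytesIO(data)):     # list names only; never extract
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                exes = [n for n in zf.namelist() if n.lower().endswith((".exe", ".scr", ".pif", ".com"))]
            if exes:
                findings.append(f"{name} contains executables: {', '.join(exes)}")
    return {"origin": origin, "findings": findings}


if __name__ == "__main__":
    for line in triage(build_sample())["findings"]:
        print("-", line)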
