Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 13 January 2009

PayPal phishing scams are nothing new, but this one is rather interesting as it uses 3 different hosts for a single phish. One hosts the e-mail; the second is loaded both via an iFrame AND via the LINK tag normally used for the shortcut icon:

<link rel="Shortcut icon" href="http://0xa668e24b/~hkoh/" />

0xa668e24b is a hex-encoded IP and decodes to, which resolves to. When you click the link in the e-mail, it redirects to;
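As an added example (my own code, not the author's), the following Python script pulls every href/src/action out of an HTML body like the one above and normalizes any numeric host, including the hex form used in this LINK tag, to plain dotted-quad form so it can be checked against a blocklist such as hpHosts or MDL. The HTML fragment is constructed for illustration, not taken from the real e-mail.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample modelled on the phish above (not the real e-mail body):
# the favicon LINK and a hidden IFRAME both point at a hex-encoded host.
SAMPLE_HTML = """
<link rel="Shortcut icon" href="http://0xa668e24b/~hkoh/" />
<iframe src="http://0xa668e24b/~hkoh/" width="0" height="0"></iframe>
<a href="https://www.paypal.com/">PayPal</a>
"""

def _component(s):
    """One dotted part: hex (0x..), octal (leading 0) or decimal."""
    return int(s[2:], 16) if s[:2] == "0x" else int(s, 8 if len(s) > 1 and s[0] == "0" else 10)

def normalize_host(host):
    """Dotted-quad for a numeric IPv4 host in any inet_aton spelling, else None:
    a bare dword (hex/octal/decimal) or 2-4 mixed-radix parts, last part filling the rest."""
    h = host.strip().lower()
    if not re.fullmatch(r"(0x[0-9a-f]+|[0-9]+)(\.(0x[0-9a-f]+|[0-9]+)){0,3}", h):
        return None
    try:
        vals = [_component(p) for p in h.split(".")]
    except ValueError:          # e.g. "09" is not valid octal
        return None
    width = 5 - len(vals)       # bytes covered by the last component
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 256 ** width:
        return None
    packed = bytes(vals[:-1]) + vals[-1].to_bytes(width, "big")
    return ".".join(str(b) for b in packed)

class RefCollector(HTMLParser):
    """Collect (tag, url) for every href/src/action attribute, LINK tags included."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        self.refs += [(tag, v) for k, v in attrs if k in ("href", "src", "action") and v]

def find_numeric_hosts(html):
    """Return [(tag, url, dotted_quad)] for every reference whose host is an IP literal."""
    p = RefCollector()
    p.feed(html)
    hits = []
    for tag, url in p.refs:
        ip = normalize_host(urlsplit(url).hostname or "")
        if ip:                  # numeric host behind a favicon or iframe is a phishing tell
            hits.append((tag, url, ip))
    return hits
```

Plain dotted-quad hosts are reported too, since a raw IP behind a favicon or iframe is itself worth flagging.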

Finally, it uses a Form Mail script at ( - to send the victim's details to the phisher (in this case;

So what of the e-mail itself? Well, since I don't use HTML e-mail (and neither should you!), I can only show it in plain-text form. The following is an export of the entire e-mail, including headers.

Exported by: Outlook Export v0.1.3

From: PayPal [ - Invalid IP was passed to me ]
Date: 13/01/2009 18:10:43
Subject: New email address added to your PayPal account

IP: [ ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

IP: [ ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: true

Text Version
You have added as a new email address for your PayPal account.

If you did not authorize this change or if you need assistance with your account, please contact PayPal customer service at: <>

Thank you for using PayPal!
The PayPal Team


Delivered-To: hphosts@[REMOVED]
X-FDA: 61796512134
X-Panda: scanned!
X-SpamScore: 5
X-Spam-Summary: 80,6,0,4778cd017079e040,ad69e733ebae8d26,,,RULES_HIT:
,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:,MSBL:none,DNSBL:none
Received: from ( [])
by (Postfix) with ESMTP
for <hphosts@[REMOVED]>; Tue, 13 Jan 2009 18:10:46 +0000 (UTC)
Received: (qmail 19954 invoked from network); 13 Jan 2009 19:18:59 +0100
Received: from unknown (HELO User) (
by with SMTP; 13 Jan 2009 19:18:59 +0100
From: "PayPal"<>
Subject: New email address added to your PayPal account
Date: Wed, 14 Jan 2009 03:10:43 +0900
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

The site hosting the Form Mail script is a legitimate website. The only thing they're guilty of here is being silly enough not to lock down their form mail scripts to prevent third-party use. The owner information for the other two hosts involved is as follows.

WhoIs Information:

registrant's handle: ont_o85624 (INDIVIDUAL)
nameservers: [] []
created: 2004.03.22 08:33:47
last modified: 2008.12.14 20:43:45

option created 2008.02.01 00:03:06

company: Lukasz Przekop
street: Solidarnosci 60/4
city: 00-240 Warszawa
location: PL
handle: ont_t85614
last modified: 2008.03.12

ul. G. Zapolskiej 44
30 - 126 Krakow
+48. 12 2600200

Domain Name :
Registrant : Hanyang University
Registrant Address : 17, haengdang-dong, Songdong-gu, Seoul, Korea Hanyang University, Haengdang-dong, Seongdong-gu Seoul, KR
Registrant Zip Code : 133070
Administrative Contact(AC): JeKwang Mun
AC E-Mail :
AC Phone Number : 02-2220-1427
Registered Date : 1994. 03. 07.
Last updated Date : 2008. 12. 04.
Expiration Date : 2009. 05. 01.
Publishes : Y
Authorized Agency : Inames Co., Ltd.(

Primary Name Server
Host Name :
IP Address :

Secondary Name Server
Host Name :
IP Address :
Host Name :
Host Name :

As always, don't blindly click on links in e-mails. The only reason these phishing scams are successful is because people don't actually look at where the link is going to take them, nor do they look at the URL in the address bar! You need to start taking notice and actually type the website's address into the browser's address bar (irrespective of where the link is going to take you, or claims it is going to take you).
