Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 13 January 2009

secure.paypal-cgi-bin-us.xn.pl > 166.104.226.75 (infosec.hanyang.ac.kr) > abiedanter.co.uk

PayPal phishing scams are nothing new, but this one is rather interesting as it uses 3 different hosts for a single phish: one for the e-mail, a second loaded both via an iFrame AND via the LINK tag normally used for the shortcut icon;

<link rel="Shortcut icon" href="http://0xa668e24b/~hkoh/secure.paypal.com/webscr.htm?/favicon.ico" />




0xa668e24b is a hex-encoded IP and decodes to 166.104.226.75, which resolves to infosec.hanyang.ac.kr. When you click the link in the e-mail, it redirects to;



Finally it uses a Form Mail script at abiedanter.co.uk (195.171.90.14 - orion.wyehosts.net) to send the victim's details to the phisher (in this case spmdnss@gmail.com);
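The hex-encoded favicon host and the link text that shows paypal.com while pointing elsewhere are both things a mail filter or analyst can check mechanically. The following Python is an added example, not code from the original post: it decodes the numeric host forms browsers accept (hex, decimal dword, octal, mixed dotted) and flags anchors whose visible text names a different host than the real href. The HTML snippet inside it is constructed from the two tags quoted in the post.

```python
import re
from urllib.parse import urlsplit
# One dotted part of a numeric host: hex (0x..), octal (leading 0) or decimal.
NUM_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

def _part_value(p):
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)

def decode_numeric_host(host):
    """Dotted quad for the numeric hosts browsers accept (0xa668e24b, 2791891531,
    0246.0150.0342.0113, 166.104.57931); None when the host is an ordinary name."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4 or not all(NUM_PART.fullmatch(p) for p in parts):
        return None
    nums = [_part_value(p) for p in parts]
    last = nums.pop()  # the last part may carry all the remaining bytes
    if any(n > 255 for n in nums) or last >= 256 ** (4 - len(nums)):
        return None
    value = 0
    for n in nums:
        value = (value << 8) | n
    value = (value << (8 * (4 - len(nums)))) | last
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def audit_link(href, shown=None):
    """Reasons to flag a link: obfuscated numeric host, or visible text naming another host."""
    reasons = []
    real = urlsplit(href).hostname or ""
    decoded = decode_numeric_host(real)
    if decoded:
        reasons.append(f"numeric host {real} is {decoded}")
    if shown and "://" in shown:
        shown_host = urlsplit(shown).hostname or ""
        if shown_host != real:
            reasons.append(f"text shows {shown_host} but href goes to {real}")
    return reasons

# Constructed sample carrying the two tags quoted in the post.
SAMPLE_HTML = """
<link rel="Shortcut icon" href="http://0xa668e24b/~hkoh/secure.paypal.com/webscr.htm?/favicon.ico" />
<a href="http://secure.paypal-cgi-bin-us.xn.pl/?wf/f=ap_email">https://www.paypal.com/us/wf/f=ap_email</a>
"""
def audit_html(html):
    # Map every href (link tags and anchors) to its list of flags.
    findings = {}
    for href in re.findall(r'<link\b[^>]*\bhref="([^"]+)"', html):
        findings[href] = audit_link(href)
    for href, text in re.findall(r'<a\b[^>]*\bhref="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        findings[href] = audit_link(href, text.strip())
    return findings
```

Running `audit_html(SAMPLE_HTML)` reports the favicon host as 166.104.226.75 and the anchor as showing www.paypal.com while going to secure.paypal-cgi-bin-us.xn.pl.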



So what of the e-mail itself? Well, since I don't use HTML e-mail (and neither should you!), I can only show it in plain-text form. The following is an export of the entire e-mail, including headers.

Exported by: Outlook Export v0.1.3

From: PayPal
E-mail:service@paypal.inc.com [ - Invalid IP was passed to me ]
Date: 13/01/2009 18:10:43
Subject: New email address added to your PayPal account
**************************************************************************
Links
**************************************************************************

Link: https://www.paypal.com/us/wf/f=ap_email
Domain: www.paypal.com
IP: 64.4.241.33 [ www.paypal.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://secure.paypal-cgi-bin-us.xn.pl/?wf/f=ap_email
Domain: secure.paypal-cgi-bin-us.xn.pl
IP: 87.98.236.114 [ granat.cal.pl ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: true

**************************************************************************
Text Version
**************************************************************************
You have added jamessoul899@yahoo.com as a new email address for your PayPal account.

If you did not authorize this change or if you need assistance with your account, please contact PayPal customer service at:

https://www.paypal.com/us/wf/f=ap_email <http://secure.paypal-cgi-bin-us.xn.pl/?wf/f=ap_email>

Thank you for using PayPal!
The PayPal Team

-----------------------------

**************************************************************************
Headers
**************************************************************************
Return-Path: service@paypal.inc.com
Delivered-To: hphosts@[REMOVED]
X-FDA: 61796512134
X-Panda: scanned!
X-SpamScore: 5
X-Spam-Summary: 80,6,0,4778cd017079e040,ad69e733ebae8d26,service@paypal.inc.com,customer@paypal.com,RULES_HIT:
69:375:379:539:540:541:542:543:567:800:967:973:980:983:988:989:1026:1155:1208:1224:12
54:1260:1311:1313:1314:1431:1437:1515:1516:1517:1534:1541:1561:1587:1590:1593:1594:16
31:1653:1699:1711:1714:1730:1747:1766:1792:2073:2076:2194:2198:2199:2200:2393:2525:25
60:2564:2610:2682:2685:2857:2859:2890:2900:2910:2933:2937:2939:2942:2945:2947:2951:29
54:3022:3043:3137:3139:3155:3280:3865:3869:3873:3876:3877:3934:3936:3938:3941:3944:39
47:3950:3953:3956:3959:4042:4321:5007:6114:6261:7679:8501:8568:8957:9025:9040:9388,0
,RBL:62.140.23.58-lbl7.mailshell.net-127.0.0.100,CacheIP:none,Bayesian:0.5,0.5,0.5
,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:,MSBL:none,DNSBL:none
Received: from s558.evanzo-server.de (s558.evanzo-server.de [62.140.23.58])
by imf04.hostedemail.com (Postfix) with ESMTP
for <hphosts@[REMOVED]>; Tue, 13 Jan 2009 18:10:46 +0000 (UTC)
Received: (qmail 19954 invoked from network); 13 Jan 2009 19:18:59 +0100
Received: from unknown (HELO User) (218.154.52.101)
by s558.evanzo-server.de with SMTP; 13 Jan 2009 19:18:59 +0100
From: "PayPal"<service@paypal.inc.com>
To: customer@paypal.com
Subject: New email address added to your PayPal account
Date: Wed, 14 Jan 2009 03:10:43 +0900
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000


abiedanter.co.uk is a legit website. The only thing they're guilty of here is being silly enough not to lock down their form mail scripts to prevent third-party use. The owner information for the other two domains involved is;

WhoIs Information:

DOMAIN: xn.pl
registrant's handle: ont_o85624 (INDIVIDUAL)
nameservers: ns2.cal.pl. [87.98.162.72]
ns1.cal.pl. [87.98.237.11]
created: 2004.03.22 08:33:47
last modified: 2008.12.14 20:43:45

option created 2008.02.01 00:03:06

TECHNICAL CONTACT:
company: Lukasz Przekop
street: Solidarnosci 60/4
city: 00-240 Warszawa
location: PL
handle: ont_t85614
last modified: 2008.03.12

REGISTRAR: Grupa Onet.pl SA
ul. G. Zapolskiej 44
30 - 126 Krakow
Polska/Poland
+48. 12 2600200
bok@onet.pl


Domain Name : hanyang.ac.kr
Registrant : Hanyang University
Registrant Address : 17, haengdang-dong, Songdong-gu, Seoul, Korea Hanyang University, Haengdang-dong, Seongdong-gu Seoul, KR
Registrant Zip Code : 133070
Administrative Contact(AC): JeKwang Mun
AC E-Mail : moonriver@hanyang.ac.kr
AC Phone Number : 02-2220-1427
Registered Date : 1994. 03. 07.
Last updated Date : 2008. 12. 04.
Expiration Date : 2009. 05. 01.
Publishes : Y
Authorized Agency : Inames Co., Ltd.(http://www.inames.co.kr)

Primary Name Server
Host Name : hynetm.hanyang.ac.kr
IP Address : 166.104.27.6

Secondary Name Server
Host Name : ansan-d.hanyang.ac.kr
IP Address : 166.104.239.11
Host Name : kns.kornet.net
Host Name : ns.lgdacom.net


As always, don't blindly click on links in e-mails. The only reason these phishing scams are successful is because people don't actually look at where the link is going to take them, nor do they look at the URL in the address bar! You need to start taking notice and actually type the website's address into the browser's address bar (irrespective of where the link is going to take you, or claims it is going to take you).
