Paypal again

Another one as if from Paypal:
Paypal-21aug

This is the message as displayed in HTML format, which is how it is received in Outlook (or Outlook Express, as most innocent users would see it).

No name – so bogus. Look at the date: 28-Aug-2007, which is two weeks ahead. It might indeed be the date when your account will be abused IF you react to this message.

If you look at the raw data, it’s not that obvious at first glance, because the names seem to match:

Return-Path: service@paypal.com
Received: from cpe-71-65-23-167.twmi.res.rr.com (71.65.23.167)
by xxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Tue, 21 Aug 2007 18:56:32 +0100 (CET)
Received: from 208.188.111.32 by ; Tue, 21 Aug 2007 18:57:49 +0100
Message-ID: <qtprxvpwrckqwbprqtl @msn.com>
From: "PayPal" <service@paypal.com>
Reply-To: "PayPal" <service@paypal.com>
To: (me)
Subject: Restore your account access
Date: Tue, 21 Aug 2007 10:54:49 -0700
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--2194093895003147"
X-Priority: 1
X-MSMail-Priority: High

However, what about:

X-Mailer: AOL 7.0 for Windows US sub 118

That is America OnLine – an ISP – and I’m pretty sure Paypal has its own servers and won’t use a broadband or dial-in service from one of the biggest ISPs in the world.
The sender address from where I got the message is RR.COM – RoadRunner, an ISP located in the US. Not really PayPal…

Nor would Paypal use MSN for sending a message:

Message-ID: <qtprxvpwrckqwbprqtl @msn.com>
X-MSMail-Priority: High
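One way to turn these header checks into something repeatable, as an added example that is not part of the original post: the Python script below parses the headers quoted above (re-folded so the parser joins the continuation lines of the first Received header; the redacted recipient and receiving host are kept as written) and reports the same mismatches the post points out, then runs a second, constructed set of clean headers for comparison. The heuristics, the residential-hostname markers and the list of consumer mail clients are my own assumptions, not anything PayPal or any mail provider publishes.

```python
import re
from email.parser import Parser

# Headers copied from the message quoted above. The continuation lines of
# the first Received header are indented so the parser folds them; "(me)"
# and the xxxxxxxxx host are the post's own redactions.
RAW_HEADERS = """\
Return-Path: service@paypal.com
Received: from cpe-71-65-23-167.twmi.res.rr.com (71.65.23.167)
    by xxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
    Tue, 21 Aug 2007 18:56:32 +0100 (CET)
Received: from 208.188.111.32 by ; Tue, 21 Aug 2007 18:57:49 +0100
Message-ID: <qtprxvpwrckqwbprqtl @msn.com>
From: "PayPal" <service@paypal.com>
Reply-To: "PayPal" <service@paypal.com>
To: (me)
Subject: Restore your account access
Date: Tue, 21 Aug 2007 10:54:49 -0700
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--2194093895003147"
X-Priority: 1
X-MSMail-Priority: High

"""

# Constructed, clean-looking headers (example.com / 192.0.2.10 are
# documentation placeholders) to show the checks stay quiet on them.
CLEAN_HEADERS = """\
Return-Path: <notice@example.com>
Received: from mta1.example.com (192.0.2.10)
    by mail.recipient.test; Tue, 21 Aug 2007 18:56:32 +0100
Message-ID: <20070821175632.1234@mta1.example.com>
From: "Example Notices" <notice@example.com>
To: someone@recipient.test
Subject: Your monthly statement
Date: Tue, 21 Aug 2007 18:56:30 +0100
X-Mailer: Example Bulk Mailer 2.1

"""

# Substrings typical of consumer/residential reverse DNS names (assumption).
RESIDENTIAL_HINTS = ("cpe-", ".res.", "dsl", "dial", "pool", "dyn", "cable")
# Desktop mail clients a corporate notification system would not use (assumption).
CONSUMER_MAILERS = ("aol", "outlook express", "msn")


def header_domain(value: str) -> str:
    """Return the domain after the '@' in an address-like header, lower-cased."""
    m = re.search(r"@\s*([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else ""


def phishing_indicators(raw_headers: str) -> list:
    """Return a list of human-readable findings for the given raw headers."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    findings = []

    from_domain = header_domain(msg.get("From", ""))
    msgid_domain = header_domain(msg.get("Message-ID", ""))
    # A real sender's Message-ID is normally minted on its own infrastructure.
    if from_domain and msgid_domain and not msgid_domain.endswith(from_domain):
        findings.append(f"Message-ID domain {msgid_domain} != From domain {from_domain}")

    received = msg.get_all("Received") or []
    if received:
        # The first Received header is the hop that handed the mail to us.
        m = re.match(r"\s*from\s+(\S+)", received[0])
        host = m.group(1).lower() if m else ""
        if host and not host.endswith("." + from_domain):
            findings.append(f"delivering host {host} is not under {from_domain}")
        if any(h in host for h in RESIDENTIAL_HINTS):
            findings.append(f"delivering host {host} looks like a residential ISP address")
    for hop in received:
        # 'by ;' with no server name is a tell-tale of a forged Received line.
        if re.search(r"\bby\s*;", hop):
            findings.append(f"Received hop with empty 'by' clause: {' '.join(hop.split())}")

    mailer = msg.get("X-Mailer", "").lower()
    if any(c in mailer for c in CONSUMER_MAILERS):
        findings.append(f"consumer mail client in X-Mailer: {msg.get('X-Mailer')}")

    if msg.get("X-Priority", "").strip().startswith("1") or \
            "high" in msg.get("X-MSMail-Priority", "").lower():
        findings.append("message flagged urgent (X-Priority / X-MSMail-Priority)")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspect", RAW_HEADERS), ("clean", CLEAN_HEADERS)):
        print(f"== {name} ==")
        for line in phishing_indicators(raw) or ["no indicators"]:
            print(" -", line)
```

None of these checks is proof on its own (a legitimate sender can have an odd Message-ID), which is why the function returns all findings and leaves the verdict to the reader, as the post does.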

Looking into the message, the pain is in the central link:

<table width=3D"100%" cellpadding=3D"4" cellspacing=3D"0" border=3D"0" bgc=
olor=3D"#FFFECD" align=3D"center">
<tr><td class=3D"pp_sansserif" align=3D"center">
<a href=3D"http://centrala.junis.ni.ac.yu/.../.paypal/.confirm/index.htm"
title=3D"Please click here to restore your account access">
Please click here to restore your account access</a>
</td></tr></table>

And there are some links at the bottom that do not show up, because they are behind the </html> tag:

<!-- text below generated by server. PLEASE REMOVE --><!-- Counter/=
Statistics data collection code --><script
language=3D"JavaScript" src=3D"http://hostingprod.com/js_source/geov2.js">=
</script><script language=3D"javascript">geovisit
();</script><noscript><img src=3D"http://visit.webhosting.yahoo.com/visit.=
gif?us1173035983" alt=3D"setstats" border=3D"0" width=3D"1"
height=3D"1"></noscript>

and that’s something you won’t find in a real Paypal message. They have their own servers and will not host on Yahoo.
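The same kind of check on the body, as an added example rather than code from the post: it decodes the quoted-printable HTML (the two fragments quoted above, wrapped in a constructed <html>…</html> skeleton so that the counter code lands after the closing tag, as the post describes), collects every link target, compares each host with the domain the message claims to come from, and separately reports anything that appears after </html>. The claimed_domain parameter and the leading-dot path check are my additions.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Quoted-printable fragments from the message above, placed in a minimal
# constructed <html><body>...</body></html> wrapper so the tracking code
# sits after the closing tag. "=3D" is '=' and a trailing '=' is a soft break.
QP_BODY = """\
<html><body>
<table width=3D"100%" cellpadding=3D"4" cellspacing=3D"0" border=3D"0" bgc=
olor=3D"#FFFECD" align=3D"center">
<tr><td class=3D"pp_sansserif" align=3D"center">
<a href=3D"http://centrala.junis.ni.ac.yu/.../.paypal/.confirm/index.htm"
title=3D"Please click here to restore your account access">
Please click here to restore your account access</a>
</td></tr></table>
</body></html>
<!-- text below generated by server. PLEASE REMOVE --><!-- Counter/=
Statistics data collection code --><script
language=3D"JavaScript" src=3D"http://hostingprod.com/js_source/geov2.js">=
</script><script language=3D"javascript">geovisit
();</script><noscript><img src=3D"http://visit.webhosting.yahoo.com/visit.=
gif?us1173035983" alt=3D"setstats" border=3D"0" width=3D"1"
height=3D"1"></noscript>
"""


class LinkCollector(HTMLParser):
    """Collect (tag, url, visible text) for anchors and src-bearing tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.links.append((tag, a["src"], ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append(("a", self._href, text))
            self._href = None


def analyse_body(qp_body: str, claimed_domain: str) -> dict:
    """Decode a quoted-printable HTML part and report off-domain link targets."""
    html = quopri.decodestring(qp_body.encode("ascii")).decode("utf-8", "replace")
    m = re.search(r"</html\s*>", html, re.IGNORECASE)
    main, trailer = (html[:m.end()], html[m.end():]) if m else (html, "")
    findings = []
    for part_name, part in (("body", main), ("after </html>", trailer)):
        p = LinkCollector()
        p.feed(part)
        p.close()
        for tag, url, text in p.links:
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            if not host:
                continue  # relative link, nothing to compare against
            if host != claimed_domain and not host.endswith("." + claimed_domain):
                findings.append(f"{part_name}: <{tag}> points to {host} ({text or url})")
            # A path component starting with '.' is hidden from a plain listing on
            # Unix hosts; the post's /.../.paypal/.confirm is exactly that.
            if "/." in parsed.path:
                findings.append(f"{part_name}: hidden dot-directory in path {parsed.path}")
    return {"trailer_present": bool(trailer.strip()), "findings": findings}


if __name__ == "__main__":
    result = analyse_body(QP_BODY, "paypal.com")
    print("content after </html>:", result["trailer_present"])
    for line in result["findings"]:
        print(" -", line)
```

The visible anchor text is returned alongside the real host so the mismatch the post describes (a "restore your account" link leading to a university host) is shown in one line; the trailer flag catches the counter script and 1x1 image that a mail client never renders.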

I checked the node in the link: it looks like a telephone exchange:

paypal target

Hacked, most likely, given the stealth location of /.../.confirm (it’s a Unix/Linux box, and a dot as the first character hides the file or directory from a normal listing). No real wonder for a university….

I contacted the site on this.
