Phishing using Paypal

Sometimes you see interesting attempts.

paypal phishing attempt

The header looks like this:

Return-Path: service@paypal.com
Received: from XXXXXXXXXX.GROOTERSNET.NL (192.168.0.2)
by xxxxxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 29 Oct 2007 10:14:17 +0100 (CET)
Received: from www.outsidepride.com ([69.20.59.177] EXTERNAL) (EHLO
www.outsidepride.com) by xxxxxxxxxx.GROOTERSNET.NL ([192.168.0.200])
(PreciseMail V3.0); Sun, 28 Oct 2007 21:34:22 +0100
Received: from User ([89.137.232.120]) (authenticated bits=0) by
www.outsidepride.com (8.12.11.20060308/8.12.11) with ESMTP id l9SKWQo4011442;
Sun, 28 Oct 2007 16:32:27 -0400
Message-Id: <200710282032.l9SKWQo4011442@www.outsidepride.com>
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
Date: Sun, 28 Oct 2007 22:32:56 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by www.outsidepride.com id
l9SKWQo4011442

Blocked by the anti-spam frontend, for the following reasons:

X-PMAS-External: www.outsidepride.com [69.20.59.177] (EHLO
www.outsidepride.com)
X-PMAS-Software: PreciseMail V3.0 [071027] (diana.GROOTERSNET.NL)
X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
X-PMAS-REPUTATION_URI_NONSPAM: URI reputation check (0.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
X-PMAS-URI-NORMAL_FTP_TO_IP: Uses a dotted-decimal IP address in URL (1.000)
X-PMAS-BDY-IMAGE_LINK: Image that links to web site (3.000)
X-PMAS-BDY-INCREASE_YOUR_SOMETHING: Message has phrase "Increase your..."
(3.000)
X-PMAS-BDY-FOR_MORE_INFO2: Includes "for more information" (1.500)
X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format
(5.000)
X-PMAS-META-1PIXEL_IMG: Message includes 1x1 img link (20.000)
X-PMAS-META-PHISHING_02: Message appears to be a phishing scam (10.000)
X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
X-PMAS-META-DEAR_SOMETHING: Contains generic 'Dear (something)' (1.596)
X-PMAS-META-STOP_RECEIVING: Specific spam text "to stop receiving" (5.000)
X-PMAS-Final-Score: 78.732
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes

Apart from the fact that the sender server is not within the Paypal domain 🙂

The interesting part is on the inside.
Most often, links refer to some site using the http protocol (never https, of course), but this one is different – twice using FTP to get your data:

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>

The addresses mentioned are Romanian, at least two of them.

  • 192.102.104.2 is indeed owned by onix.ro – it is possible that it's a source of abuse: an internet cafe, probably
  • 217.156.19.129 is owned by vl.ro – named analog Digital Systems Inc. RDS – Radio Data Systems? That makes sense. But abuse like this, I doubt it!
  • 62.177.188.59 is owned by bbeyond – a Dutch network operator without a Romanian domain: bbeyond.ro does not exist.
  • The address mentioned in the links refers to a network operator in Canada, and there is an abuse address in their Whois data. So I’ll forward the message to them.
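The signals the anti-spam frontend scored above (the malformed From: header, HTML-only mail claiming to come from Outlook Express, a sender domain that never appears in the relay path, and links that use ftp:// with embedded credentials and a bare IP address) can be checked by hand with a few lines of code. The following is an added example written for this page; it is not PreciseMail's rule set and not code from the blog. It parses the quoted headers with Python's standard-library email parser, walks the Received: chain down to the originating IP, and reports each finding with an illustrative weight. The rule names and weights are assumptions, loosely modelled on the X-PMAS scores quoted above; the sample headers and HTML are the ones from the post, with continuation lines re-indented so the parser folds them.

```python
"""Header and link triage for a suspected phishing message.

Added example for this page: not PreciseMail and not the blog's own code.
The sample headers and HTML are copied from the message quoted in the post
(continuation lines re-indented so the parser folds them); the rule names
and weights below are made up for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

SAMPLE_HEADERS = """\
Return-Path: service@paypal.com
Received: from XXXXXXXXXX.GROOTERSNET.NL (192.168.0.2)
 by xxxxxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
 Mon, 29 Oct 2007 10:14:17 +0100 (CET)
Received: from www.outsidepride.com ([69.20.59.177] EXTERNAL) (EHLO
 www.outsidepride.com) by xxxxxxxxxx.GROOTERSNET.NL ([192.168.0.200])
 (PreciseMail V3.0); Sun, 28 Oct 2007 21:34:22 +0100
Received: from User ([89.137.232.120]) (authenticated bits=0) by
 www.outsidepride.com (8.12.11.20060308/8.12.11) with ESMTP id l9SKWQo4011442;
 Sun, 28 Oct 2007 16:32:27 -0400
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

"""

# The two anchors quoted in the post.
SAMPLE_BODY = """\
<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>
<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>
"""

# Illustrative weights (assumed here), loosely modelled on the X-PMAS scores in the post.
WEIGHTS = {
    "NO_SPACE_FROM": 5.0,            # "Name"<addr> with no space before '<'
    "CTYPE_JUST_HTML": 1.5,          # HTML body with no text/plain alternative
    "FORGED_OUTLOOK_HTML": 1.1,      # Outlook Express does not send HTML-only mail
    "FROM_DOMAIN_NOT_IN_PATH": 4.0,  # no relay in the Received chain is in the From domain
    "URI_FTP_SCHEME": 3.0,           # link uses ftp:// instead of http(s)
    "URI_EMBEDDED_CREDS": 5.0,       # user:password@ embedded in the URL
    "URI_DOTTED_IP": 1.0,            # host is a bare IP address, not a name
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <host> (<ip>)" or "from <host> ([<ip>] ...)" as written by the MTAs above
HOP_RE = re.compile(r"from\s+(\S+)\s+\(+\[?(" + IPV4 + ")")


def received_hops(msg):
    """Return (host, ip) for every Received: header, nearest MTA first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def check_headers(msg):
    """Header-level findings as (rule, detail) tuples."""
    findings = []
    raw_from = msg.get("From", "")
    _, addr = parseaddr(raw_from)
    if '"<' in raw_from:
        findings.append(("NO_SPACE_FROM", raw_from))
    if not msg.is_multipart() and msg.get_content_type() == "text/html":
        findings.append(("CTYPE_JUST_HTML", msg.get_content_type()))
        if "Outlook Express" in msg.get("X-Mailer", ""):
            findings.append(("FORGED_OUTLOOK_HTML", msg["X-Mailer"]))
    # Does any relay in the path belong to the domain the From: address claims?
    claimed = addr.rsplit("@", 1)[-1].lower()
    hosts = [host.lower() for host, _ in received_hops(msg)]
    if claimed and not any(h == claimed or h.endswith("." + claimed) for h in hosts):
        findings.append(("FROM_DOMAIN_NOT_IN_PATH", claimed))
    return findings


def check_links(html):
    """Link-level findings; each distinct URL is scored once."""
    findings = []
    for url in sorted(set(re.findall(r'href="([^"]+)"', html))):
        u = urlsplit(url)
        if u.scheme == "ftp":
            findings.append(("URI_FTP_SCHEME", url))
        if u.username is not None:
            findings.append(("URI_EMBEDDED_CREDS", url))
        if re.fullmatch(IPV4, u.hostname or ""):
            findings.append(("URI_DOTTED_IP", url))
    return findings


def triage(raw_headers, body_html):
    """Parse the message, collect findings and sum their weights."""
    msg = message_from_string(raw_headers)
    hops = received_hops(msg)
    findings = check_headers(msg) + check_links(body_html)
    score = round(sum(WEIGHTS[rule] for rule, _ in findings), 3)
    return {
        "originating_ip": hops[-1][1] if hops else None,  # deepest Received: = submitter
        "hops": hops,
        "findings": findings,
        "score": score,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HEADERS, SAMPLE_BODY)
    print("originating IP:", result["originating_ip"])
    for rule, detail in result["findings"]:
        print(f"{rule:<24} {WEIGHTS[rule]:>5.3f}  {detail}")
    print("score:", result["score"])
```

On the quoted message this walks the chain to 89.137.232.120 (the "User" hop that authenticated to www.outsidepride.com) and fires all seven rules; a link to a plain https hostname fires none. The Received: chain is only trustworthy from your own MTA inward, which is why the example takes the originating IP from the deepest hop rather than from anything the sender wrote.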

    26-Oct-2007

    New installs
    Some time tonight to prepare some software updates (got the patches off the HP OpenVMS site and stored them on Diana) and to install some new stuff. Availability Manager, to start with. The 2.4 version doesn’t work on 8.3, apparently, so I got the 2.6 version and installed it – and have it running now.
    Updated SWB (Mozilla) to 17.13, and tried to install the X11vnc server and VNC, but both fail. The first because there is no [.VNS]TEST.*;* file, the second (to be built first, I guess) because some include file is missing.

    It was too late to handle this.

    This weekend, I plan to install the patches so the system may be down for some time tomorrow night.
    Math
    I’ve got to do some math on the system parameters, to enhance system performance. In other words: tune the box. I’ll do that some time, now it runs relatively well. It could be better. Well, let’s gather some data. T4 runs all the time, I should be able to get out some results! Perhaps TDC? I’ll look into that as well.

    WordPress isn’t one of the updates, I still have to test 2.3, and 2.3-1 is due to come out soon.

    20-Oct-2007

    Power down a while
    I had to do some work on the power grid in the house, so all systems have been down for about 90 minutes. I could have restarted Diana somewhat quicker but cleaning up a bit was thought to be more important.
    Diana has been shut off actually – completely – before I removed power, and when power came up and the switch was thrown – nothing happened. That is: Diana did some work, poked the keyboard twice, and suddenly seemed to stop. No real beeps. I restarted the HSZ50, I didn’t shut down the controller when powering down the grid, perhaps that might have caused some trouble. After I restarted it, Diana did start.
    No problems like the previous restart, though there is an attempt – again – to start the WEBES stuff. Well, it has all been removed – but the script runs in VERIFY mode. I couldn’t find yet where this script is launched. It might be a script mentioned in the startup-database. Indeed it is:

    SYSMAN> startup show file
    %SYSMAN-I-COMFIL, contents of component database on node DIANA
    Phase Mode File
    ------------ ------ ---------------------------------
    LPMAIN DIRECT WCCPROXY$STARTUP.COM
    LPMAIN DIRECT DESTA$STARTUP.COM
    LPMAIN DIRECT CCAT$STARTUP.COM

    These files need to be removed (de-installing the product didn’t work, since a procedure is simply missing….):

    SYSMAN> startup remove file WCCPROXY$STARTUP.COM
    SYSMAN> startup remove file DESTA$STARTUP.COM
    SYSMAN> startup remove file CCAT$STARTUP.COM
    SYSMAN> startup show file
    %SYSMAN-I-NODERR, error returned from node DIANA
    -STARTUP-E-COMFILEMTY, STARTUP component file is empty.

    Hope that did it 🙂

    Hyperpsi – the web-based program I use to have a look on yesterday’s performance – hadn’t run since last boot, because one logical wasn’t setup properly, but this time, it’s all smoothly started. I miss the data between 17-Oct-2007 21:00 until today’s reboot at 17:00 but that should not be a hell of a problem.
    I think trouble has been triggered by WEBES starting that time, causing a far too high a load for programs to initialize properly. I can only guess – but now WEBES isn’t started (the whole directory tree has been removed) it seems to make a difference.

    17-Oct-2007

    MySQL crashed – again
    Just after posting the Babelfish interpretation of “Flushing Cache”, MySQL server went down. This time, it took a few hours to get up again – because I had no access to the systems. It’s been pretty much the same: value 12, “not enough core”, this time on read.
    Reverse changes
    I took the chance to reverse a few changes made in favour of the IDE server for Distributer Detbenas and WEBES and lowered some of the system parameters that were increased as their requirement, but since RdB is to be installed some day, I kept an eye on the requirements. The only one that needed a permanent increase compared to the original settings is CHANNELCNT – set to 2050, just less than twice the original amount. The rest have been restored to the original.
    Next I rebooted Diana (some of them are not dynamic) but something strange happened: It looks like some command procedure has “SET VERIFY” in it and the whole listing was spewed out on the screen. MySQL was started but the remains of the procedure seemed to be bypassed. Running it separately revealed no troubles at all, so what happened here, I don’t know. The log didn’t show anything either….
    But the system is now working again.