Phishing Website Targeting French PayPal Users (2)







TOKYO (MacHouse) – As we reported earlier, an international cyber scum group sent out 2 copies of a phishing e-mail message targeting French PayPal users. The entire message is written in French. (See Screenshot 01.) The title is ‘Votre compte PayPal a ete expiree,’ which means your PayPal account has expired, I suppose. There are a few crucial mistakes made by the criminal. The sender’s name appears as service@paypal.com, though the e-mail address is shown as contact@wistee.fr. Likewise, the return address also appears as contact@wistee.fr.





Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: MacHouse
Screenshot 03 – Source: Portail Orange






Let’s look at the source code of the message. There are a few interesting aspects about this message. It appears that the cyber criminal used Microsoft Outlook Express to write the message. (See Screenshot 02.) Whether or not that’s true, the source code shows that this message went through orange.fr, a French portal. (Screenshot 03 shows Portail Orange’s index page.) The IP address of the person using this orange.fr account points to Morocco (northern Africa). There is no indication that the message went through a mail server hosted at the French web hosting company WISTEE, SARL (wistee.fr).

This web hosting company’s servers are favorite choices for international phishing organizations. As far as we know, this is the fourth time their servers have been used to host phishing websites.

Going back to Screenshot 01, if you click on the link that says ‘Cliquez ici pour activer votre compte’ (Click here to activate your account.), you will be forwarded to the phishing website hosted at Wistee.fr. The URL of the phishing website is http://poaypoll.ns8-wistee.fr/www.paypal.fr/. This website is presumably set up to steal PayPal account information. If you enter a fake PayPal e-mail address and password, you can log in. You are reminded to reactivate your PayPal account. But, for some reason, you are requested to provide credit card information. (See Screenshot 05-6.) Not surprisingly, the protocol of the page is http. That’s another indication that this website is nothing but a total fake.
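The tell-tale signs described above (a sender name posing as a PayPal address over a wistee.fr mailbox, a non-PayPal return address, and a link that puts www.paypal.fr in the path of a foreign host served over http) can be checked mechanically. The following Python sketch is an added example, not part of the original report; the sample message is constructed from the values quoted in the article, and the header layout, the `BRAND_DOMAINS` list and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample. Only the addresses, subject, link text and URL are from the
# article; the header layout (and Return-Path as the "return address") is assumed.
SAMPLE = """\
From: "service@paypal.com" <contact@wistee.fr>
Return-Path: <contact@wistee.fr>
Subject: Votre compte PayPal a ete expiree
Content-Type: text/html; charset="utf-8"

<a href="http://poaypoll.ns8-wistee.fr/www.paypal.fr/">Cliquez ici pour activer votre compte</a>
"""

BRAND_DOMAINS = ("paypal.com", "paypal.fr")  # assumed allow-list for this example


def in_brand(host):
    """True if host is a brand domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def phishing_indicators(raw):
    """Return a list of indicator strings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    # Display name poses as a brand address while the real mailbox is elsewhere.
    claims_brand = "@" in display and in_brand(display.rpartition("@")[2])
    if claims_brand and not in_brand(addr.rpartition("@")[2]):
        findings.append("from-display-mismatch")
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    if claims_brand and bounce and not in_brand(bounce.rpartition("@")[2]):
        findings.append("return-path-mismatch")
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if in_brand(host):
            continue  # link really points at the brand
        # Brand name placed in the path to make a foreign host look legitimate.
        if any(d in parts.path.lower() for d in BRAND_DOMAINS):
            findings.append("brand-in-path:" + host)
            if parts.scheme == "http":
                findings.append("plain-http-login:" + host)
    return findings
```

The host comparison is done on the parsed hostname, never on the full URL string, which is why `www.paypal.fr` in the path does not pass as a PayPal link.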





Screenshot 04 – Source: poaypoll.ns8-wistee.fr
Screenshot 05 – Source: poaypoll.ns8-wistee.fr
Screenshot 06 – Source: poaypoll.ns8-wistee.fr












References:

Bank of America Phishing Content Hosted at 7th Largest French Website (FREE.FR)
PayPal Phishing Website Hosted in France (WISTEE.FR)
Bank of America Phishing Message Invades Home and Office Computers Worldwide Again…
