
TOKYO (MacHouse) – More than 10 hours ago, a cyber criminal badly seeking credit card numbers circulated a PayPal phishing message written in French. (See Screenshot 01.) This phishing message looks quite similar to the one that we showed the other day. A major difference is that there’s an additional paragraph that says:
Quelqu’un avec le IP address 81.121.126.91 a essaye d’acceder a votre compte personnel!
Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: infantmemories.com
Screenshot 03 – Source: MacHouse
It says somebody with the IP address of 81.121.126.91 is trying to access your personal account!
The underlying link behind ‘Cliquez Ici Pour Une Resolution’ this time is
http://infantmemories.com/wp-includes/js/css/cgi-bin/webscrcmd=_login-run/
webscrcmd=_account-run/updates-paypal/login.jsp (A continuous URL broken into two lines.)
The URL above leads to an active PayPal phishing website. (See Screenshot 02.) A close look at the URL shows that it belongs to a WordPress website. That is, the phishing package is installed inside the ‘wp-includes’ folder.
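The URL traits described above (PayPal-style path tokens on a host that is not PayPal, sitting under a WordPress core folder) can be checked mechanically when triaging reported links. The following Python sketch is an added example, not part of the original article; the token, domain, directory and extension lists are assumptions to extend, and two of the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Tokens taken from the lure URL in this article; all four lists are assumptions.
BRAND_TOKENS = ("paypal", "webscr", "cmd=_login-run", "cmd=_account-run")
BRAND_DOMAINS = ("paypal.com",)           # hosts allowed to use those tokens
WP_DIRS = ("wp-includes", "wp-admin", "wp-content")
NON_WP_EXT = (".jsp", ".asp", ".aspx")    # WordPress is PHP; core ships none of these

def is_brand_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def triage(url):
    """Return the reasons a URL looks like a brand phishing kit on a WordPress site."""
    parts = urlsplit(url)
    if is_brand_host(parts.hostname or ""):
        return []
    path = parts.path.lower()
    haystack = path + "?" + parts.query.lower()
    segments = [s for s in path.split("/") if s]
    reasons = []
    hits = [t for t in BRAND_TOKENS if t in haystack]
    if hits:
        reasons.append("brand tokens on non-brand host: " + ", ".join(hits))
    wp = [s for s in segments if s in WP_DIRS]
    if hits and wp:
        reasons.append("brand-themed page under WordPress directory: " + wp[0])
    if wp and path.endswith(NON_WP_EXT):
        reasons.append("file type WordPress does not ship: " + segments[-1])
    return reasons

# URL from the article (joined into one line) plus two constructed benign URLs.
SAMPLES = [
    "http://infantmemories.com/wp-includes/js/css/cgi-bin/webscrcmd=_login-run/"
    "webscrcmd=_account-run/updates-paypal/login.jsp",
    "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run",
    "https://blog.example.org/wp-includes/js/jquery/jquery.js",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u)
        for r in triage(u) or ["no findings"]:
            print("   -", r)
```

The same three checks can run over web server access logs on a WordPress host to spot a planted kit, since requests for a `.jsp` file under `wp-includes` have no legitimate cause.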
Screenshot 03 shows the HTML source code of the phishing message. So where does it look like the phishing message comes from? French phishing websites remind us of what? Wistee (wistee.fr)? Yes, that’s where the phishing message originates from. The IP address of 94.124.84.10 is traced to the disgraced French web hosting company. (Screenshot 04 shows the index page of Wistee’s website.) That coincides with the time zone offset of +0100, which indicates that the sender of the spam message resides in Western/Central Europe or North Africa.
Screenshot 04 – Source: Wistee
Screenshot 05 – Source: Pugmarks
Screenshot 06 – Source: infantmemories.com
Let’s see quickly what we can find out about the exploited WordPress website. The web server of this WordPress website is traced to the IP address of 207.191.227.3. The location is Naperville, Illinois, USA. This server appears to belong to Pugmarks (pugmarks.com). (Screenshot 05 shows the index page of Pugmarks.)
References:
Beware of PayPal Phishing Mail Circulated by Moroccan Cyber Criminal Group





