Active PayPal Phishing Website Ex San Diego, CA, USA – Part 2

TOKYO (MacHouse) – As we reported a few hours ago, an organized cyber scum group circulated a spam message more than 24 hours ago that misrepresents PayPal. The spam message, with the subject line “!ClamAV:VIRUS found:Phishing.Heuristics.Email.SpoofedDomain! Update Your PayPal Account Personal”, urges the recipient to update their PayPal account. (See Screenshot 01.) The link given in the message reads www.paypal.com; however, the underlying URL is actually http://www.imp-igg.com.
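As an added illustration (not part of the original post), the following Python script shows how a mail filter can flag the kind of deceptive link described above: it parses the HTML body and, whenever an anchor's visible text looks like a host or URL, compares that host with the host in the href. The sample message body is constructed for the example and is not the real spam message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body mimicking the message described above (not the real mail).
SAMPLE_HTML = """<html><body>
<p>Update Your PayPal Account Personal</p>
<a href="http://www.imp-igg.com">www.paypal.com</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="https://www.paypal.com/us/signin">https://www.paypal.com/us/signin</a>
</body></html>"""

# Matches link text that looks like a bare host or URL, capturing the host part.
HOST_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])

def find_deceptive_links(html):
    """Return anchors whose visible text names one domain but whose href goes elsewhere."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        m = HOST_RE.match(text)
        if not m:
            continue  # link text is a plain label, not a host: nothing to compare
        shown = registrable(m.group(1))
        actual = registrable(urlparse(href).hostname or "")
        if shown != actual:
            findings.append({"text": text, "href": href, "shown": shown, "actual": actual})
    return findings
```

Running `find_deceptive_links(SAMPLE_HTML)` flags only the first anchor, whose text reads www.paypal.com while the href points at imp-igg.com; the two genuine PayPal links pass.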

Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: MacHouse
Screenshot 03 – Source: networldbud.com

Screenshot 02 shows the HTML source code of the spam message. Obviously, the spam message does not originate from PayPal. Rather, it appears to originate from mail.networldbud.com. In reality, this mail server, which is hosted in Hungary, is traced to the IP address 91.82.87.222, as implied in the source code. In fact, one can find a popular webmail package called SquirrelMail at networldbud.com. (See Screenshot 03.) That’s probably what the spammer used to circulate the phishing message.

However, the HTML source code of the spam message also mentions webfusion.co.uk. Indeed, that’s the domain of a UK web hosting company called WebFusion. (Screenshot 04 shows the index page of WebFusion.) In reality, their web server is traced to the IP address 212.241.202.190. So far, we don’t know WebFusion’s precise involvement with this phishing message.

Screenshot 04 – Source: WebFusion
Screenshot 05 – Source: Aplus.net
Screenshot 06 – Source: Aplus.net

Clicking on the link given in the spam message, one will be immediately redirected to http://elixxx52.web.aplus.net. (See Screenshot 05.) After providing an e-mail and a password, one is further requested to provide

  • a credit card number
  • date of birth
  • social security number

(See Screenshot 06.) What? Do you need a credit card and a U.S. social security number to create a PayPal account? After providing these extra pieces of information, one will eventually be redirected to the genuine PayPal website. (See Screenshot 07.)

Screenshot 07 – Source: PayPal
Screenshot 08 – Source: Aplus.net
Screenshot 09 – Source: MacHouse Domain Lookup

So where is the phishing website hosted? The web server of this PayPal phishing website (the website at elixxx52.web.aplus.net) is traced to the IP address 216.55.128.150. This IP address appears to belong to an organization called Aplus.net Internet Services (= Abacus America?). (Screenshot 08 shows the index page of Aplus.net’s website.) It’s a very suspicious web hosting company. Why? The domain aplus.net was first registered in August 1998, and its WhoIs registration was updated in June 2007. (See Screenshot 09.) The domain is not brand-new at all. Nonetheless, its forum at http://forum.aplus.net doesn’t have many posts.

Screenshot 10 – Source: Aplus.net
Screenshot 11 – Source: MacHouse Domain Lookup

Remember the underlying URL http://www.imp-igg.com in the spam message? Interestingly, the domain imp-igg.com was registered by Abacus America. (See Screenshot 11.) The designated nameservers are ns1.abac.com and ns2.abac.com, which both seem to be used by Aplus.net Internet Services. So Aplus.net Internet Services hosts not just the PayPal phishing website but also the website used to redirect Internet users to it.

References:

Active PayPal Phishing Website Ex San Diego, CA, USA – Part 1
Beware of French PayPal Phishing Website Hosted at WordPress Blog (Prenez garde d’un site Web phishing de PayPal accueilli à infantmemories.com.)
Beware of PayPal Phishing Mail Circulated by Moroccan Cyber Criminal Group