
November 29, 2008

Warning: Active PayPal Phishing Website Found at APLUS.NET - Part 2

Filed under: Internet security — Administrator @ 12:40 am
Posted about 1 years and 9 months ago







TOKYO (MacHouse) - As we reported earlier, an organized cyber criminal group circulated at least two identical spam e-mail messages more than 12 hours ago, misrepresenting PayPal. The subject line of the spam message is "Update Your PayPal Account Personal Information." (See Screenshot 01.) The link displayed as 'www.paypal.com' in the message actually points to http://itvenl1a4v.web.aplus.net/. That is where a PayPal phishing website was hosted when we made our first report several hours ago. In fact, this phishing website is still active.





Screenshot 01 - Source: MacHouse
Screenshot 02 - Source: MacHouse
Screenshot 03 - Source: WebFusion






The e-mail message is nearly identical to the one that we reported about 2 weeks ago. The last PayPal phishing website was hosted in San Diego, California, USA. This time, the phishing website is hosted at the same location. The web host is Aplus.net Internet Services, since the IP address of the web server traces to 216.55.128.150.

The phishing e-mail message looks as if it came from PayPal@proxysend.com. But, as you might guess, that is not the true sender. It is just a fake e-mail address. Screenshot 02 shows the HTML source code of the spam message. It seems that a Brazilian Internet user with the IP address 200.249.198.34 connected to a web server hosted by WebFusion to circulate phishing spam messages. (Screenshot 03 shows the index page of WebFusion's website.)





Screenshot 04 - Source: aplus.net
Screenshot 05 - Source: aplus.net
Screenshot 06 - Source: PayPal






Clicking on the link in the phishing message forwards one to http://itvenl1a4v.web.aplus.net. If you enter an e-mail address and a password, whether or not they are genuine, you will be asked to provide more account information. (See Screenshots 04-05.) Finally, you will be redirected to PayPal's genuine website. (See Screenshot 06.)












References:

Warning: Active PayPal Phishing Website Found at APLUS.NET - Part 1
Active PayPal Phishing Website Ex San Diego, CA, USA - Part 2
Active PayPal Phishing Website Ex San Diego, CA, USA - Part 1
Beware of French PayPal Phishing Website Hosted at WordPress Blog (Prenez garde d’un site Web phishing de PayPal accueilli à infantmemories.com.)
Beware of PayPal Phishing Mail Circulated by Moroccan Cyber Criminal Group





********** ********** ********** ********** ********** ********** ********** **********

MacHouse is not funded by taxpayers' money. We have limited resources. We also need time to sleep and eat just as others do. So we will not act as the international police to contact all victims of website abuse. All you have to do is to subscribe to spam messages and spam posts. If we can, why don't you?







2 Responses to “Warning: Active PayPal Phishing Website Found at APLUS.NET - Part 2”

  1. Russ Says:

    This site has been taken down. Aplus.Net is a DBA for Abacus America, one of the oldest and most reputable hosting companies in business. We are an ICANN certified registrar.

    Please report any future issues you may find to abuse@aplus.net

  2. Administrator Says:

    >Please report any future issues…

    Negative. We no longer waste our resources in contacting concerned parties including victims. All you have to do is to subscribe to junk e-mail messages just as we do. Don’t depend on us.
