Active Phishing Website Targeting German PayPal Users – Part 1







TOKYO (MacHouse) – Criminals never quit. We reported an active PayPal phishing website just about 10 days ago, and now we’ve found a new one. This PayPal phishing website is apparently targeting German users.





Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: backlink-superchargers.com
Screenshot 03 – Source: backlink-superchargers.com






An organized cyber scum group circulated at least two copies of an identical spam message more than 10 hours ago. The subject line of the message is “Bitte antworten Sie bis spatestens 9.12.2008 hinsichtlich Fall Nr. PP-720-135-625”. It says something like “Please answer to spatestens 9.12.2008 regarding case No. PP-720-135-625.” (See Screenshot 01.) The entire message is written in German, which we can’t read. Several URLs are pasted in the message. The underlying link behind one of them is http://webgameinfo.se//Privatkunden-passw0rt/index.htm. Clicking on the link redirects you to a PayPal phishing website hosted at the domain backlink-superchargers.com. More specifically, the phishing website is installed inside popin-video > .online-id. (See Screenshots 02 and 03.)

Our preliminary analysis shows that the spam message originates from a web server in Ottawa, Ontario, Canada. We don’t know if this is the true origin. Anyway, it seems that the spam message was then passed to a web server of Vail Mountain School (vms.edu), a school located in Vail, Colorado, USA.

We will have a more detailed report in several hours.












References:

Warning: Active PayPal Phishing Website Found at APLUS.NET – Part 2
Warning: Active PayPal Phishing Website Found at APLUS.NET – Part 1
Active PayPal Phishing Website Ex San Diego, CA, USA – Part 2
Active PayPal Phishing Website Ex San Diego, CA, USA – Part 1
Beware of French PayPal Phishing Website Hosted at WordPress Blog (Prenez garde d’un site Web phishing de PayPal accueilli à infantmemories.com.)
Beware of PayPal Phishing Mail Circulated by Moroccan Cyber Criminal Group


2 Responses to Active Phishing Website Targeting German PayPal Users – Part 1

  1. Danny says:

    Hey. We got this “PayPal” phishing stuff too. We are a German company, so I can translate the mail for you:

    the subject “Bitte antworten Sie bis spatestens 9.12.2008 hinsichtlich Fall Nr. PP-720-135-625” means:

    “Please answer by 9th December 2008 regarding Case No. PP-720-135-625”

    I do not have the email text (our mail filter filters the complete mail), but if you send it to my mail address, I can translate it for you, if you like.

    regards
    danny

  2. That would be very nice of you. Thanks for your offer. But that’s not necessary.
