Active PayPal Phishing Website Ex Argentine Targeting German Users - Part 2

TOKYO (MacHouse) - As we reported several hours ago, an international cyber criminal group has set up another phishing website, implicating PayPal, an online payment company based in San Jose, California, USA. This is the fourth PayPal phishing website particularly targeting Germans in two weeks.
Screenshot 01 - Source: MacHouse
Screenshot 02 - Source: 200.123.132.188
The title of the spam message they circulated about six hours ago is "Bitte antworten Sie bis spätestens 19.12.2008 hinsichtlich Fall Nr. PP-593-231-951" (in English: "Please reply by 19 December 2008 at the latest regarding case no. PP-593-231-951"). (See Screenshot 01.) The phishing website is currently hosted at http://200.123.132.188/PP/paypal-aktualisieren-Sie-Ihre-Kontoinformationen/index.htm. (See Screenshot 02.)
Screenshot 03 - Source: MacHouse
Screenshot 04 - Source: Linulex Hosting
Screenshot 05 - Source: Rosenblum Eye Centers
First, let's read the header of the spam message. Screenshot 03 shows the HTML source code. It indicates that the spam message originates from the IP address 217.115.202.140, whose node name is res2.linulex.net. It belongs to a Dutch web hosting company called Linulex Hosting. (Screenshot 04 shows the index page of the web hosting company's website at linulex.net.) Unlike our initial analysis, that is not exactly the true origin of the spam message. It appears that it comes from a mail server at rosenblumeyecenters.com, which is run by an organization called Rosenblum Eye Centers. (Screenshot 05 shows the index page of Rosenblum Eye Centers' website.)
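The reason the first IP address in the header is not necessarily the true origin is that every mail server in the chain prepends its own Received line, so the line at the top names only the last relay. The following added example (not code from the original report) walks the Received chain of a constructed sample message built from the host names discussed above; the IP address of the rosenblumeyecenters.com server, the receiving server mx.example.invalid and all timestamps are made up for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: hop names follow the report, but the IP of the
# rosenblumeyecenters.com server, the receiving MX and all timestamps are
# invented for illustration and are not the actual spam header.
SAMPLE_MESSAGE = """\
Received: from res2.linulex.net (res2.linulex.net [217.115.202.140])
  by mx.example.invalid with ESMTP; Sat, 20 Dec 2008 03:12:44 +0000
Received: from mail.rosenblumeyecenters.com (mail.rosenblumeyecenters.com [192.0.2.10])
  by res2.linulex.net with SMTP; Sat, 20 Dec 2008 03:12:40 +0000
Subject: Bitte antworten Sie bis spaetestens 19.12.2008 hinsichtlich Fall Nr. PP-593-231-951

(body omitted)
"""

# Matches "from <HELO name> (<reverse DNS> [<ip>])" as written by most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)


def parse_hops(raw_message):
    """Return the Received chain as dicts, newest hop first.

    Each Received line is added by the server that received the message, so
    the top line is written by the final mail server and the bottom line by
    the server closest to the sender.
    """
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(header).split()))
        if not m:
            continue  # non-standard Received line: skip rather than guess
        hops.append({
            "helo": m.group("helo"),
            "rdns": m.group("rdns"),
            "ip": m.group("ip"),
            # A HELO name that disagrees with reverse DNS is a common spam tell.
            "helo_matches_rdns": m.group("rdns") is not None
            and m.group("helo").lower() == m.group("rdns").lower(),
        })
    return hops


def apparent_origin(raw_message):
    """The earliest hop in the chain, i.e. the best candidate for the origin.

    Only the Received line added by your own server is trustworthy; anything
    below it could be forged by the sender, so treat this as a lead, not proof.
    """
    hops = parse_hops(raw_message)
    return hops[-1] if hops else None
```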
There isn't much to say about the host of the phishing website. It is hosted on a server whose IP address is 200.123.132.188, which traces to a telecommunications company in Buenos Aires, Argentina.
Screenshot 06 - Source: 200.123.132.188
Screenshot 07 - Source: 200.123.132.188
Now, let's see how the PayPal phishing website works. Once the visitor logs in by providing PayPal account information at the page shown in Screenshot 02, he or she lands on a page titled Mein Konto - PayPal. (See Screenshot 06.) The web page file is labeled update.html. Without filling out the page and clicking on the button at the bottom right, he or she ends up at a congratulations page. (See Screenshot 07.) This web page file is labeled fenish.htm.
We initially thought that PayPal account information would be forwarded to e-mail addresses found in update.html. We actually checked all files in the phishing package, including continue.php, einloggen-error.htm, fenish.htm, index.htm, loginPayPal.php, loginPayPal2.php, loginPayPal3.php and update.htm. (Screenshot 08 shows the list of files included in the phishing package.) But we do not find any e-mail addresses in any of the files.
Screenshot 08 - Source: 200.123.132.188
Screenshot 09 - Source: MacHouse
Screenshot 10 - Source: Omniture, Inc
Looking at the bottom of one web page file, there are several variables. It seems that this phishing criminal group uses web traffic software created by a Japanese company found at omniture.com to collect traffic data. We are interested in knowing what the variable labeled s.prop6 is. It is possibly a variable indicating a user ID; its value is shown as 2DL0927663667045U.
Several hours ago, we attempted to contact Omniture, Inc, using a contact form found at the company's website. But they were not available for answers by the time we finished preparing this report.
Related stories:
Active PayPal Phishing Website Ex Argentine Targeting German Users - Part 1
Another Active PayPal Phishing Website Targeting German Users - Part 2
New Active PayPal Phishing Website Targeting German Users - Part 2
Another Active PayPal Phishing Website Targeting German Users - Part 1
New Active PayPal Phishing Website Targeting German Users - Part 1
Active Phishing Website Targeting German PayPal Users - Part 2
Active Phishing Website Targeting German PayPal Users - Part 1
********** ********** ********** ********** ********** ********** ********** **********
MacHouse is not funded by taxpayers' money. We have limited resources. We also need time to sleep and eat, just as others do. So we will not act as the international police and contact all victims of website abuse. All you have to do is subscribe to spam messages and spam posts. If we can, why don't you?

December 20th, 2008 at 9:35 am
Hi, it’s me again
Every time I go to the page, "new active paypal german exploit PT.2" or whatever it's called, I keep getting redirected to spam websites. This is normally after the ad just over the comments loads. I never wrote down the URL that I was redirected to. I checked my history; it was random numbers and it said blueseek, then affiliate. That's the only page that happened on. (It was the page Eve commented on.)
December 20th, 2008 at 11:30 am
Thanks for your report. We apologize for the problem we may have caused. I’ll check it out.
December 20th, 2008 at 11:40 am
I don't see anything wrong with the page. But it's true that one can be involuntarily redirected to a different website because of a crafted Flash ad. In fact, it happened right here at this site exactly one year ago. (RE: Malware-Scan.Com, DotTunes.Net) So we apologize for your problem if we are responsible for the redirection. That would definitely not be our intention. In the meantime, it is also true that exploiters spike the web browser with malicious code to redirect Internet users to undesirable websites. It is also true that redirection depends on your geographic location, web browser and other factors. So we ourselves may never get redirected. For now, we cannot detect anything here. But we will keep looking.
December 20th, 2008 at 11:47 am
I guess it must have been an ad. Probably it got caught and deleted from whatever ad company's list of ads or whatever. Yea, just after I posted that I stopped getting redirected. Today's a weird day. Even an ad is going around YouTube that uses XSS.
December 20th, 2008 at 12:40 pm
>Yea, just after I posted that I stopped getting redirected.
That’s good to know. If a Flash banner is responsible, they will usually redirect you only once in every 24 hours. So you may never know if involuntary redirection has completely stopped.
December 22nd, 2008 at 11:04 am
I think the whole redirection was my fault. I remember I forgot to turn NoScript on and I ended up loading an ad which used XSS. I went to this site by a Google search. I checked my history of webpage viewing and noticed I went from the last site I was on to search(dot)php or something like that, then to random letters and numbers that mentioned affiliate in its URL, then to blueseek random letters/numbers, then affiliate. Then to the page of this site where I got redirected. Weird. I think I must have got temporary malicious code in my browser. I was using Firefox on Ubuntu 8.10.
P.S. Great job on making this excellent website. (I finally remembered to say that!)
December 22nd, 2008 at 11:32 am
Alex, that’s no problem. And thanks for your compliments.