Active PayPal Phishing Website Hosted in Ecuador

TOKYO (MacHouse) - More than three hours ago, an organized cyber criminal group circulated a spam message implicating the eBay-owned online payment company again. This time, a PayPal phishing website is hosted not in China but in Ecuador.
The phishing message that was circulated a while ago is written entirely in German. Its subject line is "Wichtige botschaft aus - Mit großer Aufmerksamkeit gelesen!" The sender's address is shown as service@paypal-inc.de. The message itself is quite simple. It says:
Sie haben 1 neue Nachricht Security Alert!
Anmelden in Ihrem Konto und das Problem behoben werden.
Klicken Sie hier, um sich in
The PayPal Team
The underlying URL in the hyperlink is http://ccpp.org.ec/boletines/_vt/paypal-aktualisieren-Sie-Ihre-Kontoinformationen/. Accessing it, one will end up at an active PayPal phishing website hosted in Ecuador.
Screenshot 01 - Source: MacHouse
Screenshot 02 - Source: ccpp.org.ec
Screenshot 01 shows the actual phishing message, and Screenshot 02 shows the login page of the PayPal phishing website in question. If you try to log in with an e-mail address and a password, you are likely to see an error message. (See Screenshot 03.) If you instead click on the button that says Einloggen, leaving those text boxes blank, you are likely to proceed to an account information page. (See Screenshot 04.)
Screenshot 03 - Source: ccpp.org.ec
Screenshot 04 - Source: ccpp.org.ec
Our preliminary analysis suggests that the phishing message originated from a mail server belonging to a telecommunications company in France called Accetis International. The spammer who actually sent the HELO command may come from Texas, USA. We hope to have a more detailed report within 24 hours.

January 26th, 2009 at 11:15 pm
According to the HTML source of the phishing message, the immediate sender is traced to the IP address of 62.23.127.148. This IP address is traced to a mail server run by a French organization called AC Conseil. The true origin of the phishing message is the IP address of 66.34.152.1. It’s traced to twighlight.propagation.net.
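The kind of header trace described above (immediate sender versus earliest claimed origin, plus the HELO name) can be reproduced from a message's Received headers. The following is an added example, not MacHouse's own tooling; the sample message, hostnames and IP addresses are constructed, and the function names are hypothetical. Only the hop written by your own mail server is trustworthy, since lower Received lines can be forged by the sender.

```python
import re
from email import message_from_string

# Constructed sample (documentation IP ranges, example hostnames); newest hop first.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.25])
\tby mx.recipient.example with ESMTP id A1; Mon, 26 Jan 2009 10:02:11 +0900
Received: from mail.sender.example (host1.example.org [198.51.100.7])
\tby relay.example.net with SMTP id B2; Mon, 26 Jan 2009 02:02:05 +0100
From: service@sender.example
Subject: constructed sample

body
"""

# "from <HELO name> (<reverse DNS> [<IP>]) ... by <receiving host>"
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)

def received_hops(raw):
    """Return parsed Received hops in header order (newest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hop = m.groupdict()
            # A HELO name that differs from the reverse DNS name is worth a closer look.
            hop["helo_mismatch"] = (hop["rdns"] or "").lower() != hop["helo"].lower()
            hops.append(hop)
    return hops

def summarize(raw):
    """Immediate sender = newest hop; earliest hop = oldest (unverified) claim."""
    hops = received_hops(raw)
    if not hops:
        return None
    return {
        "immediate_sender": hops[0]["ip"],
        "earliest_hop": hops[-1]["ip"],
        "helo_mismatches": [h["ip"] for h in hops if h["helo_mismatch"]],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```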