Beware of Dangerous PayPal Phishing Website Hosted at KLMTROPHIES.COM – Part 2

TOKYO (MacHouse) – As we reported yesterday, an organized cyber criminal group circulated a phishing message more than 24 hours ago, targeting French PayPal users. We in fact received two copies, one arriving at 11:18 AM (U.S. Pacific) / 07:18 PM (London) and the other at 11:51 AM (U.S. Pacific) / 07:51 PM (London). (See Screenshots 01 and 02.) Interestingly, both copies show the same sender e-mail address, wol@alice.it.

Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: MacHouse
Screenshot 03 – Source: klmtrophies.com

Clicking on the only hyperlink in the message, which reads Cliquez ici, forwards the victim to a phishing website hosted at http://klmtrophies.com. (See Screenshot 03.) Twenty-four hours after our first report, the phishing package is no longer found at klmtrophies.com.

What the cyber scam group wants is PayPal account credentials, along with visitor traffic information. After submitting an e-mail address and a password, the victim is forwarded to Submit.php at KLM Trophy Center. (See Screenshot 04.) Let’s take a close look at what was going on while the data was being transmitted. Screenshot 05 shows that the web browser also accessed paypal112.2o7.net. What is this node? Its web server is traced to the IP address 66.235.139.70, located in Orem, Utah, USA. Orem, Utah… It’s the home of HostMonster, a web hosting company. It is also home to Omniture, a developer of web traffic analysis software. In fact, Omniture says the domain 2o7.net is used by the company ‘to help provide portions of its Omniture SiteCatalyst and Omniture SearchCenter products.’ (See Screenshot 06.)

Screenshot 04 – Source: klmtrophies.com
Screenshot 05 – Source: klmtrophies.com
Screenshot 06 – Source: Omniture

Next, let’s find out how the phishing message was circulated. Screenshot 07 shows the HTML source code of the first copy of the phishing message. On both occasions, the spammer used an account at Portail Orange to send out the phishing message. The immediate source is smtp20.orange.fr, smtp28.orange.fr or another mail server at orange.fr. Both copies also point to the same true origin, the IP address 86.214.231.175, whose node name is ANantes-251-1-152-175.w86-214.abo.wanadoo.fr. Who owns the domain wanadoo.fr? It’s actually Portail Orange.

Screenshot 07 – Source: MacHouse


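The header tracing just described, walking the Received headers from the recipient’s mail server back through the orange.fr relay to the wanadoo.fr origin, can be automated. The script below is an added example, not code from the MacHouse post; it runs on a constructed message modelled on the chain above, in which the relay’s IP address, the receiving MX name, the message ids and the dates are placeholders rather than values from the real e-mail.

```python
import re
from email import message_from_string
from typing import Optional

# Constructed sample modelled on the chain described in the post: the victim's
# MX received the message from smtp20.orange.fr, which in turn received it from
# the wanadoo.fr host at 86.214.231.175. The relay IP 192.0.2.20, the MX name,
# the ids and the dates are placeholders, not values from the real message.
SAMPLE_MESSAGE = """\
Received: from smtp20.orange.fr (smtp20.orange.fr [192.0.2.20])
\tby mx.example.net (Postfix) with ESMTP id 7A1B2C3D
\tfor <victim@example.net>; Thu, 12 Mar 2009 19:18:02 +0000
Received: from [192.168.1.2] (ANantes-251-1-152-175.w86-214.abo.wanadoo.fr [86.214.231.175])
\tby smtp20.orange.fr (SMTP Server) with ESMTP id 1234
\tfor <victim@example.net>; Thu, 12 Mar 2009 20:17:55 +0100
From: "PayPal" <wol@alice.it>
Subject: Votre compte PayPal
Content-Type: text/html

<a href="http://klmtrophies.com/">Cliquez ici</a>
"""

# "from <helo> (<reverse-dns> [<ip>]) by <relay>" as most MTAs write it; the
# parenthesised part is optional because not every relay records it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)

def relay_chain(raw: str) -> list:
    """Return the hops oldest-first, so the originating host comes first."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its own Received header, so the bottom one is the
    # first hop. Folded header lines are joined before matching.
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    return hops

def origin_of(raw: str) -> Optional[dict]:
    """The host that handed the message to the first relay (may be forged)."""
    hops = relay_chain(raw)
    return hops[0] if hops else None

def chain_is_consistent(hops: list) -> bool:
    """Each hop's 'from' host should name the relay that wrote the hop below.
    A break here suggests the lower headers were inserted by the sender."""
    return all(nxt["helo"] == prev["by"] or nxt["rdns"] == prev["by"]
               for prev, nxt in zip(hops, hops[1:]))
```

Only the topmost Received header, the one written by your own mail server, is trustworthy; everything below it was supplied by the relays and can be forged, which is why the continuity check matters before attributing an origin.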