Active PayPal Phishing Website Hosted at MICROCOVE.COM - Part 1

TOKYO (MacHouse) - An organized cyber criminal group circulated a spam message several hours ago targeting PayPal users. The sender's e-mail address is shown as new@service.fr, and the subject line of the message is "PayPal : Update Your Online Banking Information". (See Screenshot 01.)
The scam message reads:
It has came to our attention that your PayPal billing information are out of date. This require you to update your billing information as soon as possible.
This billing update is also a new PayPal security statement which goes according to the established norms on our terms of service (TOS) to reduce the instance of fraud on our website.
Please update your records . A failure to update your records may result on a suspension of your account.
To update your PayPal records click on the following link:
http://www.paypal.com/us/
The URL underlying the hyperlink is http://microcove.com/Online1/Paypal-Security/cgi-bin/us/security/update-paypal/service-peyment/update/login.aspx/. Clicking on it forwards the visitor to a phishing website. (See Screenshot 02.)
Screenshot 01 - Source: MacHouse
Screenshot 02 - Source: microcove.com
Our preliminary analysis indicates that the PayPal phishing website is hosted at a web server in Hopkinsville, Kentucky, USA. Just like the last PayPal phishing incident we reported a few days ago, the phishing message seems to come from France. We will have a more detailed report hopefully within 24 hours.
February 2nd, 2009 at 10:22 am
Here is another one. Different address, same subject, different link I think. Hope it helps. I just discovered your site, will check it out closely next visit. Thanks for your efforts! Joseph
Message from PayPal #Friday, January 30, 2009 10:12 AM
From Service Fri Jan 30 10:12:40 2009
Return-Path:
Authentication-Results: mta198.mail.re2.yahoo.com from=service7.com; domainkeys=neutral (no sig); from=service7.com; dkim=neutral (no sig)
Received: from 210.8.166.114 (EHLO mail.hooperco.com.au) (210.8.166.114) by mta198.mail.re2.yahoo.com with SMTP; Fri, 30 Jan 2009 10:16:28 -0800
Received: from User ([64.223.70.226]) by mail.hooperco.com.au with Microsoft SMTPSVC(6.0.3790.1830); Sat, 31 Jan 2009 04:18:28 +1000
From: "Service"
Subject: Message from PayPal #
Date: Fri, 30 Jan 2009 13:12:40 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc:
Return-Path: service@service7.com
Message-ID:
Content-Length: 956
Dear PayPal Member,
We recently have determined that different computers have logged onto
your PayPal account, and multiple password failures were present before
the logins. We now need you to re-confirm your account information to us.
If this is not completed by January 09, 2009, we will be forced to suspend
your account indefinitely, as it may have been used for fraudulent purposes.
We thank you for your cooperation in this manner. To confirm your Account
records click on the following link:
http://www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit&dispatch=588
Thank you for your patience in this matter.
PayPal Customer Service.
Please do not reply to this e-mail as this is only a notification.
1999-2009 PayPal. All rights reserved.
[Edited by Administrator to convert HTTP into ASCII]
February 2nd, 2009 at 8:21 pm
Thanks, Joseph. We will look into it later on.
February 3rd, 2009 at 1:13 am
The HTML source code suggests that this particular PayPal phishing campaign is not related to the one reported here. The immediate source of the phishing message is mail.hooperco.com.au, which passed the spam message to Yahoo! Mail. The IP address of the web server at hooperco.com.au is correctly recorded as 210.8.166.144. The true origin of the phishing message is something else. It was sent by someone at Vergennes Union High School in Vermont, USA. So this PayPal phishing campaign is rather related to the one that we first reported on January 26th.
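The header walk described in the comment above, as an added example that is not MacHouse's own tooling: it reads the Received chain from the headers Joseph posted, reports the earliest recorded peer address, checks that each relay's "by" host is the host the next hop names, and also flags the visible-link versus real-href mismatch from the first message in the post. The sample inputs are constructed from values on this page and the function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the two Received lines and Return-Path quoted in the comment above.
SAMPLE_HEADERS = """\
Return-Path: service@service7.com
Received: from 210.8.166.114 (EHLO mail.hooperco.com.au) (210.8.166.114) by mta198.mail.re2.yahoo.com with SMTP; Fri, 30 Jan 2009 10:16:28 -0800
Received: from User ([64.223.70.226]) by mail.hooperco.com.au with Microsoft SMTPSVC(6.0.3790.1830); Sat, 31 Jan 2009 04:18:28 +1000
"""
# Constructed sample: the hyperlink from the first message in the post (real href, PayPal-looking text).
SAMPLE_HTML = ('<a href="http://microcove.com/Online1/Paypal-Security/cgi-bin/us/security/'
               'update-paypal/service-peyment/update/login.aspx/">http://www.paypal.com/us/</a>')

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
RECEIVED = re.compile(r"^Received:\s*from\s+(\S+)(.*?)\s+by\s+(\S+)", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def parse_received(raw):
    # Returns the hops ordered from origin to final receiver.
    hops = []
    for line in raw.splitlines():
        m = RECEIVED.match(line)
        if not m:
            continue
        claimed, extra, relay = m.groups()
        ip = IPV4.search(extra)  # address the relay actually saw, not the sender's EHLO claim
        hops.append({"claimed": claimed, "extra": extra,
                     "ip": ip.group(1) if ip else None, "by": relay})
    hops.reverse()  # each relay prepends its header, so the top line is the last hop
    return hops

def origin_ip(raw):
    # Earliest recorded peer address: the best hint at the true sender.
    hops = parse_received(raw)
    return hops[0]["ip"] if hops else None

def chain_is_consistent(hops):
    # Each relay's "by" host should be the host the following hop names as its "from".
    for prev, nxt in zip(hops, hops[1:]):
        if prev["by"] not in nxt["claimed"] and prev["by"] not in nxt["extra"]:
            return False
    return True

def mismatched_links(html):
    # Links whose visible URL text names a different host than the real href.
    found = []
    for href, text in ANCHOR.findall(html):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            found.append((shown, real))
    return found
```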