Active Phishing Website Targeting French PayPal Users – Part 1

Posted on March 30, 2009 by Administrator

anti spam






TOKYO (MacHouse) – An organized group of half-retarded cyber criminals sent out at least four spam messages in the past 12 hours or so to scam French PayPal users. The first spam message of this kind that we received is titled Update Your Account Information. It’s written in English. But the entire message is then written in French. People with a common sense would write both the subject line and the body with the same language. That’s why we say a group of half-retarded people is involved.






1st PayPal phishing message

Title: Update Your Account Information
Sender’s address: service@paypal.com
Return-path: anonymous@ns24075.ovh.net






2nd PayPal phishing message

Title: Chers utilisateurs PayPal:Attention! Votre Compte PayPal A ete limite!
Sender’s address: service@paypal.com
Return-path: anonymous@ns24075.ovh.net






3rd PayPal phishing message

Title: (none)
Sender’s address: service@paypal.com
Return-path: anonymous@ns24075.ovh.net






4th PayPal phishing message

Title: Chers utilisateur PayPal:Attention! Votre Compte PayPal A ete limite!
Sender’s address: service@paypal.com
Return-path: anonymous@ns24075.ovh.net






(See Screenshots 01-4.)  





PayPal phishing paypail.netingame.net
Screenshot 01 – Source:
MacHouse		   PayPal phishing paypail.netingame.net
Screenshot 02 – Source:
MacHouse		   PayPal phishing paypail.netingame.net
Screenshot 03 – Source:
MacHouse


PayPal phishing paypail.netingame.net
Screenshot 04 – Source:
MacHouse		   PayPal phishing paypail.netingame.net
Screenshot 05 – Source:
paypail.netingame.net		   PayPal phishing paypail.netingame.net
Screenshot 06 – Source:
paypail.netingame.net






Another weird aspect of this phishing campaign targeting French PayPal users is the URL of a phishing website stated in each message. None of the URLs is clickable. As for the first phishing message, there is no URL stated underlying the phrase Cliquez Ici pour activer votre compte. That also suggests that the cyber criminal group comprises of teenagers as regarded as Australian crocodiles. Though not clearly stated, the rest of the phishing messages imply that there is a phishing website found at http://paypail.netingame.net. In fact, there is. (See Screenshots 05-6.)

Our quick analysis indicates that an active phishing website targeting French users is hosted in France. Furthermore, it appears that all phishing messages originate from a dedicated server hosted in France. We will have a more detailed report hopefully within 24 hours.






Click on the button to watch a short documentation video. VTC
Click on the button to watch more documentation videos. VTC

This entry was posted in Internet security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comment spam protected by SpamBam

Notify me of followup comments via e-mail. You can also subscribe without commenting.