Phish: identity theft
cyber...@fbi.gov
Phish FROM: 169.134.broadband2.iol.cz [83.208.134.169]
hostm...@iol.cz,postm...@iol.cz,ab...@iol.cz
Phish URL: http://140.112.38.49/verify/Verify.html
on Taiwan Academic Network/National Taiwan University
tane...@moe.edu.tw,ab...@ntu.edu.tw,
secu...@ntu.edu.tw,postm...@ntu.edu.tw
Phish TARGETS: paypal users.
ad...@paypal.com,sup...@paypal.com,sp...@paypal.com,
secu...@paypal.com
==========
[DETAILS:]
PHISH FROM: 169.134.broadband2.iol.cz [83.208.134.169]
inetnum: 83.208.134.0 - 83.208.134.255
netname: NEXTEL-XDSL
descr: XDSL NETWORK-ADSL
country: CZ
admin-c: HVJI1-RIPE [omitted]@hq.iol.cz
[whois.abuse.net]
hostm...@iol.cz (for iol.cz)
postm...@iol.cz (for iol.cz)
PHISH URL: http://140.112.38.49/verify/Verify.html
'click on the following link
[A href="http://140.112.38.49/verify/Verify.html"]
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run[/A]'
inetnum: 140.112.0.0 - 140.112.255.255
netname: TANET
descr: Taiwan Academic Network
address: Ministry of Education computer Center
e-mail: tane...@moe.edu.tw
address: National Taiwan University
e-mail: ab...@ntu.edu.tw
The page demands one's:
Name, address, phone number, email address,
Credit card number (and expiration date and private security number),
ATM PIN,
Date of birth, Social Security Number,
Mother's maiden name and
PayPal password.
Quite a bit.
This is POSTed to "http://140.112.38.49/verify/verify.php"
which redirects not to paypal itself:
HTTP/1.1 302 Found
Location: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
============================================================
[ORIGINAL PHISH: with angle brackets, such as "<", converted
to square brackets, such as "[", so as not
to affect HTML enabled mail/news readers.]
Return-Path: <sup...@paypal.com>
Received: from _my_isp_ (_my_isp_ [xxx.xxx.xxx.xxx])
by _my_isp_ (xxx) with ESMTP id j0AGoFni097652;
Mon, 10 Jan 2005 11:50:16 -0500 (EST)
(envelope-from sup...@paypal.com)
Received: from 169.134.broadband2.iol.cz (169.134.broadband2.iol.cz [83.208.134.169])
by _my_isp_ (xxx) with SMTP id j0AGnTLG086778;
Mon, 10 Jan 2005 11:49:45 -0500 (EST)
(envelope-from sup...@paypal.com)
X-Message-Info: OBT/zh+163+uii/K+980/423071964394
Received: from smtp-raindrop....@paypal.com ([83.208.134.169]) by mb91-o47...@paypal.com with Microsoft SMTPSVC(5.0.6005.0701);
Mon, 10 Jan 2005 14:44:15 -0400
X-Message-Info: SXRMA+%ND_LC_CHAR[1-3]15+isz+ZPQ+8/0374892217
Received: (qmail 52701 invoked by uid 268); Mon, 10 Jan 2005 23:46:15 +0500
Date: Mon, 10 Jan 2005 20:39:15 +0200
Message-Id: <8415454106.75305@support@paypal.com>
From: PayPal Team <sup...@paypal.com>
To: <xxx>
Subject: PayPal® Account Review Department
xxxMIME-Version: 1.0 (produced by christopherhued 9.7)
xxxContent-Type: multipart/alternative;
xxx boundary="--10765760193825967271"
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on _my_isp_
X-Spam-DCC: dmv.com: _my_isp_ 1181; Body=1 Fuz1=many Fuz2=many
X-Spam-Report:
* 0.1 HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us
* 1.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
* [cf: 100]
* 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.1 HTML_MESSAGE BODY: HTML included in message
* 0.1 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
* 1.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 2.9 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
* 1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
* 0.4 INCH_HTML_NO_HEADBODY INCH CUSTOM RULE message has html tag but not body or head.
X-Spam-Status: Yes, hits=7.2 required=6.0 tests=DCC_CHECK,
HTML_FONTCOLOR_UNKNOWN,HTML_MESSAGE,INCH_HTML_NO_HEADBODY,
MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,NORMAL_HTTP_TO_IP,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=no version=2.63
X-Spam-Level: *******
X-IMAPbase: 1105391354 41
X-UIDL: Zdk"!#`o!!Aoo!!n^+"!
Status: RO
X-Status:
X-Keywords:
X-UID: 7
xxx----10765760193825967271
xxxContent-Type: text/html;
xxx charset="iso-1533-3"
xxxContent-Transfer-Encoding: quoted-printable
xxxContent-Description: touchy squatted bent
[HTML]
[font face=3D"Verdana"]
[A href=3D"http://www.paypal.com/cgi-bin/webscr?cmd=3D_home"]
[IMG src=3D"http://images.paypal.com/en_US/i/logo/email_logo.gif" border=3D=
0 width=3D"255" height=3D"35"][/A]
[/font]
[P][FONT face=3DVerdana size=3D"2"]Dear valued [STRONG][SPAN style=3D=
"FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana"]PayPal[SUP]=AE[/SUP]=
[/SPAN] [/STRONG]member: [BR][/FONT]
[font face=3D"Verdana"][BR][/font][/P]
[P][FONT face=3DVerdana size=3D2][SPAN style=3D"FONT-SIZE: 10pt; COLOR: bl=
ack; FONT-FAMILY: Verdana"][STRONG]PayPal[SUP]=AE[/SUP][/STRONG][/SPAN][/F=
ONT][tt][font face=3D"Verdana"]
is committed to maintaining a safe environment for its community of [br]
buyers and sellers. To protect the security of your account, PayPal employ=
s [br]
some of the most advanced security systems in the world and our anti-fraud=
[br]
teams regularly screen the PayPal system for unusual activity. [br]
[br]
Recently, our Account Review Team identified some unusual activity in your=
[br]
account. In accordance with PayPal's User Agreement and to ensure that you=
r [br]
account has not been compromised, access to your account was limited. Your=
[br]
account access will remain limited until this issue has been resolved. Thi=
s [br]
is a fraud prevention measure meant to ensure that your account is not [br=
]
compromised. [br]
[br]
In order to secure your account and quickly restore full access, we may [b=
r]
require some specific information from you for the following reason: [br]
[br]
We would like to ensure that your account was not accessed by an [br]
unauthorized third party. Because protecting the security of your account =
[br]
is our primary concern, we have limited access to sensitive PayPal account=
[br]
features. We understand that this may be an inconvenience but please [br]
understand that this temporary limitation is for your protection. [br]
[br]
Case ID Number: PP-040-187-541 [br]
[br]
We encourage you to log in and restore full access as soon as possible. [b=
r]
Should access to your account remain limited for an extended period of [br=
]
time, it may result in further limitations on the use of your account.[/fo=
nt][/tt][FONT face=3DVerdana size=3D2] =
&n=
bsp; &nbs=
p; [/P]
[P]However, failure to restore your records will result in account suspens=
ion. [BR]Please update your records on or before [FONT colo=
r=3Dred][STRONG]January
14, 2005[/STRONG].[/FONT] [BR][BR]Once you have updated your account =
records, your [SPAN style=3D"FONT-SIZE: 10pt; COLOR: black; FONT-FAMI=
LY: Verdana"][STRONG style=3D"font-weight: 400"]PayPal[/STRONG][/SPAN] ses=
sion will not be [BR]interrupted and will continue as normal. [/P]
[P]To update your [strong style=3D"font-weight: 400"]
Paypal[/strong] records click on the following link: [BR][A href=3D"h=
ttp://140.112.38.49/verify/Verify.html" target=3D_self]https://www.paypal.=
com/cgi-bin/webscr?cmd=3D_login-run[/A][/P]
[P] [/P]
[/FONT][FONT face=3DVerdana]
[P align=3D"left"][tt][font face=3D"Verdana"]Thank you for your prompt att=
ention to this matter.
Please understand that [br]
this is a security measure meant to help protect you and your account. We =
[br]
apologize for any inconvenience. [br]
[br]
[br]
Sincerely, [br]
[/font][/tt][/FONT][FONT face=3DVerdana size=3D2][FONT face=3DVerdana]
[SPAN style=3D"COLOR: black; FONT-FAMILY: Verdana"][STRONG]PayPal[SUP]=AE[=
/SUP][/STRONG][/SPAN][/FONT]
Account Review Department[tt][font face=3D"Verdana"][br]
[br]
[br]
[br]
PayPal Email ID PP522 [FONT face=3DVerdana size=3D2] [br]
[/FONT]
[/font][/tt][/FONT][FONT face=3DVerdana size=3D2][FONT face=3DVerdana size=
=3D2] &nb=
sp;  =
; [/P]
[P]Accounts Management As outlined in our User Agreement, [SPAN style=3D"F=
ONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana"]
[STRONG style=3D"font-weight: 400"]PayPal[/STRONG][/SPAN] will [BR]pe=
riodically send you information about site changes and enhancements. [/P]
[P]Visit our Privacy Policy and User Agreement if you have any questions.&=
nbsp;[BR][A href=3D"http://www.paypal.com/cgi-bin/webscr?cmd=3Dp/gen/ua/po=
licy_privacy-outside"]http://www.paypal.com/cgi-bin/webscr?cmd=3Dp/gen/ua/=
policy_privacy-outside[/A][/P]
[P] [/P][/FORM][/FONT][/FONT][/BODY][/HTML]
xxx----10765760193825967271--
--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators. All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.
For a copy of the guidelines to this group, see:
<URL:http://www.killfile.org/~tskirvin/nana/>
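
Added example, not part of the original posting: a mail-filter style check for the link trick reported above, where the anchor text shows a paypal.com URL while the href goes to a bare IP address (the NORMAL_HTTP_TO_IP hit in the SpamAssassin report). The names SAMPLE, AnchorCollector and find_deceptive_links are illustrative, and the input is assumed to be quoted-printable with angle brackets swapped for square brackets, as in the post.

```python
import ipaddress
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the link paragraph from the report plus one benign anchor.
SAMPLE = (
    b'[P]To update your records click on the following link: [BR][A href=3D"h=\n'
    b'ttp://140.112.38.49/verify/Verify.html" target=3D_self]https://www.paypal.=\n'
    b'com/cgi-bin/webscr?cmd=3D_login-run[/A][/P]\n'
    b'[A href=3D"http://www.paypal.com/cgi-bin/webscr?cmd=3D_home"]PayPal[/A]\n'
)

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(raw_qp):
    """Return anchors whose target is a bare IP or differs from the URL shown."""
    html = quopri.decodestring(raw_qp).decode("latin-1")
    html = html.replace("[", "<").replace("]", ">")  # undo the post's defanging
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = (urlsplit(href).hostname or "").lower()
        shown = (urlsplit(text).hostname or "").lower() if "://" in text else ""
        try:
            ipaddress.ip_address(real)
            reasons = ["href-is-ip"]
        except ValueError:
            reasons = []
        if shown and shown != real:
            reasons.append("text-host-mismatch")
        if reasons:
            findings.append({"real": real, "shown": shown, "reasons": reasons})
    return findings
```

Only the first anchor in the sample is flagged; the logo-style link to www.paypal.com with plain text "PayPal" passes both checks.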