Kitz ADSL Broadband Information

Author Topic: WARNING - Very convincing PayPal phishing scam  (Read 10323 times)

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
WARNING - Very convincing PayPal phishing scam
« on: November 22, 2007, 08:13:43 PM »

I don't normally warn about these because most of the time they are obvious if you use a bit of nous, or phishing filters will pick them up.
However I've just received what is the most convincing phishing scam that I have ever seen so far.


Anyone with a PayPal account may know that to login you use the url www.paypal.com/cgi-bin/webscr?cmd=login

This particular scam sends you to www.paypal.com.cmd-login.com/cgi-bin/

Once there you see a practical replica of the real PayPal site.  All the images and links are either hosted on or will take you to the real paypal site - aside from that one log-in button.

The trick they've used for this is to purchase the domain cmd-login.com and then host it on a server in Bulgaria to make it difficult to get the site taken down.

Looking at both sites side by side I can't tell which is which...  unless you are astute enough to notice the real domain and not be fooled by the www.paypal.com which in this case is a subdomain not the real paypal.com.

Copy of the Mail
Quote


This email confirms that Andrew Jackson has sent you 85.00 EUR with PayPal.

To complete this payment, you must accept or refuse it within 30 days by clicking here.

If you do not accept or refuse this payment within 30 days, it will be cancelled and the funds will be returned to Andrew Jackson's account.

-----------------------------------
Payment Details
-----------------------------------


Amount: 85.00 EUR

Transaction ID: 9D373306GD4453236

View the details of this transaction online

This payment is pending because it was sent in a currency in which you do not currently hold a balance.


Thank you for using PayPal!
The PayPal Team

----------------------------------------------------------------
Copyright © 1999-2007 PayPal. All rights reserved. PayPal (Europe) Limited is authorised and regulated
by the Financial Services Authority in the United Kingdom as an electronic money institution. PayPal FSA Register Number: 226056.
PayPal Email ID PP2765



[edited to make sure the urls didn't accidentally take someone where they may not want to go]
« Last Edit: November 22, 2007, 08:19:41 PM by kitz »
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
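
The hostname check described in the post above, written out as an added example (it is not part of the original post). The function names and the single-domain allow-list are assumptions made for illustration; the two sample links are the ones quoted in the post.

```python
from urllib.parse import urlsplit

# Assumption for this example: the one registrable domain we expect links to use.
TRUSTED_DOMAIN = "paypal.com"

def classify_link(url, trusted=TRUSTED_DOMAIN):
    """Return 'trusted', 'lookalike' or 'unrelated' for a link target."""
    # Links pasted from mail bodies often lack a scheme; urlsplit only
    # fills in .hostname when a scheme or a leading '//' is present.
    if "//" not in url:
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    trusted = trusted.lower()
    # Host names are owned right to left, so only a match at the END of
    # the name, on a label boundary, says who controls it.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # The trusted name appearing anywhere else (as leading labels, or
    # embedded in a longer label) is decoration, not ownership.
    brand = trusted.split(".")[0]
    if trusted in host or brand in host:
        return "lookalike"
    return "unrelated"

def lookalike_links(links, trusted=TRUSTED_DOMAIN):
    """Filter a list of link targets down to the ones that imitate `trusted`."""
    return [u for u in links if classify_link(u, trusted) == "lookalike"]

# The real login URL and the scam URL as quoted in the post.
SAMPLE_LINKS = [
    "www.paypal.com/cgi-bin/webscr?cmd=login",
    "www.paypal.com.cmd-login.com/cgi-bin/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link), link)
```
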

kitz

Re: WARNING - Very convincing PayPal phishing scam
« Reply #1 on: November 22, 2007, 08:21:34 PM »

and just as I typed that out -
I received the exact same mail to another mailbox I have. :/
Logged

Astral

  • Addicted Kitizen
  • *****
  • Posts: 6864
Re: WARNING - Very convincing PayPal phishing scam
« Reply #2 on: November 22, 2007, 08:40:40 PM »

Thanks for the warning. :)

I have to say that my spam seems to have diminished lately but I expect having said that out loud I'll be deluged! :no:
Logged

kitz

Re: WARNING - Very convincing PayPal phishing scam
« Reply #3 on: November 22, 2007, 08:50:33 PM »

I got 5 in the end on different accounts.
However I've just noticed that the site it sent you to is now either busy - or it's been pulled.

Hopefully it's the latter rather than the former.
Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43603
  • Penguins CAN fly
    • DSLstats
Re: WARNING - Very convincing PayPal phishing scam
« Reply #4 on: November 22, 2007, 09:15:47 PM »

Thanks for the warning. These things are evil, and will take in a lot of people.
Logged
  Eric

mr_chris

  • Kitizen
  • ****
  • Posts: 3774
Re: WARNING - Very convincing PayPal phishing scam
« Reply #5 on: November 22, 2007, 10:03:43 PM »

I wondered why I turned off the MS phishing filter... now I know - it says it's not a reported site. So I've reported it, see how long it takes.
Logged
Chris

kitz

Re: WARNING - Very convincing PayPal phishing scam
« Reply #6 on: November 22, 2007, 11:34:39 PM »

>> I wondered why I turned off the MS phishing filter

The McAfee site content also said clear when I checked earlier
- although I notice it's now been amended and updated to red.

It even passed the SARE (SpamAssassin Rules) test with a score of just 1.3.
Ironically getting the most points due to it being sent from a dynamic IP address.

At the time of me getting the first email everything cleared it and I could have easily been scammed.
It was only because I was very suspicious of someone sending 85 euros to my account that made me look into it further.

I also looked up the domain and iirc it was only registered less than a week ago - so it would appear to be a brand spanking new threat very cleverly done.
From the amount of mails I received then it's possible they were busy setting this up for a few days then decided to do a mass spam hoping to catch as many people out that they could before it was reported anywhere.

Even I at first glance didn't spot the slight difference between the urls..  and the site was a very good and exact replica of the official site - aside from that one login button. It certainly is by far the most convincing phishing scam I've seen before.

Let's just hope they didn't manage to fool too many people :/
Logged

jabns

  • Reg Member
  • ***
  • Posts: 247
Re: WARNING - Very convincing PayPal phishing scam
« Reply #7 on: November 23, 2007, 05:15:44 AM »

I have just got it too... to the quarantine lol.

The hamster that powers my mail server is working its little legs off since Plus Net decided to "Mess up" (to put it nicely). I left them over a year ago and am still getting all the crap coming through.

Lucky SpamAssassin flagged it ;) .

I have taken the risk of signing up to a few RBL Blacklists that are not verified and have set it to add 0.5 on to the score to limit collateral damage but still add a tad more to the risky ones.

BTW Kitz: How are old PN doing with the email side of things? I heard it was improving?

James
Logged

guest

  • Guest
Re: WARNING - Very convincing PayPal phishing scam
« Reply #8 on: November 23, 2007, 07:49:21 AM »

Unless PN actually turned the email servers permanently off I reckon the only thing they could have done was improve - hard to see how they could get worse :D
Logged

kitz

Re: WARNING - Very convincing PayPal phishing scam
« Reply #9 on: November 23, 2007, 02:18:36 PM »

The site is still up..  so last night's problems must have been due to slowness through traffic not it having been taken down as I'd hoped.

Firefox is now reporting the site as a suspected web forgery though.

>> How are old PN doing with the email side of things? I heard it was improving?

I'd moved my domain and stuff away from PN before the incident so PN don't handle "my mail" and haven't done for about a year.
I did get caught up in it though and my username account gets quite a bit of spam.  However I don't let them filter it and use MailWasher so I can see what kind of stuff is coming through.  It tends to come in fits and starts.
Most of the real crap comes through on my domain (mostly dictionary type spam) and I have a pile of MW filters set which tends to catch most of it and should auto delete it.
Logged

tuftedduck

  • Senior Kitizen
  • ******
  • Posts: 29658
  • Router Luvvin Duck
Re: WARNING - Very convincing PayPal phishing scam
« Reply #10 on: November 23, 2007, 02:53:45 PM »

I didn't get one.........................now I feel ignored and forgotten. :(
Logged

oldfogy

  • Helpful
  • Kitizen
  • *
  • Posts: 3568
  • If it ain't broke....... I'll soon fix it.
Re: WARNING - Very convincing PayPal phishing scam
« Reply #11 on: November 23, 2007, 03:01:19 PM »

Quote
I didn't get one.........................now I feel ignored and forgotten. :(

Me too...

But then again, I don't have a PayPal account.... 
Well actually I think I do, I opened one 4/5 years ago and never used it.  :lol: :angel:
Logged

Pwiggler

  • Kitizen
  • ****
  • Posts: 1542
Re: WARNING - Very convincing PayPal phishing scam
« Reply #12 on: November 23, 2007, 03:07:32 PM »

I had 1 a week or so back ..... apparently I bought an iPod off some guy in the US and PayPal was about to take 180 dollars from me the following day.  Almost at the same time I had a genuine mail from PayPal telling me that my credit card details had expired and to renew them if I wanted to make a transaction !!

I did have to look twice at it though  :(
Logged
Paul

tnp

  • Member
  • **
  • Posts: 45
Re: WARNING - Very convincing PayPal phishing scam
« Reply #13 on: November 24, 2007, 01:21:41 PM »

$ whois cmd-login.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: CMD-LOGIN.COM
   Registrar: REGISTER.COM, INC.
   Whois Server: whois.register.com
   Referral URL: http://www.register.com
   Name Server: NS1.BNMQ.COM
   Name Server: NS2.BNMQ.COM
   Status: clientTransferProhibited
   Updated Date: 23-nov-2007
   Creation Date: 15-nov-2007
   Expiration Date: 15-nov-2008

   Registrant:
      Register Internet LP
      Register Internet  LP
      Avenida do Infante 50
      Funchal, Madeira 9004-521
      PT
      Email: admin@rangermadeira.com

   Registrar Name....: REGISTER.COM, INC.
   Registrar Whois...: whois.register.com
   Registrar Homepage: www.register.com

   Domain Name: cmd-login.com

      Created on..............: Thu, Nov 15, 2007
      Expires on..............: Sat, Nov 15, 2008
      Record last updated on..: Fri, Nov 23, 2007

   Administrative Contact:
      Register Internet LP
      Register Internet  LP
      Avenida do Infante 50
      Funchal, Madeira 9004-521
      PT
      Phone: +1.2127989100
      Email: admin@rangermadeira.com

   Technical Contact:
      Registercom
      Domain Registrar
      575 8th Avenue
      New York, NY 10018
      US
      Phone: +1.9027492701
      Email: domainregistrar@register.com

   DNS Servers:

   ns1.bnmq.com
   ns2.bnmq.com


Logged

kitz

Re: WARNING - Very convincing PayPal phishing scam
« Reply #14 on: November 24, 2007, 04:28:57 PM »

hmmmm  Interesting, I did one the other night and the information was different.
I honestly can't remember now but on Thursday that was not the information that was showing then, it was somewhere like Yarmouth.

I also did a tracert to the site on Thurs and it traced to somewhere in Bulgaria
- where now it's showing as being in Atlanta.


---------------


Ooh stop - the one I did the other day is still cached.




Code:
   Registrant:
      Domain Discreet
      ATTN: cmd-login.com
      P.O. Box 278
      Yarmouth, NS B5A 4B2
      CA
      Email: ********************************@domaindiscreet.com

   Registrar Name....: REGISTER.COM, INC.
   Registrar Whois...: whois.register.com
   Registrar Homepage: www.register.com

   Domain Name: cmd-login.com

      Created on..............: Thu, Nov 15, 2007
      Expires on..............: Sat, Nov 15, 2008
      Record last updated on..: Thu, Nov 15, 2007

   Administrative Contact:
      Domain Discreet
      ATTN: cmd-login.com
      P.O. Box 278
      Yarmouth, NS B5A 4B2
      CA
      Phone: 1-902-7495331
      Email: ********************************@domaindiscreet.com

   Technical Contact:
      Domain Discreet
      ATTN: cmd-login.com
      P.O. Box 278
      Yarmouth, NS B5A 4B2
      CA
      Phone: 1-902-7495331
      Email: ********************************@domaindiscreet.com

   DNS Servers:

   ns2.games-act.com
   ns1.games-act.com


look they have changed nameservers too!

hmmm cheeky gits - that's probably why the site went down for a short while.
Possibly kicked off one and had to move?  Exceeded cheap bandwidth??   Who knows :/
   
Logged
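
The comparison made by hand in the last two posts, as an added example that is not part of the original thread: it parses trimmed copies of the two whois records quoted above, lists which fields changed between them, and computes how old the domain was on 22 November 2007, the day the first mail was reported. The function names are assumptions made for illustration, and the parser only handles the register.com layout shown in the thread.

```python
import re
from datetime import date

# Trimmed copies of the two whois records quoted in this thread.
SNAPSHOT_CACHED = """\
   Registrant:
      Domain Discreet
      Created on..............: Thu, Nov 15, 2007
      Record last updated on..: Thu, Nov 15, 2007
   DNS Servers:
   ns2.games-act.com
   ns1.games-act.com
"""
SNAPSHOT_LATER = """\
   Registrant:
      Register Internet LP
      Created on..............: Thu, Nov 15, 2007
      Record last updated on..: Fri, Nov 23, 2007
   DNS Servers:
   ns1.bnmq.com
   ns2.bnmq.com
"""
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()

def parse_whois(text):
    """Extract registrant, dates and name servers from the layout above."""
    def day(label):
        pattern = label + r"\.*: *\w+, (\w{3}) (\d{1,2}), (\d{4})"
        mon, d, y = re.search(pattern, text).groups()
        return date(int(y), MONTHS.index(mon.lower()) + 1, int(d))
    registrant = re.search(r"Registrant:\s*(.+)", text).group(1).strip()
    # Assumes "DNS Servers:" is the last section, as in the quoted records.
    servers = sorted(text.split("DNS Servers:", 1)[1].lower().split())
    return {"registrant": registrant, "created": day("Created on"),
            "updated": day("Record last updated on"), "nameservers": servers}

def changed_fields(old, new):
    """Names of the fields whose values differ between two snapshots."""
    return sorted(k for k in old if old[k] != new[k])

def age_in_days(record, seen_on):
    """Age of the domain on the day a message linking to it arrived."""
    return (seen_on - record["created"]).days

if __name__ == "__main__":
    old, new = parse_whois(SNAPSHOT_CACHED), parse_whois(SNAPSHOT_LATER)
    print("changed:", changed_fields(old, new))
    print("age when mail arrived:", age_in_days(new, date(2007, 11, 22)), "days")
```
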