Site as a PayPal Phishing Gateway

Just got myself one of these PayPal phishing emails this morning. It was a very well-made email sent to an email address for my partner company in the Netherlands, Doede.net. In the email I was told I had to re-enter the details of my PayPal account to keep my unlimited verified status. This I could do by updating my details online.

Phishing Email

Here is the entire email text (screenshot):

[Screenshot: the PayPal phishing email]

Site behind the email

The link leads to a site imitating PayPal that asks for your password. After entering these details, you are asked to enter all your personal details as well.

Here is a curl report, using Google Chrome as the user agent:

curl -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" http://paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cvdf.alejadur.cl/wp-account.php
<META http-equiv="refresh" content="1;URL=http://paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cv27b7fr.trisupport.cl/pay/pay/reboot.php">
<html dir="rtl">
<head>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<base href="http://aol.com">
</head>
</body>

Site Redirect

That page has a meta refresh:

http://paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cv27b7fr.trisupport.cl/pay/pay/reboot.php

which leads to a URL with the same spoofed PayPal hostname prefix, this time under the domain trisupport.cl. A whois for that domain runs into an error:

whois -h geektools.com trisupport.cl
GeekTools Whois Proxy v5.0.5 Ready.
Checking access for 101.108.96.82... ok.

Checking server [nic.cl]
The GeekTools Whois Proxy has encountered an error:
Unable to connect to the specified registry nic.cl.

Please try your query again later.

The same goes for alejadur.cl. When I curled this domain I did get data. I found out it was a WordPress website. The file – wp-account.php – redirecting to trisupport.cl must be on his site.
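A defender-side way to follow this meta-refresh chain and flag the hostname trick, as an added example (not code from the post): the redirect page from the curl output above is embedded inline so nothing is fetched; the two-label registrable-domain rule and the brand-in-hostname heuristic are simplifications assumed here (a production check would consult the public suffix list).

```python
import re
from urllib.parse import urlsplit

# Redirect chain from the post: the first URL returned the meta-refresh page shown in the
# curl output (embedded here so the script runs offline; nothing is fetched).
START = ("http://paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e2636"
         "63d3faee8d43b1bb6ca6ed6aee8d43b16cvdf.alejadur.cl/wp-account.php")
CAPTURED_PAGES = {
    START: ('<META http-equiv="refresh" content="1;URL=http://paypal.com.us.cgi-bin.webscr-cmd.'
            'login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cv27b7fr.'
            'trisupport.cl/pay/pay/reboot.php">\n<html dir="rtl"><head></head></body>'),
}

# Matches <meta http-equiv="refresh" content="..."> when http-equiv precedes content.
META_REFRESH = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE | re.DOTALL)

def parse_meta_refresh(html):
    """Return the target URL of the first meta refresh in html, or None if there is none."""
    m = META_REFRESH.search(html)
    if not m:
        return None
    _delay, _, target = m.group(1).partition(";")   # "1;URL=http://..." form
    target = target.strip()
    if target.lower().startswith("url="):
        target = target[4:].strip().strip("'\"")
    return target or None

def registrable_domain(host):
    """Last two labels of the host (assumed heuristic; ignores the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_lookalike(url, brand="paypal", legit=("paypal.com",)):
    """True when the brand name sits in the hostname but the registrable domain is not the brand's."""
    host = urlsplit(url).hostname or ""
    return brand in host and registrable_domain(host) not in legit

def trace_chain(url, fetch, max_hops=5):
    """Walk meta-refresh hops (fetch(url) -> HTML or None); each hop is
    (url, registrable domain, lookalike flag), ready for a blocklist entry or an alert."""
    chain, current = [], url
    while current and len(chain) < max_hops:
        host = urlsplit(current).hostname or ""
        chain.append((current, registrable_domain(host), brand_lookalike(current)))
        html = fetch(current)
        current = parse_meta_refresh(html) if html is not None else None
    return chain
```

Run with `trace_chain(START, CAPTURED_PAGES.get)` to see both hops flagged as PayPal lookalikes on alejadur.cl and trisupport.cl.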

Google Research on site

Google is your friend, and after a brief search I found more details. Trisupport.cl (a Chilean site) – the site the fake PayPal resides on – seems to have been hacked at the beginning of this year. Not sure whether they added this phishing page as well. The phishing has already been reported to PayPal by us, and PayPal has replied:

Thanks for forwarding that suspicious-looking email. You’re right – it
was a phishing attempt, and we’re working on stopping the fraud. By
reporting the problem, you’ve made a difference!

Identity thieves try to trick you into revealing your password or other
personal information through phishing emails and fake websites. To learn
more about online safety, click “Security Center” on any PayPal webpage.

Every email counts. When you forward suspicious-looking emails to
spoof@paypal.com, you help keep yourself and others safe from identity
theft.

Your account security is very important to us, so we appreciate your
extra effort.

Thanks,

PayPal

Phishtank Mention

The site is listed on PhishTank. PhishTank is a site that keeps track of URLs used for phishing. It did get whois data for the phishing site:

Network
184.107.0.0/16 (AS32613 iWeb Technologies Inc.)
Whois
trisupport.cl:

ACE: trisupport.cl (RFC-3490, RFC-3491, RFC-3492)

CRISTIAN ALONSO SMITH SANDOVAL

Contacto Administrativo (Administrative Contact):
    Nombre      : CRISTIAN ALONSO SMITH SANDOVAL
    Organizacion: Particular

Contacto Tecnico (Technical Contact):
    Nombre      : CRISTIAN ALONSO SMITH SANDOVAL
    Organizacion: Particular

Servidores de nombre (Domain servers):
    ns1.tuhostingdns.com (184.107.248.154)
    ns2.tuhostingdns.com (184.107.248.155)

Ultima modificacion al formulario
    (Database last updated on): 06 de diciembre de 2011 (18:19:13 GMT)

Mas informacion (More information):
    http://www.nic.cl/cgi-bin/dom-CL?q=trisupport

Este mensajes esta impreso en ISO-8859-1
(This message is printed in ISO-8859-1)

Summary

Attackers try to break into websites on a daily basis, not only to add spam but also to use your site as a phishing website. That is why it is important to always keep your website updated and to use the best server security you can. Never reply to emails like these; if you did and then realized it, report it as soon as possible and change your password immediately.

Jasper Frumau

Jasper has been working with web frameworks and applications such as Laravel, Magento and his favorite CMS, WordPress, including Roots Trellis and Sage, for more than a decade. He helps customers with web design and online marketing. Services provided are web design, ecommerce, SEO and content marketing. When Jasper is not coding, marketing a website, reading about the web or dreaming about the internet of things, he plays with his son, travels or runs a few blocks.