Bitcoin Forum
December 07, 2016, 04:33:01 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: [WARNING] Email phishing - paypal  (Read 1052 times)
BTCrow
Sr. Member
****
Offline Offline

Activity: 243


BTCrow.com


View Profile WWW
July 16, 2011, 09:06:32 PM
 #1

Hi, just wasn't sure if I should post this here because this is not really related to bitcoins but I post it anyway cause I received this email with a email address I only use for bitcoin: info@btcrow.com

Here's the headers of email with some informations removed and replaced with (removed.fqdn.server):
------------------------------------------------ CUT -----------------------------------------------------
Return-Path: <Claire@fia-net.fr>
X-Original-To: info@btcrow.com
Delivered-To: info@btcrow.com
Received: from WIN-5D8CTVHD5GU (unknown [78.129.222.148])
       by removed.fqdn.server (Postfix) with ESMTP id 199E035425C
       for <info@btcrow.com>; Sat, 16 Jul 2011 12:50:33 -0500 (CDT)
Received: from User ([127.0.0.1]) by WIN-5D8CTVHD5GU with Microsoft SMTPSVC(7.5.7600.16385);
        Sat, 16 Jul 2011 18:50:06 +0200
Reply-To: <service@orange.fr>
From: "service@paypal.fr"<Claire@fia-net.fr>
Subject: Notification de conexion a votre compte PayPal .
Date: Sat, 16 Jul 2011 18:50:06 +0200
MIME-Version: 1.0
Content-Type: text/html;
       charset="Windows-1250"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <WIN-5D8CTVHD5GUcQAB00000064@WIN-5D8CTVHD5GU>
X-OriginalArrivalTime: 16 Jul 2011 16:50:06.0179 (UTC) FILETIME=[6A44C330:01CC43D8]
To: undisclosed-recipients:;

------------------------------------------------ CUT -----------------------------------------------------

This first (before seing the message sound spammy and fishy to me cause of return-path and reply-to fields.

here's the screenshot of the message now:



Also there's the source of the html email mesage:

------------------------------------------------ CUT -----------------------------------------------------

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>

<body>
<img src="http://playaussierules.com/wp-admin/images/form.png" width="598" height="699" border="0" usemap="#formpaypal" />
<map name="formpaypal" id="formpaypal">
  <area shape="rect" coords="61,484,496,498" href="http://esroros.net/url/url" alt="Accés au formulaire" />
  <area shape="rect" coords="251,629,276,641" href="https://www.paypal.com/fr/cgi-bin/helpweb?cmd=_help" alt="Aide" />
  <area shape="rect" coords="285,629,368,641" href="" alt="Espace Sécurité" />
</map>
</body>
</html>

------------------------------------------------ CUT -----------------------------------------------------

As you can see the scam image and the form once you click the link are hosted (It's a guess but I'm sure at 99%) on a hacked website.

The 2 url are:
hxxp://esroros.net/url/url
and
hxxp://playaussierules.com/wp-admin/images/form.png

They use the area shape trick to fake a real link from paypal but once you click it it redirect to their fake form to steal you paypal credentials.

Just want to warn people here who aren't familiar with that type of messages to never ever complete it.
Paypal / Visa / MasterCard / Your Bank, anything which is relative to keeping safe your money won't ever send you message asking you your password and login informations.

If you have doubt when receiving this kinda email, Always verify with the genuine website in order to be sure that nobody want to phish you.

If you have questions it will be a pleasure to answer them here.

EDIT: I'll shortly send email to owner of esroros.net and playaussierules.com in order to let them know that their websites have been hacked.

1481128381
Hero Member
*
Offline Offline

Posts: 1481128381

View Profile Personal Message (Offline)

Ignore
1481128381
Reply with quote  #2

1481128381
Report to moderator
1481128381
Hero Member
*
Offline Offline

Posts: 1481128381

View Profile Personal Message (Offline)

Ignore
1481128381
Reply with quote  #2

1481128381
Report to moderator
Make sure you back up your wallet regularly! With Bitcoin-Qt, it needs to be backed up at least as often as every 100 transactions (both sends and receipts) or new addresses.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481128381
Hero Member
*
Offline Offline

Posts: 1481128381

View Profile Personal Message (Offline)

Ignore
1481128381
Reply with quote  #2

1481128381
Report to moderator
1481128381
Hero Member
*
Offline Offline

Posts: 1481128381

View Profile Personal Message (Offline)

Ignore
1481128381
Reply with quote  #2

1481128381
Report to moderator
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
July 16, 2011, 09:16:20 PM
 #2

That's what you get for posting your email in plain text on public forums Wink and you just did it again when you posted the headers from that email. The crawlers will be happy Cheesy
Haven't seen that mail before, so, thank you for the heads up  Grin

BTCrow
Sr. Member
****
Offline Offline

Activity: 243


BTCrow.com


View Profile WWW
July 16, 2011, 09:25:07 PM
 #3

That's what you get for posting your email in plain text on public forums Wink and you just did it again when you posted the headers from that email. The crawlers will be happy Cheesy
Haven't seen that mail before, so, thank you for the heads up  Grin

LOL, you catch me ^^'. Yes I've intentionally post my email address in plain text in public forum for making it more easy to people who are not aware of obfuscated emails.

It's maybe an attack directed for me only, I had a lot of hacking attempt for btcrow.com and this was maybe their last hope to screw me.

will let you know if I receive more email like that.

error
Hero Member
*****
Offline Offline

Activity: 574



View Profile
July 16, 2011, 09:31:39 PM
 #4

$ whois 78.129.222.148
[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '78.129.222.0 - 78.129.222.255'

inetnum:        78.129.222.0 - 78.129.222.255
netname:        ThrustVPS_8
descr:          Thrust::VPS
country:        GB
admin-c:        RF5058-RIPE
tech-c:         RF5058-RIPE
status:         ASSIGNED PA
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE # Filtered

person:         Russell Foster
address:        530 W. 6th Street
address:        Suite 901
address:        Los Angeles
address:        CA 90014
address:        US
phone:          +447919373537
abuse-mailbox:  abuse@thrustvps.com
nic-hdl:        RF5058-RIPE
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE # Filtered

% Information related to '78.129.128.0/17AS20860'

route:           78.129.128.0/17
descr:           Iomart Hosting Ltd
origin:          AS20860
mnt-by:          GB10488-RIPE-MNT
mnt-by:          RAPIDSWITCH-MNT
source:          RIPE # Filtered

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
ctoon6
Sr. Member
****
Offline Offline

Activity: 350



View Profile
July 16, 2011, 09:38:52 PM
 #5

never click links in emails you don't except. 100% of phishing resolved thank you have a nice day  Grin

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!