January 07, 2006
Scam Alert, pt 4,762
I got one of them emails from "PayPal" telling me that my billing information needed to be updated. I assumed that this came from a scambot, but I wanted to be sure.
Usually, if you copy the hyperlink they provide and paste it into wordpad, wordpad will reveal the true address. F'rinstance, if the email reads Just click on https://paypal.com/whatever to update your info, the full text in wordpad might read Just click on http://paypal.com/whatever http://scamalot.revisited.nigeria/UN/oilforfood to update your info, or something,
So, I copy/pasted and got this:
You can also confirm your Billing Information by logging into your PayPal account at https://www.paypal.com/us/ [-http://70.29.248.58/us/cgi_bin/Account_Verification/-].Thank you for using PayPal!
The PayPal Team
Hmmm. It definately redirects to something seemingly unPayPal-ish, but I still had a lingering doubt. Well, not really. But I was still curious about where this might take me, so I clicked.
I got to the fake PayPal page and was intent on entering my email address (which they obviously already have) and a fake password. If my fake password got me any further than this was obviously a scam.
But then I noticed the helpful option, offered as a highlighted link, next to the password field. "Forgot your password?". Hmmm. If this really is PayPal then they'd email my password. I clicked. Did they inform me that my password was en route? Nope. I got a message that began:
To retrieve your password, enter any email address you have added to your PayPal account. We will email instructions on resetting your password.
Uuuh... oookay. So I backed out of there and entered a fake password. I chose slowboat. I was gonna try whaddayatakemefor? but I figured that might have set off an alarm.
I got right in.
Then they, of course, wanted me to give them all of my personal information including name, address, phone numbers and, get this, credit card information including "credit card PIN".
BWAHAHAHAHAHAHAHAHAH! ! ! ! !
There's gotta be a way to ping their IP with a dirty bomb and fuse their 'puter's circuitry, no? No?! Damm. I know their IP is 70.29.248.58 but I have no idea what to do with that information.
Ah, well. Be careful out there, folks.
UPDATE: Got another one, from a different IP:
We recently noticed more attempts to log in to your PayPal account from a foreign IP address.If you accessed your account while traveling, the unusual log in attempts may have been initiated by you. However, if you are the rightfull [sic] holder of the account, please visit Paypal as soon as possible to verify your identity:
Click here to verify your account [That link wont copy/paste for some reason -- TS]
You can also verify your account by logging into your PayPal account at https://www.paypal.com/us/ [http://rrcs-70-61-27-11.central.biz.rr.com/webscrr/index.php].
If you choose to ignore our request, you leave us no choise [sic] but to temporaly [sic] suspend your account.We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time.
Thank you for using PayPal!
The PayPal Team
And just 'cuz I'm curious:
Results of IP Tracking for 70.29.248.58
IP address: 70.29.248.58
Hostname: CPE00045a812ddf-CM001217cbc29c.cpe.net.cable.rogers.com
ISP: Rogers Cable Inc.
Country: United States
Results of IP Tracking for 70.61.27.11
IP address: 70.61.27.11
Hostname: rrcs-70-61-27-11.central.biz.rr.com
ISP: Road Runner-Commercial
Country: United States
UPDATE II: Just got the exact same one again. Road Runner again, but from a different IP:
Results of IP Tracking for 24.193.97.35
IP address: 24.193.97.35
Hostname: cpe-24-193-97-35.nyc.res.rr.com
ISP: Road Runner
Country: United States
**sigh**
UPDATE III: Rogers Cable is a cable and phone service provider, and Road Runner does kinda the same thing.
UPDATE IV: More on IP 24.193.97.35:
OrgName: Road Runner
OrgID: RRNY
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: USReferralServer: rwhois://ipmt.rr.com:4321
NetRange: 24.193.0.0 - 24.193.255.255
CIDR: 24.193.0.0/16
NetName: ROADRUNNER-NYC-3
NetHandle: NET-24-193-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.RR.COM
NameServer: DNS2.RR.COM
NameServer: DNS3.RR.COM
NameServer: DNS4.RR.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-04-05
Updated: 2002-11-25RTechHandle: ZS30-ARIN
RTechName: ServiceCo LLC
RTechPhone: +1-703-345-3416
RTechEmail: abuse@rr.comOrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-345-3416
OrgAbuseEmail: abuse@rr.comOrgTechHandle: IPTEC-ARIN
OrgTechName: IP Tech
OrgTechPhone: +1-703-345-3416
OrgTechEmail: abuse@rr.com# ARIN WHOIS database, last updated 2006-01-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
My guess is that all of this information is pretty useless. I searched my own IP address and it led me to believe that I was somewhere in Colorado. Pheh.
Posted by Tuning Spork at January 7, 2006 08:37 PM | TrackBack
The simple rule if you get on of those emails is to sign on to the service manually or using your previously stored bookmark.
Posted by: Stephen Macklin at January 8, 2006 09:09 AMI would forward your post to paypal. Damn where's ther a good hacker when you need one!
Posted by: michele at January 8, 2006 11:18 AMI always forward those (with full email headers) to spoof@paypal.com. I don't know if they ever catch the guys, but it makes me feel better....
Posted by: Susie at January 10, 2006 07:42 PMApparently if you forward such scam letters to something like spoof@paypal.com or same for ebay, they will do the research for you and tell you if it is a scam or not.
I chose to close my account rather than worry.
Posted by: Edith at January 13, 2006 12:48 PM