Who is Scamming Me?

8 replies
davintosh
Joined: Dec 20 2003
Posts: 554

I got one of the infamous e-mail scams this morning purporting to be from PayPal, saying that my account was being shut down because of suspicious activity unless I cleared up the issue by November 28 (I read this on the 29th.)

The message looked legitimate, with the same formatting and images that every other PayPal message has, and even gave a link to click that would get me to the login page. I'd heard of this before, so I was a little cautious and used Safari to go to www.paypal.com and logged in as usual. Everything seemed fine with my account.

So I went back to the message and checked the links that were there; looked legitimate enough. The helpful link to get me to the login page read thusly in the body of the message:
To update your Paypal records click on the following link: 
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

But if I control-clicked on the link and copied it instead, I got
http:// 2 2 2 . 2 3 5 . 6 8 . 3 3 /paypal/index.htm (I've inserted spaces to make the link unusable.)

Tricky ba$tard$!

So, one question and one warning. First the warning: Beware of ANYTHING that comes unrequested from PayPal -- or any other online service -- that wants you to click a link to login and make changes to your account. If you do need to make changes to your account, use your normal procedures to get there and avoid using any provided links in messages.

Now the question: Using the e-mail message and the IP address in the link, how do I track down this scumbag? Not that I can or will or even want to do anything to avenge this transgression, but I'd just like to know.

Thanks!

__________________

Obsolescence is just a lack of imagination.
Visit my blog: davintosh.com -- it may not be up to date, and it may not be exciting, but you can say you've been there.
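The trick described above, link text that shows one address while the href goes somewhere else, can be checked mechanically before anything is clicked. This is an added example, not code from the thread; the sample message is constructed here and reuses the IP quoted in the post.

```python
# Added example (not from the thread): flag <a> tags whose visible text names one host while the href goes elsewhere or to a raw IP.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Hostname of a URL, or of bare text such as 'www.paypal.com/cgi-bin/...'."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def find_deceptive_links(html):
    """Return [(visible_text, href, reason)] for anchors that deserve a second look."""
    p = _Anchors()
    p.feed(html)
    out = []
    for href, text in p.links:
        real = host_of(href)
        shown = host_of(text) if URL_LIKE.match(text) else ""
        if IPV4.fullmatch(real):
            out.append((text, href, "href is a bare IP address"))
        elif shown and shown != real:
            out.append((text, href, "text says %s but href goes to %s" % (shown, real)))
    return out

# Constructed sample mirroring the post: the link text shows paypal.com, the href does not.
SAMPLE = ('<p>To update your Paypal records click on the following link:</p>'
          '<a href="http://222.235.68.33/paypal/index.htm">'
          'https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a> '
          '<a href="https://www.paypal.com/help">Help Center</a>')
```

Running `find_deceptive_links(SAMPLE)` flags only the first anchor; the second, whose text is not an address at all, passes.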

doug-doug the mighty
Joined: Apr 14 2004
Posts: 1355
INVOCATION...

I SUMMON THE DARK FORCES OF THE REVEREND TO SMITE THINE ENEMIES!!!

Reverend Darkness should be along shortly to assist in this matter.
--DDTM

__________________

--DDTM ('Fritter Critter' since Apr 26 2004 - 18:16)

'If it ain't broke, take it apart anyways. If you can't take it apart, break it so that you can fix it.'

G4from128k
Joined: Dec 20 2003
Posts: 71
It's worse and more widespread than you think

Welcome to the wonderful world of phishing and you are the fish.

My wife and I get nearly 400 spams per day (it's what you get when your email address has been posted on the web for a decade). Many of these spams (yes, the filters get most of them, but I still need to review the junk folder for miscategorized important messages) contain these types of messages. Every day, we receive a nice collection of these faked e-mails claiming to be from all manner of banks, credit card companies, mortgage lenders, eBay, PayPal, Amazon, you name it.

The good news is that you are not being singled out for this. I bet we got that same faked PayPal message and we don't even use PayPal. The bad news is that you will get more and more of these nasty little messages. You did the right thing by checking your account using YOUR URL, not the e-mail's URL. Phishers are getting craftier and craftier at making the message look legitimate but somehow waylay the URL and login.

eeun
Joined: Dec 19 2003
Posts: 1891
the ebay one...

I was very impressed with one I got some time ago, supposedly from ebay, saying the same stuff about closing account unless blah, blah, blah.

My wife and I have a policy of opening all unknown emails as source under Outlook, so no bots, etc. will be able to do their thing. We're fortunate enough that we've kept the main email address off the spam lists for the most part, and may receive one or two per day.

This ebay one had many links going to ebay servers, but way down in the code were variables to input ebay user name and password. Up until that point, I'd entertained the possibility that it was legitimate, though I still wouldn't have replied to it via email and would have gone to ebay directly. The input variable names they used were f**k and sh*t. Not too clever.

I read online that the Nigerian prince email scam has been modified, so it's now Arafat's wife looking to get her millions out of the country. 'Course it also refers to Yasser Arafat as 'ailing' as opposed to 'very dead'.

__________________

"Give a man a fire, he's warm for a day. Set a man on fire and he's warm for the rest of his life."
(Terry Pratchett)

Dr. Webster
Joined: Dec 19 2003
Posts: 1687
Speaking of Nigerian scammers

Speaking of Nigerian scammers...

I find it funny that people are getting back at them by messing with them. Here's my favorite example (1.14MB PDF, the original post is long gone):

http://www.applefritter.com/filestore2/download/5447

__________________

Applefritter Admin

BDub
Joined: Dec 20 2003
Posts: 706
That link isn't working at the moment

That link isn't working at the moment. When they do, try to figure out which hosting company is hosting it, and email them. It's a bit of a bother, but as one of the tech support folks who gets to take down accounts like this (Most are legit accounts who used some insanely stupid password or emailed it straight to a scammer) I can tell you that taking down phishing scams is fun.

Plus, you'll save other people trouble.

But mostly it's just fun. Warm fuzzy feeling and all that.

-BDub

__________________

"There is going to be a future: let's chase it until it kills us." - Spider Robinson

davintosh
Joined: Dec 20 2003
Posts: 554
But how...

...do you track down that sort of thing? I've tried using whois in the Network Utility, but I'm pretty clueless as to what else to use to track down where the server is, who's running it, and who's hosting it.

__________________

Obsolescence is just a lack of imagination.
Visit my blog: davintosh.com -- it may not be up to date, and it may not be exciting, but you can say you've been there.

Reverend Darkness
Joined: Dec 20 2003
Posts: 502
Good News, Bad News....

The good news is that you didn't fall for a phishing scam. The bad news is that you will probably not be able to track down the person that phished...

You can use ARIN (arin.net) to do a whois, but that points you to APNIC (Asia Pacific Network Info Center - apnic.net). Using APNIC just tells you that the page was located on a server in Korea that is owned by Hanaro Telecom (hanaro.com), one of Asia's largest ISPs.

That's about as far as I'm gonna take it right now. I'm on vacation this week to celebrate the particular time of year in which the Sunshine Angel, my darling wife, was brought into existence. I'll look into it more when I go back to work and have some free time.

__________________

When I see lightning, you know it always brings me down... because it's free, and it's me who's lost and never found.

BDub
Joined: Dec 20 2003
Posts: 706
Generally, if you go to Terminal

Generally, if you go to Terminal (my preferred way at least) and punch in "whois 216.239.57.99", you'll get a slew of results. My example here uses Google.

You should get an admin contact of some sort. Depending on where, you may also get a company.

In this case, your scammer is from a dynamic range of IPs in Asia. The admin contact is listed as

Hanaro.com seems to be a 'your digital telecom partner', or as I see it, an ISP.

Now you have a contact email for your scammer's ISP. Note that they're running this off of a dynamic IP, probably DSL, so it changes every day or two and it's hard to track. A good thing to do at this point would be to send an email. Something like this:

Quote:

Hello -

My name is (Name) and I recently received a fake Paypal email, with one of the links leading to an IP address in your range. The address was (IP Address). I believe that this address was used for fraud, and request that the account which was assigned (IP Address) at (Time of Email, remember, it may have been reassigned since then, and you don't want to cause trouble for someone who doesn't deserve it) be suspended immediately.

Thank you for your time. If you need to contact me for further information, I'm available at (Email address). I would also appreciate an email to that address so that I know this issue has been looked at.

-(Name)
(Email address)

A lot of smaller places, especially in North America and Europe, will jump when they see this kind of thing, because legal fees are scary. This guy's in Asia, which could make it harder, but at least you know you tried. Asking for a followup email, and being short and to the point, is a good way to go. If you don't get a followup in a week or so, try again. If the ISP is ignoring you, there's not much you can do short of blocking their IP range, but that's not a good solution.

-BDub

__________________

"There is going to be a future: let's chase it until it kills us." - Spider Robinson