I got one of the infamous e-mail scams this morning purporting to be from PayPal, saying that my account was being shut down because of suspicious activity unless I cleared up the issue by November 28 (I read this on the 29th.)
The message looked legitimate, with the same formatting and images that every other PayPal message has, and even gave a link to click that would get me to the login page. I'd heard of this before, so I was a little cautious and used Safari to go to www.paypal.com and logged in as usual. Everything seemed fine with my account.
So I went back to the message and checked the links that were there; looked legitimate enough. The helpful link to get me to the login page read thusly in the body of the message:
To update your Paypal records click on the following link:
But if I control-clicked on the link and copied it instead, I got
http:// 2 2 2 . 2 3 5 . 6 8 . 3 3 /paypal/index.htm (I've inserted spaces to make the link unusable.)
So, one question and one warning. First the warning: Beware of ANYTHING that comes unrequested from PayPal -- or any other online service -- that wants you to click a link to login and make changes to your account. If you do need to make changes to your account, use your normal procedures to get there and avoid using any provided links in messages.
Now the question: Using the e-mail message and the IP address in the link, how do I track down this scumbag? Not that I can or will or even want to do anything to avenge this transgression, but I'd just like to know.
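The tell in the message above is that the visible link text and the real href disagree, and that the real target is a bare IP address rather than a paypal.com host. Here is an added example (not from the original post) that automates that control-click check over an HTML e-mail body: it pulls every anchor, compares the displayed text to the actual target, flags raw-IP hosts, and flags any target that is not under the domain the message claims to come from. The e-mail HTML is constructed for the example, modelled on the message described; the brand domain is a parameter you supply.

```python
"""Flag suspicious links in an HTML e-mail the way a cautious reader would by
hand: does the visible text match where the link really goes?  Added example,
not code from the original thread.  The sample e-mail below is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: first link shows a PayPal URL but points at a bare IP,
# second is genuine, third uses a look-alike domain with innocuous text.
SAMPLE_EMAIL = """
<html><body>
<p>To update your Paypal records click on the following link:</p>
<a href="http://222.235.68.33/paypal/index.htm">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
<p><a href="https://www.paypal.com/">www.paypal.com</a></p>
<p><a href="https://www.paypa1.com/login">Log in to PayPal</a></p>
</body></html>
"""

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs, including text inside nested tags."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL or bare domain, or None if unparseable."""
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(host, brand_domain):
    """True if host is brand_domain itself or a subdomain of it."""
    return host == brand_domain or host.endswith("." + brand_domain)


def analyze_links(html, brand_domain):
    """Return one finding per suspicious anchor: href, visible text, reasons."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        if target is None:
            continue
        reasons = []
        if is_ip(target):
            reasons.append("target is a bare IP address")
        # Only compare hosts when the visible text itself looks like a URL.
        shown = host_of(text) if URL_LIKE.fullmatch(text) else None
        if shown and shown != target:
            reasons.append(f"visible text points at {shown}")
        if not same_site(target, brand_domain):
            reasons.append(f"target {target} is not under {brand_domain}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL, "paypal.com"):
        print(f["href"], "<-", repr(f["text"]))
        for r in f["reasons"]:
            print("   ", r)
```

Run it against the raw HTML part of a suspect message (save the source from your mail client) and pass the brand the mail claims to be from. The look-alike domain case shows why the text-versus-href comparison alone is not enough: "Log in to PayPal" is not a URL, so only the brand-domain check catches paypa1.com.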
I SUMMON THE DARK FORCES OF THE REVEREND TO SMITE THINE ENEMIES!!!
Reverend Darkness should be along shortly to assist in this matter.
Welcome to the wonderful world of phishing and you are the fish.
My wife and I get nearly 400 spams per day (it's what you get when your email address has been posted on the web for a decade). Many of these spams (yes, the filters get most of them, but I still need to review the junk folder for miscategorized important messages) contain these types of messages. Every day, we receive a nice collection of these faked e-mails claiming to be from all manner of banks, credit card companies, mortgage lenders, eBay, PayPal, Amazon, you name it.
The good news is that you are not being singled out for this. I bet we got that same faked PayPal message and we don't even use PayPal. The bad news is that you will get more and more of these nasty little messages. You did the right thing by checking your account using YOUR URL, not the e-mail's URL. Phishers are getting craftier and craftier at making the message look legitimate while somehow waylaying the URL and login.
I was very impressed with one I got some time ago, supposedly from ebay, saying the same stuff about closing account unless blah, blah, blah.
My wife and I have a policy of opening all unknown emails as source under Outlook, so no bots, etc. will be able to do their thing. We're fortunate enough that we've kept the main email address off the spam lists for the most part, and may receive one or two per day.
This ebay one had many links going to ebay servers, but way down in the code were variables to input the ebay user name and password. Up until that point, I'd entertained the possibility that it was legitimate, though I still wouldn't have replied to it via email and would have gone to ebay directly. The input variable names they used were f**k and sh*t. Not too clever.
I read online that the Nigerian prince email scam has been modified, so it's now Arafat's wife looking to get her millions out of the country. 'Course it also refers to Yasser Arafat as 'ailing' as opposed to 'very dead'.
Speaking of Nigerian scammers...
I find it funny that people are getting back at them by messing with them. Here's my favorite example (1.14MB PDF, the original post is long gone):
That link isn't working at the moment. When they do, try to figure out which hosting company is hosting it, and email them. It's a bit of a bother, but as one of the tech support folks who gets to take down accounts like this (Most are legit accounts who used some insanely stupid password or emailed it straight to a scammer) I can tell you that taking down phishing scams is fun.
Plus, you'll save other people trouble.
But mostly it's just fun. Warm fuzzy feeling and all that.
...do you track down that sort of thing? I've tried using whois in the Network Utility, but I'm pretty clueless as to what else to use to track down where the server is, who's running it, and who's hosting it.
The good news is that you didn't fall for a phishing scam. The bad news is that you will probably not be able to track down the person that phished...
You can use ARIN (arin.net) to do a whois, but that points you to APNIC (Asia Pacific Network Info Center - apnic.net). Using APNIC just tells you that the page was located on a server in Korea that is owned by Hanaro Telecom (hanaro.com), one of Asia's largest ISPs.
That's about as far as I'm gonna take it right now. I'm on vacation this week to celebrate the particular time of year in which the Sunshine Angel, my darling wife, was brought into existence. I'll look into it more when I go back to work and have some free time.
Generally, if you go to Terminal (my preferred way at least) and punch in "whois 220.127.116.11", you'll get a slew of results. My example here uses Google.
You should get an admin contact of some sort. Depending on where, you may also get a company.
In this case your scammer is from a dynamic range of IPs in Asia. The admin contact is listed as firstname.lastname@example.org
Hanaro.com seems to be a 'your digital telecom partner', or as I see it, an ISP.
Now you have a contact email for your scammer's ISP. Note that they're running this off of a dynamic IP, probably DSL, so it changes every day or two and it's hard to track. A good thing to do at this point would be to send an email. Something like this:
A lot of smaller places, especially in North America and Europe, will jump when they see this kind of thing, because legal fees are scary. This guy's in Asia, which could make it harder, but at least you know you tried. Asking for a followup email, and being short and to the point, is a good way to go. If you don't get a followup in a week or so, try again. If the ISP is ignoring you, there's not much you can do short of blocking their IP range, but that's not a good solution.
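The whois walk above (ARIN hands off to APNIC, APNIC gives you a netblock, a country and an admin contact) is worth scripting if you do it more than once. Here is an added example, not from the thread, that parses the key/value record whois returns, pulls the netblock and contact addresses, and confirms the IP you are about to complain about really falls inside that block before you fire off the complaint. The whois text is constructed in APNIC/RIPE style for the example and is not a real record for this address; the netname, handles and addresses in it are made up.

```python
"""Triage a whois record before sending an abuse report.  Added example, not
code from the original thread.  SAMPLE_WHOIS is a constructed record in the
key: value style APNIC and RIPE return; the values are invented."""
import ipaddress
import re

SAMPLE_WHOIS = """\
% [whois.apnic.net]
% Whois data copyright terms (constructed sample)

inetnum:        222.235.0.0 - 222.235.255.255
netname:        EXAMPLE-NET-KR
descr:          Example Telecom (constructed record)
country:        KR
admin-c:        EX123-AP
tech-c:         EX124-AP
status:         ALLOCATED PORTABLE
mnt-by:         MAINT-EXAMPLE
changed:        hostmaster@example.net 20041115
source:         APNIC

person:         Example Hostmaster
nic-hdl:        EX123-AP
e-mail:         abuse@example.net
address:        Seoul, Korea
phone:          +82-2-0000-0000
country:        KR
source:         APNIC
"""

FIELD = re.compile(r"^([\w-]+):\s*(.*)$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Fields that carry contact addresses across the RIRs (APNIC/RIPE use e-mail
# and abuse-mailbox; ARIN uses OrgAbuseEmail; 'changed' often leaks a mailbox).
CONTACT_KEYS = ("abuse-mailbox", "e-mail", "email", "orgabuseemail", "changed")


def parse_whois(text):
    """Collect every 'key: value' line into {key: [values...]}, skipping comments.
    Keys repeat across objects (e.g. two 'country' lines), so keep them all."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue
        m = FIELD.match(line)
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return record


def netblocks_of(record):
    """Networks described by an 'inetnum: a - b' range or 'cidr:' lines."""
    nets = []
    for rng in record.get("inetnum", []):
        if "-" in rng:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
    for cidr in record.get("cidr", []):
        for part in cidr.split(","):
            nets.append(ipaddress.ip_network(part.strip(), strict=False))
    return nets


def ip_in_blocks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


def contact_emails(record):
    found = set()
    for key in CONTACT_KEYS:
        for value in record.get(key, []):
            found.update(EMAIL.findall(value))
    return sorted(found)


def triage(ip, whois_text):
    """Everything needed for the complaint, plus a sanity check that the record
    actually covers the IP (a stale copy/paste sends the report to the wrong ISP)."""
    rec = parse_whois(whois_text)
    nets = netblocks_of(rec)
    return {
        "ip": ip,
        "netname": rec.get("netname", ["?"])[0],
        "country": rec.get("country", ["?"])[0],
        "networks": [str(n) for n in nets],
        "in_block": ip_in_blocks(ip, nets),
        "contacts": contact_emails(rec),
    }


if __name__ == "__main__":
    for k, v in triage("222.235.68.33", SAMPLE_WHOIS).items():
        print(f"{k:>9}: {v}")
```

Feed it the output of `whois <ip>` from Terminal; if `in_block` comes back False you followed a referral to the wrong registry or pasted the wrong record. Prefer an abuse-mailbox address over the admin contact when both are present.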