Friday 24 April 2009

Sophistication in PayPal Phishing Scams - name and address

The content of phishing emails tends to skew to the generic, so imagine my surprise when a PayPal scam email started as "Dear CALLUM WILSON" and included my full address and postcode.


Dear CALLUM WILSON ,
PayPal Resolution Center: Your account is limited.

Why is my account access limited?

As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account:
...
- A clear copy of a recent bank statement or utility bill on which your name and address (NNN XXXXXX STREET,STIRLING,STIRLING,FK8 XXX) are clearly visible and less than 3 months old.
...
The email suggests that victims send compromising information such as copies of both sides of debit cards, passports, utility bills etc. to secure@paypalcompany.com; this is hosted on a compromised host [89.255.10.39] at a Dutch ISP. The host redirects port 80 HTTP traffic to the real PayPal.com site but has SMTP, POP3 and IMAP daemons running, suggesting tools to take in and process victims' emails sent to the domain. The server also has a copy of MySQL running, albeit locked down against out-of-domain access. The site is running Plesk [http://en.wikipedia.org/wiki/Plesk], a cPanel-like ISP hosting platform, on port 8443. Firefox is now showing the site as a forgery - but how many internet users have anti-phishing browsers?

So what is the root of this scam?
I always use unique usernames for any access to online shops - the interesting thing about my email was that whilst it had the correct name and address for my PayPal account, the email address was not correct. The data had come from http://www.brother-store.co.uk - a UK-based retailer of print stationery for the fabulous Linux-compatible Brother QL-550 that runs in our office printing labels.
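As an added example (not from the original post), one way to make the per-shop identifier habit systematic: derive each merchant's address from a keyed tag, so that the recipient address of a phishing mail can be attributed to the merchant that leaked it and a guessed or altered label is rejected. The secret, base mailbox and domain are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed placeholders: a per-user secret, the base mailbox and its domain.
SECRET = b"constructed-example-secret-do-not-reuse"
BASE_LOCAL = "callum"
DOMAIN = "example.invalid"
TAG_LEN = 8  # hex characters of the HMAC kept as the tag


def _tag(merchant: str, secret: bytes) -> str:
    return hmac.new(secret, merchant.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def merchant_alias(merchant: str, secret: bytes = SECRET) -> str:
    """Address to register with one merchant, e.g. callum+brother-store.co.uk-<tag>@...
    The keyed tag means a leaked address names its source and a guessed label fails."""
    m = merchant.lower().strip()
    return f"{BASE_LOCAL}+{m}-{_tag(m, secret)}@{DOMAIN}"


_ALIAS_RE = re.compile(
    rf"^{re.escape(BASE_LOCAL)}\+([a-z0-9.-]+)-([0-9a-f]{{{TAG_LEN}}})@{re.escape(DOMAIN)}$"
)


def attribute_leak(recipient: str, secret: bytes = SECRET):
    """Map the To: address of a phishing mail back to the merchant the alias was
    issued to; None for the bare mailbox, an unknown format or a tag that fails."""
    match = _ALIAS_RE.match(recipient.strip().lower())
    if not match:
        return None
    merchant, tag = match.groups()
    if not hmac.compare_digest(tag, _tag(merchant, secret)):
        return None
    return merchant


def attribute_many(recipients):
    """Count verified leaks per merchant over a batch of recipient addresses."""
    counts = {}
    for r in recipients:
        source = attribute_leak(r)
        if source:
            counts[source] = counts.get(source, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: two mails to a merchant alias, one to the bare mailbox, one forged tag.
    leaked = merchant_alias("brother-store.co.uk")
    sample = [leaked, leaked.upper(), f"{BASE_LOCAL}@{DOMAIN}",
              f"{BASE_LOCAL}+brother-store.co.uk-00000000@{DOMAIN}"]
    print(attribute_many(sample))  # {'brother-store.co.uk': 2}
```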

The Impulse Group Ltd (Cambridge, UK) [http://www.impulse-group.ltd.uk] run a set of affiliate sites that retail various printer supplies and share a common platform for sales enquiries and orders: http://www.enquiry-system.co.uk and http://www.secure-internet-payment.co.uk (irony not included).

Some 24 hours after the breach, some of the sites are still not functioning. I rang Impulse Group Ltd this morning and they confirmed there had been a breach and that they would inform their customers through the website: see the Impulse news site for more information.
