[LINK] PayPal phishing scam - is this a domain hijack
Kim Holburn
kim.holburn at gmail.com
Fri Jan 19 20:47:10 AEDT 2007
On 2007/Jan/18, at 11:26 PM, Rick Welykochy wrote:
> I just ran across the following PayPal phishing attempt. What I find
> interesting here is the domain name being used for the scam:
>
> . . . . .
>
> Payment Details
> Transaction ID: 7KX030868E9630138
> Item Price: $294.00 USD
> Total: $294.00 USD
> Order: Order #51
> Business: elisom at netvision.net
>
>
> If You Haven't Authorize This Charge , Click The Link Below To
> Cancel The Payment And Get Full Refumd
> Login Here To Cancel The Payment
> LINK: http://www1.paypal.com.cgi-bin.verify-v50lxsecuressl.activate.onlineservice.accounts.raisedtotheground.com/webscrcmd=update/signinDQAAAG4AAADZ3XcFqGpyVexZXlp42ILckL16sz8USkBXj2StlL2lq74RZi-ZN0FOU7by8X_Jh2pn3AEECKZo8TFq0WyJ8IIGI0qgARKV_pf27Z0dSdpkBPWqiQQcY0sJJ8txaw-ifZToKQeM9OX1D4LVt4HygyKB.html
There are many, many ways to obfuscate the URL. This is one of the
simpler ones. You could use tinyurl. You can use URLs like these
and combine different schemes, but most people don't even check the
host name, and why should they have to?
http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
http://209.85.135.103
http://www.paypal.com@www.google.com
There's also language encoding of DNS names, like Unicode, UTF, etc.
Then there's the link text if it's an html email.
I've seen phishing sites that almost immediately redirect you through
to the real website with a special bit of javascript added in.
> . . . . .
>
> The 2LD domain has a website: http://raisedtotheground.com/
>
> So, how did the scammers attach the 3rd- and higher-level domain name
> components to this 2LD? Would they have to attack the servers that host
> the domain (the "authority") and modify the zone files?
They probably bought the domain name with a prepaid "credit" card for
the purpose. If they have a compromised Windows box with a dynamic
DNS system they can call it whatever they like. If it's a
compromised Windows DNS server .... In this case it looks like a
wildcard entry.
It's easier and cheaper to become a domain registrar these days isn't
it?
$ host www1.paypal.com.cgi-bin.verify-v50lxsecuressl.activate.onlineservice.accounts.raisedtotheground.com NS41.BITESITES.COM
Using domain server:
Name: NS41.BITESITES.COM
Address: 216.66.19.100#53
Aliases:

www1.paypal.com.cgi-bin.verify-v50lxsecuressl.activate.onlineservice.accounts.raisedtotheground.com has address 216.66.19.100
> The Registry database contains ONLY .COM, .NET, .EDU domains and
> Registrars.
> =-=-=-=
>
> Registration Service Provided By: NameCheap.com
> Contact: support at NameCheap.com
> Visit: http://www.namecheap.com/
>
> Domain name: raisedtotheground.com
>
> Registrant Contact:
> Screen Hosting
> Nick Hurley (nick at screenhosting.co.uk)
> +1.000000
> Fax: +1.5555555555
> Screen Hosting
> 37 Plov.
> Kingswinford, WE DY68XU
> GB
>
> Administrative Contact:
> Screen Hosting
> Nick Hurley (nick at screenhosting.co.uk)
> +1.000000
> Fax: +1.5555555555
> Screen Hosting
> 37 Plov.
> Kingswinford, WE DY68XU
> GB
>
> Technical Contact:
> Screen Hosting
> Nick Hurley (nick at screenhosting.co.uk)
> +1.000000
> Fax: +1.5555555555
> Screen Hosting
> 37 Plov.
> Kingswinford, WE DY68XU
> GB
>
> Status: Locked
>
> Name Servers:
> NS41.BITESITES.COM
> NS42.BITESITES.COM
>
> Creation date: 20 Mar 2006 15:34:33
> Expiration date: 20 Mar 2007 15:34:33
> BTW: The reason the URL is so long is to further fool people who might
> try to glimpse the URL in their email readers. I believe some email
> clients cannot display such a long URL in its entirety.
>
>
> cheers
> rickw
>
>
> --
> _________________________________
> Rick Welykochy || Praxis Services
>
> Those who are too smart to engage in politics are punished by being
> governed by those who are dumber.
> -- Plato
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3342707610
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
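The obfuscation tricks Kim lists (a percent-encoded host, a bare IP literal, a brand name in the userinfo before "@", IDN/Unicode labels) and the trick Rick's sample uses (a PayPal-looking chain of labels hanging off an unrelated registrable domain, which a wildcard record makes trivial) can all be unpicked mechanically with the standard library. The following is an added Python example, not code from either poster; the BRANDS list, the two-label approximation of the registrable domain, and the punycode sample hostname are assumptions, while the other sample URLs are the ones quoted in the thread.

```python
"""Unpick the URL-obfuscation tricks from the thread and report the host a
browser would actually connect to.  Added example, not from the original
post.  Assumptions: the BRANDS list, the two-label approximation of the
registrable domain, and the constructed IDN sample in SAMPLES."""
import ipaddress
from urllib.parse import urlsplit, unquote

BRANDS = ("paypal", "google")           # assumption: brands worth flagging

# Hostname from the phishing URL quoted in the thread.
PHISH_HOST = ("www1.paypal.com.cgi-bin.verify-v50lxsecuressl.activate."
              "onlineservice.accounts.raisedtotheground.com")
SAMPLES = [
    "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D",
    "http://209.85.135.103",
    "http://www.paypal.com@www.google.com",
    "http://" + PHISH_HOST + "/webscrcmd=update/signin.html",  # path shortened
    "http://www.xn--80ak6aa92e.com/",   # constructed IDN sample, not from the thread
]


def registrable_domain(host):
    """Last two labels.  Simplification: a real check needs the Public
    Suffix List so that e.g. screenhosting.co.uk is not reduced to co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse(url):
    """Return {'host', 'registrable', 'findings'}; findings is a list of
    (tag, detail) tuples, empty for a plain URL."""
    parts = urlsplit(url)
    findings = []

    # Userinfo trick: everything before '@' is a username the browser
    # ignores for routing; the real host is what follows.
    if parts.username is not None:
        findings.append(("userinfo",
                         "text before '@' is %r, not the host" % parts.username))

    host = parts.hostname or ""          # already lower-cased, port stripped

    # Percent-encoded host: %77%77%77%2E... is just www.google.com
    decoded = unquote(host)
    if decoded != host:
        findings.append(("percent-encoded", "decodes to %s" % decoded))
        host = decoded
    host = host.rstrip(".")

    # Bare IP literal: no name at all to compare against a brand.
    try:
        ipaddress.ip_address(host)
        findings.append(("ip-literal", host))
        return {"host": host, "registrable": host, "findings": findings}
    except ValueError:
        pass

    # IDN / punycode labels (the "Unicode, UTF" encodings mentioned above).
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = host
        findings.append(("idn", "displays as %s" % shown))

    # Brand name buried in the left-hand labels of someone else's domain,
    # e.g. www1.paypal.com.<...>.raisedtotheground.com
    reg = registrable_domain(host)
    left = host[:-len(reg)] if host.endswith("." + reg) else ""
    for brand in BRANDS:
        if brand in left and brand not in reg:
            findings.append(("brand-in-subdomain",
                             "%s appears under %s" % (brand, reg)))

    return {"host": host, "registrable": reg, "findings": findings}


def tags(url):
    """Convenience: just the finding tags for a URL."""
    return [t for t, _ in analyse(url)["findings"]]


if __name__ == "__main__":
    for u in SAMPLES:
        r = analyse(u)
        print(u)
        print("  connects to:", r["host"], "(registrable:", r["registrable"] + ")")
        for tag, detail in r["findings"]:
            print("  -", tag + ":", detail)
```

The registrable-domain split is the weak point: without the Public Suffix List a name such as screenhosting.co.uk collapses to co.uk, so any production use should swap that function for a PSL lookup. The wildcard Kim infers is also easy to confirm with the same tool he used: resolve a random label under the 2LD against the listed name server, e.g. host <randomlabel>.raisedtotheground.com NS41.BITESITES.COM, and if it returns the same 216.66.19.100 then every left-hand label chain will resolve without anyone touching the zone file for each phish.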