Warning: How a scam works



Evan
12-08-2004, 11:57 AM
I received a Paypal scam e-mail this morning and I thought I would show why you should never click on a link in an e-mail.

First, this is how the e-mail appears:

http://vts.bc.ca/pics/ppfake1.jpg

But, what you see is not what you get. Hidden in the e-mail and not shown to you by Outlook Express is some simple computer code like this:


<font face="Verdana, Arial" size="2">
<a onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_verification'; return true;" href="http://www.losases.com.uy/ssl/pp/" target="_blank">
https://www.paypal.com/cgi-bin/webscr?cmd=_verification</a>
</font>

Embedded in this invisible part of the e-mail is where you actually end up. I have inserted "(break link)" so it can't be clicked on here.



http://(break link)www.losases.com.uy/ssl/pp/(break link)

This URL takes you to a perfect replica of what looks to be a Paypal page. It looks like this:

http://vts.bc.ca/pics/ppfake.jpg

I don't advise actually checking out that URL unless you use Firefox and know exactly how to set your security settings.

When you enter your personal info on that page they then have all they need to screw you over.
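
A mail filter can catch the trick shown in this post automatically. The following is an added example, not part of the original post: it parses an HTML message body and flags any link whose visible text or `onmouseover` status-bar text names a different host than the real `href`. The sample message and its `.example` domains are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample modelled on the snippet quoted in the post;
# the .example domains are reserved names, not real hosts.
SAMPLE = (
    '<a onmouseover="window.status=\'https://www.bank.example/verify\'; return true;" '
    'href="http://login.attacker.example/ssl/pp/" target="_blank">'
    'https://www.bank.example/verify</a> '
    '<a href="https://www.bank.example/help">Help centre</a>'
)

URL_RE = re.compile(r"https?://[^\s'\"<>;]+", re.I)

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, host shown to the user, host actually linked)
        self._link = None    # the <a> element currently open, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._link = {"href": a.get("href") or "", "text": "",
                          "hover": a.get("onmouseover") or ""}

    def handle_data(self, data):
        if self._link is not None:
            self._link["text"] += data

    def handle_endtag(self, tag):
        if tag != "a" or self._link is None:
            return
        link, self._link = self._link, None
        real = host(link["href"])
        shown = URL_RE.search(link["text"])       # URL printed as the link text
        if shown and host(shown.group()) != real:
            self.findings.append(("text-mismatch", host(shown.group()), real))
        hover = URL_RE.search(link["hover"]) if "window.status" in link["hover"] else None
        if hover and host(hover.group()) != real:  # fake status-bar URL
            self.findings.append(("status-bar-spoof", host(hover.group()), real))

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit(SAMPLE)` reports both findings for the first link and nothing for the second, whose text is not a URL.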

JCHannum
12-08-2004, 12:04 PM
That one and a very similar one from eBay are common. I get one every week or so. Forward them to spoof@ebay.com.

The thing that I do not understand is why they cannot be backtracked and prosecuted. Or, perhaps persecuted.

Gator
12-08-2004, 12:08 PM
Evan,
Haven't gotten this one yet but did get one similar to be "Verified" (that's what they called it).
Have seen the verified sign on eBay but eBay's address was not in the properties of the email. It also had the "Account Review" attached to it.

Thanks for the heads up.

Larry

pkastagehand
12-08-2004, 12:24 PM
I think most of those places (eBay, PayPal, etc.) tell you in their literature and emails and so forth not to use links in any unsolicited email (or any email?). Always type in the link; use the URL that you have always used (in your favorites or whatever).

That type of email is called phishing (sounds like fishing). There are many forms phishing can take. Sometimes looking for info for identity theft. Sometimes just looking for valid and active email addresses for the e-marketers.

ibewgypsie
12-08-2004, 12:47 PM
I have gotten just "that" link.

No I didn't reply.
There were sellers on there with the "check out now" on their page that took you to "their" site to enter in "your paypal account name and password". It kinda looked like PayPal too, but no lock in the lower right corner.

David.. thanks for the heads up.

jfsmith
12-08-2004, 12:57 PM
I get those many times a month, I don't use eBay or PayPal, and don't have accounts with either of them any more, but these scam mails keep coming.

Jerry

Carl
12-08-2004, 01:14 PM
Thanks Evan, I received an e-mail recently asking me to click on a link to verify my IP (MSN) account information to "prevent interruption of service". I checked on my account from the MSN homepage and found all was well, and then reported the e-mail address of the scammer to MSN.

hitnmiss
12-08-2004, 02:50 PM
Thanks Evan, great writeup.

These don't worry me too much. With 1 oz of thought I could spot 'em. What worries me is if a guy like Evan wanted to write a scam email. I'm willing to bet Evan could write one I wouldn't spot.

Elninio
12-08-2004, 05:26 PM
"The thing that I do not understand is why they cannot be backtracked and prosecuted. Or, perhaps persecuted. "


I would just shoot them, scams piss me off so much, especially when you're dealing with real money and not computer game accounts

Evan
12-08-2004, 06:19 PM
The domain that the scam URL points to is registered in Uruguay. I poked around the Uruguay registry and found out why. They do not provide WHOIS information on registrants. It is administered by Internic.uruguay. Smug little bastards, the registered URL in the scam is www dot losases dot com dot uy. "Los Ases" translates to "The Aces". It would be possible to have the domain shut down, possibly, by contacting the country service provider which is Antel.

Michael Az
12-08-2004, 09:42 PM
Nice post Evan. I got so sick of getting the "Verify your info" emails, that a couple weeks ago I clicked on their button. I wanted to tell them to "kiss my a--", I couldn't do anything without logging in which I didn't. Figure out a way for us to get a message to them!
I am running Foxfire now
Michael

Elninio
12-08-2004, 09:43 PM
I thought "los ases" translated to "the asses"

CCWKen
12-08-2004, 10:04 PM
Too bad no one here is low enough to run a DoS attack on the site.

Evan
12-08-2004, 11:51 PM
I have e-mailed (in English and Spanish) the tech department of the domain registrar Antel and informed them that the domain they have registered is running an illegal scam. We'll see if the scam page keeps working.

Thrud
12-09-2004, 01:27 AM
CCWKen:
Yeah, I forgot how to after my stroke - but I do know how to contact the FBI and CSIS when I get a live one.

Evan
I get those all the time. I always forward to spoof@ebay.com and mark as junkmail. Forwarding to spoof@ebay.com fails sometimes because the smartasses include a special .gif file that ebay.com does not have so it craps out - these I send to the internet spooks.

Tinkerer
12-09-2004, 02:04 AM
Yep I get these all the time... I set up a filter that sends them to a folder and then forward them to either spoofs@ paypal or ebay, whichever one is correct.

Thrud... if you get a failure to send... just select view message source, copy it and send it in its raw state to them.. hell, it'll save them from having to do it.

Evan.... I hope your efforts work because they can't seem to be able to do it.

I wonder how many of these are from former employees

Evan
12-09-2004, 02:12 AM
I have no illusions that shutting down this particular site will make a real difference. There is a small possibility that the registrar in Uruguay actually will take action as they are a reputable company. The scammers will have another site up and running within 48 hours. This stuff isn't new to me, I just want to make sure as much as I can that no one is taken in. But if I can throw a small monkey wrench in the scammers' plans, then I will. It isn't the first time I have done something similar and it won't be the last.

Too bad I am a nice guy. Trouble is, really effective measures are just as illegal as what they are doing.

pistonskirt
12-09-2004, 11:34 AM
Thanks Evan
As usual your advice is much appreciated.

This afternoon I received an e-mail purporting to be from eBay. I am always suspicious of such mail & the use of "informations" in the text made me even more suspicious. I never reply to or follow links from such e-mails but forward them to the spoof address at eBay. When I tried to forward this e-mail all sorts of strange things happened to my computer: Word tried to launch, several things tried to connect to the internet but these were blocked by my McAfee internet security software, I could then not close the e-mail & the communication attempts repeated continually; resorting to task manager was the only way to shut things down & re-boot. I then forwarded the e-mail before connecting and received a reply from eBay within the hour saying that the e-mail looked suspicious & they would investigate.
This certainly caused me a lot of trouble despite having comprehensive internet safety software. I wonder just how badly it could have screwed up a less well protected or indeed older computer.
Photograph of the e-mail at the following link.

http://img.photobucket.com/albums/v401/pistonskirt/ebay01.jpg

regards

Brian

Evan
12-09-2004, 12:34 PM
Update:

The scam page has been taken down.

It appears that the site hosting it was probably hacked by the scammers and the scam page replaced the regular home page. The normal home page has been put back this am. Hopefully I had something to do with it. Today, Me 1 : Scammers 0

Thrud
12-09-2004, 06:31 PM
Evan:
You is my kind of hoser!