Mmmm, tastes like phish!
April 1, 2004 5:20 AM

I believe this is one of those PayPal lookalike steal all your personal info pages. What are the steps one goes through to report something like this? And to whom?

Of course, in light of this thread I don't feel like doing anything about it personally, so anyone else feel like a good netizen today?
posted by banished to Computers & Internet (11 answers total)
 
It is a fake, the site is registered in Korea.

Tell PayPal:
If you think that you have received a fraudulent email (or fake website), please forward the email (or URL address) to spoof@paypal.com and then delete the email from your mailbox. Never click any links or attachments in a suspicious email.

posted by jpburns at 6:33 AM on April 1, 2004


I reported it using a webform I found on their help pages (PayPal, not a fake webform :)
posted by sebas at 9:29 AM on April 1, 2004


It's interesting that the "security test" image is actually from PayPal (and it changes slightly on reload - although the code stays the same). You'd think PayPal'd block hot-linking of those kinds of images.
posted by TimeFactor at 11:14 AM on April 1, 2004


I got the same e-mail in my mailbox. It seems most bigtime web co's don't ask for e-mail verification (except sometimes right away when you sign up) to avoid stuff like that. I just ignore them to be on the safe side.
Even if you can't hotlink an image, can't you just do some "Printscreen" action and then crop the picture accordingly? (Randomly thought of this last night, actually.)
posted by jmd82 at 11:20 AM on April 1, 2004


For some stupid reason, I clicked on that link to verify my email. What can I expect, if anything, besides just massive amounts of spam?
posted by emoeby at 12:02 PM on April 1, 2004


Wow, icky! Thanks for pointing this out. I hadn't seen anything like it before.
posted by scarabic at 1:20 PM on April 1, 2004


This sort of thing has become flavour of the month amongst the script kiddies (for eBay / PayPal accounts) and amongst larger and more organised criminal groups (online banking accounts). It's called 'phishing'. It used to happen many years ago with AOL account details. Now there's more than just a screen name at stake, more people are getting involved. It doesn't take much to produce an excellent mock-up of a web site like PayPal or an online bank. If you use some simple URL obfuscation techniques, you can make it look like the person is at the real bank web site.

I've seen some that will direct you to an IP address like the one you give, pop up a window, then immediately direct the main window to the real bank, so it looks like you're okay and that it's the real bank web site that'd produced the pop-up asking for your details. Then there are those that use fake domain names: paypalverify.com, citibankonline.com, etc.

They can be very sophisticated. But banks and other legitimate organisations will NEVER send out an email asking you to go somewhere to verify your identity. Don't do it, kids.

Report it to the bank or organisation in question (PayPal for this one). Report it to the web host of the IP address (go to coolwhois.com and do a whois lookup on the IP - like this - which tells you it's in Korea, so check with KRNIC, who tell you it's owned by ONSE with an abuse address of abuse@shinbiro.com). But I would encourage you to report it - PayPal and eBay don't seem to care much, but the banks do.

That's a complicated one as it ends up in Korea... most are from Eastern Europe, quite a few from Asia. The script kiddie ones often resolve to a broadband address on RoadRunner or Cox or somesuch.

I work in this area, hence the length of the post. If you want any more info, do mail me.
posted by humuhumu at 1:47 PM on April 1, 2004
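
The two link patterns described in the comment above (a destination that is really a bare IP address, and a lookalike domain such as paypalverify.com) can be checked mechanically before a reported link is triaged. The following is an added example, not part of the original thread; the `BRANDS` allow-list, the function names and the sample URLs (which use the documentation address 192.0.2.10) are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a hand-maintained allow-list of each brand's real domains.
BRANDS = {"paypal": {"paypal.com"}, "citibank": {"citibank.com"}}


def _as_ip(host):
    """Return an IP object if host is a dotted quad, IPv6, or a bare integer/hex."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))  # e.g. 3221225994 or 0xC000020A
    except ValueError:
        return None


def check_link(url):
    """Return the reasons a link's real destination looks suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.username is not None:
        # Text before '@' is userinfo; the browser connects to what follows it.
        reasons.append("userinfo-before-host")
    if _as_ip(host) is not None:
        reasons.append("ip-literal-host")
        return reasons
    # Simplification: last two labels; ignores multi-part suffixes like co.uk.
    registrable = ".".join(host.split(".")[-2:])
    for brand, real in BRANDS.items():
        if brand in host and registrable not in real:
            reasons.append("brand-lookalike:" + brand)
    return reasons


# Constructed sample links, not taken from the reported e-mail.
SAMPLES = [
    "https://www.paypal.com/cgi-bin/webscr",
    "http://www.paypal.com@192.0.2.10/verify",
    "http://3221225994/login",
    "http://paypalverify.com/",
    "http://paypal.com.example.net/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link) or "no findings")
```

An empty result only means none of these three checks fired; it does not show that a link is legitimate.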


Also, it can be worth checking out the IP address or domain name on Google, especially Google Groups. Doing that with this IP would have given you at least one abuse posting of the same phishing email.

But as I said, the basic rule is: don't believe any email from anyone which asks for your personal details. If you want to go to your bank or any other organisation with which you're signed up, type the domain into the address bar yourself.
posted by humuhumu at 1:51 PM on April 1, 2004


That was quick - it's gone.
posted by dg at 2:44 PM on April 1, 2004


It's still up for me.
posted by banished at 7:31 PM on April 1, 2004


Still up here.

Clicking on the link, to respond to the question from far back, doesn't do anything, although it does appear that the site does do some sanity checking on clicking submit (I tried to submit a blank form).
posted by calwatch at 11:35 PM on April 2, 2004

