Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« Here We Go Again | Main | Life Threats OK in YouTube Comments »

April 25, 2007

PayPal Phisher Going the Distance

It has been a long time since I bothered to fill out the username/password fields (with bogus information, obviously) of a bogus phishing site, but I tried one today to see what the modern phisher is up to.

The "Verify Your PayPal Account" phishing email message that prompted me wasn't all that well done. There was no PayPal logo art. The date by which I had to update my records to prevent account suspension was February 10, 2007 (two-and-a-half months ago according to my calendar). The actual URL behind the "Click here to update your PayPal account information" link was to an IP address, which turned out to be yet another hijacked web site (in Australia).

Visiting any unknown web page these days is incredibly dangerous—especially with the recently revealed and as-yet-unpatched QuickTime flaw that can affect Windows and Mac users if your browser opens QuickTime to play media files (including inside IE, Firefox, and Safari). The flaw allows an attacker to take over your computer. Therefore, I first checked the target page using a non-graphical download of the content to inspect for HTML attempts at loading QuickTime content. None found. I then locked down my browser to prevent loading of plug-ins or execution of Java and JavaScript before visiting the phisher's page.

Appearing before me was the usual knock-off PayPal starting page with text fields for entry of username and password. I made up some appropriate text strings (the highly juvenile, yet highly satisfying, words "bite me" were sprinkled liberally throughout). I expected to be taken immediately to a more elaborate and equally phony page containing form fields for more personal data. Surprisingly, this phisher (or, rather, the supplier of the phishing kit) included the same (or at least plausibly similar) "Processing Login" page that PayPal's real site uses, complete with little dot animation:

Processing LoginAnimated dots image

I could see that this might convince a newbie that the site was PayPal's, even though the browser failed to show a secure connection.

Once the "processing" was completed (after a pre-ordained span of four thumb-twiddling seconds—why bother with real processing?), the site showed the page I expected. Fields included the usual names, credit card data, CVN number, ATM PIN number (always a dead giveaway that the form is being used for identity thievery), billing address, home phone number, mother's maiden name, date of birth, and even your driver's license number.

That's all the information an identity crook needs to hijack something you might treasure...you!

Posted on April 25, 2007 at 06:06 PM