attention paypal members

ed1k

Yesterday I got an e-mail that looks like it is from PayPal. Since I don't have a PayPal account, I decided someone wants to open an account in my name, so I just ignored the mail. Today I got another e-mail, and now that I have spent a couple of minutes on it, it turned out to be fraudulent mail. If someone knows the PayPal authority to forward the information I put below to, please do.


e-mail received from 207.172.196.196

Header:
Return-Path: <service@intl.paypal.com>
Delivery-Date: Fri, 09 Jun 2006 12:30:55 +0200
Received-SPF: softfail (mxeu21: transitioning domain of intl.paypal.com does not
designate 207.172.196.196 as permitted sender) client-ip=207.172.196.196;
envelope-from=service@intl.paypal.com; helo=192.168.0.2;
Received: from [207.172.196.196] (helo=192.168.0.2)
Message-ID: <RTXABOATAPUSXECNQEDOZFU@aol.com>
From: "PayPal" <service@intl.paypal.com>
Reply-To: "PayPal" <service@intl.paypal.com>
Subject: Notification of Security Measures
Date: Fri, 09 Jun 2006 13:30:54 +0200
X-Mailer: Microsoft Outlook Express 5.00.2615.200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--8000495088998475"

Whois:
207-172-196-196.c3-0.upd-ubr14.trpr-upd.pa.cable.rcn.com (207.172.196.196)

207.172.0.0 - 207.172.255.255
RCN Corporation
196 Van Buren St.
Herndon, VA
US

RCN Corporation
noc@rcn.com
+1-888-972-6622

HTML part (there is no text body):
-begin----------------------------------------
Dear PayPal Member,

During our regularly schedule account maintenance and verification we have detected a slight error in your billing information on file with PayPal.
This might be due to either following reasons:

- A recent change in your personal information (i.e. change of address)
- Submitting invalid information during the initial sign up process.
- An inability to accurately verify your selected option of payment due an internal error within our processors.

Therefore your account has been temporarily suspended. We need you to confirm your identity in order to regain full privileges of your account.

If this is not completed by June 15, 2006, we reserve the right to terminate all privileges of your account indefinitly, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.
To confirm your identity please follow the link below:

https://www.paypal.com/cgi-bin/webscr?cmd=_login-run


Thank you for your patience in this matter.

PayPal - Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.
-end----------------------------------------
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
actually refers to

Fraudulent server (currently up and running):
http://69-11-1-251.yktn.hsdb.sasknet.sk.ca
port:81
path:/update/index.php?MfcISAPICommand=SignInFPP

Whois:
69-11-1-251.yktn.hsdb.sasknet.sk.ca (69.11.1.251)

69.11.1.0 - 69.11.1.255
SaskTel Wide Area Network Engineering Center
2121 Sask. Dr F9
Regina, SK
CA

WIDE AREA NETWORK ENGINEERING CENTER
wanec@sasktel.sk.ca
+1-306-777-3238
 
Not only is the email fraudulent - a virus or spying program could have snuck into your computer. I would run my virus scan as soon as possible and refrain from opening them in the future. Good luck. 🙂
 
It could also be a good idea to turn off the HTML 'auto link' feature on that specific post or edit it to remove the links so that no nervous finger reading this thread clicks on one of those by mistake 😉

And remember to be careful out there guys.

Oscar
 
Good thinking Oscar. I have taken the liberty of doing that.

Kim

taffer said:
It could also be a good idea to turn off the HTML 'auto link' feature on that specific post or edit it to remove the links so that no nervous finger reading this thread clicks on one of those by mistake 😉

And remember to be careful out there guys.

Oscar
 
Yes, Kaspersky antivirus has complained about a possible trojan virus in that HTML message, although it was valid HTML, except that the text pointed to one http address and the href actually pointed to a different place.
I posted the message as plain text; that www.paypal link isn't valid and doesn't harvest payment information. The URL of the fraudulent page @sasknet.sk.ca, which looks like the PayPal site and provides a web form to enter all account information, I broke down into 3 sections: server, port and path. I did that exactly to avoid someone here mistakenly clicking on the link.
Don't worry about me, as I don't have any HTML features in my mailer 🙂 Could someone please forward or send a link to this discussion to spoof@paypal; I am not going to send any emails into PayPal lands (sorry, I have enough spam and don't want marketing offers from PayPal too).
Eduard.
 
I get these types of emails all the time. They look like they're from paypal, ebay, my bank, some other bank, etc. You can pretty much always count on being able to forward to spoof@whoever and get a response telling you whether the email is phish or not. When in doubt, delete. But I always forward as well as I really want the institution in question to have as much info as possible in the hope that they can do something about these crooks.
 
I've seen this kind of phishing too, but this time for e-bay accounts. Same type of text in those, just e-bay instead of Paypal.
 
I got this in my email today. I'm guessing it's phishing, and I'm not clicking the link. I've sent a forward to paypal too.

Just posting it here so we know what to look for.


""Dear valued PayPal® member:


It has come to our attention that your PayPal® account information needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.


However, failure to update your records will result in account suspension.
Please update your records on or before June 29, 2006.

Once you have updated your account records, your PayPal® session will not be
interrupted and will continue as normal.

To update your PayPal® records click on the following link:
w.paypal.com/cgi-bin/webscr?cmd=_login-run


Thank You.
PayPal® UPDATE TEAM

Accounts Management As outlined in our User Agreement, PayPal® will
periodically send you information about site changes and enhancements.

Visit our Privacy Policy and User Agreement if you have any questions.

w.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside""
 
Paypal always uses your real name in their emails. If it says "Dear valued customer" or anything other than your name, you know it's a phishing email. I believe it's the same with eBay.


Bob
 