Holy shit is this ever evil... (e-mail scam)

[Dewey_Cheatem_Undhow]

So I get the following e-mail today. I’m including headers, and indicating where form entry areas and “submit” buttons are via text since I obviously can’t replicate the HTML here:

Header:

X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
Received: from compuserve.com ([66.168.152.195]) by mc10-f9.bay6.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
Tue, 10 Jun 2003 14:14:38 -0700
Date: Tue, 10 Jun 2003 20:20:30 +0000
From: Information-update <Information-update@paypal.com>
Subject: Dear PayPal Customer
To: REDACTED
References: <0ADJ22H8J2JKJ7A6@hotmail.com>
In-Reply-To: <0ADJ22H8J2JKJ7A6@hotmail.com>
Message-ID: <GB6LA19L89383LA1@paypal.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Return-Path: Information-update@paypal.com
X-OriginalArrivalTime: 10 Jun 2003 21:14:38.0296 (UTC) FILETIME=[4CE11D80:01C32F95]

Obviously, this asshat isn’t with PayPal.

Body:

{PAYPAL LOGO}

Dear PayPal Customer

This e-mail is the notification of recent innovations taken by PayPal to detect inactive customers and non-functioning mailboxes.

The inactive customers are subject to restriction and removal in the next 3 months.

Please confirm your email address and credit card information by logging in to your PayPal account using the form below:

Email Address: { }
Password: { }
Full Name: { }
Credit Card #: { }
Exp.Date(mm/yyyy): { }
ATM PIN (For Bank Verification) #: { }

{LOG IN}

This notification expires September 31, 2003

Thanks for using PayPal!

This PayPal notification was sent to your mailbox. Your PayPal account is set up to receive the PayPal Periodical newsletter and product updates when you create your account. To modify your notification preferences and unsubscribe, go to https://www.paypal.com/PREFS-NOTI and log in to your account. Changes to your preferences may take several days to be reflected in our mailings. Replies to this email will not be processed.

Copyright© 2002 PayPal Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners.

Mercifully, I’ve never used PayPal, so I knew this was faux right from the start (and I wouldn’t send my CC# over email anyway, even in the guise of a web form – I’d visit the PayPal website first). But I’ve gotta admit, this thing looked pretty convincing at first glance. I can see plenty of people getting duped.

And it pisses me off plenty because I’ve got to warn my parents (because they might fall for it), which only makes them more afraid to use the computer. Grrrrrrr.

I guess this isn’t so much a rant as a PSA. Emailers beware.

[Freyr]

Interesting. I got the same thing a few weeks back. Report 'em to the real PayPal!

[Diogenes_the_Cynic]

I can’t believe they asked for a bank PIN. That takes balls.

[Dewey_Cheatem_Undhow]

Here’s the address in the <form> field:

<form action=“http://www.paypal.com010011100011100001110001101
0011100011100001110001101001110001110000111000110100
1110001110000111000110100111000111000011100011010011
1000111000011100011@davidpage.port5.com/01001110001110
0001110001111011100011101010101100111001.php” method=“get”>

Note I inserted carriage returns to keep the page from being too wide.

Can anyone extrapolate that into something meaningful? And does anyone have any ideas on what to do with it?

[SweetLucy]

These type of scams keep being perpetuated by the blockheads who do fall for them and eagerly give away this kind of information. “There’s a sucker born every minute!”

[Reeder]

*Originally posted by Diogenes the Cynic *
**I can’t believe they asked for a bank PIN. That takes balls. **

Lots of ignorant people online. That’s our job…to educate them.

I used to get a lot of the same on AOL asking for my information. I just report them and move on.

[hansel]

Everything before the @ sign in the url of the form is ignored by the browser and the server, so davidpage.port5.com is the domain the form is being submitted to, and 01001…1001.php is the file. I just tried entering the domain into my browser, and got a non-reponse.

Here’s the whois for port5.com:

Portland Communications Ltd (PORT48-DOM)
3 Lyon Road
Walton On Thames, Surrey KT12 3PU
UK

Domain Name: PORT5.COM

Administrative Contact, Technical Contact:
Clements, Justin (JC31547) sales@PORTLAND.CO.UK
Portland Communications Ltd
3 Lyon Road
Walton On Thames, Surrey KT12 3PU
UK
01932 227234 fax: 01932 252569

Record expires on 02-Aug-2003.
Record created on 15-May-2002.
Database last updated on 10-Jun-2003 20:12:28 EDT.

Domain servers in listed order:

NS0.PORTLAND.CO.UK 212.15.64.83
NS1.PORTLAND.CO.UK 212.15.64.25

Going to www.port5.com, they’re a webhosting company that offers free subdomains (e.g., davidpage.port5.com), and you can sign up from anywhere in the world, so it’s no help locating him. So, your scammer obtains a free subdomain there, locates his php script to forward your info somewhere else, and collects his illicit booty.

You can complain to port5, and should. They’ll shut down his account (unless they’re in on it).

[Hauky]

Well, anything between the ‘http://’ and the ‘@’ in the beginning, without getting into the details, is totally ignored by the browser in this instance. Thus, the info is going to http://davidpage.port5.com, whatever that is. The numbers are obviously binary, but I’m not sure whether a browser would interpret those or leave them the way they are. In any case, upon trying it, it appears that the host has taken down the page, as it’s a 404 error now.

[Scarlett67]

*Originally posted by Dewey Cheatem Undhow *
This notification expires September 31, 2003.

Um . . . what?

I’m sad to say that I bet they’ll get a lot of suckers.

[andros]

You’re right. It’s a metric fuckton of nasty. Barb Mikkelson wrote a piece on it over to Snopes:

PayPal Scam

Has screenshots of the actual message for yas.

[andros]

Sorry, meant to say she wrote a piece on a similar scam.

[MaddyStrut]

I got the same damn message. Like the OP, I had to warn my parents about it–and they would have responded too! I love my parents dearly and think they’re normally quite intelligent. But damn they can be naive about things!

[cmkeller]

I’ve been plagued by a similar thing with eBay.

I suspected the thing was a scam. To be on the safe side, I deleted the e-mail and “updated” my info directly on eBay’s web site. But it’s good to finally see confirmation of the scam. (I was hoping eBay would have some announcement warning about it…they really should!) Now I don’t need to bother even with that step.

[dwyr]

I received something very similar about earthlink. They asked for everything but a DNA sample.

Jerkwads.

[dwyr]

I received something very similar about earthlink. They asked for everything but a DNA sample. If that wasn’t enough of a tip-off the abhorrent spelling sure was.

Jerkwads.

[dwyr]

Not that I’m all that bright either…

[lezlers]

I recieved something like that from AOL not so long ago. Unfortunately for them my bank account had just been drafted so I knew my info. was current. I reported them. It makes me so angry that there are people out there like that, their karma is gonna kick them in the ass so hard. I just wish I could be there to see it. :mad:

[insomnia4AM]

I got something like this yesterday, The subject line was “Pay-Pal Confirmation needed!” and then when I opened it, out of sheer curiousity, it pretty much asked me for everything short of my first born! I don’t have Pay-Pal. I got a few things like that from AOL too. I don’t have AOL either. sigh

[Ale]

dwyr, start to panic, seems that THEY got a DNA sample after all, your clone is posting in the boards too!!! :eek:

[Reuben]

I just phoned the number in the whois entry (the company Portland is just down the road from my office) and verified that this particular case has been definitely dealt with.

I’d be interested to know what they actually do, except boot the miscreant off their servers. Do they even report the scam, plus all the info on that customer they have, to the police?