
How to look up Paypal phish?


davidnix71:
I got a phish last week, but didn't see it until today because my ISP put it in a junk mail folder. Oddly enough, it's still up. Here's the link: http://203.144.227.202/.www.paypal.com/index.htm


The body of the phish/cross-site script is:

Notification of Limited Account Access

As part of our security measures, we regularly screen activity in the PayPal system. We recently noticed the following issue on your account:

Unusual account activity has made it necessary to limit sensitive account features until additional verification information can be collected.

We have been notified that a card associated with your account has been reported as lost or stolen, or that there were additional problems with your card.

Case ID Number: PP-071-362-996

Click here to verify your account

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely,
PayPal Account Review Department.

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your preferences here.

How would I go about finding the true owner of this Apache server? If you go to http://203.144.227.202:80 you get the test page.

All the links on the page lead to the real Paypal. The following text is the page source, but I don't see anything useful.

PayPal - Welcome

Sign Up | Log In | Help

Member Log-In

Forgot your email address?
Forgot your password?

Email Address

Password

Join PayPal Today

Now Over
100 million accounts

Learn more about
PayPal Worldwide

Send money to anyone with an email address in 55 countries.
PayPal is free to use.
Your information is kept secure.
Learn about sending payments through PayPal.

Free eBay tools make selling easier.
PayPal works hard to help protect sellers.
PayPal simplifies shipping and tracking.
Earn cashback with PayPal Preferred Rewards.

Accept credit cards on your website using PayPal.
Compare our solutions to merchant accounts and gateways
Low fees make PayPal the affordable choice.
Learn why PayPal is good for business.

document.write('');
document.write('');
document.write('');

About | Accounts | Fees | Privacy | Security Center | Contact Us | User Agreement | Developers | Jobs | Buyer Credit | Referrals | Shops | Mass Pay
PayPal, an eBay company
Copyright © 1999-2006 PayPal. All rights reserved.
Information about FDIC pass-through insurance

Other than reporting this as a phish/cross-site scripting, is there any 'fun' we can have with this bottom-dwelling filter feeder?

mobrien_12:
http://www.phishfighting.com

Non profit site.


--- Quote ---
How many phishing emails did you receive today?: I receive 5-10 emails a day that are supposedly from real companies like Paypal
--- End quote ---

mobrien_12:

--- Quote ---
[mobrien@hariel ~]$ nslookup 203.144.227.202
Server:         68.87.85.98
Address:        68.87.85.98#53

Non-authoritative answer:
202.227.144.203.in-addr.arpa    name = 203-144-227-202.static.asianet.co.th.

Authoritative answers can be found from:


--- End quote ---


Using WHOIS at http://www.samspade.org


--- Quote ---


Server Used: [ whois.apnic.net ]

203.144.227.202 = [ 203-144-227-202.static.asianet.co.th ]

  inetnum:      203.144.128.0 - 203.144.255.255
  netname:      ASIAINFO-TH
  descr:        Internet Service Provider
  country:      TH
  admin-c:      WP1-AP
  tech-c:       SK1-AP
  mnt-by:       APNIC-HM
  mnt-lower:    MAINT-ASIAINFO-AP
  remarks:      Aggregated small blocks to be one /17.
  changed:      [email protected] 20000403
  changed:      [email protected] 20021216
  status:       ALLOCATED PORTABLE
  source:       APNIC

  person:       Wongchai Piyakavarnich
  nic-hdl:      WP1-AP
  e-mail:       [email protected]
  address:      14th 27 th  floor  Fortune Town
  address:      1 Ratchadaphisek Road  Din Daeng
  address:      Bangkok 10400
  phone:        662-6411800
  fax-no:       662-6421557
  country:      TH
  changed:      [email protected] 20060412
  mnt-by:       MAINT-ASIANET-AP
  source:       APNIC

  person:       Supachai Kitwongpak
  address:      17 th floor  Fortune House
  address:      1 Ratchadaphisek Road  Din Daeng
  address:      Bangkok 10320
  country:      TH
  phone:        66-2-641-1800
  fax-no:       66-2-642-1540
  e-mail:       [email protected]
  nic-hdl:      SK1-AP
  mnt-by:       MAINT-ASIAINFO-AP
  changed:      [email protected] 19990210
  source:       APNIC


--- End quote ---


This is Bangkok.  They probably don't care.
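
The lookup in the post above (reverse DNS name, then the regional registry's record for the address block), as an added example that is not part of the thread: it parses a WHOIS reply offline, checks that the block covers the phishing host, and resolves the `admin-c`/`tech-c` handles to the listed contacts. `parse_objects`, `summarize` and `SAMPLE_WHOIS` are names made up here, and the sample is abridged from the quoted output.

```python
import ipaddress
import re

# Constructed sample: abridged from the APNIC reply quoted above, with blank
# lines between objects as a WHOIS server sends them; e-mail lines left out.
SAMPLE_WHOIS = """\
inetnum:      203.144.128.0 - 203.144.255.255
netname:      ASIAINFO-TH
country:      TH
admin-c:      WP1-AP
tech-c:       SK1-AP

person:       Wongchai Piyakavarnich
nic-hdl:      WP1-AP

person:       Supachai Kitwongpak
nic-hdl:      SK1-AP
"""

def parse_objects(text):
    """Split RPSL-style WHOIS text into objects, each a list of (key, value)."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = []
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith(("%", "#")):
                pairs.append((key.strip().lower(), value.strip()))
        if pairs:
            objects.append(pairs)
    return objects

def summarize(ip, text):
    """Find the inetnum object covering ip and resolve its contact handles."""
    addr = ipaddress.ip_address(ip)
    objects = parse_objects(text)
    people = {dict(o).get("nic-hdl"): dict(o).get("person")
              for o in objects if o[0][0] == "person"}
    for obj in (o for o in objects if o[0][0] == "inetnum"):
        first, last = (ipaddress.ip_address(p.strip()) for p in obj[0][1].split("-"))
        if first <= addr <= last:
            f = dict(obj)
            return {
                "ptr_query": addr.reverse_pointer,  # name a reverse DNS lookup asks for
                "netname": f.get("netname"),
                "country": f.get("country"),
                "cidr": [str(n) for n in ipaddress.summarize_address_range(first, last)],
                "contacts": {r: people.get(f.get(r)) for r in ("admin-c", "tech-c")},
            }
    return None  # no object in the reply covers this address
```

The netname and contacts identify the network operator that an abuse report goes to, which is not necessarily whoever controls the web server itself.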

worker201:
Considering the sorts of exotic things(people) you can reportedly buy in Bangkok, it isn't surprising that you can also buy phish/spam service.

piratePenguin:
It took a whole 3 clicks to report it.
