How to look up Paypal phish?

[davidnix71]

I got a phish last week, but didn't see it until today because my isp put it in a junk mail folder.  Oddly enough, it's still up. Here's the link http://203.144.227.202/.www.paypal.com/index.htm


The body of the phish/cross-site script is:

              Notification of Limited Account Access                                                                          

         
          As part of our security measures, we regularly screen activity in the PayPal system. We recently noticed the following issue on your account:
         
         Unusual account activity has made it necessary to limit sensitive account            features until additional verification information can be collected.

          We have            been notified that            a card associated with your account has been reported as lost or            stolen, or that there were additional problems with your card.           Case ID Number: PP-071-362-996            
           

                                                                                                             Click here to verify  your account                                                                                  
         
     
          Please understand that this is a  security measure intended to help protect you and your account. We apologize for  any inconvenience.  
         
                     
          If you choose to ignore our request, you leave us no choice but to           temporary suspend your account.
         
          Sincerely,
PayPal Account Review Department.  

                                                                                                            Please do not reply to this e-mail. Mail               sent to this address cannot be answered. For assistance,               log in to your  PayPal account and choose the "Help" link in               the footer of any page.
             
               To receive email notifications in plain text instead of HTML,               update your preferences               here.                                                        

How would I go about finding the true owner of this Apache server? If you go to http://203.144.227.202:80 you get the test page.

All the links on the page lead to the real Paypal. The following text is the page source, but I don't see anything useful.

http://www.w3.org/TR/html4/loose.dtd">







https://www.paypalobjects.com/css/xptLite.css">
https://www.paypalobjects.com/css/xptlive.css">

https://www.paypalobjects.com/en_US/i/icon/pp_favicon_x.ico">

https://www.paypalobjects.com/en_US/i/logo/paypal_logo.gif" alt="">

https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run">Sign Up | https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">Log In | https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_home">Help

	http://www.paypal.com/cgi-bin/webscr?cmd=_home">https://www.paypalobjects.com/en_US/i/nav/P_on_welcome.gif" border="0" alt="Welcome"> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1"> http://www.paypal.com/cgi-bin/webscr?cmd=p/ema/index-outside">https://www.paypalobjects.com/en_US/i/nav/P_off_send_money.gif" border="0" alt="Send Money"> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1"> http://www.paypal.com/cgi-bin/webscr?cmd=p/req/index-outside">https://www.paypalobjects.com/en_US/i/nav/P_off_request_money.gif" border="0" alt="Request Money"> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1"> http://www.paypal.com/cgi-bin/webscr?cmd=_merchant-outside">https://www.paypalobjects.com/en_US/i/nav/P_off_merchant_tools.gif" border="0" alt="Merchant Tools"> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1"> http://www.paypal.com/cgi-bin/webscr?cmd=_auction-outside">https://www.paypalobjects.com/en_US/i/nav/P_off_auction_tools.gif" border="0" alt="Auction Tools">
https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1">

Member Log-In https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="15" height="1">https://www.paypal.com/cgi-bin/webscr?cmd=_email-recovery">Forgot your email address? https://www.paypal.com/cgi-bin/webscr?cmd=_forgot-password','popupWin','scrollbars,resizable,toolbar,status,width=640,height=700,left=50,top=50');return false;">Forgot your password? https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="12" height="1"> Email Address https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="11" height="1"> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="12" height="1"> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1"> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="12" height="1"> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1"> Password https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="11" height="1"> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="12" height="1"> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="12" height="1"> Join PayPal Today Now Over 100 million accounts https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1"> https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run">https://www.paypalobjects.com/en_US/i/btn/btn_SignUpNow.gif" border="0" alt=""> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="10" height="1"> https://www.paypalobjects.com/en_US/i/header/spot_globe.gif" border="0" alt=""> https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="5" height="1"> Learn more about https://www.paypal.com/cgi-bin/webscr?cmd=_display-approved-signup-countries-outside">PayPal Worldwide https://www.paypal.com/cgi-bin/webscr?cmd=xpt/bizui/WhatIsPayPal-outside">http://www.paypalobjects.com/en_US/i/header/hpPrivacy_shopwoutsharing_563x115.jpg" border="0" alt=""> https://www.paypalobjects.com/en_US/i/header/spot_buyerTab_178x29.gif" border="0" alt="">https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="11" height="1">https://www.paypalobjects.com/en_US/i/header/spot_sellMerchTab_374x29.gif" border="0" alt=""> https://www.paypal.com/cgi-bin/webscr?cmd=p/ema/index-outside">Send money to anyone with an email address in 55 countries. PayPal is https://www.paypal.com/cgi-bin/webscr?cmd=p/auc/new_ebay_buyer_intro-outside">free to use. Your information is kept https://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside">secure. Learn about https://www.paypal.com/cgi-bin/webscr?cmd=p/auc/new_ebay_buyer_intro-outside">sending payments through PayPal. https://www.paypal.com/cgi-bin/webscr?cmd=_auction-outside">Free eBay tools make selling easier. PayPal works hard to help https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/bizui/BusinessSecurity-outside">protect sellers. PayPal simplifies https://www.paypal.com/cgi-bin/webscr?cmd=p/ship/center-outside">shipping and tracking. https://www.paypal.com/cgi-bin/webscr?cmd=xpt/auctions/PaypalPreferred-outside">Earn cashback with PayPal Preferred Rewards. https://www.paypal.com/cgi-bin/webscr?cmd=_merchant-outside">Accept credit cards on your website using PayPal. https://www.paypal.com/cgi-bin/webscr?cmd=_merchant-outside">Compare our solutions to merchant accounts and gateways https://www.paypal.com/cgi-bin/webscr?cmd=_display-receiving-fees-outside">Low fees make PayPal the affordable choice. Learn why PayPal is https://www.paypal.com/cgi-bin/webscr?cmd=_merchant-outside">good for business. https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/bizui/EnterpriseSolutions-outside">http://www.paypalobjects.com/en_US/i/bnr/bnr_mobile_183x50.gif" border="0" alt="">

http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/about-outside">About | http://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/general/PayPalAccountTypes-outside">Accounts | http://www.paypal.com/cgi-bin/webscr?cmd=_display-fees-outside">Fees | http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside">Privacy | http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside">Security Center | http://www.paypal.com/cgi-bin/webscr?cmd=_contact_us">Contact Us | http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/ua-outside">User Agreement | http://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/intro-outside">Developers | https://www.paypal.com/cgi-bin/webscr?cmd=p/gen/jobs-outside">Jobs | http://www.paypal.com/cgi-bin/webscr?cmd=_bc-signup">Buyer Credit | http://www.paypal.com/cgi-bin/webscr?cmd=_web-referrals-mrb-outside">Referrals | http://www.paypal.com/cgi-bin/webscr?cmd=_shop-ext">Shops | https://www.paypal.com/cgi-bin/webscr?cmd=_batch-payment-overview-outside">Mass Pay http://www.ebay.com/">PayPal, an eBay company Copyright � 1999-2006 PayPal. All rights reserved. http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/fdic-outside">Information about FDIC pass-through insurance

http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/privacy-outside">https://www.paypalobjects.com/en_US/i/logo/trustmark.gif" alt="Truste">http://www.bbbonline.org/cks.asp?id=20111061155818568">https://www.paypalobjects.com/en_US/i/logo/bbbmark.gif" alt="Better Business Bureau Online">

Other than reporting this as a phish/cross-site scripting, is there any 'fun' we can have with this bottom-dwelling filter feeder?

[mobrien_12]

http://www.phishfighting.com

Non profit site.

How many phishing  emails did you receive today?:  I receive 5-10 emails a day that are supposedly from real companies like Paypal

[mobrien_12]

[mobrien@hariel ~]$ nslookup 203.144.227.202
Server:         68.87.85.98
Address:        68.87.85.98#53

Non-authoritative answer:
202.227.144.203.in-addr.arpa    name = 203-144-227-202.static.asianet.co.th.

Authoritative answers can be found from:

Using WHOIS at http://www.samspade.org

whois

Whois:
@whois.

Server Used: [ whois.apnic.net ]

203.144.227.202 = [ 203-144-227-202.static.asianet.co.th ]
 
  inetnum:      203.144.128.0 - 203.144.255.255
  netname:      ASIAINFO-TH
  descr:        Internet Service Provider
  country:      TH
  admin-c:       WP1-AP
  tech-c:        SK1-AP
  mnt-by:        APNIC-HM
  mnt-lower:     MAINT-ASIAINFO-AP
  remarks:      Aggregated small blocks to be one /17.
  changed:      [email protected]
 20000403
  changed:      [email protected]
 20021216
  status:       ALLOCATED PORTABLE
  source:       APNIC
  person:       Wongchai Piyakavarnich
  nic-hdl:       WP1-AP
  e-mail:       [email protected]
 
  address:      14th 27 th  floor  Fortune Town
  address:      1 Ratchadaphisek Road  Din Daeng
  address:      Bangkok 10400
  phone:        662-6411800
  fax-no:       662-6421557
  country:      TH
  changed:      [email protected]
 20060412
  mnt-by:        MAINT-ASIANET-AP
  source:       APNIC
  person:       Supachai Kitwongpak
  address:      17 th floor  Fortune House
  address:      1 Ratchadaphisek Road  Din Daeng
  address:      Bangkok 10320
  country:      TH
  phone:        66-2-641-1800
  fax-no:       66-2-642-1540
  e-mail:       [email protected]
 
  nic-hdl:       SK1-AP
  mnt-by:        MAINT-ASIAINFO-AP
  changed:      [email protected]
 19990210
  source:       APNIC

This is Bangkok.  They probably don't care.

[worker201]

Considering the sorts of exotic things(people) you can reportedly buy in Bangkok, it isn't surprising that you can also buy phish/spam service.

[piratePenguin]

It took a whole 3 clicks to report it.

<3 Firefox 2

I hope it's not long before Google check it.

[pofnlice]

I got something similar once. I used http://www.whois.net/. After I found out where it came from, somewhere in California, I emailed the host with a complaint, the who is register and a copy of the email. I never heard anything back. But I never got that email again.

Now I get these stupid Your bank account has unusual activity on it, please click here and log in....but I don't have an account with that bank...Bastards....I hope a masked gunman breaks into thier shelters and shoots them in the fingers and the cock!

[obob]

!!!

i vote that bush sends the army against phishers as part of the war on terror, I can see approval ratings with 9's in them (either that, or the end of spam, either way, somebody still wins (And it isn't the phishers))

[Calum]

that would be roughly as intelligent as most of bush's other actions as commander in chief of the US army. i think they should take that office away from the us president and make a law saying only people not born in the US can hold that position.

[worker201]

that would be roughly as intelligent as most of bush's other actions as commander in chief of the US army. i think they should take that office away from the us president and make a law saying only people not born in the US can hold that position.

This just might be the most irrational and poorly considered thing you have ever said.  Whatever your intentions are, there must be some reasonable way to accomplish them.  Transferring figurehead leadership from one dickhead to another won't really solve anything.