The phishing attack came in the form of an email that appeared to be from PayPal. Since the title of the email stated “Please update your billing records or your account will be suspended. Thanks!", it was clearly designed to alert the victim in a way that is bound to get their attention. Contained in the body of the email was a warning that my account would expire in 12 hours unless I updated my records. Included with the message was a helpful link to http://www.paypal.com. Unfortunately, for those not paying attention, this link actually went to http://xxxxxxxxxxx.com/awstats/cgi-bin/.
We decided to follow the link because we like to keep in the loop of what the phishers are up to incase we are called by a client who is curious as to how their identity was stolen. In addition, as we tend to discover, people who use these phishing scams sometimes make mistakes and leave a trail of information that can be helpful in stopping them.
(...) This phishing attack is interesting for several reasons. First, it actually validates the user information before collecting it. Second, if the user information is valid, it grabs key pieces of data that enhance the spoofing attack to convince the reader they are really at PayPal. Third, the script supports remoting parts of the attack, which can make it much more versatile. Finally, the phisher who is using this script is getting owned as well.
It should be noted that we contacted the site owner via an email address provided by Network Solutions. We also contacted Yahoo, Google and PayPal with the relevant information and even went so far as to email the victims with a warning that their credentials were captured and that they were victims of a phishing attack. Over the several days that we monitored this site before it was shutdown, it harvested over 30 PayPal accounts. Of the victims we contacted, only a couple realized they had been a victim of a phishing attack
domingo, febrero 03, 2008
En la sección de referencia de seguridad de Informit, los autores Cyrus Peikari y Seth Fogie publican un detallado caso de pishing sobre PayPal, conveniente de archivar para aprender: