View Full Version : Attempt at Paypal Hijack



ober
08-25-2004, 12:00 PM
So I just got an email from "service@paypal.com". It says "


Dear PayPal valued member,

Due to concerns, for the safety and integrity of your paypal
account we have issued this warning message.

It has come to our attention that your account information
needs to be updated due to inactive members, frauds and
spoof reports.

Please take 5-10 minutes out of your online experience and
renew your records so you will not run into any future problems
with the online services. However, failure to update your
records will result in account suspension.

Once you have updated your account records your PayPal
account service will not be interrupted and will continue as
normal.

Please follow the link below and login to your account
and renew your account information:

http://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Sincerely,
PayPal customer department!

This notification expires on the 28th of August, 2004.
Please do not reply to this e-mail. Mail sent to this address cannot
be answered. For assistance, log in to your PayPal account and
choose the "Help" link in the footer of any page.
To receive email notifications in plain text instead of HTML, update
your preferences here.

But I look at the header and see it is from this email address:
200408251706.i7PH6fVt082472@kennethwmorrison.org

And what happens when you click on the login link? It sends you here: http://ironald.org/.S/

FANTASTIC. Anyone have an email bomb handy?

anonytmouse
08-25-2004, 12:13 PM
The whois information is here (http://www.networksolutions.com/en_US/whois/registry-data.jhtml;jsessionid=V43IK1UA4YWISCWLEAMCFEY?whoistoken=0) or do a whois lookup here (http://www.networksolutions.com/en_US/whois/index.jhtml)

I strongly doubt that either the whois information or the email address is correct. You could try calling the number!

ober
08-25-2004, 12:20 PM
The phone number was to some old lady who just kept saying "hello" when I didn't say anything. Someone else came into the room and said "is there something wrong momma?". So I think that was a random number too. The email address is bunk.

Salem
08-25-2004, 12:27 PM
You could go to the spoof site and create lots and lots of spoof entries which will at least slow them up for a while ;)

A few million scripted entries posted via an anonymous relay or two should make them think twice about pulling this stunt again

ober
08-25-2004, 12:41 PM
I've input about 20 manually so far... anyone have a quick mock-up of an automated version? They want the name on my credit card? "Feds R Coming" ;) Billing Address... my state? Prison. ;)

I need a way to do it faster! C'mon people... go to the link... put a bunch of fake info in! They don't do a very good job of checking it! It's fun :D

ober
08-25-2004, 12:43 PM
Did you know I was from the Azerbaijan Republic? Neither did I!

holden
08-25-2004, 12:50 PM
Hmm this is too interesting....I googled just a little and this is what I found:

First of all, the whois owner for ironald.org is Ronald DeCarufel. I found some posts on a real estate message board from that name, somebody from Charlotte NC which matches the whois information. I also found some 19 year old female from Charlotte NC named Katrina DeCarufel who apparently is a runner: http://www.doitsports.com/newresults3/client/49562_56054_2004.htm. You could try (704) 504-8941 and ask for Katrina or Ronald....

So I'd try the phone number and ask for Katrina or Ronald. If you can get ronald, tell him you are from Paypal management or something, and say Paypal has sued him for Internet Fraud and unauthorized transfer of e-funds. Just think of something that would scare him HAH! I don't wanna pay for long distance on the phone otherwise I would try...anyone from around there or don't care about long distance calls?

holden
08-25-2004, 01:00 PM
OOOH I've got the best idea!

If you've ever heard those celebrity sound boards at www.ebaumsworld.com they are great for prank calls! There is this one for Arnold Schwarzenegger from a movie where he played a cop, so he says things like "Hey, I'm a police officer" "I'm going to ask you a bunch of questions and I want you to answer immediately" "I'm detective John Kimble!" etc etc

That'd be great to call him up using that !!!!! And record the call too.

PS: To set it up easy and record it I tape a microphone to the earpiece of a cordless phone, for recording the call. Tape headphones to the part of the phone you speak into. Lay that on your monitor with the headphones and microphone taped on. Then take another cordless phone. Turn them on at the same time, dial, start recording on your computer. You listen with the phone in your hand, and the sound files will play out headphones into the phone and be recorded and it'll record everything.

YAHAHA!

ober
08-25-2004, 01:03 PM
Dude... I already called the number. It's bunk.

holden
08-25-2004, 01:07 PM
hmm how about the email too?

Salem
08-25-2004, 01:22 PM
Mmm, I get


Forbidden
You don't have permission to access /.S/ on this server.

Apache/1.3.27 Server at ironald.org Port 80

anonytmouse
08-25-2004, 01:28 PM
Hmm this is too interesting....I googled just a little and this is what I found:

First of all, the whois owner for ironald.org is Ronald DeCarufel. I found some posts on a real estate message board from that name, somebody from Charlotte NC which matches the whois information. I also found some 19 year old female from Charlotte NC named Katrina DeCarufel who apparently is a runner: http://www.doitsports.com/newresults3/client/49562_56054_2004.htm. You could try (704) 504-8941 and ask for Katrina or Ronald....

So I'd try the phone number and ask for Katrina or Ronald. If you can get ronald, tell him you are from Paypal management or something, and say Paypal has sued him for Internet Fraud and unauthorized transfer of e-funds. Just think of something that would scare him HAH! I don't wanna pay for long distance on the phone otherwise I would try...anyone from around there or don't care about long distance calls?


The whois information is almost certainly fake (or site hacked, see below). Let's not defame someone whose likely only "crime" is to have his name and details swiped off the web by some pathetic crook.

You can report the matter to paypal. (http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside) Surprisingly, you have to have an account and sign in to report a scam.

anonytmouse
08-25-2004, 01:31 PM
Mmm, I get


Forbidden
You don't have permission to access /.S/ on this server.

Apache/1.3.27 Server at ironald.org Port 80


Shouldn't have posted a clickable link. He must have seen this site in the referrer data and has probably read this thread. (Someone could check the IPs of the non-members who have read this thread if they were really keen).

webmaster
08-25-2004, 01:33 PM
It's also possible that the server hosting the page was hacked, and that the original owners are completely innocent. Judging from the name of the directory in the URL, it looks like they're trying to hide it from the admin of the server. In the past, I've received emails linking to apparently legitimate sites that were hijacked in that manner. After a nice email sent to their webmaster and a voicemail message left on their machine, along presumably with many others, they removed the offending site.

holden
08-25-2004, 02:06 PM
Well if anybody wants, Ronald DeCarufel's real phone number is [Mod edit: let's leave this guy alone]

From qwestdex: [Mod edit: let's leave this guy alone]

If indeed his site was hacked, why would he put in a number one digit off if it is his real domain?

I was thinking about calling this guy and conducting a survey, and eventually ask silly questions like "Have you ever committed any type of internet fraud?"

webmaster
08-25-2004, 02:52 PM
"If indeed his site was hacked, why would he put in a number one digit off if it is his real domain?"

If I were a scammer, I wouldn't go anywhere near buying a domain name with my real name, my real credit card number, or my real phone number -- and I would probably pay the extra $5 or so to hide my fake registration information through a proxy buyer. The fact that the phone number is off by one digit doesn't really convince me that he's a spammer (unless he is an incredibly foolish scammer, in which case he will likely get his due soon enough without your hassling him). I think a typo is a far more likely explanation -- especially because changing a single digit in a phone number is a really pathetic way of spoofing data.

The domain name itself is also not conducive to scamming. He could at least have chosen something a little bit less personal than I Ronald.org. I think it's far more likely he wanted to use the domain as a personal site. (Or someone wanted to make it look like his site.) The better scams I've seen tend to use legitimate-sounding domain names that one would associate with a scam. The only reason I can see for using something like ironald.org is because it was on a server left conveniently undefended.

If you really feel the need to be an upstanding citizen, you could contact his site's host (though they seem to be aware of the issue already) or the FBI, who are far better equipped to deal with scammers. I also find it unlikely that the scammer pulled the page because he was looking at the referrer logs and reached this site -- my instinct would be that the page was pulled because someone reported it to the host of ironald.org, who then changed the permissions on the directory to prevent people from being scammed while maintaining the evidence. I find this more likely than the alternative explanation because if I were a scammer, I would prefer to keep my link up and simply filter individuals referred from Cprogramming.com; why waste the leads from the advertisement, if at all possible? (If he were a true amateur, then perhaps the mention of threats to call him or submit his site to Paypal's abuse department would cause him to pull the page. Then again, I find it hard to believe a true amateur would be checking the referrer logs.)

Betazep
08-25-2004, 03:59 PM
I also find it unlikely that the scammer pulled the page because he was looking at the referrer logs and reached this site -- my instinct would be that the page was pulled because someone reported it to the host of ironald.org, who then changed the permissions on the directory to prevent people from being scammed while maintaining the evidence.

I would have to agree with you...

http://ironald.org/

This is just a hijacked site that wasn't ever used by Mr. Ronald.

itld
08-25-2004, 09:28 PM
Howdy,
But in the mean time this scam probably netted a bucket load of $$$.
The PayPal spoof I got ended up being an off shore deal, eastern Europe if I remember it.

M.R.

holden
08-25-2004, 09:45 PM
You mean there are suckers that actually fall for crap like that?

itld
08-25-2004, 09:55 PM
Howdy,
I'm just guessing...

M.R.

golfinguy4
08-25-2004, 11:49 PM
The FBI probably wouldn't do crap. They don't come into play unless you are rich/powerful or a boatload of money is involved (think 10s of thousands).

whackaxe
08-26-2004, 03:02 AM
eastern europe? forget about it, they have I am sillyI am sillyI am sillyI am silly all Internet legislation. one thing they do have is the mafia :( reminds me of an article about casinos getting racketed (newsweek?) for people DDOSing their servers.

and i may add that if everyone wasn't using windows, there wouldn't be enough computers to pull these kind of tricks. :mad:

ober
08-26-2004, 06:42 AM
You can report the matter to paypal. (http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside) Surprisingly, you have to have an account and sign in to report a scam.

You do not have to have an account to report fraud. There is a link on the front page that gives an email to a spoof paypal address that I forwarded the offending email to. They promptly responded with an automated, and then a more personal email saying they were looking into it (and probably led to the server being shut down).

>>and i may add that if everyone wasn't using windows, there wouldn't be enough computers to pull these kind of tricks.

:rolleyes: STFU.

whackaxe
08-26-2004, 08:01 AM
:rolleyes: STFU.

could you elaborate that a bit?

ober
08-26-2004, 10:54 AM
The statement you posted has no type of correlation to the problem.

whackaxe
08-26-2004, 11:07 AM
yeh, sorry. just a small rant on the evolution of cyber-crime.

Davros
08-26-2004, 04:50 PM
On a slightly different topic, I am currently being inundated with 'threatening' emails from PayPal - not hoax emails.

Sometime ago I used my PayPal business account to accept some money from a customer - a relatively large amount by PayPal standards. I knew I wasn't going to use PayPal again, so I removed my credit card details from my account (I was going to close the account but thought I'd leave it open just in case I needed it again).

A few months ago I received an email from PayPal saying my account was 'under investigation' and cannot be closed. They said I MUST supply them with credit card details or they would 'escalate' the situation. Because this 'escalation' is obviously not going to involve closing my account, I was left wondering what they are going to do to me - send the boys round and beat me with a stick with a nail in it, or tell the police that I am a criminal or what?

I have sent them several emails, but they won't respond. I have rung them, but they were less than helpful. The only advice they could give me was to close the account - which I can't.

Since then I receive regular emails telling me that I MUST COMPLY, which I'm determined not to do. I cannot see that a private company should be able to force anyone to hand over their credit card details.

itld
08-26-2004, 06:36 PM
Howdy,
I agree with you Davros. If they don't want to help, screw em. I'd call their bluff.

M.R.

golfinguy4
08-26-2004, 08:08 PM
Just don't go back to the site. Screw them.

pianorain
08-26-2004, 08:52 PM
Wow, that's interesting Davros. I'd like to hear how that goes for you.

whackaxe
08-27-2004, 03:02 AM
buy a couple of maxi packs of doritos, lots of water, a shotgun, and wait it out:) why would they get so anal if no-one complained?

Davros
08-27-2004, 09:15 AM
My guess is that PayPal will warn the authorities that my transactions are 'suspicious' and the UK Customs & Excise will be getting in touch with me at some point. I have sent all my records off early to my accountant to be on the safe side. If things get really bad, I'll contact the press. Otherwise I plan on forgetting it and to not let it worry me.

ober
08-31-2004, 08:44 AM
Heh... I got 2 more today... they've moved on to a different server tho.

Fordy
08-31-2004, 09:09 AM
My guess is that PayPal will warn the authorities that my transactions are 'suspicious' and the UK Customs & Excise will be getting in touch with me at some point. I have sent all my records off early to my accountant to be on the safe side. If things get really bad, I'll contact the press. Otherwise I plan on forgetting it and to not let it worry me.

As long as you have not fallen foul of any import or tax law I wouldn't worry.

MisterSako
09-01-2004, 05:37 PM
you all got way too crazy into the paypal site deal. it was just another spam email trying to jack your information. its nothing new and chances are if this guy knew what he was doing he prolly made it much harder to find out who he is (on account he could be facing criminal charges if caught)