The recipient doesn't have a PayPal account. Whoever created the spam message probably sent it to thousands of people with no way of knowing how many of those recipients might have PayPal accounts.
I checked the online directory for the university today and sent another message regarding the spoofed site; this time I sent the message to the chair of the School of Design at the university plus email addresses for people who appeared to be IT people at the university, and some general contact addresses. Hopefully, one of them can get the spoofed webpages removed and take action that will result in the perpetrator being apprehended and disciplined.
Going to http://mic.polyu.edu.hk/ instead, I found the following information for the site:
I reported the spoofed site to the contact address listed for the Hong Kong Polytechnic University. The webserver being used to host the spoofed PayPal site apparently belongs to the Multimedia Innovation Centre School of Design at that university. I also reported this phishing attempt to PayPal via the PayPal Report Fake Site/Spoof webpage. And I reported the spoofed site at the following phishing report webpages:
Organization | Reporting Page |
---|---|
CastleCops | Phishing Incident & Termination |
Symantec Phish Report Network | Report Suspected Phishing Sites |
The message attempted to trick PayPal users into going to a spoofed PayPal website to confirm the addition of an email address to a user's PayPal account. In reality, the link in the message would take the victim to http://sv1.melbhosting.com.au/%7Eforcast/index.html, which would redirect him to http://bourke.pcpro.net.au/icons/.pay/pal/index.html. There he would see a website mimicking the PayPal site where he would be prompted for his PayPal userid and password. If he entered a userid and password, he would see a form asking for personal information, including a credit card number.
I reported the spoofed site at 10:33 A.M. using PayPal's Contact Us - Protections/Privacy/Security - Report Fake Site/Spoof form. I also reported the site to the Phishing Incident Reporting and Termination (PIRT) Squad at 10:48 A.M. At 11:15 A.M. the webpage to which the link pointed, http://sv1.melbhosting.com.au/%7Eforcast/index.html, was removed from the webserver on which it resided, resulting in an "HTTP 404 - File not found" message, but the spoofed PayPal site at bourke.pcpro.net.au was still accessible.
I see that the website, www.paypal.com.sdll.us, that was being used on Monday for a PayPal scam (see PayPal Phishing Attempt at www.paypal.com.sdll.us) has been taken down. Hopefully, the person running the spoofed site has been identified.
I received three copies of an attempt to garner PayPal account information today. The spoofed PayPal site was at http://www.paypal.com.sdll.us/webscr/index.html. The phisher used a JavaScript technique for overlaying Internet Explorer's address bar with a URL pointing to the real PayPal site, making it appear that anyone clicking on a link in the message had gone to the real site, whereas they would actually be at the spoofed site.
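The hostnames in these reports put the brand name somewhere other than the registrable domain: in the leading labels (www.paypal.com.sdll.us) or in the path (/icons/.pay/pal/). The following is an added example, not part of the original posts, of a mail-filter style check that classifies a link by where the brand appears. The function names are hypothetical, and the suffix set is an assumed stand-in for the Public Suffix List that covers only the URLs quoted on this page.

```python
from urllib.parse import urlsplit, unquote

# Assumption: tiny stand-in for the Public Suffix List, limited to the
# multi-label suffixes that occur in the URLs quoted on this page.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "edu.hk"}
BRAND = "paypal"              # brand impersonated in these reports
BRAND_DOMAIN = "paypal.com"   # the brand's real registrable domain


def registrable_domain(host: str) -> str:
    """Return public suffix plus one label, e.g. sdll.us or pcpro.net.au."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Say where, if anywhere, the brand name appears in a link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if registrable_domain(host) == BRAND_DOMAIN:
        return "brand-owned"
    # Brand used as a subdomain label so the host starts like the real site.
    if BRAND in host.split("."):
        return "brand-in-subdomain"
    # Brand in the path, possibly split by separators such as ".pay/pal".
    # Dropping non-alphanumerics is a heuristic and can over-match.
    squeezed = "".join(c for c in unquote(parts.path).lower() if c.isalnum())
    if BRAND in squeezed:
        return "brand-in-path"
    return "no-brand-reference"


# URLs taken from the reports above.
REPORTED = [
    "http://www.paypal.com.sdll.us/webscr/index.html",
    "http://bourke.pcpro.net.au/icons/.pay/pal/index.html",
    "http://sv1.melbhosting.com.au/%7Eforcast/index.html",
]

if __name__ == "__main__":
    for link in REPORTED:
        print(f"{classify(link):20} {registrable_domain(urlsplit(link).hostname)}")
```

The first hop of the redirect chain (sv1.melbhosting.com.au) carries no brand reference at all, so a check like this only catches it if redirects are followed and each hop is classified.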