I got a scam email, reproduced below. I was going to write a post about how phishers keep upping their game because, while I get tons of scam e-mail every week, this is the first of its type I’ve seen, and it seemed to be a cut above the crowd. “I bet they catch a lot of people,” I thought.
But looking under the hood, it’s odder than I thought.
First, here’s the email (without the live links):
PLEASE READ THIS NOTICE CAREFULLY.
You have received this Notice because the records of PayPal, Inc. indicate you are a current or former PayPal account holder who has been deemed eligible to receive a payment from the class action settlement in accordance with PayPal Litigation, Case No. 02 1227 JF PVT, pending in the United States District Court for the Northern District of California in San Jose.
In your specific case you have been found to be eligible for a payment of $48.99 USD.
The aforementioned settlement funds may be transferred directly to your bank account providing you have a linked card. The funds may not be credited directly to your PayPal account as this would render Paypal to be accumulating interest and thus profiting on litigation settlement funds which contravenes Federal law. Your bank account will be credited within 7 days upon submission of account details.
To credit your bank account please click here. [there was a URL attached to “click here”]
If you are seeking an alternate method of receiving your funds PayPal will be contacting those who do not submit their details by the 31th of March with instructions to receive a cheque in the mail. However this will incur a 7.5% processing fee deducted from the settlement amount and therefore PayPal only recommends this option to those users who do not currently have a bank account with linked Bank Card.
Please Note that under United States federal law credit cards are not a legally approved method of settlement for Class Action suits and cannot be processed for transferal of funds in this case.
This notice is a summary and does not describe all details of the settlement. For full details of the matters discussed in this notice, you may wish to review the Settlement Agreement dated January 11, 2006 and on file with the Court or visit https://www.paypal.com/settlement/. Complete copies of the Settlement Agreement and all other pleadings and papers filed in the lawsuit are also available for inspection and copying during regular business hours, at the Office of the Clerk of the Court, United States District Court for the Northern District of California, 280 South First Street, San Jose, California 95113.
PLEASE DO NOT TELEPHONE THE COURT REGARDING THIS NOTICE.
DATED: March 13, 2006
BY ORDER OF THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF U.S.A.
To the trained eye it’s obviously a fraud. The paragraph about how PayPal can’t hold the money is silly — if PayPal were paying it, it would be PayPal’s money; if the funds were in escrow, the interest would go wherever the parties agreed as part of the deal. And the last line is wrong too: “BY ORDER OF THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF U.S.A.” Um, what state please?
And anyone who went and looked at https://www.paypal.com/settlement/ would be redirected to the In re PayPal Litigation Settlement Website, where they’d learn the period for making claims ended years ago. So it’s a total scam. Even so, I could see how many people might be taken in by it and might “click here” without investigating.
But that’s not what I found so strange. Sadly, that’s all too commonplace. What’s odd is that the URL “click here” leads to is “http://12012068097/003.paypal.com”, which isn’t properly formed. And the URL to which most browsers would probably default is 12012068097.com, which points to a site that doesn’t exist, for a domain name that is not even registered.
I understand phishing exercises designed to get your credit card or banking info. But relatively elegant phishing exercises that just waste your time?
No, it’s even worse. That “12012068097” is a dword-format IP address. It’s an obfuscation trick.
See: How to Obscure Any URL.
It may not work in certain contexts. But there’s definitely a method to the madness.
Aha: the (new to me) dotless IP bug! But how do I figure out what IP address this is pointing to?
Convert the number from base-10 to base-256.
For an example in the other direction, ropine.com is 126.96.36.199, and 66×256³+92×256²+76×256+237=1113345261. It turns out that http://1113345261/ gives an error message instead of the content that you’d get from http://ropine.com/, but I think that’s because my server is configured to treat URLs containing dotless IPs as invalid. If I were a phisher I’d know how to change that part of the configuration.
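As an added example (not code from the post or its commenters), here is a Python helper that does the base-10 to base-256 conversion described above in both directions, and also accepts the other numeric host spellings that classic inet_aton()-style parsers take (0-prefixed octal, 0x hex, and one to four dotted parts); the sample URLs it is run on are constructed.

```python
import re
from urllib.parse import urlsplit

# Decode "dotless IP" hosts the way inet_aton()-style parsers do: each dotted
# part may be decimal, 0-prefixed octal or 0x hex, every part but the last is
# one octet, and the last part fills whatever bytes remain of the 32-bit value.

def _component(part):
    """One numeric host component, with C-style base prefixes."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part[2:], 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part)
    raise ValueError(f"not numeric: {part!r}")

def decode_numeric_host(host):
    """'1113345261' or '0x7f.1' -> dotted quad; rejects parts that overflow."""
    values = [_component(p) for p in host.split(".")]
    if len(values) > 4 or any(v > 0xFF for v in values[:-1]):
        raise ValueError("malformed numeric host")
    tail_bytes = 5 - len(values)          # bytes the last part has to fill
    if values[-1] >= 1 << (8 * tail_bytes):
        raise ValueError(f"{values[-1]} does not fit in {tail_bytes} bytes")
    n = values[-1]
    for i, v in enumerate(reversed(values[:-1])):
        n |= v << (8 * (tail_bytes + i))
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def encode_dword(dotted):
    """The forward direction from the comment: a.b.c.d -> a*256**3 + b*256**2 + c*256 + d."""
    return int.from_bytes(bytes(int(x) for x in dotted.split(".")), "big")

def effective_host(url):
    """Host a link really points at, with numeric spellings rewritten as a dotted quad.
    Ordinary names, and numbers that do not fit in 32 bits (like the 11-digit one in
    the post), are returned unchanged so the caller can see they need a closer look."""
    host = urlsplit(url).hostname or ""
    try:
        return decode_numeric_host(host)
    except ValueError:
        return host
```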
There are many converters. You can use the “URL deobfuscator” (bottom left) on
188.8.131.52, which is a South Korean IP allocation.
And it’s indeed a fake paypal site.
http://12012068097/003.paypal.com translates to http://184.108.40.206/003.paypal.com, which gets a copy of a Microsoft tech site. Just plain http://220.127.116.11 gets something that looks like a copy of a Paypal site. I say a copy in each case because a trace shows us that we’re dealing with a site probably in Korea:
Tracing route to 18.104.22.168 over a maximum of 30 hops
(Taking out corporate sites that I know the ID of)
4 1 ms 1 ms 1 ms 66-193-43-145.gen.twtelecom.net [22.214.171.124]
5 18 ms 1 ms 2 ms dist-02-ge-3-0-0-508.sttl.twtelecom.net [126.96.36.199]
6 21 ms 21 ms 21 ms core-01-so-3-0-0-0.okld.twtelecom.net [188.8.131.52]
7 23 ms 23 ms 23 ms peer-01-so-0-0-0-0.palo.twtelecom.net [184.108.40.206]
8 24 ms 23 ms 23 ms ge-0-0-1.0.ejr02.pao001.flagtel.com [220.127.116.11]
9 135 ms 135 ms 135 ms so-0-1-0.0.cjr04.tok002.flagtel.com [18.104.22.168]
10 164 ms 164 ms 164 ms so-0-3-0.0.ejr03.seo002.flagtel.com [22.214.171.124]
11 175 ms 175 ms 175 ms 126.96.36.199
12 175 ms 175 ms 177 ms user217.s163.samsung.co.kr [188.8.131.52]
13 175 ms 175 ms 175 ms 184.108.40.206
14 175 ms 175 ms 175 ms u245.gpu47.samsung.co.kr [220.127.116.11]
15 184 ms 176 ms 176 ms 18.104.22.168
16 176 ms 176 ms 179 ms 22.214.171.124
Another trick they have been up to of late is to bounce URLs off URL redirectors like Google. If you send Google a certain URL string, the site will return a redirect to a URL of your choice.
They have also pulled a number of old tricks out of mothballs. In the early days the perps would simply go find another target to attack as soon as a bank implemented a response system. Now they seem to be running out of undefended targets and they are much more persistent.
Cyota recently announced a ‘new’ attack they have dubbed the intelligent redirector. I am not at all sure how they have only seen two of these to date. Now that they have explained the attack we will no doubt see a lot more. Thanks a lot guys, now all the perps know how to do it. You can get away with the full disclosure argument on Bugtraq, but I think you will find the banks consider that argument just a little bit self-serving.