PayPal Fraud

Hi,

Today my girlfriend reported an obvious fraud attempt aimed at her PayPal account. Let's analyse it!

--------------------

----- Original Message -----

From: PayPaI Notice!
Sent: Thursday, April 17, 2008 2:21 PM
Subject: THE PAYMENT IS PENDING FOR THE MOMENT

We recorded a payment request from “Live Strip Chat Camera Sexy Girls -www.video-chat.co.uk – Girls Show
to enable the charge of $127.34 on your PayPal account. Because the order was made from an european internet address,
we put an Exception Payment on transaction id #POS 03 4573 motivated by our Geographical Tracking System.

THE PAYMENT IS PENDING FOR THE MOMENT .

If you made this transaction or if you just authorize this payment, please ignore or remove this email message.
The transaction will be shown on your monthly statement as “Live Strip Chat Camera Sexy Girls“.
If you didn’t make this payment and would like to decline the $127.34 billing to your card,
please follow the link below to cancel the payment : Cancel this payment ( transaction id #POS 03 4573)

Thank you for using PayPal!
The PayPal Team

Please do not reply to this email. This mailbox is not monitored and you will not receive a response.
For assistance, log in to your PayPal account and click the Help link located in the top right corner
of any PayPal page.

--------------------

The fraud website is http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/

The home page looks very similar to the real PayPal one, but it has no SSL connection (one of the classic signs of fraud) and asks for your email address and PayPal password. If the email and password merely have a plausible format (an "@" sign and some dots), we are immediately sent here:

http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/revalidate.htm?cmd_submitaccess0023044-submit=data_refund

where we’re asked for:

  • Card number
  • Expiration date
  • CVV Code
  • Electronic Signature
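The signs discussed above (a look-alike sender name, a plain-HTTP link, a host outside paypal.com, a hostname that is just an IP written with dashes, a PayPal-style /webscr/ path) can be turned into a small triage check. This is an added example, not code from the post; the sample sender and link are copied from the email above, and the brand/domain lists are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed samples, taken from the phishing email analysed above.
SAMPLE_SENDER = "PayPaI Notice!"
SAMPLE_LINK = "http://217-33-56-79.capitalchelmsford.mezzonet.net/webscr/"

# Assumed: the only legitimate parent domain for this brand.
LEGIT_DOMAINS = ("paypal.com",)
# Characters commonly swapped to imitate the brand name (capital I for l, etc.).
_FOLD = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def homoglyph_brand(display_name: str, brand: str = "paypal") -> bool:
    """True when the name only spells the brand after look-alike folding."""
    folded = display_name.translate(_FOLD).lower()
    return brand in folded and brand not in display_name.lower()


def link_indicators(url: str) -> list:
    """Return the list of phishing indicators found in a link."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    hits = []
    if parts.scheme != "https":
        hits.append("no SSL")
    on_brand = any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)
    if not on_brand:
        hits.append("host not under paypal.com")
    # e.g. 217-33-56-79.<isp domain>: a generic reverse-DNS name, not a company host.
    if re.match(r"^\d{1,3}(-\d{1,3}){3}\.", host):
        hits.append("hostname is a dashed IP address")
    if "/webscr" in parts.path and not on_brand:
        hits.append("PayPal-style /webscr path on a foreign host")
    return hits


def triage(sender: str, url: str) -> dict:
    """Combine sender and link checks into one verdict."""
    hits = link_indicators(url)
    if homoglyph_brand(sender):
        hits.insert(0, "sender spells brand with look-alike characters")
    return {"indicators": hits, "suspicious": len(hits) >= 2}


if __name__ == "__main__":
    print(triage(SAMPLE_SENDER, SAMPLE_LINK))
```

A legitimate `https://www.paypal.com/webscr` link produces no indicators, so the score comes entirely from the signs the post walks through.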

Card number, as we can see from the page's source code:

// Card number must not be empty
if((signupFORM.car.value == "")){
alert("Please fill in your Card number");
signupFORM.car.focus();
return false;
}
// Digits only
if(!isNumeric(signupFORM.car.value)){
alert("Please fill a numeric card number");
signupFORM.car.focus();
return false;
}
// Must be longer than 15 characters
if(signupFORM.car.value.length <= 15){
alert("This is not a valid card number.");
signupFORM.car.focus();
return false;
}
// Reject a few obviously fake / well-known test numbers
if((signupFORM.car.value == "0000000000000000")){
alert("Sorry! This is not a valid credit card number.");
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == "8888888888888888")){
alert("Sorry! This is not a valid credit card number.");
signupFORM.car.focus();
return false;
}
if((signupFORM.car.value == "4111111111111111")){
alert("Sorry! This is not a valid credit card number.");
signupFORM.car.focus();
return false;
}

So our card number needs to be non-empty, numeric, more than 15 digits long, and different from 0000000000000000, 8888888888888888 and 4111111111111111 (the last being the well-known Visa test number, so the blacklist is there to weed out obviously fake entries).

CVV code:

// CVV2 must be numeric (checked before the empty check)
if(!isNumeric(signupFORM.cl.value)){
alert("Please fill a numeric CVV2");
signupFORM.cl.focus();
return false;
}
if((signupFORM.cl.value == "")){
alert("Please fill in your CVV2 number");
signupFORM.cl.focus();
return false;
}
// At least 3 digits
if(signupFORM.cl.value.length < 3){
alert("This is not a valid CVV2.");
signupFORM.cl.focus();
return false;
}

Electronic signature (PIN):

// PIN must be at least 4 characters
if(signupFORM.ins.value.length < 4){
alert("This is not a valid PIN.");
signupFORM.ins.focus();
return false;
}
if((signupFORM.ins.value == "")){
alert("Please fill in your PIN");
signupFORM.ins.focus();
return false;
}

If all these fields are filled in correctly, we land on the final page, where we're asked for our bank name, and then on the congratulations page 🙂

From DomainTools we obtain this:

IP Location: United Kingdom, Ftip002881171 Capital Enterprise Centres Chelmsford
Resolve Host: 217-33-56-79.capitalchelmsford.mezzonet.net
IP Address: 217.33.56.79
Blacklist Status: Clear

Whois Record

inetnum:        217.33.56.64 - 217.33.56.127
netname:        CEC-CHELMSFORD
descr:          FTIP002881171 Capital Enterprise Centres Chelmsford
country:        GB
admin-c:        PC6279-RIPE
tech-c:         PC6279-RIPE
status:         ASSIGNED PA
mnt-by:         BTNET-MNT
mnt-lower:      BTNET-MNT
mnt-routes:     BTNET-MNT
remarks:        Please send abuse notification to 

See you at the next post.. 🙂

PS: Thanks Pì 😉

9 Responses to PayPal Fraud

  1. Tim Ramsey says:

    I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog.

    Tim Ramsey

  2. Good Blog. I will continue reading it in the future. Nice layout too.

    Aaron Wakling

  3. Pì says:

    ^_^ You are welcome my dear 🙂

  4. evilcodecave says:

    Hi,

    Many thanks for your comments,
    they are greatly appreciated 😉

    See you to the next post!

  5. sowhat-x says:

    Pretty nifty analysis! 😉

  6. Songna Yang says:

    omg. yea I happened to have gotten one EXACTLY LIKE this just today and freaked out and searched and found this blog. thx for verifying that it’s a fraud.

  7. evilcodecave says:

    Nice to hear that!

    Thanks for your comment 🙂

  8. Not that I’m impressed a lot, but this is a lot more than I expected for when I found a link on Furl telling that the info is quite decent. Thanks.

  9. tommy vig says:

    How do I collect from you any payments customers make for using my website, carvalu.com?

    Thanks!
