Mobile Web 2.0: Discover the future of mobile applications

Wednesday, July 19, 2006

PayPal Phishing

You thought phishing attacks were losing ground? Not at all! I've just received a phishing message, so I thought I'd check it out.


  1. The message pointed me to the following URL (I intentionally split it here):

    http://rds.yahoo.com/_ylt=A0LaSV66fNtDg.kAUoJXNyoA;
    _ylu=X3oDMTE2ZHVuZ3E3BGNvbG8DdwRsA1dTMQRwb3MDMw
    RzZWMDc3IEdnRpZANGNjU1Xzc1/SIG=148vsd1jp/EXP=113854
    4186/**http%3a//r-h-enterprises.com/.confirm/index.
    php?MfcISAPICommand=SignInFPP

    So much for trusting Yahoo; this looks like an open redirect.

  2. The landing page looks like a "standard" phishing page, imitating PayPal pages by including logos and links. A quick background check (whois) on r-h-enterprises.com shows nothing suspicious, so the server was probably hacked and the phishing scripts installed on it by a hacker.

  3. And now for the funny part... you can get a listing of the /.confirm directory on the site (there's no index file), and thus you can easily gain access to the "bag of phish" containing email addresses, passwords (are they the passwords for the email accounts? or for PayPal? who knows...), and of course card numbers, PINs, CVV codes, and the rest of the goodies. The card list is here (again, a space was added):

    http://r-h-enterprises.com/.con firm/cards.txt

    So the phisher didn't bother to keep it private; they shared it with the entire world.
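
A mail filter can catch the redirector trick from step 1 by decoding the link and comparing the host the reader sees with the host embedded after it. The Python below is an added example, not part of the original post; `inspect_link`, the sample links and the two-label site comparison are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

_ABSOLUTE = re.compile(r"https?://", re.IGNORECASE)


def _fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded targets are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def _site(host):
    # Assumption: the last two labels approximate the registrable domain.
    # Production code should use the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])


def inspect_link(url):
    """Return (visible_host, embedded_host, off_site) for one link.

    embedded_host is the host of an absolute URL carried inside the path
    or query (the real destination of a redirector link), or None.
    off_site is True when that destination is on a different site than
    the host shown at the front of the link.
    """
    parts = urlsplit(url)
    visible = parts.hostname or ""
    # Everything after the authority: path, ;params, ?query, #fragment.
    tail = url[url.find(parts.netloc) + len(parts.netloc):] if parts.netloc else url
    decoded = _fully_decode(tail)
    match = _ABSOLUTE.search(decoded)
    if match is None:
        return visible, None, False
    embedded = urlsplit(decoded[match.start():]).hostname
    off_site = bool(embedded) and _site(embedded) != _site(visible)
    return visible, embedded, off_site


# Constructed samples; the first copies the shape of the link in step 1.
SAMPLES = [
    "http://rds.yahoo.com/_ylt=TOKEN;_ylu=TOKEN/SIG=x/EXP=0/**http%3a//phish.example/.confirm/index.php?MfcISAPICommand=SignInFPP",
    "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run",
    "https://www.example.com/login?next=https%3A%2F%2Faccount.example.com%2Fhome",
    "http://redir.example.net/go?u=http%253A%252F%252Fphish.example%252Fx",
]
```

Calling `inspect_link` on each entry of `SAMPLES` flags the first and last links as off-site and leaves the direct link and the same-site `next=` link alone.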

Conclusions:


  • NEVER enter your card number, PIN, or other sensitive information on any site that is not SSL-enabled. ALWAYS check the "lock" icon to make sure the SSL certificate is valid.

  • ALWAYS check the URL in the address bar to make sure you are visiting the right website.

  • ALWAYS use Firefox for browsing the web. It is less vulnerable to address bar hijacking attacks, and shows the address on a yellow background whenever you are visiting a secure site.

1 Comment:

At 11:37 PM, July 19, 2006, Blogger Zebra said...

I believe that Firefox 2.0 anti-phishing filters will be very handy.

 
