Clint asked me to pass this on as it wasn't making it to the list.

----- Original Message ----- 
From: "Support-OrpheusComputing.com"

(EIGHTH time trying to post this).

Here's an example of one of those bogus PayPal URLs from VSNL
in Ind!a I mentioned below.
https://www.paypal.com/cgi-bin/[EMAIL PROTECTED]://203.197.163.51/ogi-bin/
That URL no longer works correctly, apparently PP caught on to
it, but if you click it you'll see it sort of "works", but the
redirect doesn't happen.

*****DO NOT CLICK OR GO TO THIS URL SUFFIX IP ADDRESS
http://203.197.163.51/ogi-bin/ !!!!!*****
Now, with that being said and being warned, if you do go to it,
your AV software will alert you to a password steal Tr*jan
(Tr*jan.JS.steal).  This is GOOD AV software, so if you happen
to check out the page with AV software that's not the best,
you'll get the Tr*jan on your PC.  For those of you that don't
want to try (or are not running Kaspersky Pro), it's a totally
legit **looking** PayPal page with the login.  However just
clicking that IP URL alone will show it in the address bar
(unlike the original obfuscated URL) and to the untrained eye,
many would still think it's a PP page.  For those of you
running a top-notch AV program that's set to scan ALL FILE
TYPES in any Real-Time monitor, notice that you can't right
click the page and check the source code!  These criminal
parasites have the right click disabled so the page can't be
examined.  You also can't save the page because the AV software
keeps going off.  So, I temp disabled mine and saved the page
(while blocking access).  I examined the HTML code of the page
by right clicking and "send to..." Notepad.  FYI, the Tr*jan
part of the code is a script tag that sends all login info to
that parasite's IP address.  I think this type of sc*um should
get the [EMAIL PROTECTED] pen*alty via their victims.
-Clint


----- Original Message ----- 
From: "Support-OrpheusComputing.com"


Braz!l; that's no surprise.  Ind!a is another one that's
sending out fraudulent PayPal emails with obfuscated URLs
trying to get users' login info.  This is specifically why I
have ALL of LACNIC and APNIC's IP ranges blocked.

Yeah, decent AV software should prevent any auto-executed
script from happening, plus OE should be set to open/view
emails in the "Restricted sites" zone which should also prevent
it.  I think OE is set that way by default now from 2k on, I
know it's that way in XP.

A word more on these "obfuscated" URLs: I just use that term
since the full URL is not seen in HTML email, only the prefix
which is the VALID URL to where you THINK you're going.
There's also an IE exploit that deals with this, but in this
case I'm just speaking of "cloaked" URLs.  When you click
these, the URL in the address bar at the site APPEARS valid,
but it's not.  If you check the HTML code of the email, you'll
see something like
[EMAIL PROTECTED] .
It may or may not be the @ symbol; sometimes that won't work
for some URLs.  It might be a % and a few other characters in
place of the @, but these characters are what redirect you to
the criminal domain.  Like Jeff mentioned, reading HTML email
in plain text will show these URLs as they REALLY are, but
that can hurt your HTML content newsletters and the like and you
have to switch back and forth.  Reading in plain text, or
having email open in the Restricted Sites zone along with the
best AV software, is the only way to notice these things.  For
newbies, they should subscribe to newsletters in plain text
ONLY, then set OE to view all email in plain text since that's
the only SURE way of noticing it.  The latter would work for the
more computer savvy people.  I use that method, plus I always
check the HTML code of suspect emails anyway.  Just hovering
over the link, or even copying the link shortcut and pasting it
to view it, won't always show the FULL REAL URL and the criminal
domain suffix--it depends on the cloaking method used.  That's
why on suspected emails I just click "forward" on the email
(and you have to keep it in HTML format), then open the
"Source" tab, then I look for the URL(s) in the code.

Of course if you use SpywareBlaster and SpyBot to name only two
(which everyone SHOULD), these will lock your Hosts file so it
can't be changed in this specific instance.  (They are not set
that way by default).

(Harold for some reason I never got your original post, so I
may not be able to see any of your replies.  Maybe your IP
changed to a range I had to block previously).
-Clint

God Bless
Clint Hamilton, Owner
http://OrpheusComputing.com
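Both of Clint's messages above describe the same cloaking trick: the part of the link a reader sees is really the userinfo section before an "@", and the browser connects to whatever host follows it. The Python below is an added example for this thread, not code from the list or from Orpheus Computing. It parses a link the way a standards-following URL parser does and reports the host the link appears to name against the host actually connected to, then applies that to every href in a constructed HTML e-mail. The sample URLs use a documentation address range rather than the IP from Clint's message, and the percent-encoded variant is only an assumption about what the "% and a few other characters" form he mentions could look like.

```python
"""Show where a cloaked link really goes.

Added example for this thread (not code from the list or from
Orpheus Computing). The sample URLs and e-mail HTML below are
constructed; 203.0.113.x is a documentation range, not the address
from Clint's message.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Everything between "scheme://" and the first / ? # @ : or % is what
# a reader skimming the link takes to be the site.
_APPARENT_HOST = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#@:%]+)")
_HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def analyze_url(url: str) -> dict:
    """Compare the host a link appears to name with the host a browser connects to."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    m = _APPARENT_HOST.match(url)
    apparent_host = m.group(1).lower() if m else ""
    # RFC 3986: anything before the last "@" in the authority is userinfo,
    # never part of the host, so the browser ignores it when connecting.
    userinfo = parts.netloc.rpartition("@")[0] if "@" in parts.netloc else ""
    try:
        ipaddress.ip_address(real_host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    return {
        "url": url,
        "apparent_host": apparent_host,
        "real_host": real_host,
        "userinfo": userinfo,
        "host_is_ip": host_is_ip,
        # Cloaked: a userinfo section exists and it hides a different host.
        "suspicious": bool(userinfo) and apparent_host != real_host,
    }


def cloaked_links(html: str) -> list:
    """Return the analysis of every href in an HTML e-mail that is cloaked."""
    return [r for r in (analyze_url(h) for h in _HREF.findall(html)) if r["suspicious"]]


# Constructed HTML e-mail: the visible link text and the href disagree.
SAMPLE_EMAIL_HTML = """
<p>Please confirm your account:</p>
<a href="https://www.paypal.com@203.0.113.5/cgi-bin/">https://www.paypal.com/cgi-bin/webscr</a>
<a href="https://www.paypal.com/cgi-bin/webscr">Help Center</a>
"""

# Constructed variant (assumption): percent-encoded filler before the "@",
# which some old clients displayed as if the URL ended there.
PERCENT_VARIANT = "http://www.paypal.com%01@203.0.113.5/cgi-bin/"

if __name__ == "__main__":
    for r in cloaked_links(SAMPLE_EMAIL_HTML) + [analyze_url(PERCENT_VARIANT)]:
        print(f"{r['url']}\n  looks like: {r['apparent_host']}\n  goes to:    {r['real_host']}"
              f"{' (raw IP)' if r['host_is_ip'] else ''}")
```

Run against the constructed e-mail, the first link is reported as looking like www.paypal.com but connecting to a raw IP address, while the second, genuine link passes. The same check works on anything pasted from the "Source" tab Clint describes, since it reads the href, not the displayed text.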

----- Original Message ----- 
From: "Harold B" <[EMAIL PROTECTED]>

Hello again,

I usually ignore these "the sky is falling" emails that often get
around the internet. The following came to me and I'd like to know
if there is any validity to it. It doesn't matter to me because,
as a matter of course, I always have the VBScript Script File
disabled (I don't even know what it's used for). I quote:

"A new and very dangerous Internet attack was reported this week
in Braz!l. This new danger is a phishing attack. Phishing is
computer slang for attacks in which criminals pretend to be a bank
or other institution. They try to trick you into giving up your
password and user name. Most people have learned not to fall for
this. But this new attack could fool the most careful people.
Here's how it works: The criminals send you an e-mail (spam). When
you open the e-mail, a small program called a script runs. Note
that you only need to open the e-mail; there is no attachment.

"The scripting program goes to your HOSTS file, located deep in
your computer. The actual path in Windows XP is:
C:\Windows\System32\Drivers\Etc\HOSTS
It enters your bank's Web address--for instance,
www.YourBank.com--in the HOSTS file. It also enters an Internet
Protocol (IP) number for the criminal's address.

"The next time you need to surf to your bank, you attempt to go to
www.YourBank.com. When you enter that address, or any other
address, the browser first goes to the HOSTS file to find the IP
number. If it isn't there (it normally would not be), it goes to a
special computer on the Internet to find the IP number.

"However, the criminals have put your bank's address in the HOSTS
file, along with their IP number. So you are automatically sent to
that IP number, which is the criminals' computer. It looks like
the bank's Web site, so you enter your user name and password.
That gives the criminals the information they need to enter your
account and steal your money. How can you protect yourself? Some
anti-virus programs guard against this kind of thing; others do
not. To be safe, you must disable your computer's scripting
ability. To do that:
============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines &
make sure you've followed proper posting procedures,
http://pcworkers.com/rules.htm
Contact list owner <[EMAIL PROTECTED]>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
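The warning Harold quotes describes HOSTS-file poisoning: the resolver consults HOSTS before DNS, so one injected line for www.YourBank.com silently wins every later lookup. As an added example for this thread (not code from the list or from any of its posters), the Python below parses a HOSTS file the way the resolver does, comments and tabs included, and flags any entry for a watched financial domain or its subdomains, on the reasoning that a legitimate bank never needs a HOSTS override. The watch list and the sample file are constructed, and the injected address comes from a documentation range; the path is the Windows XP one the quoted text gives.

```python
"""Check a Windows HOSTS file for bank names pointed at someone else's IP.

Added example for the quoted warning above (not code from the list).
The watch list and SAMPLE_HOSTS below are constructed; 203.0.113.9 is a
documentation address.
"""
import ipaddress
from typing import Dict, List, Tuple

# Path given in the quoted text for Windows XP.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\Drivers\Etc\HOSTS"

# Constructed watch list: domains that should never have a HOSTS override.
WATCHED_DOMAINS = ("yourbank.com", "paypal.com")


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to the IP on its line, honouring comments and tabs.

    The resolver uses the first match, so the first mapping per name wins here too.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a resolvable entry
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), ip)
    return mapping


def _is_watched(name: str, watched) -> bool:
    """True when name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_hijacks(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (hostname, ip) for every watched domain that HOSTS resolves locally.

    Any such entry is a hijack candidate: HOSTS is consulted before DNS, so the
    entry silently wins, and a legitimate bank never needs one.
    """
    return [(n, ip) for n, ip in parse_hosts(text).items() if _is_watched(n, watched)]


def check_hosts_file(path: str = WINDOWS_HOSTS_PATH, watched=WATCHED_DOMAINS):
    """Read the live HOSTS file and report hijack candidates."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read(), watched)


# Constructed HOSTS content: a clean default plus one injected bank entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net
203.0.113.9\twww.yourbank.com   # injected by the script
not-an-ip       garbage.example
"""

if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS sends {name} to {ip}; a bank should have no entry here at all")
```

On the constructed file the only finding is www.yourbank.com pointed at 203.0.113.9; the localhost and ad-blocking lines pass, and the malformed line is ignored rather than trusted. Pointing `check_hosts_file()` at the real path turns this into the periodic check that the hosts-file locking Clint mentions complements: locking stops the write, the check catches one that already happened.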
