Phish of the Day: PayPal (interesting)
This particular phish is not your run-of-the-mill PayPal "verify your account" rubbish. It uses a number of techniques I haven't encountered before. The email was received from 67.18.187.106 (s1.ultraunix.net) on Thu, 17 Mar 2005 02:30:42 +0000. The subject was "Xeter Xhilbin has just sent you $52.00 USD with PayPal" [name partially redacted to protect the innocent]. That's the first difference: the lure is someone sending you money, rather than PayPal demanding that you reactivate your account under threat of being locked out. The text is very neatly laid out HTML which I expect has been copied from a real PayPal notice of this kind. I'll only reproduce the plain-text content of the message here, however.
PayPal <http://www.paypal.com.cgi-bin.webscr.cmd.login-run.com/>

You've got cash!

Xeter Xhilbin just sent you money with PayPal.

Xeter Xhilbin is a Verified buyer.

To complete this payment, you must accept or deny it within 30 days. If you do not accept or refuse this payment within 30 days, it will be cancelled and the funds will be returned to _eter _hilbin's account.

--------------------------------------------------------------------------------
Payment Details

Amount: $52.00 USD
Transaction ID: 4UA98825E3568683F

View the details of this transaction online <http://www.paypal.com.cgi-bin.webscr.cmd.login-run.com/>

--------------------------------------------------------------------------------
Address Information

Address:
Xeter Xhilbin
X XXXXXXXXXXX XXX
XXXX, XX XXXXX
United States

Address Status: Confirmed <http://www.paypal.com/uk/cgi-bin/webscr?cmd=p/pop/confirmed_address>

--------------------------------------------------------------------------------
Thank you for using PayPal!
The PayPal Team

PayPal Email ID PP59195

--------------------------------------------------------------------------------
Protect Your Account Info

Make sure you never provide your password to fraudulent websites. To safely and securely access the PayPal website or your account, open a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (https://www.paypal.com/ <http://www.paypal.com.cgi-bin.webscr.cmd.login-run.com/>) to be sure you are on the real PayPal site. PayPal will never ask you to enter your password in an email. For more information on protecting yourself from fraud, please review our Security Tips at https://www.paypal.com/securitytips/ <http://www.paypal.com.cgi-bin.webscr.cmd.login-run.com/>

Protect Your Password

You should never give your PayPal password to anyone, including PayPal employees.
The second interesting fact about this phish is the fake URL provided: namely, <http://www.paypal.com.cgi-bin.webscr.cmd.login-run.com/>. At a glance, it might look like a real PayPal sort of URL, but it's actually one very long name in the zone "login-run.com". That domain was registered through NameZero on 19-Feb-2005. The registrant appears to have opted for NameZero's masked URL forwarding service, which redirects to <http://eshop.uvt.bg/includes/.login-run/>. Any valid hostname ending in ".login-run.com" will currently be redirected to that address -- it's a wildcard match. Fortunately, the destination address of "eshop.uvt.bg" seems to be nonexistent for now, so there's nothing further to report -- people falling for this lure will wind up with an error page, or a blank page for the time being.
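To show where the registrable domain actually sits in a link like that, here is an added Python example (not from the original post) that splits a link's hostname into labels, takes the rightmost two as the zone the registrant controls, and flags any link where a protected brand such as paypal.com appears as labels to the left of that zone. PROTECTED_DOMAINS, the function names, the sample link list and the two-label rule are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed sample: the lure URL quoted in the post, a genuine PayPal URL,
# and the one real PayPal link the message also carried.
SAMPLE_LINKS = [
    "http://www.paypal.com.cgi-bin.webscr.cmd.login-run.com/",
    "https://www.paypal.com/securitytips/",
    "http://www.paypal.com/uk/cgi-bin/webscr?cmd=p/pop/confirmed_address",
]
# Hypothetical allow-list of brand domains for this example.
PROTECTED_DOMAINS = {"paypal.com"}


def registrable_domain(hostname: str) -> str:
    """Rightmost two labels: the zone the registrant actually controls.
    Assumption of this example; production code should use the Public
    Suffix List so names under suffixes such as co.uk are handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str) -> dict:
    """Classify a link as 'trusted', 'lookalike' or 'other'.
    'lookalike': a protected brand occurs as a run of labels left of the
    registrable domain. Everything right of the brand (here
    '.cgi-bin.webscr.cmd.login-run.com') is what DNS resolves, and a
    wildcard record in that zone answers for any left-hand labels."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    domain = registrable_domain(host)
    embedded = None
    for brand in PROTECTED_DOMAINS:
        parts = brand.split(".")
        n = len(parts)
        # Positions are capped so the final n labels (the real domain) never match.
        if any(labels[i:i + n] == parts for i in range(len(labels) - n)):
            embedded = brand
            break
    if domain in PROTECTED_DOMAINS:
        verdict = "trusted"
    elif embedded:
        verdict = "lookalike"
    else:
        verdict = "other"
    return {"host": host, "registrable": domain,
            "embedded_brand": embedded, "verdict": verdict}


def scan(links=SAMPLE_LINKS) -> list:
    """Run analyse_link over a list of links (the sample set by default)."""
    return [analyse_link(u) for u in links]
```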
NameZero has a fairly reasonable-looking web page for reporting abuse, and I've taken the liberty of telling them about this one.
Update on 2005-07-07. I have received an email from someone claiming that the name and address information given in this phish is his address, and asking me to delete the information. I have therefore replaced portions of the name and address with "X". Take note: phishers are quite happy to use your personal information for whatever reason suits them.
1 comment:
I just received this phishing e-mail supposedly from Paypal - McAfee picked it up - thank goodness - so this phish is still active.