Reported .. yet another hacked site.

On 28 Feb 2007 at 15:55, Steve Pirk wrote:

> Paypal site at:
> 
> http://deathstar.m0zart.com/paypal.com/update/index.htm
> 
> Interesting that it came from a Google mx server...
> 
> Active as of Feb 28th 15:50 PST.
> --
> Steve
> panic: can't find /
> 
> ---------- Forwarded message ----------
> Return-Path: <[EMAIL PROTECTED]>
> Received: from wx-out-0506.google.com (wx-out-0506.google.com
>     [66.249.82.234])
>  by mail.pirk.com (8.13.7/8.12.0.Beta19) with ESMTP id l1SNoTbJ023577
>  for <[EMAIL PROTECTED]>; Wed, 28 Feb 2007 15:50:29 -0800
> Received: by wx-out-0506.google.com with SMTP id h31so284795wxd
>         for <[EMAIL PROTECTED]>; Wed, 28 Feb 2007 15:50:25 -0800
>         (PST)
> DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;
>         d=googlemail.com; s=beta;
> 
>     h=domainkey-signature:received:received:from:to:subject:date:x-mai
>     ler:conten
>     t-type:content-transfer-encoding:content-disposition:message-id;
> 
>     b=KBTMF153tDOad0VEJP74QZM0oDqgYbbuQAp+V5RZCYlu3eydkDG+LOLJ+SISoZiY
>     CWLKFp27tx
>     +EMU5FwfW5XDy2nNWzey2cR9ZaBHFLucQ0Ml5v5mPnDI+F2o1EN43mSvz59LufgEod
>     jOiub9I03T qKY1fffTqcKClFvzZKCxs=
> DomainKey-Signature: a=rsa-sha1; c=nofws;
>         d=googlemail.com; s=beta;
> 
>     h=received:from:to:subject:date:x-mailer:content-type:content-tran
>     sfer-encod ing:content-disposition:message-id;
> 
>     b=PLURXtfme17mypf04m5E4D9p1qWVXgjWBbY06JJsENGAMU8Q8X9BUQQ4s7QJrrAO
>     8HuwmbOszU
>     o36O2TQ9iec5Jjk3Yyl1q5u4HWN1DeCw7BSS/1EH+aWILkvwYacDjgJxYB9OYidsmL
>     t6LjgvSV/V 2+OZbTTxSrOevcOLJYFzc=
> Received: by 10.70.69.11 with SMTP id r11mr1997609wxa.1172706619906;
>         Wed, 28 Feb 2007 15:50:19 -0800 (PST)
> Received: from ensim.ev1servers.net ( [67.15.6.100])
>         by mx.google.com with ESMTP id
>         i17sm1078667wxd.2007.02.28.15.50.18; Wed, 28 Feb 2007 15:50:19
>         -0800 (PST)
> From: "PayPal" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Update Your Identity and Billing Information - Urgent Action
>     Required
> Date: Wed, 28 Feb 2007 17:50:17 -0600
> X-Mailer: XPM2 v.0.1 <www.xpertmailer.com>
> Content-Type: text/html;
>  charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: inline
> Message-ID: <[EMAIL PROTECTED]>
> 
> <html>=0A<head>=0A<title></title>=0A<style
> type=3Dtext/css>=0A<!--=0Abod= y { margin: 0px; padding: 0px;
> background: #fff; }=0A.panel{-moz-border-= radius: .3em .3em .3em
> .3em; border: 1px dotted silver; background-color= :
> #F7F6F4;=0A}=0A-->=0A</style>=0A</head>=0A<body>=0A=0A<TABLE
> align=3D"= center" width=3D"100%" border=3D0>=0A<tr>=0A<td
> align=3D"left">=0A<img s=
> rc=3D"http://images.paypal.com/en_US/i/logo/email_logo.gif";
> border=3D0><= br>=0A<i>Copyright &copy; 1999-2006 PayPal. All rights
> reserved.</i>=0A<=
> /td>=0A</tr>=0A<TR>=0A</TR>=0A<TR><TD></TD><br></TR>=0A<TR><TD></TD><b
> r>= </TR>=0A<TR>=0A<TD
> class=3D"panel"><b></b></TD>=0A</TR>=0A<TR>=0A<TR><TD= ></TD>
> </TR>=0A<TR><TD></TD> </TR>=0A<TR><TD></TD></TR>=0A<TR>=0A=09<TD>=
> <font color=3D"Navy" size=3D"3"><b>Dear PayPal
> Client,</b></font><br>=0A= =09<br>=0A<font face=3D"Arial"
> size=3D"2px">During our regularly schedul= ed account maintenance and
> verification we have detected a =0Aslight err= or<br>=0Ain your
> billing information on file with PayPal.<br>=0A<b>This=20= might be
> due to either following reasons :</b>=0A=0A<br>=0A<ul>=0A     =20=
>   <li> A recent change in your personal information (I.E. change of
>   addr=
> ess)=0A        <li> Submitting invalid information during initial
> signup=
>  process=0A        <li> An inability to accurately verify your
>  selected=20=
> option of payment due of an internal error within our
> =0Aprocessors=0A</= ul>=0A=0AIn accordance with PayPal`s User
> Agreement and to ensure that y= our account has not been compromised ,
> access to your =0Aaccount was lim= ited. Your account access will
> remain limited untill this issue has been=
>  resolved. In order to secure =0Ayour account and quickly restore full
>  a=
> ccess we may require some specific information from you for the
> followin= g =0Areason :=0A<br>=0A<br>=0A   <br> <b>- We encourage you
> to restore f= ull access as soon as possible</b>=0A<br>=0A<a
> href=3D"http://deathstar.=
> m0zart.com/paypal.com/update/index.htm">https://www.paypal.com/cgi-bin
> /w= ebscr?cmd=3Dlogin-run</a>=0A</td>=0A</tr>=0A<TR><TD></TD>
> </TR>=0A<TR><T= D></TD> </TR>=0A<TR><TD></TD> </TR>=0A<TR><TD></TD>
> </TR>=0A<TR><TD></TD= > </TR>=0A<TR><TD></TD> </TR>=0A<TR>=0A<TD
> class=3D"panel"></td></tr>=0A= <tr>=0A<td>=0A<br>Thanks for your
> patience as we work together to protec= t your
> account=0A<br>=0A<br>Please do not respond to this e-mail adress=20=
> as your reply will not be recieved =0A        <br>=0A=09<b>Best
> regards<= /b>,<br>=0A=09<font size=3D"2"><i>PayPal`s
> Team</i>.</font>=0A</td>=0A</= tr>=0A</table>
> _______________________________________________ phishing mailing list
> [email protected]
> http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
> 


_______________________________________________
phishing mailing list
[email protected]
http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
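
The lure in the quoted message displays a paypal.com URL as link text while the href points at the reported host. The following is an added example, not part of the original post: a Python check that decodes a quoted-printable HTML body and flags anchors whose visible URL and href disagree on the host. The sample bytes are a constructed, abridged fragment modelled on the quoted message, and the class and function names are hypothetical.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: abridged quoted-printable fragment modelled on the anchor
# in the quoted message, with soft line breaks ("=" at end of line) kept.
SAMPLE_QP = (
    b'<b>- We encourage you to restore full access</b>=0A<br>=0A<a href=3D"http://deathstar.=\n'
    b'm0zart.com/paypal.com/update/index.htm">https://www.paypal.com/cgi-bin/w=\n'
    b'ebscr?cmd=3Dlogin-run</a>=0A<a href=3D"https://www.paypal.com/">Help</a>=0A'
)


class AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def host(url):
    return (urlsplit(url).hostname or "").lower()


def mismatched_links(raw_qp, charset="iso-8859-1"):
    """Return (shown_host, real_host) where link text is a URL on another host."""
    html = quopri.decodestring(raw_qp).decode(charset, errors="replace")
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        shown = "".join(text.split())  # drop whitespace left by line wrapping
        if shown.lower().startswith(("http://", "https://")) and host(shown) != host(href):
            findings.append((host(shown), host(href)))
    return findings
```

Anchors whose text is not a URL (the constructed "Help" link) are ignored, so only the display/target mismatch is reported.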
