Tracing a Scam

By Ali Karbassi | March 22nd, 2005 | Weird

Warning: This file is the original file, and does contain the links that look legit. Please do not fill out anything. Do not click links if you don’t trust yourself either.

We all get spam in our e-mail. However, I thought I'd look into where the links actually lead.

I recently got an e-mail from PayPal. It stated:

We are contacting you to inform you that on Mar. 31, 2005 our Account Review Team identified some unusual activity in your account. In accordance with PayPal’s User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved.

If you would like to see the original email.

I noticed the links in the e-mail were something like this:

http://palestinechronicle.com/portal.php?url=http%3A%2F%2F211%2E46%2E183%2E52%2Fbbs%2Fdata%2F%5F%5FzbSessionTMP%2F%2Epp%2F%2F&what=link&item=20010807043647823

First things first, notice the URL. It is http://palestinechronicle.com/. If you go to their site, it doesn’t seem to be a scam website. Well, it isn’t. It is only a cover for the scammers. What the scammers do is take sites that run premade scripts, such as PHPNuke and others, and route their own site through them.

Let’s break it down: http://palestinechronicle.com/portal.php is the site. The ?url= part is used to redirect links on the site. It is primarily used to keep track of link counts (how many people click on a particular link). What the scammers did was use this website to relay to their site.

Now that we know that PalestineChronicle.com isn’t the culprit, we can move on. Notice the text after ?url=. The scrambled-looking text, http%3A%2F%2F211%2E46%2E183%2E52%2Fbbs%2Fdata%2F%5F%5FzbSessionTMP%2F%2Epp%2F%2F&what=link&item=20010807043647823, is actually http://211.46.183.52/bbs/data/__zbSessionTMP/.pp//&what=link&item=20010807043647823. The item=20010807043647823 is actually never used. It is only there for looks and to make you think it is real.
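The same breakdown can be automated when triaging links from a suspicious e-mail. The following is an added example, not part of the original post: it parses the link, percent-decodes the redirect parameter, and flags the traits this one shows. The parameter names other than `url` and the flag wording are assumptions made for the example.

```python
import ipaddress
import re
import string
from urllib.parse import parse_qs, urlsplit

# Query parameter names treated as redirect targets. "url" is the one in the
# page's link; the others are assumptions added for this example.
REDIRECT_PARAMS = {"url", "redirect", "next", "goto", "dest"}
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")  # RFC 3986

# The link from the e-mail, joined back onto one line.
SAMPLE_LINK = ("http://palestinechronicle.com/portal.php?url="
               "http%3A%2F%2F211%2E46%2E183%2E52%2Fbbs%2Fdata%2F%5F%5F"
               "zbSessionTMP%2F%2Epp%2F%2F&what=link&item=20010807043647823")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def over_encoded(raw_query):
    """True if characters that never need escaping ('.', '_', letters) are escaped."""
    escapes = re.findall(r"%([0-9A-Fa-f]{2})", raw_query)
    return any(chr(int(h, 16)) in UNRESERVED for h in escapes)

def analyze_link(link):
    """Split a link into carrier host, embedded redirect targets and other parameters."""
    parts = urlsplit(link)
    carrier = (parts.hostname or "").lower()
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for name in list(params):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in params.pop(name):
            target = urlsplit(value)
            host = (target.hostname or "").lower()
            if target.scheme not in ("http", "https") or not host:
                continue
            flags = []
            if host != carrier:
                flags.append("off-site redirect")
            if is_ip_literal(host):
                flags.append("raw IP target")
            if over_encoded(parts.query):
                flags.append("unreserved characters percent-encoded")
            findings.append({"param": name, "target": value, "host": host, "flags": flags})
    return {"carrier": carrier, "findings": findings, "other_params": params}
```

Run on the sample link, the parser returns `what` and `item` as separate parameters of portal.php, alongside the decoded target inside `url`.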

The site leads to http://211.46.183.52/bbs/data/__zbSessionTMP/.pp// after creating a session of your visit (stored at http://211.46.183.52/bbs/data/__zbSessionTMP/). It asks you for your login name and password. I did not want to test this because of many reasons; one being that I am not that stupid. If I assume right, it will save the user name and password. If they did it right, it would log you in also.

After playing around for some time, I decided to pay http://211.46.183.52 a visit. From what I gathered, it is a Middle School in Korea. If anyone out there knows Korean, it would be interesting to know where this school actually is. Playing around with the url, I went to http://211.46.183.52/bbs/ which led to nothing, and then to http://211.46.183.52/bbs/data/. Bingo.

Look around yourself. I am going to assume that the person who made this site (and maybe the PayPal scam site) is the webmaster or the person in charge. Also, I assume he put up this picture in /myalbum/. I found two pictures that I believe are the culprit. (Example 1; Example 2) Seems to be just a kid.
