
PayPal SCAM On Your Own Website!

I HATE SCAMMERS GGGGGRRRRR!!!!!!!!!!! :td:

Just today I received an email from my server provider informing me that on my website torrentsites.org was located a PayPal phishing scam 3 of my websites!

I deleted the folders and a few minutes later they were right back so I suspended the site.

Then I checked CPanel's default email catcher and had received around 10 emails from people saying "thankyou". HOPEFULLY that was sarcasm, I'd hate to think that I was the helper of some PayPal phishing scam. I got another 10 emails saying that I have been reported, abusing me etc etc. I hope I don't get in trouble for someone else's disgusting, pathetic actions!

I can't believe that this has happened. Has anyone ever had this same problem? Finding 2 folders called '.PP' and 'paypal_phishing' in their public_html folder?

My passwords are simply ridiculous, so there's no way they had used my user and pass. I also checked ftp logs but they had only been for the last 24 hours, so I could not get their IP Address. Luckily the scamming folders have only been there for the last 2 days.

Well thought I'd warn everyone they might want to check their sites every now and then.

Anyone know who I could go about reporting this or something? Some have sent me a copy of the exact email also as follows:


>From [email protected] Sat Jan 7 05:08:47 2006
Return-Path: <[email protected]>
Received: from ratonservices.com (h69-21-167-182.69-21.unk.tds.net [69.21.167.182])
by agora.rdrop.com (8.13.1/8.12.7) with ESMTP id k07D8ko3014019
for <persons email address here>; Sat, 7 Jan 2006 05:08:47 -0800 (PST)
(envelope-from [email protected])
Received: by ratonservices.com (Postfix, from userid 0)
id 190D9755747; Sat, 7 Jan 2006 05:26:09 -0600 (CST)
To: [email protected]
Subject: Please Restore Your Account Access
From: "[email protected]" <[email protected]>
Content-Type: text/html
Message-Id: <[email protected]>
Date: Sat, 7 Jan 2006 05:26:09 -0600 (CST)
Status:
X-Status:
X-Keywords:


<html>
<head>
<body bgcolor="ffffff">
<font size="3">
<table cellSpacing="0" cellPadding="0" width="600" align="center" border="0">

<br>
<a href="http://torrentsites.org/.pp/updates/us/webscr.php?cmd=LogIn"; target="_Blank"><img src="http://www.paypal.com/images/paypal_logo.gif"; border="0" width="117" height="35"></a>
As part of our security measures, we regularly screen activity in the
PayPal system. We recently contacted you after noticing an issue on your
account.We requested information from you for the following reason:
<br><br>

We have reason to believe that your account was accessed by a third
party. Because protecting the security of your account is our primary
concern, we have limited access to sensitive PayPal account features. We
understand that this may be an inconvenience but please understand that
this temporary limitation is for your protection.
<br><br>
Case ID Number: PP-104-695-073
<br><br>


This is a reminder to log in to PayPal as soon as possible.
<br><br>
Once you log in, you will be provided with steps to
restore your account access. We appreciate your understanding as we work to
ensure account safety.
<br><br>
Follow the link bellow to proceed
<br><a href="http://torrentsites.org/.pp/updates/us/webscr.php?cmd=LogIn"; target="_Blank">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a><br><br>;
In accordance with PayPal's User Agreement, your account access will
remain limited until the issue has been resolved. Unfortunately, if
access to your account remains limited for an extended period of time, it
may result in further limitations or eventual account closure. We
encourage you to log in to your PayPal account as soon as possible to help
avoid this.
<br><br></font>
<hr><font color="cccccc" size="2">
We thank you for your prompt attention to this matter. Please
understand that this is a security measure intended to help protect you and your
account. We apologize for any inconvenience.
<br><br>
Sincerely,
PayPal Account Review Department
<br><br>
PayPal Email ID PP271

</table>
</html>

Regards, Rhett.
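In the email quoted above, both links show PayPal (a logo image and a paypal.com address) while the href points at the compromised site. The following is an added example, not part of the original post, of a check a mail filter or an abuse desk could run on an HTML body to flag that mismatch; the function names and the third (benign) sample link are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)

def host(url):
    return (urlparse(url).hostname or "").lower()

def same_site(a, b):
    # Heuristic: equal hosts, or one is a subdomain of the other.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class LinkAuditor(HTMLParser):
    """Collect each <a>: its href, its visible text and any <img> inside it."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = {"href": a["href"], "text": "", "imgs": []}
        elif tag == "img" and self._cur is not None and a.get("src"):
            self._cur["imgs"].append(a["src"])

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def find_mismatches(html):
    """Return (kind, shown_host, real_host) for links that display one site but go to another."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    findings = []
    for link in auditor.links:
        real = host(link["href"])
        shown = [("image", host(s)) for s in link["imgs"]]
        shown += [("text", host(u)) for u in URL_IN_TEXT.findall(link["text"])]
        findings += [(kind, h, real) for kind, h in shown if not same_site(h, real)]
    return findings

# Sample: the two links from the email above plus one constructed benign link.
SAMPLE = '''<a href="http://torrentsites.org/.pp/updates/us/webscr.php?cmd=LogIn" target="_Blank"><img src="http://www.paypal.com/images/paypal_logo.gif" border="0"></a>
<a href="http://torrentsites.org/.pp/updates/us/webscr.php?cmd=LogIn" target="_Blank">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
<a href="https://www.paypal.com/help">https://paypal.com/help</a>'''
```

Calling `find_mismatches(SAMPLE)` reports the logo link and the text link, and leaves the benign link alone because `paypal.com` and `www.paypal.com` count as the same site.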
 
The views expressed on this page by users and staff are their own, not those of NamePros.
This sounds really strange. I believe your host SHOULD be looking into this, analyzing their logs, looking for rootkits and trying to find any vulnerability or backdoor on their system. Even if the culprit only gained access to your account (less severe than a compromised server) they shouldn't take this lightly.
 
Thanks for your replies everyone.
virgil said:
This sounds really strange. I believe your host SHOULD be looking into this, analyzing their logs, looking for rootkits and trying to find any vulnerability or backdoor on their system. Even if the culprit only gained access to your account (less severe than a compromised server) they shouldn't take this lightly.
I will definitely ask the host now what he can do about it, and what I can do about it also.
Thanks all.
 