Only EBay and Paypal Scams Allowed Here
On Thursday, a source of mine pointed out a live phishing Web site constructed to look exactly like eBay's user login page. Another page on the site contained an identical copy of eBay's Paypal login page (actually, both were still live at the time this was posted.)
This screen shot shows the login page for the eBay phishing site. Users entering information into the site would simply be sending their sensitive data to scam artists, not eBay.
I went poking around the phishing site and began knocking on its doors. The site's FTP service -- which site owners use to send files to and from the Web site -- was accepting connections, so I decided to fire up my FTP software and try to connect. Alas, the site was password-protected, but the message that it sends to all visitors when they try to log in indicated that this particular phishing site was being rented out to other criminals who wanted to use the site's scam pages but send out their own phishing e-mails.
The FTP server, which identified itself as "Chupala" (more on that later), displays the following message:
THIS IS THE 1st AND ONLY WARNING
*REMEMBER NO MAILERS .of any kind
(AND/OR) BANK SCAMS ALLOWED!
*ONLY eBay and Paypal SCAMS IN HERE!
*UR ACCT WILL BE SUSPENDED IF UR CAUGHT!
That's not all that will get suspended if you get caught, I thought. When I got done laughing at the prospect of a scam site posting an acceptable-use policy, it occurred to me that this whole site may be part of a "phishing kit." These kits are prepackaged sets of fake bank or e-commerce Web pages, often sold on underground Internet relay chat channels that cater to online fraudsters who want to get scams up and running with little or no effort.
I thought, what if "Chupala" is actually the name of this particular kit? A quick Google search of "chupala and eBay" turned up a cached result of an advertisement on an IRC channel for a Chupala eBay/Paypal phishing toolkit. Bingo.
This screen shot shows the "Chupala" phishing kit being offered for sale on an underground IRC channel.
Intrigued, I decided to follow the white rabbit farther down the hole and pay a visit to the IRC channel listed in the cached advertisement. I first visited this particular IRC server back in December 2004, when I spent several weeks trolling fraud forums to report a series of stories on the growing phishing epidemic.
Sure enough, there was the same set of scam pages advertised at the very top of the IRC channel: "For Paypal/Ebay Scam:Chupala." I'd found the place where our phishers purchased their scam pages. But alas, none of the guys in the channel were answering my queries, so I couldn't find out any more information, such as how much the folks behind this latest scam site had paid for the kit or how many versions of it had been sold.
By Brian Krebs | June 9, 2006; 10:19 AM ET
Posted by: deaal.com | June 9, 2006 10:59 AM
Nice sleuthing, Brian. Why do you suppose they don't want people running banking scams from that server? More risky? If that's the case, I wonder what it says about the vigor with which Ebay/Paypal combat phishing.
Posted by: Qian Wang | June 9, 2006 1:15 PM
Brian: Nice work...
"When I got done laughing at the prospect of a scam site posting an acceptable-use policy..."
I about fell out of my chair when I read what they posted....LOL.
Posted by: DOUGman | June 9, 2006 8:39 PM
Thanks for your strategic intelligence on the e-battle against scammers and phishers.
I'm thinking about a website to check out + or - banks, credit cards, internet offers, etc. and I've been playing around with the deluge of spam I got when I answered a few. While most are obvious scams [target audience: gullible morons] some appear real, such as some surveys...I think...but others I have saved to check out later; other than googling their respective company names, what would you recommend? R
Posted by: rrandyrrandy | June 10, 2006 4:40 AM
Great articles and information Brian,
Keep up the good work for us users out here. BJS
Posted by: Barry Singer | June 12, 2006 10:05 AM
Yup, yup, good work as far as it goes, Brian. But do our law enforcement types have the resources or even motivation to go after fraudsters like these jerks? Surely they are violating our laws. People (even the dumb ones) get hurt financially. Remember how police would pursue bunko artists in the old days? In my mind, there is no difference. In what country was this site?
Posted by: Pete in Arlington | June 12, 2006 12:13 PM
Knock-Knock | Who's There?
What's missing from your Story Brian? Just how does the unsuspecting victim wander to the door of this phishing web page? What if your reader here is New to Phishing?
Will it be just email bait today, or are there other forms of fishing chum that these fraudsters deploy?
PayPal is in the spotlight of today's news for an uncovered vulnerability found at its own web site. Just how is this PayPal Vulnerability being exploited and What should we be on the lookout for?
Thanks for the great work here.
Robin.D.Hood
.O)
Posted by: Robin.D.Hood | June 16, 2006 3:31 PM
I *just* got hit with a very realistic phish email. I think it was this scam. I didn't fall for it, but noticed that the log-in page was exactly identical to the ebay log-in.
Posted by: J.H | June 20, 2006 4:10 PM
The eBay scammers are still at it with more sophisticated tools, we have been tracking them for over 3 years now and even created a real time tracker of current LIVE SCAM AUCTIONS on eBay in an effort to assist SafeHarbor and Law Enforcement in tracking these scammers down.
Take a look - the tracker is at www.companyexposed.com - hope it will help in your research.
Posted by: Genie | July 29, 2006 3:03 PM
It is very easy to get source code from browsers and create pixel to pixel. Should be more careful about the credibility of the websites and also should look out for DNS name.