patrick1178@btconnect.com – notice@security.org – Another Attempted Paypal Fraud

December 14, 2011

Phishing fraudsters pretending to be from Paypal email me most days. Sometimes, they even have my real name (eBay transactions with the Muslim community are usually to blame for the name getting out there). However, you likely landed here after Googling “notice@security.org” or “patrick1178@btconnect.com”.

Paypal do not send out emails from a “security.org” address – certainly not a fake one. The domain security.org is a site about lock-picking Medeco locks (whatever they are). Nothing to do with Paypal anyway.

This email comes addressed to “Dear Paypal Customer” – which is wrong. Paypal know your name. If they are writing to you, they will use it.

Apart from the bullsh*t domain, wrong email and not knowing the name of the customer, this one has other howlers: Sending attachments – Paypal don’t do that. Specifying which browser you must open the attachment with – yeah, Paypal don’t do that either. That just means the virus they are sending you only works in insecure browsers. Spelling mistakes: A true sign of a non-English speaking scammer. I won’t highlight them so they cannot correct them when they read this.

So, here is the email:

Dear PayPal Customer,

You have added patrick1178@btconnect.com as a new email address for your Paypal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your Paypal account.

NOTE: The form needs to be opened in a modern browser which has javascript enabled (ex: Internet Explorer 7, Firefox 3, Safari 3, Opera 9)

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely, PayPal Account Review Department.


Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the “Help” link in the footer of any page.

Copyright © 1999-2011 PayPal. All rights reserved.


All rubbish of course. DO NOT open the attachment called “PersonalProfileForm-payPal.htm” – that is full of viruses! If you did, change your Paypal passwords immediately and do a virus check on your computer.

So let’s see where this fake email was sent from:

It comes from the IP 96.57.179.66 which is traced to a company called Allen Linen in North Brunswick in the USA.

Here are their contact details:

Allen Linen Supply
407 20th Ave.
Paterson, NJ 07513
Phone: (973) 742-6131
linenguy@allenlinen.com

Why not contact them and ask why someone is sending phishing emails off their server? That is surely a crime in the land of the free.

However, more digging reveals that “109.203-211-146.static.qala.com.sg” is the sender. That resolves to someone in Barnaul in Russia but has Singapore tags on it. The plot thickens when “www.edenhotelsandresorts.com 203.211.146.108” is introduced into the mix – also from the email headers. That does trace to Singapore. The site www.edenhotelsandresorts.com doesn’t work and also traces to Singapore. Here is the domain info:

Domain Name:edenhotelsandresorts.com
Record last updated at 2011-09-20 06:05:47
Record created on 1/18/2006
Record expired on 01/18/2014

Domain servers in listed order:
ns1.webdesignwebdev.com ns2.webdesignwebdev.com

Administrator:
Unit 107, Marina Residence, No.8, Kabaaye Pagoda Rd
Yangon
YGN,
MM
Mayangone

name:(Eden Group Co., Ltd.)
mail: it.mm.eden@gmail.com
+95.01650624
Eden Group Company Limited
Technical Contactor:
#3/1, Myanmar Info-Tech, Universities Hlaing Campus
Yangon
YGN,
MM
11052

name:(Zaw HTUT)
mail: it.mm.eden@gmail.com
+1.7079880300
Myanmars.NET
Billing Contactor:
Unit 107, Marina Residence, No.8, Kabaaye Pagoda Rd
Yangon
YGN,
MM
Mayangone

name:(Eden Group Co., Ltd.)
mail: it.mm.eden@gmail.com
+95.01650624
Eden Group Company Limited

Registration Service Provider:
name: Myanmars.NET
tel: +95.01652250
fax: +1.7079880300
web:http://www.myanmars.net

So what we have here is likely a scammer from Singapore routing through a proxy server in Russia, and again through another via an innocent linen company in the US to send you his Paypal scam email. Now don’t go writing about his scheme on the internet will you? Dammit…….. I just did!
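The giveaways listed in this post (a sender domain that is not Paypal's, a generic greeting, an HTML attachment) and the hop-by-hop reading of the Received headers can be checked automatically. The following Python is an added example, not part of the original post; the message is constructed from the sender address, IPs, hostname and attachment name quoted above, while the relay names, dates and header layout are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample: sender address, IPs, hostname and attachment name are the
# ones quoted in the post; relay names, dates and header layout are assumed.
RAW = """\
Received: from relay.example ([96.57.179.66]) by mx.recipient.example; Wed, 14 Dec 2011 09:00:02 +0000
Received: from www.edenhotelsandresorts.com ([203.211.146.108]) by relay.example; Wed, 14 Dec 2011 09:00:01 +0000
From: "PayPal" <notice@security.org>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear PayPal Customer,
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="PersonalProfileForm-payPal.htm"

<html></html>
--b1--
"""
MSG = message_from_string(RAW)

def relay_chain(msg):
    """Return (host, ip) for each Received header, newest hop first."""
    hops = []
    for header in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\(.*?\[([0-9.]+)\]", header)
        if m:
            hops.append(m.groups())
    return hops

def red_flags(msg, brand="paypal", brand_domain="paypal.com"):
    """Flag the giveaways the post lists: sender domain, greeting, attachment."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    on_brand = domain == brand_domain or domain.endswith("." + brand_domain)
    if brand in name.lower() and not on_brand:
        flags.append("sender-domain-mismatch")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith((".htm", ".html")):
            flags.append("html-attachment")
        elif part.get_content_type() == "text/plain" and re.search(
                r"dear\s+paypal\s+(customer|member|user)", str(part.get_payload()), re.I):
            flags.append("generic-greeting")
    return flags
```

Only the topmost Received line is written by your own mail server; every line below it was supplied by an upstream sender and can be forged, so treat the lower hops as leads rather than proof of origin.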

6 thoughts on “patrick1178@btconnect.com – notice@security.org – Another Attempted Paypal Fraud”

  1. ramona in Tolyo

    Thank you so much for the information. Net dummies like me need it!

  2. mike

    thanks for tracing this – interesting how you found out all this info – the scumbags also sent me this fake email and I googled to see if anybody else had it

    Keep up the good work
    Rgds
    Mike

  3. Editor Post author

    Mike, all this info is out there and can be had from the net in minutes, if you know how and where to look using the email headers attached to any email.

    The reason the final routing is through the servers of a random company in the US is so email servers around the world don’t treat it as spam mail as they might with mail visibly originating in Russia or Singapore.

    Notice the address of the domain above is a campus. This is likely IT students in Singapore. Students are often behind such things.

    Professionals can cover their internet tracks better and know how to spell!

  4. Bradley Pool

    Thanks for that. Interesting to know the ins and outs of scammers. I always report fake paypal e-mails to paypal so they can investigate it. They should employ someone with your skill to track them down. Excellent work!!

  5. Ramona in Tokyo

    Thanks again! I just got another of these e-mails and have warned everyone on my staff not to open them.

    Ramona in Tokyo

  6. BEEARY58

    why does this yoyo keep using my email………. (patrick1178@btconnect.com )
