Only EBay and Paypal Scams Allowed Here
On Thursday, a source of mine pointed out a live phishing Web site constructed to look exactly like eBay's user login page. Another page on the site contained an identical copy of eBay's Paypal login page (actually, both were still live at the time this was posted).
I went poking around the phishing site and began knocking on its doors. The site's FTP service -- which site owners use to send files to and from the Web site -- was accepting connections, so I decided to fire up my FTP software and try to connect. Alas, the site was password-protected, but the message that it sends to all visitors when they try to log in indicated that this particular phishing site was being rented out to other criminals who wanted to use the site's scam pages but send out their own phishing e-mails.
The FTP server, which identified itself as "Chupala" (more on that later), displays the following message:
THIS IS THE 1st AND ONLY WARNING
*REMEMBER NO MAILERS .of any kind
(AND/OR) BANK SCAMS ALLOWED!
*ONLY eBay and Paypal SCAMS IN HERE!
*UR ACCT WILL BE SUSPENDED IF UR CAUGHT!
That's not all that will get suspended if you get caught, I thought. When I got done laughing at the prospect of a scam site posting an acceptable-use policy, it occurred to me that this whole site may be part of a "phishing kit." These kits are prepackaged sets of fake bank or e-commerce Web pages, often sold on underground Internet relay chat channels that cater to online fraudsters who want to get scams up and running with little or no effort.
I thought, what if "Chupala" is actually the name of this particular kit? A quick Google search of "chupala and eBay" turned up a cached result of an advertisement on an IRC channel for a Chupala eBay/Paypal phishing toolkit. Bingo.
Intrigued, I decided to follow the white rabbit farther down the hole and pay a visit to the IRC channel listed in the cached advertisement. I first visited this particular IRC server back in December 2004, when I spent several weeks trolling fraud forums to report a series of stories on the growing phishing epidemic.
Sure enough, there was the same set of scam pages advertised at the very top of the IRC channel: "For Paypal/Ebay Scam:Chupala." I'd found the place where our phishers purchased their scam pages. But alas, none of the guys in the channel were answering my queries, so I couldn't find out any more information, such as how much the folks behind this latest scam site had paid for the kit or how many versions of it had been sold.