Only EBay and Paypal Scams Allowed Here

On Thursday, a source of mine pointed out a live phishing Web site constructed to look exactly like eBay's user login page. Another page on the site contained an identical copy of eBay's Paypal login page (actually, both were still live at the time this was posted).

This screen shot shows the login page for the eBay phishing site. Users entering information into the site would simply be sending their sensitive data to scam artists, not eBay.

I went poking around the phishing site and began knocking on its doors. The site's FTP service -- which site owners use to send files to and from the Web site -- was accepting connections, so I decided to fire up my FTP software and try to connect. Alas, the site was password-protected, but the message that it sends to all visitors when they try to log in indicated that this particular phishing site was being rented out to other criminals who wanted to use the site's scam pages but send out their own phishing e-mails.

The FTP server, which identified itself as "Chupala" (more on that later), displays the following message:

*ONLY eBay and Paypal SCAMS IN HERE!

That's not all that will get suspended if you get caught, I thought. When I got done laughing at the prospect of a scam site posting an acceptable-use policy, it occurred to me that this whole site may be part of a "phishing kit." These kits are prepackaged sets of fake bank or e-commerce Web pages, often sold on underground Internet relay chat channels that cater to online fraudsters who want to get scams up and running with little or no effort.

I thought, what if "Chupala" is actually the name of this particular kit? A quick Google search of "chupala and eBay" turned up a cached result of an advertisement on an IRC channel for a Chupala eBay/Paypal phishing toolkit. Bingo.

This screen shot shows the "Chupala" phishing kit being offered for sale on an underground IRC channel.

Intrigued, I decided to follow the white rabbit farther down the hole and pay a visit to the IRC channel listed in the cached advertisement. I first visited this particular IRC server back in December 2004, when I spent several weeks trolling fraud forums to report a series of stories on the growing phishing epidemic.

Sure enough, there was the same set of scam pages advertised at the very top of the IRC channel: "For Paypal/Ebay Scam:Chupala." I'd found the place where our phishers purchased their scam pages. But alas, none of the guys in the channel were answering my queries, so I couldn't find out any more information, such as how much the folks behind this latest scam site had paid for the kit or how many versions of it had been sold.

By Brian Krebs  |  June 9, 2006; 10:19 AM ET
Categories:  From the Bunker  
© 2010 The Washington Post Company