Ping (zestyping) wrote,

Trying to stop phishers.

Today at 4:10 pm, i received an e-mail message addressed from service@paypal.com with the subject line "PayPal Notification: Upgrade your information". I get these scams all the time, especially since i recently told my spam filter to let them through so i can collect them. When i added this one to my collection i noticed i had gathered over a hundred specimens. A hundred scams is a lot. It bugged me, so i thought i'd do something about this one.

You can see the entire scam message here with its headers. The body is a forged message from PayPal formatted in HTML, which i've posted here in case you want to check it out.

The second Received line shows the message being sent from xxx.lugardesexo.com. The IP address on that line checks out: xxx.lugardesexo.com resolves to 216.127.92.116, and 216.127.92.116 reverse-resolves to ns0.lugardesexo.com.

The message body asks me to log in on a scam page at http://paypal.l8t.com/, which is actually a frame around the real scam page at http://www.sexohuanuco.com/. And where is sexohuanuco.com? It resolves to the same address as the source of the message — 216.127.92.116.

A quick call to traceroute reveals that ev1.net hosts the site:

    % traceroute www.sexohuanuco.com
    traceroute to sexohuanuco.com (216.127.92.116), 30 hops max, 38 byte packets
    ...
    9 216-54-253-2.gen.twtelecom.net (216.54.253.2) 11.643 ms 11.568 ms 11.597 ms
    10 ivhou-207-218-245-28.ev1.net (207.218.245.28) 11.553 ms 11.630 ms 11.534 ms
    11 ivhou-207-218-245-126.ev1.net (207.218.245.126) 11.636 ms 11.542 ms 11.568 ms
    12 ns0.lugardesexo.com (216.127.92.116) 11.659 ms 11.830 ms 11.823 ms

I called EV1's customer service number to report abuse. After getting through the touch-tone menu, i finally got a person and explained about the problem. He told me to send my complaint to abuse@ev1servers.net instead. So i wrote a message explaining the whole thing and mailed it off at 4:24 pm.

Both domains, lugardesexo.com and sexohuanuco.com, are registered at Go Daddy. So i called Go Daddy as well. I got through to a person pretty quickly, but she couldn't help me either, and told me to send my report to abuse@godaddy.com instead. This i did, at 4:34 pm.

At 4:46 pm, i received a reply from the "Ev1servers.net Abuse Team" thanking me for my report.

    Dear Sir or Madam,

    We appreciate you bringing this to our attention. This issue is currently being investigated. Due to privacy policies we will most likely not be able to provide you with information regarding the outcome of our investigation.

    Regards,
    Jennifer
    Abuse Team
    Everyones Internet
    Ev1servers.net

It is now 2:00 am. That's over 9 hours since EV1 said the issue was "being investigated". Go Daddy has not responded. And the scam site is still up, collecting PayPal passwords.

Why hasn't anyone at either company spared the two minutes necessary to glance at the site, recognize that it's an obvious scam, and shut off its network connection?
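
The header and DNS checks done by hand in the post above, as an added Python example that is not part of the original post. The message and the lookup table are constructed: the lugardesexo and sexohuanuco names, 216.127.92.116 and the paypal.l8t.com link come from the post, while the header layout, the example.* hosts, the 192.0.2.x addresses and the dates are placeholders, and all function names are hypothetical.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample. The two lugardesexo names, 216.127.92.116 and the link are
# from the post; header layout, example.* hosts, 192.0.2.x and dates are placeholders.
RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.25])
\tby mail.example.org with ESMTP; Thu, 01 Jan 1970 00:00:02 +0000
Received: from xxx.lugardesexo.com (ns0.lugardesexo.com [216.127.92.116])
\tby mx.example.net with SMTP; Thu, 01 Jan 1970 00:00:01 +0000
From: service@paypal.com
Subject: PayPal Notification: Upgrade your information
Content-Type: text/html

<a href="http://paypal.l8t.com/">Log in</a>
"""
# Constructed lookup table standing in for live DNS (socket.gethostbyname).
LOOKUP = {
    "xxx.lugardesexo.com": "216.127.92.116",
    "www.sexohuanuco.com": "216.127.92.116",
    "paypal.l8t.com": "192.0.2.80",  # placeholder; the post gives no address
}
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
MSG = message_from_string(RAW)

def received_hops(msg):
    """Return (helo_name, rdns_name, ip) for each Received header, newest first."""
    found = (HOP.search(" ".join(v.split())) for v in msg.get_all("Received", []))
    return [m.groups() for m in found if m]

def helo_resolves_to_hop(hop, resolve):
    """True when the name the sender announced resolves to the IP the relay logged."""
    return resolve(hop[0]) == hop[2]

def link_hosts(msg):
    """Hostnames of every http(s) URL in a single-part body."""
    urls = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    return sorted({urlparse(u).hostname for u in urls})

def hosts_on_relay_ips(msg, hosts, resolve):
    """Map each host to its IP when that IP also appears in a Received hop."""
    relay_ips = {ip for _, _, ip in received_hops(msg)}
    return {h: resolve(h) for h in hosts if resolve(h) in relay_ips}

if __name__ == "__main__":
    # www.sexohuanuco.com is the framed page the post found behind the link.
    hosts = link_hosts(MSG) + ["www.sexohuanuco.com"]
    print(received_hops(MSG)[1], hosts_on_relay_ips(MSG, hosts, LOOKUP.get))
```

Only Received lines written by relays you control can be trusted; anything below the first outside hop is supplied by the sender and may be forged.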