kgrr-clan.de - Phishing Attempt

Neophyte
Posts: 1433
Joined: Tue Feb 25, 2003 2:44 pm
Location: San Diego, CA.

kgrr-clan.de - Phishing Attempt

Post by Neophyte »

I got a strange email in my inbox today. It said that I had spent $119.88 with PayPal to Starbucks Coffee. I was quite shocked, and wanted to make sure that I didn't accidentally subscribe to anything which would have made this purchase automatic. But then, I realized that the message, although it looked legitimate, was a fake. The group who sent it were Phishing me. (Trying to appear as a large business in order to steal your information.) Had I actually tried to cancel with them they would probably have my PayPal information and then use it against me.

Something that didn't add up:

A) I don't drink coffee.
B) The email account receiving the message is not my PayPal Account.
C) The URLs within the message are not legitimate.

Don't let this happen to you! Here's the exact email that they sent me:

Image

How can you tell that this message is a fake? Look for things to confirm or cancel payment. Then try to find those words in the message body. Here, they tell me to click "Deny Payment" to stop the fake transaction. When you find those words look for an "A HREF=" link and see if it points to a legitimate site. In this case, it points to "http://kgrr-clan.de/docs/vwar/backup/.% ... /index.htm" THIS IS NOT PAYPAL!!! If you actually go to that site, they have a very authentic PayPal looking website. And I'm sure they have all the pages necessary to steal your information.

That site is right here, notice the URL is not PayPal!
Image

Here's the actual body of the email that they sent me:


Return-path: <aw>
Received: from ASSP-nospam (****.net [127.0.0.1]) by ****.net
 (Vircom SMTPRS 4.5.186) with SMTP id <B0000012715> for <net>;
 Sat, 24 Jun 2006 10:41:04 -0700
Received: from 204.16.252.100 ([204.16.252.100] helo=mail1.no-ip.com) by 
 ASSP-nospam ; 24 Jun 06 17:41:01 -0000
Received: (qmail 16146 invoked by uid 89); 24 Jun 2006 17:40:44 -0000
Received: from unknown (HELO soaserver3.architecture.local) (208.141.108.121)
  by mail1.no-ip.com with SMTP; 24 Jun 2006 17:40:42 -0000
Received: from hci1 ([68.33.211.140]) by soaserver3.architecture.local with 
 Microsoft SMTPSVC(6.0.3790.1830);
	 Sat, 24 Jun 2006 12:40:30 -0500
From: "PayPal"<aw>
Subject: Payment confirmation for StarbucksStore
Date: Sat, 24 Jun 2006 13:40:52 -0400
MIME-Version: 1.0
Content-Type: text/html;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: aw-confirms@paypal.com
Message-ID: <SOASERVER3K6UtEnUyR00003b73>
X-OriginalArrivalTime: 24 Jun 2006 17:40:31.0064 (UTC) FILETIME=[49DB9580:01C697B5]
X-Assp-Spam-Prob: 0.00128
X-Assp-Envelope-From: aw-confirms@paypal.com

<HTML>
<HEAD>
<META>
<TITLE></TITLE>
</HEAD>
<BODY><FONT></FONT><FONT></FONT><FONT></FONT><FONT></FONT><FONT>
</FONT><FONT></FONT><FONT></FONT><FONT>
</FONT><FONT></FONT><FONT></FONT><BR>
<TABLE>
  <TBODY>
  <TR>
    <TD><A href="http://kgrr-clan.de/docs/vwar/backup/.%20/www.paypal.com/index.htm">
      <FONT><IMG src="http://images.paypal.com/en_US/i/logo/email_logo.gif"></FONT></A>
      </TD></TR>
      </TBODY></TABLE>
<TABLE>
  <TBODY>
  <TR>
    <TD><FONT><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif"></FONT>
      </TD></TR>
  <TR>
    <TD><FONT><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif"></FONT>
      </TD></TR>
      </TBODY></TABLE>
<TABLE>
  <TBODY>
  <TR>
    <TD><FONT></FONT></TD></TR></TBODY></TABLE>
<TABLE>
  <TBODY>
  <TR>
    <TD>
      <TABLE>
        <TBODY>
        <TR>
          <TD>
            <TABLE>
              <TBODY>
              <TR>
                <TD>
                  <TABLE>
                    <TBODY>
                    <TR>
                      <TD><FONT><STRONG>Get 
                        Verified</STRONG></FONT></TD></TR></TBODY></TABLE>
                  <TABLE>
                    <TBODY>
                    <TR>
                      <TD><FONT><FONT><FONT><SPAN>Get 
                        Verified--Your Key to More Security and Free 
                        Features</SPAN><BR><BR>Get Verified and help increase 
                        the security of your PayPal transactions for yourself 
                        and for everyone with whom you do business. You can 
                        also: </FONT></FONT></FONT>
                        <UL>
                          <LI><FONT>Fund 
                          purchases directly from your checking or savings 
                          account, in addition to using credit cards </FONT>
                          <LI><FONT>Improve 
                          your reputation by letting others know you're a 
                          confirmed, Verified member of the PayPal community 
                          </FONT>
                          <LI><FONT>Send 
                          money to friends, family, and PayPal Personal Account 
                          holders</FONT></LI></UL>
                        <TABLE>
                          <TBODY>
                          <TR>
                            <TD>
                              <TABLE>
                                <TBODY>
                                <TR>
                                <TD><FONT><STRONG><A href="http://kgrr-clan.de/docs/vwar/backup/.%20/www.paypal.com/index.htm">
         Accept Payment</A></STRONG></FONT></TD></TR></TBODY></TABLE></TD></TR>
</TBODY></TABLE><BR></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
            <TABLE>
              <TBODY>
              <TR>
                <TD>
                  <TABLE>
                    <TBODY>
                    <TR>
                      <TD><SPAN><FONT><STRONG>Protect Your Account 
                        Info</STRONG></FONT></SPAN></TD></TR></TBODY></TABLE>
                  <TABLE>
                    <TBODY>
                    <TR>
                      <TD><FONT>Make sure you never provide your password to 
                        fraudulent websites.<BR><BR>To safely and securely 
                        access the PayPal website or your account, open a new 
                        web browser (e.g. Internet Explorer or Netscape) and 
                        type in the PayPal URL to be sure you are on the real 
                        PayPal website.<A href="http://kgrr-clan.de/docs/vwar/backup/.%20/www.paypal.com/index.htm">
                        <SPAN>https:://www.paypal.com/us</SPAN>/</A>) 
                        to be sure you are on the real PayPal 
                        site.<BR><BR>PayPal will never ask you to enter your 
                        password in an email.<BR><BR>For more information on 
                        protecting yourself from fraud, please review our 
                        Security Tips at <SPAN>. <A href="http://kgrr-clan.de/docs/vwar/backup/.%20/www.paypal.com/index.htm">ht<A href="http://kgrr-clan.de/docs/vwar/backup/.%20/www.paypal.com/index.htm">
tps://www.paypal.com/us/securitytips</A></A></A></A></A>/</A></SPAN><BR><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif"></FONT></TD></TR></TBODY></TABLE>
              </TD></TR></TBODY></TABLE>
            <TABLE>
              <TBODY>
              <TR>
                <TD>
                  <TABLE>
                    <TBODY>
                    <TR>
                      <TD><FONT><STRONG>Protect Your 
                        Password</STRONG></FONT></TD></TR></TBODY></TABLE>
                  <TABLE>
                    <TBODY>
                    <TR>
                      <TD><FONT>You should <SPAN><STRONG>never</STRONG></SPAN> give your 
                        PayPal password to anyone, including PayPal 
                        employees.
                        <BR><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif"></FONT></TD></TR></TBODY></TABLE>
              </TD></TR></TBODY></TABLE></TD></TR>
        <TR>
          <TD><FONT></FONT></TD></TR></TBODY></TABLE>
          <FONT>Dear Customer,<BR><BR></FONT>
      <P><FONT>This email confirms that you 
      have a pending payment to </FONT><A href="mailto:admin@starbucks.com">
      <FONT>Starbucks</FONT></A>
      <FONT> (</FONT>
      <A href="mailto:sales@starbucks.com"><FONT>sales@starbucks.com</FONT></A><FONT>)
       $119.88 USD using PayPal.<BR><BR>This credit card 
      transaction will appear on your bill as "PAYPAL 
      *StarbucksStore".<BR><BR><BR></FONT></P><FONT>
      <HR>

      <HR>
      </FONT>
      <P><FONT>Payment 
      Details</FONT></P>
      <TABLE>
        <TBODY>
        <TR>
          <TD><FONT>Transaction ID:</FONT></TD>
          <TD><FONT><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif">
            </FONT></TD>
          <TD><FONT>6BU26546N1998200E</FONT></TD></TR>
        <TR>
          <TD><FONT>Sales Tax:</FONT></TD>
          <TD><FONT><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif">
            </FONT></TD>
          <TD><FONT>$12.22 
          USD</FONT></TD></TR>
        <TR>
          <TD><FONT>Total:</FONT></TD>
          <TD><FONT><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif">
            </FONT></TD>
          <TD><FONT>$119.88 
          USD</FONT></TD></TR>
        <TR>
          <TD><FONT>Item/Product Name:</FONT></TD>
          <TD><FONT><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif">
            </FONT></TD>
          <TD><FONT>House Blend Coffee, 1-lb.
          </FONT></TD></TR>
        <TR>
          <TD><FONT></FONT></TD>
          <TD><FONT><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif">
            </FONT></TD>
          <TD><FONT></FONT></TD></TR>
        <TR>
          <TD><FONT></FONT></TD>
          <TD><FONT><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif">
            </FONT></TD>
          <TD><FONT></FONT></TD></TR></TBODY></TABLE><FONT>
      <HR>
      <BR><BR></FONT>
      <P><FONT>Business 
      Information</FONT></P>
      <TABLE>
        <TBODY>
        <TR>
          <TD><FONT>Business:</FONT></TD>
          <TD><FONT><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif">
            </FONT></TD>
          <TD><FONT><A href="http://www.starbucksstore.com/paypal/">StarbucksStore</A>
            </FONT></TD></TR>
        <TR>
          <TD><FONT>Contact E-Mail:</FONT></TD>
          <TD><FONT><IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif">
            </FONT></TD>
          <TD><FONT><A href="mailto:info@starbucks.com">
            info@starbucks.com</A></FONT></TD></TR>
</TBODY></TABLE><FONT>
      <HR>
      <BR>If you have questions about the shipping and tracking of your 
      purchased item or service, please contact StarbucksStore at <A href="mailto:sales@sturbucksstore.com">
        sales@sturbucksstore.com</A>.<BR><BR>
      <HR>
      <BR></FONT>
      <P><FONT>Get Verified _ Your 
      Key to More Security and Free Features
      <IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif"></FONT></P>
      <P><FONT>Get Verified and help increase the 
      security of your PayPal transactions for yourself and for everyone with 
      whom you do business. You can also:</FONT></P>
      <UL>
        <LI><FONT>Fund purchases directly from your 
        checking or savings account, in addition to using credit cards </FONT>
        <LI><FONT>Improve your reputation by letting 
        others know you're a confirmed, Verified member of the PayPal community 
        </FONT>
        <LI><FONT>If you do not wish to proceed with 
        the payment please click on "Deny Payment" link under and follow the 
        instructions</FONT></LI></UL>
      <TABLE><TBODY>
        <TR>
          <TD><STRONG><FONT>
          <IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif">
            </FONT></STRONG><SPAN><FONT><STRONG>
<A href="http://kgrr-clan.de/docs/vwar/backup/.%20/www.paypal.com/index.htm">
Deny Payment</A></STRONG></FONT></SPAN></TD></TR></TBODY></TABLE>
<BR><FONT><FONT><FONT>
<IMG alt="" src="http://images.paypal.com/en_US/i/scr/pixel.gif">
      </FONT>Thank you for using PayPal!<BR>
      The PayPal Team<BR><BR> </FONT></FONT> 
      <P></P>
      <P><FONT>Please do not reply 
      to this email. This mailbox is not monitored and you will not receive a 
      response. For assistance, </FONT>
      <A href="https://www.uspaymentsystem.com/paypal.htm"><FONT>log 
      in</FONT></A><FONT> to your PayPal account and 
      choose the Help link located in the top right corner of any PayPal 
      page.<BR><BR>To receive email notifications in plain text 
      instead of HTML, update your preferences </FONT><A href="http://kgrr-clan.de/docs/vwar/backup/.%20/www.paypal.com/index.htm">
      <FONT>here</FONT>
      </A><FONT>.</FONT></P><BR><BR><SPAN><BR><SPAN><FONT>PayPal 
      Email ID PP120</FONT></SPAN></SPAN></TD></TR></TBODY></TABLE>
</BODY>
</HTML>


Be careful! I don't know where they stole my email address from, but it's an address I rarely use for sign-up with web sites. And one that I've used for some gaming organizations.
Neophyte[CotC]
Member since 1996

Image
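The check described in the post above (find each "A HREF=" and see where it really points), as an added example that is not part of the original thread. The names `BRAND`, `BRAND_DOMAIN`, `LinkCollector` and `suspicious_links` are assumptions made for illustration, and the sample is constructed from anchors in the posted message plus one control link that was not in it.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

BRAND = "paypal"              # assumption: brand the mail claims to come from
BRAND_DOMAIN = "paypal.com"   # assumption: the only host family that is legitimate

# Constructed sample: three anchors as they appear in the posted mail, plus one
# genuine-looking control link that is NOT in the original message.
SAMPLE = """
<A href="http://kgrr-clan.de/docs/vwar/backup/.%20/www.paypal.com/index.htm">Deny Payment</A>
<A href="http://kgrr-clan.de/docs/vwar/backup/.%20/www.paypal.com/index.htm"><SPAN>https:://www.paypal.com/us</SPAN>/</A>
<A href="mailto:info@starbucks.com">info@starbucks.com</A>
<A href="https://www.paypal.com/us/securitytips">control link</A>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lower-cases tag and attribute names
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (host, text, reasons) for web links that only look like the brand."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        on_brand = host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)
        if url.scheme not in ("http", "https") or on_brand:
            continue  # mailto: links and links that really go to the brand
        checks = [("brand in path, not in host", unquote(url.path)),
                  ("link text shows brand", text)]
        reasons = [why for why, value in checks if BRAND in value.lower()]
        if reasons:
            findings.append((host, text, reasons))
    return findings
```

The host is compared as a whole domain suffix, so `www.paypal.com` placed in the path of another site, as in this mail, never counts as a match.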
KrAzYdAvE
Posts: 2121
Joined: Wed Feb 26, 2003 12:35 am

Post by KrAzYdAvE »

I've seen this going around a few times.
The CEO of my company actually fell for it once too...
Scion
Ghandi
Posts: 523
Joined: Wed Feb 26, 2003 12:41 pm
Location: Toledo, OH.

Post by Scion »

Yeah, I've gotten a couple bad paypal emails recently, too. Very yucky stuff. Can't be too careful. :evil:
D.A.R.K.[CotC]
Legatus - Legion 2
Posts: 1186
Joined: Tue Feb 08, 2005 9:11 pm
Location: Michigan

Post by D.A.R.K.[CotC] »

My mom's gotten a couple of those, and a bunch more from people trying to steal her eBay account, so many to the point that someone had successfully hacked my mom's eBay account, and she had to shut it down and create a new one.
dark [CotC]

Image

Image

"Try not. Do, or do not, there is no try"
BD
First Veteran
Posts: 1757
Joined: Wed Feb 26, 2003 12:01 am
Location: OC, CA
Contact:

Re: kgrr-clan.de - Phishing Attempt

Post by BD »

Neophyte wrote: Return-path: <aw>
Crap... busted. :wink:
Image
Image
Image
TooLBlue
Posts: 295
Joined: Fri Feb 24, 2006 1:04 pm

Post by TooLBlue »

I suppose I've been lucky that I haven't seen anybody phishing for my paypal account.

Then again... because I have gamespy, newegg, and tigerdirect newsletters as an exception for my filters the email might have been lost beneath the several hundred unread emails I'm 'collecting'.
Shogg
<Blades of Wrath>
http://www.bowguild.org
Image