Archive for February 25th, 2006

Phishing Phollowup

Saturday, February 25th, 2006

The fake PayPal address I was given was this (it was disguised in the hyperlink):

http://www.paypal.com.webscrz.us:808/us/cgi-bin/login.html

Using webscrz.us brings up an Under Construction page.

Using webscrz.us:808 brings up... nothing.

Using www.paypal.com.webscrz.us:808 brings up a weird foreign page.

Using www.paypal.com.webscrz.us:808/us brings up a Forbidden page...
...and also translates the address to gms4.co.kr/us/

Using gms4.co.kr/us/cgi-bin also brings up a Forbidden page.

Using gsm4.co.kr/us/cgi-bin/login.html brings up a convincing PayPal login screen.
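Taking the hostname apart the way the post does above, as an added example that is not from the original post: a small Python check that reports which domain actually owns a link, which trusted brand names are only decoy labels in front of it, and whether the port is unusual. The trusted-brand list and the tiny suffix table are assumptions; a real tool would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed input: the brands the reader actually has accounts with.
TRUSTED_BRANDS = {"paypal.com"}
# Tiny stand-in for the Public Suffix List so that gsm4.co.kr is not reduced to co.kr.
MULTI_LABEL_SUFFIXES = {"co.kr", "co.uk", "com.au"}

def registrable_domain(host: str) -> str:
    """Return the part of the hostname that the registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    keep = suffix_len + 1
    return ".".join(labels[-keep:])

def decoy_brands(host: str) -> list:
    """Brands whose full domain appears as labels inside host but does not own it."""
    labels = host.lower().rstrip(".").split(".")
    owner = registrable_domain(host)
    found = []
    for brand in TRUSTED_BRANDS:
        if brand == owner or host.lower().endswith("." + brand):
            continue  # the brand really owns this host
        b = brand.split(".")
        for i in range(len(labels) - len(b) + 1):
            if labels[i:i + len(b)] == b:
                found.append(brand)  # brand.com sits in front of someone else's domain
                break
    return sorted(found)

def analyse(url: str) -> dict:
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    decoys = decoy_brands(host)
    return {
        "host": host,
        "port": port,
        "owner": registrable_domain(host),
        "decoy_brands": decoys,
        "suspicious": bool(decoys) or port not in (80, 443),
    }

if __name__ == "__main__":
    # Constructed samples: the link from the post, a legitimate one, and the redirect target.
    for u in ("http://www.paypal.com.webscrz.us:808/us/cgi-bin/login.html",
              "https://www.paypal.com/us/cgi-bin/webscr",
              "http://gsm4.co.kr/us/cgi-bin/login.html"):
        print(analyse(u))
```

The check only looks at the hostname and port, so the final gsm4.co.kr link passes it; that is exactly why the post's next step of looking at the page itself still matters.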

After I logged in with a fake email and password (on another computer), it took me to gsm4.co.kr/us/cgi-bin/protect.php, which asks for all your personal information, something PayPal would never ever do in such a fashion.

Once you fill it in with extremely bogus information (it accepted letters for the credit card? haha), it dumps you at the REAL PayPal site. I signed in with a fake account, so it dropped me at the log-in screen saying I'm invalid... so I don't know where it'll take you when you give it a REAL account.

I just finished a portscan on gsm4.co.kr:

21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
184/tcp open ocserver
3306/tcp open mysql
9776/tcp open unknown
20001/tcp open unknown
32768/tcp open unknown
45680/tcp open unknown

Nmap also thinks it's running an "i686-pc-linux-gnu" system.

Feel free to do whatever you want with this information. :P

Woah, man.

Saturday, February 25th, 2006

So here I was, finishing up some daily auctions email housekeeping and I decided to log into GMail directly and see how much space I had left. (I'm only using about 38MB of 3GB, heh.) While I was there, I noticed two messages in Spam.

Great... might as well see what they are just to make sure.
Hmm... they're from PayPal. Better un-Spam them and download them.
So I did.

Once they downloaded, I pulled up the latest one, which was called "PayPal Account Issue" from "PayPal Customer Support", which was the first clue I missed. I read it and it claimed it thought there was unauthorized access on my account, and I should verify my identity. So I did... and Thunderbird (as it always does) went "HEY! I THINK THIS IS A SCAM! ARE YOU SURE YOU WANT TO GO TO (website that wasn't PAYPAL'S SITE!!)"... I about had a heart attack.

I was SO CLOSE to being phished out of my PayPal account information... and Thunderbird's feature that I hated so much actually saved me. (Heck, even Google was smart enough to label it SPAM!! and lock it away.)

So I checked the other Spam message and it was an elaborately constructed PayPal "Payment Sent" email saying I'd purchased a $400 watch. Which I then double-checked against the REAL PayPal records and nope... no REAL purchase.

So the villain faked a payment email, then, a few days later, sent a message that faked PayPal saying "hey! something's up!" Pretty ingenious, really... considering it almost fooled me... and I pretty much feel like a fool for needing Thunderbird to wake me up. Because after I examined the other emails closely, there were major flaws that set them apart from PayPal's stuff.

...and that, kids, is why you should never disable safeguards, even when you think you know what you're doing. (Thank God I didn't when I was thinking about doing it a few days ago.) It's also a good lesson that you should always do record comparisons on stuff like this. I had a moment of stupidity and it could have ended very, very badly.

TW was right. Today is, officially, a bad day.
Except he was talking about yesterday... technically.
...and about other stuff... and yeah. But still.