Phishing Phollowup

The fake PayPal address I was given was this (it was disguised in the hyperlink):

http://www.paypal.com.webscrz.us:808/us/cgi-bin/login.html

Using webscrz.us brings up an Under Construction page.

Using webscrz.us:808 brings up... nothing.

Using www.paypal.com.webscrz.us:808 brings up a weird foreign page.

Using www.paypal.com.webscrz.us:808/us brings up a Forbidden page...
...and also translates the address to gms4.co.kr/us/

Using gms4.co.kr/us/cgi-bin also brings up a Forbidden page.

Using gsm4.co.kr/us/cgi-bin/login.html brings up a convincing PayPal login screen.

Having logged in with a fake email and password (on another computer), it took me to gsm4.co.kr/us/cgi-bin/protect.php, which asks for all your personal information. Something PayPal would never ever do in such a fashion.

After having filled it in with extremely bogus information (it accepted letters for the credit card? haha), it dumps you at the REAL PayPal site. I signed in with a fake account, so it dropped me at the log-in screen saying I'm invalid... so I don't know where it'll take you when you give it a REAL account.

I just finished a portscan on gsm4.co.kr:

21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
184/tcp open ocserver
3306/tcp open mysql
9776/tcp open unknown
20001/tcp open unknown
32768/tcp open unknown
45680/tcp open unknown

Nmap also thinks it's running an "i686-pc-linux-gnu" system.

Feel free to do whatever you want with this information. :P
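
The disguised link at the top of this post puts "www.paypal.com" in front of a domain someone else registered (webscrz.us) and uses an odd port. The following Python check flags both traits in a link target. It is an added example, not code from the original post. It assumes a tiny constructed suffix set in place of the full Public Suffix List, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: a small constructed stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.kr", "co.uk", "com.au"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def registrable_domain(host):
    """Return the domain someone actually registered (suffix plus one label)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url, brand_domains):
    """Return (registrable_domain, findings) for one link target."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    for brand in brand_domains:
        if reg == brand:
            continue  # genuinely on the brand's own domain
        # The brand appears as whole labels inside another party's hostname.
        if f".{brand}." in f".{host}.":
            findings.append(f"brand-in-subdomain:{brand}")
    port = parts.port
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        findings.append(f"nonstandard-port:{port}")
    if parts.scheme != "https":
        findings.append("no-tls")
    return reg, findings


if __name__ == "__main__":
    # The first URL is the one quoted in the post; the second is a constructed control.
    for link in ("http://www.paypal.com.webscrz.us:808/us/cgi-bin/login.html",
                 "https://www.paypal.com/signin"):
        print(link, check_link(link, ["paypal.com"]))
```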
