[ISN] Malaysian government portal used in PayPal phishing scam

Tue Nov 21 00:49:26 CST 2006

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9005231

By Robert McMillan
November 20, 2006
IDG News Service

An antispam researcher has uncovered a phishing scam that uses computers 
belonging to a medical transcription outsourcing company and the 
government of Malaysia to send out fraudulent e-mails.

The scam was discovered by Bill Carton, an engineer in San Diego who has 
spent the past 10 years as a volunteer antispam activist working to shut 
down bulk e-mailers in his spare time. Carton received an e-mail Friday 
morning that purported to be from eBay Inc.'s PayPal service.

The message read like a standard phishing pitch: "It has come to our 
attention that your account information needs to be updated. If you 
could please take 5-10 minutes out of your online experience and update 
your personal records you will not run into any future problems with the 
online service."

What was unusual, however, was the fact that the link in the e-mail was 
to a fake PayPal site hosted by servers in the Malaysian government's 
gov.my domain. "This one was interesting because of the Malaysian angle. 
A government server usually gets my attention," Carton said.

Closer investigation revealed that computers from another trusted source 
had also been used to send out the phishing e-mail.

"The compromised mail server used to relay the spam and scrub off any 
evidence of where the spammer is was not the typical home cable customer 
with a zombie infection, but RxDocuments.com," Carton said. "They boast 
of having HIPAA-compliant software for patient privacy, but they were 
compromised and used as a spam-spewing relay. How trustworthy is that?"

Paul Laudanski, owner of Computer Cops LLC and the leader of the 
Phishing Incident Reporting and Termination Squad, examined the phishing 
e-mail and agreed that it appeared to have been relayed by RxDocuments.

RxDocuments LLC provides dictation transcription services for 
physicians. It bills its products as "cost-effective, secure 
transcription adhering to the highest professional, ethical and legal 
standards," according to the company's Web site.

Neither Rxdocuments.com nor the Malaysian government responded to 
requests for comment. Rxdocuments.com is headquartered in Miami, but the 
Web site is registered to RxDocuments Pvt. in Bangalore, India, 
according to the Whois database.

This is not the first time that the gov.my Web site has been used by 
phishers, according to Laudanski. It has been used at least four other 
times since April of this year to spoof brands such as those of Chase, 
Citibank and eBay, he said.

Phishers have become increasingly sophisticated as criminals have 
realized that there is real money to be made in online fraud. Research 
company Gartner Inc. estimates that U.S. consumers will lose $2.8 
billion to phishing in 2006, with the average attack netting $1,244.

"There's definitely more of it than we've seen ever," said Dave Jevans, 
chairman of the Anti-Phishing Working Group. "Spam has gone up hugely in 
the last two months, and the volume of phishing has gone up with that."

Jevans agreed and said that this latest PayPal scam is unusual. "It's 
interesting because it's basically two entities that you would think 
would have security nailed down," he said.

Erik Larkin of PC World contributed to this story.