PayPal Phishers Use Government for Scam

An antispam researcher has uncovered a phishing scam that uses computers belonging to both a medical transcription outsourcing company and the government of Malaysia.

The scam was discovered by Bill Carton, an engineer based in San Diego who has spent the past 10 years as a volunteer antispam activist, shutting down bulk e-mailers in his spare time. Carton received an e-mail Friday morning that purported to be from eBay’s PayPal service.

It read like a standard phishing pitch: “It has come to our attention that your account information needs to be updated,” the e-mail said. “If you could please take 5-10 minutes out of your online experience and update your personal records, you will not run into any future problems with the online service.”

What was unusual, however, was the fact that the link in the e-mail was to a fake PayPal site hosted by servers in the Malaysian government’s gov.my domain.

“This one was interesting because of the Malaysian angle. A government server usually gets my attention,” Carton said.

Closer investigation revealed that computers from another trusted source had been used to send out the phishing e-mail.

“The compromised mail server used to relay the spam, and scrub off any evidence of where the spammer is, was not the typical home cable customer with a zombie infection, but Rxdocuments.com,” Carton said. “They boast of having HIPAA-compliant software for patient privacy, but they were compromised and used as a spam-spewing relay. How trustworthy is that?”

Paul Laudanski, owner of Computer Cops and the leader of the Phishing Incident Reporting and Termination squad project, examined the phishing e-mail and agreed it appeared to have been relayed by Rxdocuments.

Rxdocuments.com provides dictation transcription services for physicians. It bills its products as “cost-effective, secure transcription adhering to the highest professional, ethical and legal standards,” according to the company’s website.

Neither Rxdocuments.com nor the government of Malaysia responded to requests for comment. Rxdocuments.com is headquartered in Miami, but the website is registered to RxDocuments in Bangalore, India, according to the Whois database.

This is not the first time that the gov.my website been used by phishers, according to Laudanski. It has been used at least four other times since April of this year to spoof brands such as Chase, Citibank and eBay, he said.

Phishers have become increasingly sophisticated as criminals have realized that there is real money to be made in online fraud. Research company Gartner estimates that U.S. consumers will lose US$2.8 billion to phishing in 2006, with the average attack netting $1,244.

“There’s definitely more of it than we’ve seen ever,” said Dave Jevans, chairman of the Anti-Phishing Working Group. “Spam has gone up hugely in the last two months, and the volume of phishing has gone up with that,” he said.

Jevans agreed that this latest PayPal scam is unusual.

“It’s interesting because it’s basically two entities that you would think would have security nailed down,” he said.

-Robert McMillan, IDG News Service (San Francisco Bureau)

Keep checking in at our Security Feed page for updated news coverage.