SYSMGR

We're a bunch of Computers: Diana, Daphne, and Dido, called the 3D-cluster, running OpenVMS, Io running OpenVMS as well (in some obscure role in the network) Aphrodite, Athene and Irene running WindowsXP-Pro (SP2, of course) and Cerberus at the edge of the Network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Tuesday, January 17

BEWARE !

Phishing attempt

Do you have a PayPal account? Then beware of attempts to retrieve your account password - and therefore gain access to your account at PayPal - which may include your credit card information, or use your account for fraud.

It's the second phishing attempt I received - assuming I'm stupid. I got a similar message on 15-Jan-2006, apparently from an Italian site using a Polish (Apple Mac-based?) mailserver - to direct me to a (hacked?) site. Just this afternoon, I received another one. I didn't get to the site (of course) but displayed the HTML code. It contains a message stating:


Attention! Your PayPal account has been violated!

Someone with ip address 149.225.126.87 tried to access your personal account!

Please click the link below and enter your account information to confirm that you are not currently away. You have 3 days to confirm account information or your account will be locked.

The "link below" reads:


<a target="_blank" href="http://202.29.41.99/src/.cgi-bin/.paypal/index.htm">Click here to activate your account</a>

and it also specifies:


You can also confirm your email address by logging into your PayPal account
at <a target="_blank" href="http://202.29.41.99/src/.cgi-bin/.paypal/index.htm"><br>http://paypal.com/</a>.

Who is 202.29.41.99:

inetnum: 202.28.0.0 - 202.29.255.255
netname: THAINET-TH
descr: UniNet(Inter-university network)
descr: Office of Information Technology Administration
descr: for Educational Development
descr: Ministry of University Affairs
country: TH
admin-c: YT7
admin-c: UV1-AP
tech-c: UNOC1-AP
remarks: UniNet is the outgrowth of THAINET
notify: noc-uninet@it.chula.ac.th
notify: noc@uni.net.th
mnt-by: APNIC-HM
mnt-lower: MAINT-TH-UNINET
status: ALLOCATED PORTABLE

and more.
No PAYPAL, therefore.
Since this seems to be a university address, it might be a signal that the machine has been tampered with - university sites are notoriously badly secured.
Also, this is quite likely a Unix box, given the names of the directories (/(dot)cgi-bin/(dot)paypal/) - directories with a leading dot are hidden from normal view.
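The checks done by hand above (link text that shows paypal.com while the href points at a bare IP, and dot-prefixed directories in the path) can be applied to any suspicious mail body. The following is an added example in Python, not code from the original post; the sample HTML is constructed from the two anchors quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input, built from the two anchors quoted in the post above.
SAMPLE_HTML = (
    '<a target="_blank" href="http://202.29.41.99/src/.cgi-bin/.paypal/index.htm">'
    'Click here to activate your account</a> ... '
    '<a target="_blank" href="http://202.29.41.99/src/.cgi-bin/.paypal/index.htm">'
    '<br>http://paypal.com/</a>'
)

class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the document.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return (href, [reasons]) for each anchor showing a sign of a phishing lure."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons, parsed = [], urlparse(href)
        host = (parsed.hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("href host is a bare IP address")
        # Dot-prefixed path components are hidden from a plain directory listing.
        if any(p.startswith(".") for p in parsed.path.split("/")):
            reasons.append("path contains dot-prefixed (hidden) directories")
        # Visible text that looks like a domain/URL but does not match the real host.
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != host:
            reasons.append(f"link text shows {shown.group(1)} but href goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `audit_links(SAMPLE_HTML)` flags both anchors; the second one additionally reports the paypal.com text versus the 202.29.41.99 destination.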

Who is said to access the account (149.225.126.87):

inetnum: 149.225.0.0 - 149.225.255.255
remarks:
remarks: This inetnum has been transfered as part of the ERX.
remarks: It was present in both the ARIN and RIPE databases, so
remarks: the information from both databases has been merged.
remarks: If you are the mntner of this object, please update it
remarks: to reflect the correct information.
remarks:
remarks: Please see the information for this process:
remarks: http://www.ripe.net/db/erx/erx-ip/network-149.html
remarks:
remarks: **** INFORMATION FROM ARIN OBJECT ****
remarks: netname: CUMULUS-1
descr: EUnet Deutschland GmbH
descr: Emil-Figge-Str. 80
descr: D-44227 Dortmund
remarks: country: DE
admin-c: UH266-RIPE
tech-c: UH266-RIPE
remarks: changed: hostmaster@arin.net 19970728
remarks: changed: hostmaster@arin.net 20030121
remarks: **** INFORMATION FROM RIPE OBJECT ****
netname: CUMULUS
descr: UUNET Deutschland GmbH
descr: Sebrathweg 20
descr: D-44149 Dortmund
country: DE
admin-c: HE15-RIPE
tech-c: HE15-RIPE
status: ASSIGNED PI
remarks: date of original assignment unknown, possibly 1991-1992
mnt-by: UUNETDE-I
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
source: RIPE # Filtered

Might be the source of the attempt - or a random number.

1 Comment:

Blogger SYSMGR said...

Update:
Had a look at PayPal's website and found a request to forward attempts like this to spoof@paypal.com, but this bounced!

But they do have a web-based message delivery system - so I will use that.

20 January, 2006 13:35  
