Aye! Right!

I just got this email purporting to be from PayPal. I don’t believe the email.

Dear valued PayPal member:

It has come to our attention that your PayPal account information needs to be
updated as part of our continuing commitment to protect your account and to reduce
the instance of fraud on our website.  If you could please take 5-10 minutes out
of your online experience and update your personal records you will not run into
any future problems with the online service.

However, failure to update your records will result in account suspension.
Please update your records on or before July 06, 2007.

Once you have updated your account records, your PayPal session will not be
interrupted and will continue as normal.

To update your PayPal records click on the following link:

Thank You.

What makes me think it is a fake? The URL does not contain PayPal’s domain name. It is a simple IP address.

So, who owns the IP Address?

OrgName:    Road Runner HoldCo LLC
OrgID:      RRSW
Address:    13241 Woodland Park Road
City:       HerndonState
Prov:       VA
PostalCode: 20171
Country:    US

And what about the real PayPal. Their IP Address is

Also, the email didn’t have my address in the “TO” box (So I’m guessing all the recipients were BCC’d into the list) and the reply address is no-reply@google.com.

I have sent an appropriate email to Road Runner letting them know that someone is using their servers to host phishing sites. Hopefully it can be taken down promptly to prevent any less savvy people falling victim to this really quite amaturish attempt at a phishing scam.



  1. Mike Dimmick says:

    I believe RoadRunner are an ISP. That’s probably a DSL customer. Whether the customer are themselves committing the scam, or they’re a zombie, I don’t know. I wouldn’t be too surprised if infected machines weren’t merely used to send the scam emails but also to collect the results. Fewer links back to the perpetrator.

  2. I would guess that you are right. It is most likely to be a zombie machine.

  3. This very IP is also the one hacking (or attempting to hack) into SQL servers. It is a computer that is running a program trying out all possible login names, and of course with each login name, various passwords. If you are running SQL server, ensure that you check your Event Viewer, and the chances are that you will find the IP listed (don’t forget to deny access for it)

Leave a Reply to Mike Dimmick Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s