The link supposedly would take me to https://www.paypal.com/fraudcheck/secure/bill.html?sl=070304 but actually it would go to http://smba.swu.ac.kr/css/cash/hide/index2.htm which is a site in Korea.

I don't know what they did to their web page, but I tried to actually go there to see how well they replicated the PayPal site, and everytime I tried to go there, it closed the browser window. They did something on their server to prevent VisualRoute from saving a jpg file of the route, but like the article in March I was able to do it with PrintKey

I can't read Korean, but I tried going to http://smba.swu.ac.kr, and they have a professional looking site there:

http://smba.swu.ac.kr/css/ is a poorly set up Ebay Identity Theft site

http://smba.swu.ac.kr/css/cash shows:

and http://smba.swu.ac.kr/css/cash/hide/ shows:

Which is also a PayPal Identity Theft site, or actually three sites with <title statements of PayPal - Processing Login, PayPal - Limited Account Access Details, and PayPal Help

Interestingly, even though I could not get the web page by going directly there by my web browser, I clicked the index2.htm and got there. Note it says "https", but it is not a secure server, because there is no yellow padlock in my Internet Explorer screen.

They had three other web pages index3.htm, index4.php, and index5.htm. None of them would open up in a browser, but they were also planned as PayPal Identity Theft sites, because they had <title statements of PayPal - Access Account Limited, PayPal - verify your account information, and PayPal - Thank You respectively

It appears the email was sent from Orlando Florida but that may have been spoofed.

Supposedly the server (203.246.40.19) in Korea just has the one website on it. That website is http://www.cdskorea.com/.

For more information on the Tulsa Computer Society click here