Be aware: over the past few days we have logged a large number of phishing emails targeting PayPal users. The phishing message looks almost identical to a genuine PayPal email, but the link in the message sends the user to a URL shortener service.
The malicious link present in the email is:
hxxp://lnko.in/bhqr
The user is redirected to these malicious links (in order):
hxxp://107.6.59.96/recordings/misc/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/95622de1bba96186ae6cc72e1d311c0c
The HTML page served by the last malicious link is encrypted; its content is only decoded by JavaScript when the page loads:
If JavaScript is enabled in your browser, the HTML page renders correctly as a fake PayPal login form:
When the user enters their login details, the form sends the POST data to a server-side script:
The malicious script is named:
paypal.php
The script collects the login details entered by the user.
This kind of phishing attack is easy to spot: a quick look at the browser's address bar shows that the website is not paypal.com (the legitimate domain) but a bare IP address, there is no HTTPS secure connection, and if JavaScript is disabled the page is completely blank.
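As an added example (not part of the original post), the checks in the paragraph above expressed as a small Python script that a URL sandbox or user-awareness tool could run over a captured redirect chain and landing page. The chain is the one reported above with hxxp:// rewritten to http:// so it parses, and the landing-page HTML is a constructed stand-in for the encrypted page, whose body holds nothing but a script.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: the chain reported above (hxxp:// -> http://) and a stand-in landing page.
SAMPLE_CHAIN = [
    "http://lnko.in/bhqr",
    "http://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/95622de1bba96186ae6cc72e1d311c0c",
]
SAMPLE_HTML = "<html><body><script>document.write(unescape('%3C...'))</script></body></html>"
EXPECTED_DOMAIN = "paypal.com"  # the brand the email impersonates

class VisibleText(HTMLParser):
    """Collects text that renders without JavaScript (everything outside script/style)."""
    def __init__(self):
        super().__init__()
        self.text, self.has_script, self._skip = [], False, 0
    def handle_starttag(self, tag, attrs):
        self.has_script = self.has_script or tag == "script"
        self._skip += 1 if tag in ("script", "style") else 0
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())

def is_ip_host(host):
    try:
        ipaddress.ip_address(host)  # bare IPv4/IPv6 address instead of a domain name
        return True
    except ValueError:
        return False

def assess_landing(chain, html, expected_domain=EXPECTED_DOMAIN):
    """Return the indicators a user or URL sandbox should notice for a redirect chain."""
    indicators = []
    final = urlparse(chain[-1])
    host = final.hostname or ""
    if is_ip_host(host):
        indicators.append("final host is a bare IP address, not " + expected_domain)
    elif host != expected_domain and not host.endswith("." + expected_domain):
        indicators.append("final host %s is not %s" % (host, expected_domain))
    if final.scheme != "https":
        indicators.append("no HTTPS on final page")
    parser = VisibleText()
    parser.feed(html)
    if parser.has_script and not parser.text:
        indicators.append("page is blank without JavaScript")
    return indicators
```

Running `assess_landing(SAMPLE_CHAIN, SAMPLE_HTML)` reports all three indicators; a genuine `https://www.paypal.com/...` page with visible form text reports none.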