Phishing: PayPal Notice of Policy Updates

Be aware: over the last few days we have logged a large number of phishing emails targeting PayPal users. The phishing message looks almost identical to a genuine PayPal notice, but the link in the message sends the user through a URL shortener service.

[Screenshot: the phishing email, styled as a "PayPal Notice of Policy Updates"]

The malicious link present in the email is:

hxxp://lnko.in/bhqr

The user is then redirected through the following URLs, in this order:

hxxp://107.6.59.96/recordings/misc/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/95622de1bba96186ae6cc72e1d311c0c

The HTML source of the final page is obfuscated ("encrypted"), so nothing readable appears without JavaScript:

[Screenshot: obfuscated HTML source of the phishing page]

With JavaScript enabled in the browser, the page decodes itself and renders as a fake PayPal login page:

[Screenshot: the rendered phishing page at the final URL]

When the user submits login details, the form sends the POST data to a server-side script:

[Screenshot: the POST fields sent by the login form]

The malicious script is named:

paypal.php

This script harvests the credentials entered by the user.

This kind of phishing attack is easy to spot. A quick look at the browser's address bar shows that the site is not paypal.com (the legitimate domain) but a bare IP address, the connection is plain HTTP rather than HTTPS, and with JavaScript disabled the page is simply blank.
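The warning signs above (a URL shortener as the first hop, an IP-literal host, no HTTPS, and a final page that is not on paypal.com) can be checked mechanically. The following is an added example, not code from the original post; it scores the defanged redirect chain quoted above offline, and the small shortener host list is an assumption used only as a heuristic signal.

```python
"""Triage a phishing redirect chain offline, flagging the signs a defender looks for."""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: a tiny list of known URL-shortener hosts, used purely as a heuristic.
SHORTENER_HOSTS = {"lnko.in", "bit.ly", "tinyurl.com"}


def refang(url):
    """Turn defanged 'hxxp://' indicator notation back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def hop_findings(url):
    """Return the warning signs present on a single redirect hop."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme != "https":
        findings.append("no-https")          # plain HTTP, no certificate at all
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")   # a bare IP instead of a brand domain
    except ValueError:
        pass                                 # host is a name, not an IP literal
    if host in SHORTENER_HOSTS:
        findings.append("url-shortener")     # hides the real destination in the email
    return findings


def assess_chain(chain, brand_domain="paypal.com"):
    """Summarise the whole chain and check whether it ends on the brand's real domain."""
    hops = [(url, hop_findings(url)) for url in chain]
    final_host = (urlparse(refang(chain[-1])).hostname or "").lower()
    on_brand = final_host == brand_domain or final_host.endswith("." + brand_domain)
    suspicious = (not on_brand) or any(findings for _, findings in hops)
    return {"hops": hops, "lands_on_brand": on_brand,
            "verdict": "suspicious" if suspicious else "ok"}


# Constructed sample input: the defanged chain from the post (first, second and last hop).
SAMPLE_CHAIN = [
    "hxxp://lnko.in/bhqr",
    "hxxp://107.6.59.96/recordings/misc/",
    "hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/95622de1bba96186ae6cc72e1d311c0c",
]

if __name__ == "__main__":
    result = assess_chain(SAMPLE_CHAIN)
    for url, findings in result["hops"]:
        print(url, "->", ", ".join(findings) or "none")
    print("verdict:", result["verdict"])
```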