Be aware, we have logged a lot of phishing emails that are targeting PayPal users on these days. The phishing email message looks like almost identical to the real PayPal message, but the link present in the message redirects the user to an URL shortener service.
The malicious link present in the email is:
The user is redirected to these malicious links (in order):
hxxp://220.127.116.11/recordings/misc/ hxxp://18.104.22.168/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/ hxxp://22.214.171.124/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/ hxxp://126.96.36.199/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/ hxxp://188.8.131.52/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/95622de1bba96186ae6cc72e1d311c0c
The HTML page of the last malicious link is encrypted:
When the user enters the login details, the form sends the POST data to a script:
The malicious script is named:
The script is used to collect the login details entered by the user.