Tag Archives: paypal

Phishing: PayPal Notice of Policy Updates

Be aware: we have logged a lot of phishing emails targeting PayPal users these days. The phishing message looks almost identical to the real PayPal notice, but the link in the message sends the user to a URL shortener service.

[Screenshot: phishing email "PayPal Notice of Policy Updates"]

The malicious link present in the email is:

hxxp://lnko.in/bhqr

From there the user is redirected through these malicious links (in order):

hxxp://107.6.59.96/recordings/misc/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/95622de1bba96186ae6cc72e1d311c0c

The HTML source of the page at the last link is encrypted:

[Screenshot: encrypted HTML source of the phishing page]

With JavaScript enabled in the browser, the page is decoded and loads correctly:

[Screenshot: decoded phishing page and its final URL]

When the user enters their login details, the form POSTs them to a script:

[Screenshot: POST fields sent by the login form]

The malicious script is named:

paypal.php

The script is used to collect the login details entered by the user.

This kind of phishing attack is easy to spot: a quick look at the browser's address bar shows that the site is not paypal.com (the legitimate domain) but a bare IP address, there is no HTTPS connection, and with JavaScript disabled the page is blank.

Phishing: Your Paypal Account Will Be Limited

New phishing email related to PayPal accounts:

Return-Path: <servviice@paybal.com>
Received: from WIN-ATAF5I4OOP1 (unknown [96.44.188.43])
Received: from User ([127.0.0.1]) by WIN-ATAF5I4OOP1
From: "Paypal"<servviice@paybal.com>
Subject: Your Paypal Account Will Be Limited
Date: Tue, 17 May 2011 18:38:40 -0700
To: undisclosed-recipients:;

Message:

[Screenshot: phishing email message]

Note that the email comes from:

From: "Paypal"<servviice@paybal.com>

The domain paybal.com is parked!

Malicious URL that redirects to the phishing PayPal login page:

hxxp://www.doncastersc.vic.edu .au/calendar/paypal.secure.update.service/paypal.secure.login/safe.login.process/language&id=en/80a13c0db1f1ff80d546411d7f8a8350c132bc41e0934c/us/webscr.php?cmd=_login-run&dispatch=3885d80a13c0db1f1ff80d546411d7f8a8350c132bc0

URLVoid domain analysis:

http://www.urlvoid.com/scan/paybal.com
http://www.urlvoid.com/scan/doncastersc.vic.edu.au
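As an added example (not code from the original posts), a small Python script that checks for the indicators both posts rely on: a URL shortener or bare IP address as host, no HTTPS, the brand name in the path but not in the host, and a sender domain one character away from paypal.com. The shortener entries beyond lnko.in, the indicator names and the shortened sample URL are my own assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit
BRANDS = {"paypal": "paypal.com"}  # brand keyword -> legitimate domain
SHORTENERS = {"lnko.in", "bit.ly", "tinyurl.com"}  # lnko.in is from the post; the other two are assumed
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def edit_distance(a, b):
    # Levenshtein distance: spots one-character lookalikes such as paybal vs paypal
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def url_indicators(url):
    # Refang (hxxp, inserted spaces) so urlsplit sees a real URL, then apply the checks
    u = urlsplit(url.replace(" ", "").replace("hxxp", "http", 1))
    host = (u.hostname or "").lower()
    found = []
    if u.scheme != "https":
        found.append("no-https")
    if IPV4.match(host):
        found.append("ip-literal-host")
    if host in SHORTENERS:
        found.append("url-shortener")
    for brand, legit in BRANDS.items():
        on_brand_host = host == legit or host.endswith("." + legit)
        if brand in (u.path + u.query).lower() and not on_brand_host:
            found.append("brand-in-path-not-in-host:" + brand)
    return found

def sender_indicators(headers):
    # Flag From / Return-Path domains that are one edit away from a brand domain
    found = []
    for field in ("From", "Return-Path"):
        domain = parseaddr(headers.get(field, ""))[1].rpartition("@")[2].lower()
        label = domain.split(".")[0]
        for brand, legit in BRANDS.items():
            if label and domain != legit and edit_distance(label, brand) <= 1:
                found.append(f"lookalike-domain:{field}:{domain}")
    return found

# Constructed samples: the URLs and From/Return-Path lines quoted in the two posts (long path shortened)
SAMPLE_URLS = ["hxxp://lnko.in/bhqr", "hxxp://107.6.59.96/recordings/misc/",
               "hxxp://www.doncastersc.vic.edu .au/calendar/paypal.secure.update.service/us/webscr.php?cmd=_login-run"]
SAMPLE_HEADERS = {"From": '"Paypal"<servviice@paybal.com>', "Return-Path": "<servviice@paybal.com>"}
```

Run `url_indicators` over every link in a suspect message and `sender_indicators` over its headers; any non-empty result is worth a look in the address bar before typing credentials.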