Another Paypal Fish

ErikAlbert · Jun 4, 2008

I received this email today :

Dear PayPal Member,

As part of our efforts to provide a safe and secure environment for the online community, we regularly screen account activity. While reviewing your PayPal accounts, we observed activity that we would like to further verify. For this reason, limitations have been placed on your account until your will review your registered intormation. In order to resolve the account limitations, complete our online form by clicking on the following link :

"Log into your PayPal account" (= link)

After we have gathered the necessary information, your account will be reviewed for reinstatement and you will be notified by e-mail of our decision.

We thank you for your prompt attention to this matter and apologize for any inconvenience.

Sincerely,
Account Review Department
Click to expand...

I have indeed a Paypal account which I needed to collect my "Free Lotto" winnings in the past.
I stopped playing "Free Lottos", so I don't use this account anymore for a very long time, more than 3 years ago.
They screen my account activities, what is there to screen ? My account is as good as dead with less than $10.00.

Would you trust this email ? I don't, it's already deleted.
Some users seem to receive such emails, even when they don't have a Paypal account.

Empath · Jun 4, 2008

It's classic phishing.

The claim of noticing unusual activity on your account
The claim that it's resulting in limited use or potential closure
The link to use included in the mail

All classic inclusions.

Rmus · Jun 4, 2008

ErikAlbert said:

Some users seem to receive such emails, even when they don't have a Paypal account.
Click to expand...

I don't have an account, but do receive them from time to time; they resemble what Empath describes.

In case the email looks legitimate, there are things to look for.

Where the link is spoofed, it is easy to check:

_________________________________________________________________

Note that the address resolves as http and not https. Users should know the correct URL for their financial sites.

In case of a Pharming attack where https is used, a custom address group for your https sites
will allow the firewall to alert to an attempt to connect to an https/port 443 address not in your custom group.

However, this can all be avoided by following PayPal's instructions for logging in:

Open a new browser window,
type h t tps://www.paypal.com
and log in to your PayPal account directly.
Click to expand...

This should be the procedure for all sites on which a person transacts business.

I've always recommended that people get to know the procedures for each account.
My bank, as an example, does not communicate by email with customers about their account.

I received by email my domain renewal. I was expecting it, yet, rather than clicking on the link provided (even though it looked legitimate) I used my bookmark which is the IP numerical address, not the name of the site. Then, I logged into my account directly.

----
rich

Mrkvonic · Jun 4, 2008

Hello,
And if you use plain text emails and not html, then the "hidden" links show in plain sight and ... problem solved.
Mrk

Rmus · Jun 4, 2008

Here is an example of what Mrk is talking about.

A Google phish displays as text only in my email program.
The link in the text is the legitimate Google URL.
The MIME_HTML part shows as an attachment.

__________________________________________________________________

If I open the HTML attachment in the browser, the message displays as HTML and the spoofed link
is obvious:

__________________________________________________________________

However, not all emails arrive with a TEXT part, as in the example I used in my above post.
Here is how it looks in my inbox:

__________________________________________________________________

From the header analysis:

----------------------------------------------------------------
X-Spam-Report:

* MDAEMON_SPF_SOFTFAIL - MIME_HTML_ONLY
* FORGED_OUTLOOK_TAGS, HTML_MESSAGE
* BAYES_99 BODY: Bayesian spam probability is 99 to 100%
----------------------------------------------------------------

Users can avoid being tricked by understanding how their financial sites communicate
with customers, and avoid clicking on links in an email message, as given in the PayPal
instructions above.

----
rich

ErikAlbert · Jun 4, 2008

My bank website has its own tool to communicate with their customers, no emailing needed.

MikeBCda · Jun 4, 2008

With respect to Paypal, they repeatedly remind you that legit email from them will always address you by your full name (or company name, if that's how you're registered) rather than "Dear valued customer" or some variation of that.

Obviously phishers and spammers will sooner or later catch on to that (assuming they can find your full name), if some haven't already. But you can guarantee that any "Dear member" mail is phony.

Rmus · Jun 4, 2008

MikeBCda said:

Obviously phishers and spammers will sooner or later catch on to that (assuming they can find your full name), if some haven't already.
Click to expand...

When you think about it, there are many ways that you can be targeted -- when your name/email address can be found, most common being if someone's or some organization's email list is compromised.

A couple of examples:

Targeted at Executives - More Better Business Bureau phish malware
http://isc.sans.org/diary.html?storyid=3224

executive staff at 3 corporations are still being targeted with emails with mailicious attachments that AV vendors are finding hard to identify.
Click to expand...

JavaScript/HTML droppers as a targeted attack vector
http://isc.sans.org/diary.html?storyid=3400

all recipients of these e-mails were members of the Falun Gong,
Click to expand...

----
rich

ccsito · Jun 10, 2008

This is the actual intended message.

As part of our efforts to provide a safe and secure environment (actually unsafe and insecure)for the online community, we regularly screen account activity. While reviewing your PayPal accounts(phishing for Paypal users), we observed (came across your email address)activity that we would like to further verify. For this reason, limitations (classic urgent attempt to scare you into jumping into their scam )have been placed on your account until your will review your registered intormation. ( your will review? Most phishing email has bad grammer) In order to resolve the account limitations, complete our online form by clicking on the following link :

"Log into your PayPal account" (= link)

After we have gathered the necessary information, your account will be reviewed for reinstatement (emptied of its current balance )and you will be notified by e-mail of our decision( slapping yourself beside the head blaming yourself for being so stupid).

We thank you for your prompt attention to this matter and apologize for any inconvenience.(We thank you for providing us the opportunity of bilking you out of your money)
Click to expand...

Log in or Sign up

Another Paypal Fish

ErikAlbert Registered Member

Empath Registered Member

Rmus Exploit Analyst

Mrkvonic Linux Systems Expert

Rmus Exploit Analyst

ErikAlbert Registered Member

MikeBCda Registered Member

Rmus Exploit Analyst

ccsito Registered Member

Log in or Sign up

Another Paypal Fish

ErikAlbert Registered Member

Empath Registered Member

Rmus Exploit Analyst

Mrkvonic Linux Systems Expert

Rmus Exploit Analyst

ErikAlbert Registered Member

MikeBCda Registered Member

Rmus Exploit Analyst

ccsito Registered Member

Useful Searches