Another Paypal Fish

Discussion in 'other security issues & news' started by ErikAlbert, Jun 4, 2008.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I received this email today:
    I do indeed have a Paypal account, which I needed in the past to collect my "Free Lotto" winnings.
    I stopped playing "Free Lottos", so I haven't used this account for a very long time, more than 3 years.
    They screen my account activities; what is there to screen? My account is as good as dead, with less than $10.00 in it.

    Would you trust this email? I don't; it's already deleted.
    Some users seem to receive such emails, even when they don't have a Paypal account. :rolleyes:
     
  2. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    It's classic phishing.

    The claim of noticing unusual activity on your account
    The claim that it's resulting in limited use or potential closure
    The link to use included in the mail

    All classic inclusions.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't have an account, but do receive them from time to time; they resemble what Empath describes.

    In case the email looks legitimate, there are things to look for.

    Where the link is spoofed, it is easy to check:

    [image: paypalphish.gif]

    Note that the address resolves as http and not https. Users should know the correct URL for their financial sites.

    In case of a Pharming attack where https is used, a custom address group for your https sites
    will allow the firewall to alert to an attempt to connect to an https/port 443 address not in your custom group.

    However, this can all be avoided by following PayPal's instructions for logging in:

    This should be the procedure for all sites on which a person transacts business.

    I've always recommended that people get to know the procedures for each account.
    My bank, as an example, does not communicate by email with customers about their account.

    I received my domain renewal by email. I was expecting it, yet rather than clicking on the link provided (even though it looked legitimate), I used my bookmark, which is the numerical IP address, not the name of the site. Then I logged into my account directly.


    ----
    rich
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    And if you use plain text emails and not html, then the "hidden" links show in plain sight and ... problem solved.
    Mrk
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Here is an example of what Mrk is talking about.

    A Google phish displays as text only in my email program.
    The link in the text is the legitimate Google URL.
    The MIME_HTML part shows as an attachment.

    [image: googleAd_agent.gif]

    If I open the HTML attachment in the browser, the message displays as HTML and the spoofed link
    is obvious:

    [image: googleAd_2.gif]

    However, not all emails arrive with a TEXT part, as in the example I used in my above post.
    Here is how it looks in my inbox:

    [image: paypal_2.gif]

    From the header analysis:

    ----------------------------------------------------------------
    X-Spam-Report:

    * MDAEMON_SPF_SOFTFAIL - MIME_HTML_ONLY
    * FORGED_OUTLOOK_TAGS, HTML_MESSAGE
    * BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    ----------------------------------------------------------------

    Users can avoid being tricked by understanding how their financial sites communicate
    with customers, and avoid clicking on links in an email message, as given in the PayPal
    instructions above.


    ----
    rich
     
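The checks Rmus and Mrk describe above (is the message HTML-only with no text part, does the visible link text name one host while the href points at another, and is the target plain http rather than https) can be automated against the raw message. The following is an added example, not code from the thread or from PayPal; the message it inspects is a constructed sample that imitates the phish described in the posts, and the host names in it are invented (.example) rather than real phishing domains.

```python
"""Inspect a raw email for HTML-only structure and spoofed/plain-http links.

Added example; the sample message below is constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an HTML-only "PayPal" notice whose visible link text says
# www.paypal.com but whose href goes to a look-alike host over plain http.
SAMPLE_PHISH = b"""From: "PayPal" <service@paypal.example>
To: victim@example.net
Subject: Unusual activity on your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer,</p>
<p>We noticed unusual activity. Access is limited until you verify:
<a href="http://paypal.com.secure-login.example/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a></p>
<p>See also <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML part."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL or bare 'www.host/path' string ('' if none)."""
    if "://" not in url:
        url = "http://" + url   # visible text often omits the scheme
    return (urlsplit(url).hostname or "").lower()


def analyse(raw):
    """Return findings for a raw RFC 5322 message: html_only, spoofed, plain_http."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    leaf_types = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    findings = {
        # No text/plain alternative: the reader only ever sees the rendered HTML.
        "html_only": "text/html" in leaf_types and "text/plain" not in leaf_types,
        "spoofed": [],      # (visible text, real href) where the hosts differ
        "plain_http": [],   # hrefs that use http rather than https
    }
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _AnchorCollector()
        collector.feed(part.get_content())
        for href, text in collector.anchors:
            # Only compare hosts when the visible text itself looks like a URL/domain.
            shown = _host(text) if re.search(r"\w\.\w", text) else ""
            if shown and shown != _host(href):
                findings["spoofed"].append((text, href))
            if urlsplit(href).scheme.lower() == "http":
                findings["plain_http"].append(href)
    return findings


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PHISH).items():
        print(f"{key}: {value}")
```

The host comparison is deliberately strict (any difference between the displayed host and the href host is reported); a mail client that shows the real href on hover gives the same information, but a text-only view, as Mrk notes, shows it without any parsing at all.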
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My bank website has its own tool to communicate with their customers, no emailing needed.
     
  7. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    With respect to Paypal, they repeatedly remind you that legit email from them will always address you by your full name (or company name, if that's how you're registered) rather than "Dear valued customer" or some variation of that.

    Obviously phishers and spammers will sooner or later catch on to that (assuming they can find your full name), if some haven't already. But you can guarantee that any "Dear member" mail is phony.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    When you think about it, there are many ways that you can be targeted when your name/email address can be found, the most common being when someone's or some organization's email list is compromised.

    A couple of examples:

    Targeted at Executives - More Better Business Bureau phish malware
    http://isc.sans.org/diary.html?storyid=3224
    JavaScript/HTML droppers as a targeted attack vector
    http://isc.sans.org/diary.html?storyid=3400
    ----
    rich
     
  9. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    This is the actual intended message.

    :mad:
     