PayPal Phishing Spam

Just a heads up to anyone else getting the occasional PayPal phishing spam. Usually it’s pretty easy to spot one of those crafty phishing emails: just hover over any link before clicking to view the real URL in the status bar. You know, the link says something like, “click here to restore your PayPal account,” but you know that’s garbage and can easily prove it by checking the actual link URL, which is usually something completely bonkers, like:

http://luqomu-qiry.freewebportal.com/puvermiqer.html

Yeah right, stuff like that isn’t even close to PayPal.com or Chase.com or any other authentic website. There are a million ways to identify these sorts of phishing scams, including:

  • you don’t do business with that particular company
  • the email just looks weird (poor graphics/design)
  • the email is poorly written (grammar, syntax, tone, etc.)
  • anything that sounds too urgent or important
  • they don’t address you by name, but request some specific account action
  • disguised links (links go to a phishing site)

That last one is a fast, easy way to discredit even the most well-crafted phishing spam. Here are some examples showing the obviousness of most phishing emails — notice how hovering over links reveals the true URL in the status bar:

[ PayPal Phishing Spam Email ]

[ PayPal Phishing Spam Email ]

Obviously “http://qan-ajidyt.virtue.nu/hsdadria.html” does not equal PayPal.com, so dismissing this kind of garbage is a no-brainer. But watch out, because the little bastards are getting sneakier about how they craft their phishing links. For example, this email rolled in the other day and hovering over the link almost fooled me:

[ PayPal Phishing Spam Email ]

...and here is another that arrived recently:

[ PayPal Phishing Spam Email ]

Look at that — it says “paypal.com” right there at the beginning of the URL, so it must be legit, right? So instead of clicking a link that I thought might be real, I copy/pasted it into a plain text file to examine it further.

Here is what a typical legitimate PayPal URL looks like:

https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow&SESSION=MpHa_hHUj321dZnjFYN4xbFElxhCr0_HYlLwhbFkxWKE6uq9GjK3dpwe&dispatch=38ebb9cf0857de5aa44fd01837204ea000ee2a3114de1a3b2f88683c1178a267c59c90680d

And here is the disguised URL from the phishing email:

http://paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch.0db1f38432c9462fe7313791b4c12e10393700.viemzaza.com/sas/cgi-bin/ias/A/1/FGT/ibd/IAS/presentation/pm_token=C2886KJEHD89483JSO3829ENDHU8392OJD/

As you can see, they are strikingly similar, the main difference being that dots are used in place of forward slashes. With a carefully constructed series of subdomains, the phishing link looks like it goes somewhere at PayPal.com, but the real domain is viemzaza.com, using the following subdomain structure:

paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch.0db1f38432c9462fe7313791b4c12e10393700
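To make the check mechanical rather than eyeball-based, here is a small added Python example (my own code, not something from the post) that pulls the hostname out of each URL and reports the registrable domain, which is what the link owner actually controls. It uses the two URLs from this post as constructed sample input; the short multi-label suffix set is an assumed stand-in for the full Public Suffix List a real tool would load.

```python
from urllib.parse import urlsplit

# Constructed samples: the legitimate PayPal URL and the disguised one from the post.
LEGIT_URL = "https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow&SESSION=MpHa_hHUj321dZnjFYN4xbFElxhCr0"
PHISH_URL = ("http://paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch."
             "0db1f38432c9462fe7313791b4c12e10393700.viemzaza.com/sas/cgi-bin/ias/")

# Assumed, deliberately incomplete sample of multi-label public suffixes.
# A production tool loads the full Public Suffix List instead of this set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the part of the hostname the link owner actually registered.

    Everything left of it is a subdomain the attacker can name freely,
    which is exactly how 'paypal.com.us.cgi-bin...' ends up in the host.
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError("URL has no hostname")
    labels = host.split(".")
    # A bare IPv4 literal has no registrable domain; report it as-is.
    if len(labels) == 4 and all(part.isdigit() for part in labels):
        return host
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def verdict(url: str, brand_domain: str) -> str:
    """Classify a link relative to the brand it appears to belong to."""
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(url) == brand_domain:
        return "same-domain"          # really hosted under the brand's domain
    if brand_domain in host:
        return "lookalike"            # brand name in the host, but a different owner
    return "unrelated"                # no claim to the brand at all


if __name__ == "__main__":
    for url in (LEGIT_URL, PHISH_URL):
        print(f"{registrable_domain(url):<14} {verdict(url, 'paypal.com'):<12} {url[:60]}...")
```

Running it prints paypal.com / same-domain for the first URL and viemzaza.com / lookalike for the second, which is the whole trick in one line of output.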

I’m guessing more than a few people fall for this sneakier tactic, so hopefully this post will help raise awareness. Keep a close eye on those URLs, read the domain from the right-hand end rather than the left, and assume every business/bank/account/whatever email is bogus until proven otherwise.

More..

Here are more examples of phishing emails. And for reference, here are screenshots from the phishing emails that sparked this post: