Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

PayPal Phishing Spam

Just a heads up to anyone else getting the occasional PayPal phishing spam.. Usually it’s pretty easy to spot one of those crafty phishing emails, just hover over any links before clicking to view the real URL in the status bar. You know, the link says something like, “click here to restore your PayPal account,” but you know that’s garbage and could easily prove it by checking the actual link URL, which is usually something completely bonkers, like:

http://luqomu-qiry.freewebportal.com/puvermiqer.html

Yeh right, stuff like that isn’t even close to PayPal.com or Chase.com or any other authentic website. There are a million ways to identify these sorts of phishing scams, including:

  • you don’t do business with that particular company
  • the email just looks weird (poor graphics/design)
  • email is poorly written (grammar, syntax, tone, etc.)
  • anything that sounds too urgent or important
  • they don’t address you by name, but request some specific account action
  • Disguised links (links go to phishing site)

That last one is a fast, easy way to discredit even the most well-crafted phishing spam. Here are some examples showing the obviousness of most phishing emails — notice how hovering over links reveals the true URL in the status bar:

[ PayPal Phishing Spam Email ][ PayPal Phishing Spam Email ]

Obviously “http://qan-ajidyt.virtue.nu/hsdadria.html” does not equal PayPal.com, so dismissing this kind of garbage is a no-brainer. But watch out, because the little bastards are getting sneakier about how they craft their phishing links. For example, this email rolled in the other day and hovering over the link almost fooled me:

[ PayPal Phishing Spam Email ]

..and here is another that arrived recently:

[ PayPal Phishing Spam Email ]

Look at that — it says “paypal.com” right there at the beginning of the URL, so it must be legit, right? So instead of clicking the link that I think might be real, I copy/pasted into a plain text file to examine further..

Here is what a typical legitimate PayPal URL looks like:

https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow&SESSION=MpHa_hHUj321dZnjFYN4xbFElxhCr0_HYlLwhbFkxWKE6uq9GjK3dpwe&dispatch=38ebb9cf0857de5aa44fd01837204ea000ee2a3114de1a3b2f88683c1178a267c59c90680d

And here is the disguised URL from the phishing email:

http://paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch.0db1f38432c9462fe7313791b4c12e10393700.viemzaza.com/sas/cgi-bin/ias/A/1/FGT/ibd/IAS/presentation/pm_token=C2886KJEHD89483JSO3829ENDHU8392OJD/

As you can see, they are strikingly similar, with the main difference that periods/dots are used in place of forward slashes. With a carefully constructed series of subdomains, the phishing link looks like it goes to somewhere at PayPal.com, but the real domain is viemzaza.com, using the following subdomain structure:

paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch.0db1f38432c9462fe7313791b4c12e10393700

I’m guessing more than a few people fall for this sneakier tactic, so hopefully this post will help raise awareness. Keep a close eye on those URLs and assume every business/bank/account/whatever email is bogus until proven otherwise.

More..

Here are more examples of phishing emails. And for reference, here are screenshots from the phishing emails that sparked this post:

About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
BBQ Pro: The fastest firewall to protect your WordPress.

4 responses to “PayPal Phishing Spam”

  1. “Caveat emptor” as they say.

  2. I always tell people to look at the strings that are surrounding last dot before the first slash (not including the // at the beginning) in the url. That’s the domain. If it’s not paypal.com (or whatever you really expect the site’s domain to be), it’s not legit. For example in your second “sneaky” screenshot, the domain is mixsert.net. Evil.

    And thanks for sharing all the info you do. I have particularly benefitted from your posts about htaccess blacklisting.

    tree

  3. Yep, I got these same emails saying my Paypal account had been “limited” ..weird thing is, I started getting the “account limited” stuff immediately after my Paypal account actually WAS limited for real. I had to send Paypal proof of address, etc. Do spammers have a way of tracking that kind of thing? It was uncanny, cause the language of the spam seemed to coincide.

  4. This is a great article that I just sort of surfed into. I am kind of amazed how much trouble people go to in telling you to type in www (when you really do not have to anymore) and then we all often forget to look at the whole long url!

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
GA Pro: Add Google Analytics to WordPress like a pro.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.