PayPal Phishing Spam
Just a heads up to anyone else getting the occasional PayPal phishing spam.. Usually it’s pretty easy to spot one of those crafty phishing emails, just hover over any links before clicking to view the real URL in the status bar. You know, the link says something like, “click here to restore your PayPal account,” but you know that’s garbage and could easily prove it by checking the actual link URL, which is usually something completely bonkers, like:
http://luqomu-qiry.freewebportal.com/puvermiqer.html
Yeh right, stuff like that isn’t even close to PayPal.com or Chase.com or any other authentic website. There are a million ways to identify these sorts of phishing scams, including:
- you don’t do business with that particular company
- the email just looks weird (poor graphics/design)
- email is poorly written (grammar, syntax, tone, etc.)
- anything that sounds too urgent or important
- they don’t address you by name, but request some specific account action
- Disguised links (links go to phishing site)
That last one is a fast, easy way to discredit even the most well-crafted phishing spam. Here are some examples showing the obviousness of most phishing emails — notice how hovering over links reveals the true URL in the status bar:
Obviously “http://qan-ajidyt.virtue.nu/hsdadria.html” does not equal PayPal.com, so dismissing this kind of garbage is a no-brainer. But watch out, because the little bastards are getting sneakier about how they craft their phishing links. For example, this email rolled in the other day and hovering over the link almost fooled me:
..and here is another that arrived recently:
Look at that — it says “paypal.com” right there at the beginning of the URL, so it must be legit, right? So instead of clicking the link that I think might be real, I copy/pasted into a plain text file to examine further..
Here is what a typical legitimate PayPal URL looks like:
https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow&SESSION=MpHa_hHUj321dZnjFYN4xbFElxhCr0_HYlLwhbFkxWKE6uq9GjK3dpwe&dispatch=38ebb9cf0857de5aa44fd01837204ea000ee2a3114de1a3b2f88683c1178a267c59c90680d
And here is the disguised URL from the phishing email:
http://paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch.0db1f38432c9462fe7313791b4c12e10393700.viemzaza.com/sas/cgi-bin/ias/A/1/FGT/ibd/IAS/presentation/pm_token=C2886KJEHD89483JSO3829ENDHU8392OJD/
As you can see, they are strikingly similar, with the main difference that periods/dots are used in place of forward slashes. With a carefully constructed series of subdomains, the phishing link looks like it goes to somewhere at PayPal.com, but the real domain is viemzaza.com, using the following subdomain structure:
paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch.0db1f38432c9462fe7313791b4c12e10393700
I’m guessing more than a few people fall for this sneakier tactic, so hopefully this post will help raise awareness. Keep a close eye on those URLs and assume every business/bank/account/whatever email is bogus until proven otherwise.
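To make the "look at the real domain" rule concrete, here is an added Python check (not code from the original post) that pulls the hostname out of a link and tests whether it actually sits under the domain you expect. The two sample URLs are the legitimate and disguised ones quoted above, with the disguised one's path shortened after the hostname; the `evil.example` host in the usage is a constructed placeholder.

```python
"""Check whether a URL's host really belongs to the domain it appears to name."""
from urllib.parse import urlsplit

# Sample URLs taken from the post above (disguised one shortened after the host).
LEGIT_URL = ("https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow"
             "&SESSION=MpHa_hHUj321dZnjFYN4xbFElxhCr0_HYlLwhbFkxWKE6uq9GjK3dpwe")
DISGUISED_URL = ("http://paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch."
                 "0db1f38432c9462fe7313791b4c12e10393700.viemzaza.com/sas/cgi-bin/")


def hostname_of(url: str) -> str:
    """Return the lowercase hostname; urlsplit drops any user:pass@ prefix and port."""
    host = urlsplit(url.strip()).hostname or ""
    return host.rstrip(".").lower()


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the host IS expected_domain or a subdomain of it.

    A prefix or substring test is exactly what the dots-for-slashes trick defeats:
    'paypal.com.' appears at the start of the host but the registrable domain is
    read from the right, so we match on a label boundary from the right instead.
    """
    host = hostname_of(url)
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def describe(url: str, expected_domain: str) -> str:
    """Human-readable verdict for a link as seen when hovering in a mail client."""
    parts = urlsplit(url.strip())
    host = hostname_of(url)
    problems = []
    if not belongs_to(url, expected_domain):
        problems.append(f"host {host!r} is not under {expected_domain}")
    if parts.scheme.lower() != "https":
        problems.append("not using https")
    if parts.username is not None:
        problems.append("a user@ prefix hides the real host")
    return "ok" if not problems else "suspicious: " + "; ".join(problems)


if __name__ == "__main__":
    # Constructed placeholder host for the user@ case: evil.example
    for u in (LEGIT_URL, DISGUISED_URL, "http://paypal.com@evil.example/"):
        print(hostname_of(u), "->", describe(u, "paypal.com"))
```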
More..
Here are more examples of phishing emails. And for reference, here are screenshots from the phishing emails that sparked this post:
- Phishing Spam Email – Example #1
- Phishing Spam Email – Example #2
- Phishing Spam Email – Example #3
- Phishing Spam Email – Example #4
4 responses to “PayPal Phishing Spam”
“Caveat emptor” as they say.
I always tell people to look at the strings that are surrounding the last dot before the first slash (not including the // at the beginning) in the URL. That’s the domain. If it’s not paypal.com (or whatever you really expect the site’s domain to be), it’s not legit. For example in your second “sneaky” screenshot, the domain is mixsert.net. Evil.
And thanks for sharing all the info you do. I have particularly benefitted from your posts about htaccess blacklisting.
tree
Yep, I got these same emails saying my Paypal account had been “limited” ..weird thing is, I started getting the “account limited” stuff immediately after my Paypal account actually WAS limited for real. I had to send Paypal proof of address, etc. Do spammers have a way of tracking that kind of thing? It was uncanny, cause the language of the spam seemed to coincide.
This is a great article that I just sort of surfed into. I am kind of amazed how much trouble people go to in telling you to type in www (when you really do not have to anymore) and then we all often forget to look at the whole long url!