
PayPal Phishing Spam

Just a heads up to anyone else getting the occasional PayPal phishing spam. Usually it’s pretty easy to spot one of those crafty phishing emails: just hover over any links before clicking to view the real URL in the status bar. You know, the link says something like, “click here to restore your PayPal account,” but you know that’s garbage and could easily prove it by checking the actual link URL, which is usually something completely bonkers, like:

http://luqomu-qiry.freewebportal.com/puvermiqer.html

Yeh right, stuff like that isn’t even close to PayPal.com or Chase.com or any other authentic website. There are a million ways to identify these sorts of phishing scams, including:

  • you don’t do business with that particular company
  • the email just looks weird (poor graphics/design)
  • email is poorly written (grammar, syntax, tone, etc.)
  • anything that sounds too urgent or important
  • they don’t address you by name, but request some specific account action
  • Disguised links (links go to phishing site)

That last one is a fast, easy way to discredit even the most well-crafted phishing spam. Here are some examples showing the obviousness of most phishing emails — notice how hovering over links reveals the true URL in the status bar:

[ PayPal Phishing Spam Email ][ PayPal Phishing Spam Email ]

Obviously “http://qan-ajidyt.virtue.nu/hsdadria.html” does not equal PayPal.com, so dismissing this kind of garbage is a no-brainer. But watch out, because the little bastards are getting sneakier about how they craft their phishing links. For example, this email rolled in the other day and hovering over the link almost fooled me:

[ PayPal Phishing Spam Email ]

..and here is another that arrived recently:

[ PayPal Phishing Spam Email ]

Look at that — it says “paypal.com” right there at the beginning of the URL, so it must be legit, right? So instead of clicking a link that I thought might be real, I copied and pasted it into a plain text file to examine further..

Here is what a typical legitimate PayPal URL looks like:

https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow&SESSION=MpHa_hHUj321dZnjFYN4xbFElxhCr0_HYlLwhbFkxWKE6uq9GjK3dpwe&dispatch=38ebb9cf0857de5aa44fd01837204ea000ee2a3114de1a3b2f88683c1178a267c59c90680d

And here is the disguised URL from the phishing email:

http://paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch.0db1f38432c9462fe7313791b4c12e10393700.viemzaza.com/sas/cgi-bin/ias/A/1/FGT/ibd/IAS/presentation/pm_token=C2886KJEHD89483JSO3829ENDHU8392OJD/

As you can see, they are strikingly similar, with the main difference that periods/dots are used in place of forward slashes. With a carefully constructed series of subdomains, the phishing link looks like it goes to somewhere at PayPal.com, but the real domain is viemzaza.com, using the following subdomain structure:

paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch.0db1f38432c9462fe7313791b4c12e10393700

I’m guessing more than a few people fall for this sneakier tactic, so hopefully this post will help raise awareness. Keep a close eye on those URLs and assume every business/bank/account/whatever email is bogus until proven otherwise.
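The check described above (find the real domain by reading the hostname right-to-left, not left-to-right) as an added Python example; this is not code from the post, and it assumes a one-label public suffix such as .com or .net, so country-code suffixes like .co.uk would need a public-suffix list. The two sample URLs are the ones quoted in the post.

```python
from urllib.parse import urlsplit

# Sample URLs copied from the post: the real PayPal link and the disguised one
LEGIT_URL = ("https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow"
             "&SESSION=MpHa_hHUj321dZnjFYN4xbFElxhCr0_HYlLwhbFkxWKE6uq9GjK3dpwe"
             "&dispatch=38ebb9cf0857de5aa44fd01837204ea000ee2a3114de1a3b2f88683c1178a267c59c90680d")
PHISH_URL = ("http://paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch."
             "0db1f38432c9462fe7313791b4c12e10393700.viemzaza.com"
             "/sas/cgi-bin/ias/A/1/FGT/ibd/IAS/presentation/"
             "pm_token=C2886KJEHD89483JSO3829ENDHU8392OJD/")


def hostname_of(url: str) -> str:
    """Everything between '//' and the first '/', lower-cased."""
    if "//" not in url:          # a bare host pasted without a scheme
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host: the part that is actually registered.
    Assumption: a one-label public suffix (.com, .net); .co.uk-style
    suffixes would need a public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(url: str, expected_domain: str) -> dict:
    """Decide whether a link really lands on expected_domain and flag the
    brand-in-subdomain disguise the post describes."""
    host = hostname_of(url)
    real = registrable_domain(host)
    expected = expected_domain.lower()
    return {
        "host": host,
        "real_domain": real,
        "legit": real == expected,
        # the brand name appears in the host, but not as the real domain
        "brand_in_subdomain": expected in host and real != expected,
    }


if __name__ == "__main__":
    for url in (LEGIT_URL, PHISH_URL):
        print(check_link(url, "paypal.com"))
```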

More..

Here are more examples of phishing emails. And for reference, here are screenshots from the phishing emails that sparked this post:

Jeff Starr

4 responses to “PayPal Phishing Spam”

  1. “Caveat emptor” as they say.

  2. I always tell people to look at the string surrounding the last dot before the first slash (not including the // at the beginning) in the URL. That’s the domain. If it’s not paypal.com (or whatever you really expect the site’s domain to be), it’s not legit. For example, in your second “sneaky” screenshot, the domain is mixsert.net. Evil.

    And thanks for sharing all the info you do. I have particularly benefitted from your posts about htaccess blacklisting.

    tree

  3. Yep, I got these same emails saying my Paypal account had been “limited”. The weird thing is, I started getting the “account limited” stuff immediately after my Paypal account actually WAS limited for real. I had to send Paypal proof of address, etc. Do spammers have a way of tracking that kind of thing? It was uncanny, because the language of the spam seemed to coincide.

  4. This is a great article that I just sort of surfed into. I am kind of amazed how much trouble people go to in telling you to type in www (when you really do not have to anymore) and then we all often forget to look at the whole long url!
