
PayPal Phishing Spam

Just a heads up to anyone else getting the occasional PayPal phishing spam.. Usually it’s pretty easy to spot one of those crafty phishing emails, just hover over any links before clicking to view the real URL in the status bar. You know, the link says something like, “click here to restore your PayPal account,” but you know that’s garbage and could easily prove it by checking the actual link URL, which is usually something completely bonkers, like:

http://luqomu-qiry.freewebportal.com/puvermiqer.html

Yeah right, stuff like that isn’t even close to PayPal.com or Chase.com or any other authentic website. There are a million ways to identify these sorts of phishing scams, including:

  • you don’t do business with that particular company
  • the email just looks weird (poor graphics/design)
  • email is poorly written (grammar, syntax, tone, etc.)
  • anything that sounds too urgent or important
  • they don’t address you by name, but request some specific account action
  • disguised links (the link text says one thing, but the real URL goes to a phishing site)

That last one is a fast, easy way to discredit even the most well-crafted phishing spam. Here are some examples showing the obviousness of most phishing emails — notice how hovering over links reveals the true URL in the status bar:

[ PayPal Phishing Spam Email ][ PayPal Phishing Spam Email ]

Obviously “http://qan-ajidyt.virtue.nu/hsdadria.html” does not equal PayPal.com, so dismissing this kind of garbage is a no-brainer. But watch out, because the little bastards are getting sneakier about how they craft their phishing links. For example, this email rolled in the other day and hovering over the link almost fooled me:

[ PayPal Phishing Spam Email ]

..and here is another that arrived recently:

[ PayPal Phishing Spam Email ]

Look at that — it says “paypal.com” right there at the beginning of the URL, so it must be legit, right? So instead of clicking a link that I thought might be real, I copy/pasted it into a plain text file to examine further..

Here is what a typical legitimate PayPal URL looks like:

https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow&SESSION=MpHa_hHUj321dZnjFYN4xbFElxhCr0_HYlLwhbFkxWKE6uq9GjK3dpwe&dispatch=38ebb9cf0857de5aa44fd01837204ea000ee2a3114de1a3b2f88683c1178a267c59c90680d

And here is the disguised URL from the phishing email:

http://paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch.0db1f38432c9462fe7313791b4c12e10393700.viemzaza.com/sas/cgi-bin/ias/A/1/FGT/ibd/IAS/presentation/pm_token=C2886KJEHD89483JSO3829ENDHU8392OJD/

As you can see, they look strikingly similar. The phisher has copied the pieces of the real PayPal path (us, cgi-bin, webscr, cmd, dispatch, a long hex token) into the hostname, joined with dots instead of forward slashes. The catch is that everything between the “//” and the first single slash is the hostname, and only the last two labels of the hostname decide where the browser actually goes. With a carefully constructed series of subdomains, the phishing link looks like it goes to somewhere at PayPal.com, but the real domain is viemzaza.com, using the following subdomain structure:

paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch.0db1f38432c9462fe7313791b4c12e10393700
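To make the rule concrete, here is a small Python script (added here as an example, not code from the original post) that pulls the hostname out of a URL and keeps only its last two labels, which is the part that actually decides where the request goes. It runs the check against the legitimate and disguised URLs quoted above, plus two constructed lookalikes (a brand name buried in the path, and a brand name used as a subdomain of an unrelated host). The “last two labels” rule is a simplification: a real checker would consult the Public Suffix List so that hosts like example.co.uk come out right.

```python
from urllib.parse import urlsplit

# The first two URLs are the legitimate and the disguised URL quoted in the
# post. The last two are constructed for illustration and are not from the
# post: a brand name hidden in the path, and a lookalike subdomain.
LEGIT_URL = ("https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow"
             "&SESSION=MpHa_hHUj321dZnjFYN4xbFElxhCr0_HYlLwhbFkxWKE6uq9GjK3dpwe"
             "&dispatch=38ebb9cf0857de5aa44fd01837204ea000ee2a3114de1a3b2f88683c1178a267c59c90680d")
PHISH_URL = ("http://paypal.com.us.cgi-bin.ebscr.cmd.home.general.dispatch."
             "0db1f38432c9462fe7313791b4c12e10393700.viemzaza.com"
             "/sas/cgi-bin/ias/A/1/FGT/ibd/IAS/presentation/pm_token=C2886KJEHD89483JSO3829ENDHU8392OJD/")
BRAND_IN_PATH = "http://example.net/www.paypal.com/cgi-bin/webscr/login.html"   # constructed
LOOKALIKE_SUB = "https://www.paypal.com.account-update.example.net/"             # constructed


def hostname(url):
    """Everything between '//' and the first single '/', lowercased."""
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(url):
    """Last two hostname labels, e.g. 'viemzaza.com'.
    Simplification: assumes a one-label public suffix such as .com/.net;
    a real tool would use the Public Suffix List."""
    return ".".join(hostname(url).split(".")[-2:])


def subdomain_labels(url):
    """All the labels in front of the registrable domain (the disguise)."""
    return hostname(url).split(".")[:-2]


def _brand_as_subdomain(sub_labels, expected_domain):
    """True if the expected domain's labels appear as a run inside the subdomain labels."""
    exp = expected_domain.split(".")
    return any(sub_labels[i:i + len(exp)] == exp
               for i in range(len(sub_labels) - len(exp) + 1))


def check_link(url, expected_domain):
    """Report whether a link really points at expected_domain and why not."""
    parts = urlsplit(url)
    domain = registrable_domain(url)
    findings = []
    if domain != expected_domain:
        findings.append(f"real domain is {domain}, not {expected_domain}")
        if _brand_as_subdomain(subdomain_labels(url), expected_domain):
            findings.append(f"{expected_domain} appears only as subdomain labels of {domain}")
        if expected_domain in parts.path.lower():
            findings.append(f"{expected_domain} appears in the path, not the host")
    if parts.scheme != "https":
        findings.append("not https")
    return {"host": hostname(url), "domain": domain,
            "legit": not findings, "findings": findings}


if __name__ == "__main__":
    for url in (LEGIT_URL, PHISH_URL, BRAND_IN_PATH, LOOKALIKE_SUB):
        result = check_link(url, "paypal.com")
        verdict = "OK   " if result["legit"] else "PHISH"
        print(f"{verdict} domain={result['domain']}")
        for finding in result["findings"]:
            print(f"       - {finding}")
```

Running it prints “OK” for the real PayPal link and “PHISH” for the other three, with the reason for each. For the disguised URL, subdomain_labels() returns exactly the long paypal.com.us.cgi-bin… string shown above, and registrable_domain() returns viemzaza.com.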

I’m guessing more than a few people fall for this sneakier tactic, so hopefully this post will help raise awareness. Keep a close eye on those URLs and assume every business/bank/account/whatever email is bogus until proven otherwise.

More..

Here are more examples of phishing emails. And for reference, here are screenshots from the phishing emails that sparked this post:

Jeff Starr
About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.

4 responses to “PayPal Phishing Spam”

  1. “Caveat emptor” as they say.

  2. I always tell people to look at the strings surrounding the last dot before the first slash (not including the // at the beginning) in the URL. That’s the domain. If it’s not paypal.com (or whatever you really expect the site’s domain to be), it’s not legit. For example, in your second “sneaky” screenshot, the domain is mixsert.net. Evil.

    And thanks for sharing all the info you do. I have particularly benefitted from your posts about htaccess blacklisting.

    tree

  3. Yep, I got these same emails saying my Paypal account had been “limited” ..weird thing is, I started getting the “account limited” stuff immediately after my Paypal account actually WAS limited for real. I had to send Paypal proof of address, etc. Do spammers have a way of tracking that kind of thing? It was uncanny, cause the language of the spam seemed to coincide.

  4. This is a great article that I just sort of surfed into. I am kind of amazed how much trouble people go to in telling you to type in www (when you really do not have to anymore) and then we all often forget to look at the whole long url!
