A PayPal Phishing Scam
Mar 21st, 2008 by Greg Bulmash
So, this one came in to an address I don't use for Paypal (first sign it was bogus), but there was much more to show how bogus it was.
Here's the text with some of the headers included...
Received: from hhc.iscs.co.kr (unknown [121.1.120.28])
by randymail-mx3.g.dreamhost.com (Postfix) with ESMTP id 5B28278410
for <[my address]>; Thu, 20 Mar 2008 18:17:32 -0700 (PDT)
Received: from [121.1.120.28] by adtfree.tv; Fri, 21 Mar 2008 10:17:32 +0900
From: update@paypal.com
Reply-To: akstcadtfreemnsdgs@adtfree.tv

Dear PayPal ® customer,
We recently reviewed your account, and we suspect an unauthorized transaction on your account.
Protecting your account is our primary concern. As a preventive measure we have temporary limited your access to sensitive information.
Paypal features.
To ensure that your account is not compromised, simply hit "Resolution Center" to confirm your identity as member of Paypal.
* Login to your Paypal with your Paypal username and password.
* Confirm your identity as a card memeber of Paypal.
Please confirm account information by clicking here Resolution Center and complete the "Steps to Remove Limitations."
*Please do not reply to this message. Mail sent to this address cannot be answered.
Copyright © 1999-2008 PayPal. All rights reserved.
Note the headers I highlighted. Received: from hhc.iscs.co.kr means that the identified sender was in Korea. Now that doesn't mean it's where the sender really was, but it's not where PayPal would send mail from. Then both the second Received header and the Reply-To address point to adtfree.tv, which is a Nevada burglar alarm dealer's "coming soon" web site with a mail server they neglected to lock down. That's also known as an "open relay". And you can bet your bippy that PayPal is not going to send e-mails through there or have an adtfree.tv address as the address you should reply to.
Of course, the obvious dead giveaway is the link they want you to click. You find out where a link really goes by hovering your mouse over it. It's an HTML link, so instead of showing the URL, it shows the text they want you to see and click on. Most browsers (if you're using a web based mail program) or e-mail programs will show the real URL in the bottom status bar when you hold your mouse pointer over a link without clicking. Here's a demo of how that looks on my machine with Mozilla Thunderbird.

I had to shrink it down a little, but I've circled the link in the title and the URL being displayed down in the bottom bar. Notice the URL does not go to PayPal.com. It goes to http://paypal.user-confirmation.com/acc/login.php. If you don't know how to read a URL, let me dissect it for you.
Only the "XYZ.com" really counts. That's the domain, and whoever registered it controls everything in front of it. Anything before it (separated with dots) is a "subdomain" name, which merely tells the computer at XYZ.com how to handle the request. Anything after XYZ.com (separated by a forward slash / or question mark ?) is document information, telling the web server what page to open and what information you are feeding it.
So, paypal.user-confirmation.com/acc/login.php means you're going to a site called user-confirmation.com. The "paypal." before "user-confirmation.com" is just an instruction to their web server, put there to fool you into thinking this has something to do with PayPal. I could actually create a paypal.brainhandles.com address in 10 to 20 minutes with a page up there that looks like a PayPal login screen, but it would be my site and not PayPal.
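As an added illustration (not part of the original post), here is a small Python script that applies the rule just described: it pulls the hostname out of a link and keeps only the last two labels, so paypal.user-confirmation.com boils down to user-confirmation.com, and then flags links that mention the brand name while belonging to some other domain. The two-label rule, the sample links and the "paypal.com" brand domain are assumptions of this toy; real code should consult the Public Suffix List, because "co.uk"-style suffixes break the two-label shortcut.

```python
from urllib.parse import urlparse

# Constructed sample links: the one from the phishing mail in the post,
# a genuine PayPal link, and a few extra shapes of the same trick.
LINKS = [
    "http://paypal.user-confirmation.com/acc/login.php",
    "https://www.paypal.com/cgi-bin/webscr",
    "https://paypal.com.user-confirmation.com/login",
    "http://user-confirmation.com/acc/login.php?site=paypal.com",
    "http://example.org/index.html",
]


def registrable_domain(url: str) -> str:
    """Return the part of the hostname that identifies who owns the site.

    Simplified rule from the post: only the last two labels ("XYZ.com") count;
    every label in front of them is a subdomain chosen by XYZ.com's owner.
    Assumption: no multi-label public suffixes such as "co.uk".
    """
    host = (urlparse(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    return host if len(labels) < 2 else ".".join(labels[-2:])


def assess(url: str, brand_domain: str = "paypal.com") -> str:
    """Classify a link relative to the brand it may be impersonating.

    "genuine-domain"   -> registrable domain is the brand's own domain
    "brand-elsewhere"  -> brand name appears in the URL, but the registrable
                          domain belongs to someone else (the phishing pattern)
    "unrelated-domain" -> brand name does not appear at all
    """
    if registrable_domain(url) == brand_domain:
        return "genuine-domain"
    brand_word = brand_domain.split(".")[0]  # "paypal"
    if brand_word in url.lower():
        return "brand-elsewhere"
    return "unrelated-domain"


if __name__ == "__main__":
    for link in LINKS:
        print(f"{assess(link):17s} {registrable_domain(link):26s} {link}")
```

The query-string case shows why anything after the "?" is ignored when deciding who owns the site: the text "paypal.com" is there, but the request still goes to user-confirmation.com.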
So if you got this e-mail... ignore it. Don't even click the link. It's some LAZY and STUPID crook making a really half-assed try to fool you into giving him information he can use to steal from you.
Best of luck.
UPDATE: Got another copy approx 24 hours later, also seeming to originate in Korea, this time relayed through animalhope.at and just as lazy and stupid about presenting these huge red flags.