December 12, 2005

Phishing Scams – Paypal

Filed under: Idiots,Technology — Cory @ 1:34 pm

Recently I have started receiving more phishing emails, so I thought I would explain these things and give an example of one. For those who don’t know, phishing is when scammers send email disguised as coming from reputable companies such as Paypal and eBay, and sometimes from banks. The messages tend to look very similar to emails sent by those companies, in an attempt to trick you into clicking on a link in the email. Often, you will be asked to enter some login information such as your email address and password, or even worse, your credit card number. These email messages are sometimes very difficult to distinguish from the authentic messages from the actual company, so unsuspecting recipients rarely know the difference. Here’s an example of one that I recently received:

Dear PayPal User,

We recently noticed one or more attempts to log in to your PayPal
account from a foreign IP address.

If you recently accessed your account while traveling, the unusual log
in attempts may have been initiated by you. However, if you did not
initiate the log ins, please visit PayPal as soon as possible to verify
your account:

https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run

Changing your password is a security measure that will ensure that you
are the only person with access to the account.

Thanks for your patience as we work together to protect your account.

Sincerely,
PayPal

—————————————————————-
PROTECT YOUR PASSWORD

NEVER give your password to anyone, including PayPal employees. Protect
yourself against fraudulent websites by opening a new web browser (e.g.
Internet Explorer or Netscape) and typing in the PayPal URL every time
you log in to your account.

—————————————————————-

Please do not reply to this email. This mailbox is not monitored and
you will not receive a response. For assistance, log in to your PayPal
account and click the Help link located in the top right corner of any
PayPal page.

PayPal Email ID PP321

Anyone who has a Paypal account will know that this looks very similar to the official messages that are sent out. However, this message was from a phisher, not Paypal. When I moved my mouse over the link in the above message, it pointed to http://paypalusupdate.info/cgibin/webscrcmd=_login+run/?logIN (DO NOT VISIT THAT LINK) rather than the official https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run link that was displayed in the email.
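The hover check described above can be automated for HTML mail. This is an added example, not code from the original post: it flags any link whose visible text is itself a URL naming a different host than the href. The class and function names are hypothetical, and the sample body is constructed from the two URLs quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""

def deceptive_links(html):
    """Links whose visible text is itself a URL naming a different host."""
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    flagged = []
    for text, href in audit.links:
        if len(text.split()) != 1:  # visible text is not a single URL-like token
            continue
        shown = host(text if "://" in text else "//" + text)
        if "." in shown and shown != host(href):
            flagged.append({"shown": shown, "actual": host(href), "href": href})
    return flagged

# Constructed HTML body built from the two URLs quoted in the post.
SAMPLE = (
    '<a href="http://paypalusupdate.info/cgibin/webscrcmd=_login+run/?logIN">'
    'https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run</a> '
    '<a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run">log in</a>'
)

if __name__ == "__main__":
    print(deceptive_links(SAMPLE))
```

The comparison is on exact hostnames, which is deliberately strict; comparing registrable domains instead requires a public-suffix list.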

The phisher even took the time to modify the message header so that it would appear the email originated from a Paypal mail server:

From: [email protected]
Subject: PayPal Email ID PP321
Date: December 11, 2005 1:28:53 PM CST
To: XXXXXX
Reply-To: [email protected]
Return-Path: <service@paypal.com>
Delivered-To: XXXXXX
Received: (qmail 12824 invoked by uid 533); 11 Dec 2005 19:38:58 -0000
Received: from 217.79.182.36 by silver.standblue.net (envelope-from <service@paypal.com>, uid 504) with qmail-scanner-1.25 ( Clear:RC:0(217.79.182.36):. Processed in 1.311025 secs); 11 Dec 2005 19:38:58 -0000
Received: from y036.yellow.fastwebserver.de (HELO 217.79.182.36) (217.79.182.36) by a.mx.standblue.net with SMTP; 11 Dec 2005 19:38:57 -0000
Received: from mexmmgabg.paypal.com (mexmmgabg.paypal.com [128.235.17.2]) by with Microsoft SMTPSVC(5.0.2195.6824); Sun, 11 Dec 2005 12:33:53 -0700
X-Qmail-Scanner-Mail-From: [email protected] via silver.standblue.net
X-Qmail-Scanner: 1.25 (Clear:RC:0(217.79.182.36):. Processed in 1.311025 secs)
Message-Id: <[email protected]>
X-Mailer:
Mime-Version: 1.0
Organization:
Content-Type: multipart/alternative; boundary="=_IhfLiENz5z0"
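Reading the Received chain above from the top down, as an added example that is not code from the original post: only the lines written by the recipient's own servers can be trusted, and anything below them was supplied by the sender. The `.standblue.net` suffix is assumed here to be the recipient's mail infrastructure, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Return-Path and Received lines from the post (address spacing normalised).
RAW = """\
Return-Path: <service@paypal.com>
Received: (qmail 12824 invoked by uid 533); 11 Dec 2005 19:38:58 -0000
Received: from 217.79.182.36 by silver.standblue.net (envelope-from <service@paypal.com>, uid 504) with qmail-scanner-1.25 ( Clear:RC:0(217.79.182.36):. Processed in 1.311025 secs); 11 Dec 2005 19:38:58 -0000
Received: from y036.yellow.fastwebserver.de (HELO 217.79.182.36) (217.79.182.36) by a.mx.standblue.net with SMTP; 11 Dec 2005 19:38:57 -0000
Received: from mexmmgabg.paypal.com (mexmmgabg.paypal.com [128.235.17.2]) by with Microsoft SMTPSVC(5.0.2195.6824); Sun, 11 Dec 2005 12:33:53 -0700

"""

# Assumption: hosts under this suffix are the recipient's own mail servers.
OWN_SUFFIX = ".standblue.net"
HOP = re.compile(r"from\s+(\S+)\s.*?\bby\s+(\S+)", re.S)

def hops(msg):
    """(from_host, by_host) for each Received line, newest first."""
    found = []
    for value in msg.get_all("Received", []):
        m = HOP.match(value.strip())
        if m:  # lines not starting with "from" (qmail's local hand-off) are skipped
            found.append((m.group(1).lower(), m.group(2).lower()))
    return found

def analyse(raw, own_suffix=OWN_SUFFIX):
    """Compare the claimed sender domain with the host that really connected."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    chain = hops(msg)
    ours = [h for h in chain if h[1].endswith(own_suffix)]
    # The oldest hop written by our own server names the real connecting host.
    connecting = ours[-1][0] if ours else None
    return {
        "claimed_domain": claimed,
        "connecting_host": connecting,
        "matches_claim": bool(connecting) and connecting.endswith("." + claimed),
        "unverifiable": [h for h in chain if not h[1].endswith(own_suffix)],
    }

if __name__ == "__main__":
    for key, value in analyse(RAW).items():
        print(f"{key}: {value}")
```

The bottom Received line naming mexmmgabg.paypal.com ends up in the unverifiable list because it sits below the first hop the recipient's server recorded, so its contents are whatever the sending side chose to write.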

If you receive a message from Paypal, eBay or any bank, please do not click on any link in the email. If you want to be sure, open your browser and type in the URL of the site, such as www.paypal.com or www.ebay.com, log in, and update your information from there. Just please, please do not click on the links in these emails.

• • •

1 Comment »

  1. When I was living in Oklahoma, I had a bank account at Bank of Oklahoma. It’s like a real bank, but located in Oklahoma — they have printed checks, tellers, Internet Banking and everything else you might expect from a legitimate financial institution. Except, of course, they were in Oklahoma.

    I don’t get very many phishing emails after Spam filtering (I was using SpamCop + SpamAssassin). I found it curious that out of all the phishing emails I might get, I got a … Bank of Oklahoma one, originating from some post-Soviet republic. I don’t remember which one. “Dear Bank of Oklahoma customer, we forgot your account number and mother’s maden name…” (or something equally stupid.)

    Anyway, I was wondering how they knew my email address was associated with Bank of Oklahoma. I had an Oklahoma street address on my webpage and whois record, but some kind of intelligent email spider seemed unlikely. I decided BOK’s mailing list server must have been 0wN3d and I forwarded them the email and called to tell them about it.

    They froze my account.

    I reminded them that no, I hadn’t clicked on any links. No, I hadn’t given any information to anyone. I was just letting them know about the spam. And yet… they locked my account and made me open a new one. The reason, as it was explained to me, was that sometimes these phishing emails have attachments that could run on your computer, “like a virus”. The email had no attachments, I don’t store my bank login in my web browser, and even if I did, I ran Thunderbird on Linux. But alas, expecting help from someone who has the words “Customer” and “Service” in their job title is unrealistic.

    Kind of like expecting an institution located in Oklahoma not to suck — unrealistic.

    Comment by Ken Kinder — December 12, 2005 @ 10:14 pm
