XMS Systems


    Facebook Page LinkedIn Pinterest Twitter YouTube Facebook Messenger

Back to Fred Mac Donald's Blog

Phishing scam - PayPal Support - Resolve Your Account Problems

Phishing scam - PayPal Support - Resolve Your Account Problems

Phishing scam to get hold of your PayPal information.

Found an interesting but highly dangerous phishing scam in my inbox today and decided to take a look at how and what they trying to do.

Received Email had a couple of very obvious errors and for those that uses PayPal on a regular basis should be easy enough to spot.

Email Received

I stripped out all the fancy fonts and things the scammer used to try and make it look legit.

Dear Customer

We are unable to Confirm your account information.

As a result, your account has been temporarily Suspended.
All the services related to your account has been suspended pending resolution. Please provide us with your details as soon as possible.

Just click on Confirm My Account and Login to your PayPal account and follow the instructions :

Confirm My Account

This is an automated message. Please do not reply to this email. If you need additional help, visit PayPal Support.
Notice: If this email was sent to you in your Junk or Spam folder please mark it as not spam due to our new security update.

Sincerely,
PayPal Inc.

Copyright 1999-2016. All rights reserved.

Headers

Using googleapps header analyzer returned the following.

Scam email headers

  • You will notice that the server the email is sent from is not paypal.com but rather server.sanvil.com
  • the email address is paypal@server.sanvil.com
  • This criminals know what they are doing. You will see 17 mins and 16 mins. Those are a delay I have set on my internet servers as a method of an automated whitelisting function.

    The idea is that if an unknown email address is seen on the server it will be blocked forcing the sender to resend the email. Normally scammers and spammers will not resend. If it is a valid sender the sending server will automatically resend the email after 15 minutes.

    This software this spammer is using is obviously aware of this functionality and passed the first test to try and block the spam.

Figuring out where the actual phishing trap is

Using an URL analyzer like http://urlquery.net showed a numberof interesting things, amongst others the first time this specific Phishing url is used.

The Phishing link pointed to this url: paypal-webapps-security-purchases-intl.spikeflail.com/sys/rez/ 

It would be easy enough to only look at the beginning of the url and see “paypal-webapps-security” and think you are ok. However the actual domain name the url is located on is “spikeflail.com”. Clearly not “paypal.com”

Do not click on any links in any email unless you know what you are doing

The website opening up is worrying similar to the actual PayPal website. Even down to the “Favicon” that looks like a PayPal and a SSL certificate to make sure your “PayPal” information is transmitted securely.

There are a couple of things that is wrong here.

The blue block in the URL doesn’t say “PayPal” but “spikeflail.com”

Fake paypal site

Be careful

Be careful when opening emails even from familiar senders. Know what the email is suppose to look like. Having said that do not simply click on any link in the email. Rather open a new window in your browser and type in the url of the website you want to visit.

When the new website is opened take a couple of seconds to verify the website is actually the website you are expecting to see. Not one that looks familiar.

Read more about PayPal security here https://www.paypal.com/uk/webapps/mpp/phishing

Written by:  - 10 Oct, 2017  
comments powered by Disqus
flashy