Mar 05

PayPal phishing attacks

by in Spam Filtering, Techie :: Techno ::

We seem to get one or two of these emails a week, possibly more.
They are usually very well crafted and unless you actually read (and understand) mail headers it is easy to see how someone could be duped by them.
The one we got this morning is below:
paypal phishing email
It looks and feels like a genuine Paypal email, until you look at the headers or the HTML source.
The scammers have, of course, gone to great lengths to make sure that a cursory glance will not reveal anything "strange", so they use a mouseover link in the email to display what looks like a genuine link to the paypal site.
So what happens if you are duped into visiting this site?
In this instance the site was called paypol.biz
After you get past the front page you are asked to agree to a number of legal statements and then passed onto this page:
paypal spoof site
where they ask you not only for your credit card details, but also your bank details, social security number and more. With this kind of detail the scammer would have little difficulty in gaining access to your credit card and other sources of funds.

Related Posts:

  • No Related Posts

3 Responses to “PayPal phishing attacks”

  1. From David:

    I imagine this could potentially be made all the worse by exploits such as the firefox IDN issue (http://secunia.com/advisories/14163/)
    I also recieve emails like this fairly regularly, and Microsoft Outlook does not make it easy to check headers (you have to select View/Options to see them). Even then they appear in an insignificant little box on the screen that pops up.
    Which is not going to be obvious to the average user.
    Perhaps MUAs need to display the mail hosts the mail has passed through a little more clearly? Maybe just showing the first mail host the mail came from, then at least if that shows xyz.paypal.com a user will have more confidence the email came from paypal than customer5446-22.home-dsl.verizon.com.

    Posted on March 5, 2005 at 3:16 pm #
  2. From blacknight:

    David
    It’s probably better to do the blocking on the server-side where you can use DNSBLs to check the URIs referenced in the email body. This is possible using MailScanner although I am yet to enable it on any of our installs
    M

    Posted on March 5, 2005 at 8:34 pm #
  3. From Tom Raftery:

    That’s scary – ‘cos 1) it looks genuine so it will fool a lot of people and 2) if they give that amount of info – it is easy to change your credit card no. but you can’t change your mother’s maiden name, for instance and that is a pretty standard security question.
    Bruce Schneier has an article on the folly of secret questions here

    Posted on March 7, 2005 at 5:01 pm #

Leave a Reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.

css.php