Phishing Alert: PayPal Phishing Email — A Good One

paypal-phishing-20130717

A few days ago I received the above email in my Spam folder (click on the image to see the whole email).  It appeared to have come from PayPal, claiming to be a receipt of a $150 payment to some dude for some evening dress.  I was instantly alarmed, because I don’t recall buying any evening dress from this random person.

Many things about this email made me suspect that it was a phishing attempt to get my PayPal login info (again, click the image to see these red flags):

  • Red Flag #1: The sender email is clearly not “service@paypal.com” as it claims to be.
  • Red Flag #2: The email is dated Feb 18, 2013… And I just got it now? Yeah, right…
  • Red Flag #3: Mousing over the link revealed a URL with a www.invest-report.at domain… Clearly neither a PayPal nor an eBay domain.
  • Red Flag #4: Again, mousing over the link revealed the same www.invest-report.at URL.
  • Red Flag #5: The item I supposedly purchased is supposedly an eBay item. However, an eBay logo is nowhere to be found. A legit eBay purchase email should have an eBay logo where Red Flag #5 is.
  • Red Flag #6: Finally, one last place to trick you into visiting that www.invest-report.at domain. Mousing over www.paypal.com/help reveals it.

And of course the fact that the email landed in the Spam folder makes it suspicious in the first place.

I took a look at the email in its raw format, headers and all, and saw the following damning evidence that this is, in fact, a phishing email:


Transaction ID: <a href="http://www.invest-report.at/wp-sts.php?VS2P1ITF" 
target="new">X5B133P18025I2XD4</a>

<a href="http://www.invest-report.at/wp-sts.php?5EP0020EKQKM3A" target="new">
NEW WOMEN'S MAXI CHIC CHIFFON VINTAGE LONG BALL PARTY IRREGULAR EVENING 
DRESS</a>

A scan on the URL http://www.invest-report.at/wp-sts.php came back with this result:
paypal-phishing-20130717-sucuri

Image: Sucuri

Obviously not a good sign… But the scariest part of the email is the following… You thought you were going to PayPal’s help page? Think again!


Questions? Go to the Help Center at:
<a href="http://www.invest-report.at/wp-sts.php?JLCY17T50P5" target="_blank">
www.paypal.com/help</a>
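The mouse-over checks behind Red Flags #3, #4 and #6 can be automated by comparing each link's real `href` host with the text it displays. The Python sketch below is an added example, not part of the original email analysis; the `EXPECTED` allowlist and all function names are assumptions, and the sample input is the three anchors quoted in this post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains a genuine PayPal/eBay receipt is expected to link to.
EXPECTED = ("paypal.com", "ebay.com")
# Sample input: the three anchors quoted in this post.
SAMPLE = """Transaction ID: <a href="http://www.invest-report.at/wp-sts.php?VS2P1ITF"
target="new">X5B133P18025I2XD4</a>
<a href="http://www.invest-report.at/wp-sts.php?5EP0020EKQKM3A" target="new">
NEW WOMEN'S MAXI CHIC CHIFFON VINTAGE LONG BALL PARTY IRREGULAR EVENING
DRESS</a>
<a href="http://www.invest-report.at/wp-sts.php?JLCY17T50P5" target="_blank">
www.paypal.com/help</a>
"""
# Visible text that itself starts with a hostname, e.g. "www.paypal.com/help".
HOST_IN_TEXT = re.compile(
    r"^(?:https?://)?(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]|$)", re.I)

def in_domain(host, domain):
    host = host.lower().rstrip(".")
    # Match on a label boundary so "evilpaypal.com" does not pass as "paypal.com".
    return host == domain or host.endswith("." + domain)

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:          # only collect text inside an <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def audit_links(html):
    # Returns (visible_text, href_host, reasons); empty reasons means no flag.
    findings, parser = [], AnchorCollector()
    parser.feed(html)
    for href, text in parser.links:
        host, reasons = urlsplit(href).hostname or "", []
        if not any(in_domain(host, d) for d in EXPECTED):
            reasons.append("unexpected-host")
        shown = HOST_IN_TEXT.match(text)
        if shown and not in_domain(host, shown.group(1).lower()):
            reasons.append("text-href-mismatch")
        findings.append((text, host, reasons))
    return findings
```

Calling `audit_links(SAMPLE)` flags all three links as `unexpected-host`, and the "Help Center" link additionally as `text-href-mismatch`.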

There is also this odd little image hosted at a suspicious domain (Kaspersky has classified the domain a phishing site)…


<img alt="" src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?
pageName=system_email_PP843" width="1" height="1" border="0" />

I logged into my PayPal and eBay accounts directly to make sure they have not been breached (and they were not). I also sent the suspicious email over to spoof@paypal.com to report it. PayPal actually verified that it was a phishing email.

So again, no matter how familiar an email looks to you, pay close attention to the small details.

If you ever receive any email alerting you to suspicious activities on your online account(s), keep calm. Instead of clicking the links provided in the email to find out what’s going on, go to your account directly — that means typing the URL of the site in question into a browser.

Scammers are getting more clever each day, and even the most seasoned IT expert could become complacent and get pwnd with simple social engineering techniques. Keeping your guard up and staying alert at all times is the only way to avoid getting scammed.