Welcome to Netrider ... Connecting Riders!

Interested in talking motorbikes with a terrific community of riders?
Signup (it's quick and free) to join the discussions and access the full suite of tools and information that Netrider has to offer.

New PAYPAL phishing email scam! June 2008

Discussion in 'The Pub' at netrider.net.au started by robsalvv, Jun 11, 2008.

  1. There's a new PAYPAL phishing email doing the rounds. It goes along the lines:

    It looks utterly legit, but it's NOT.

    In general, NEVER click on any link in any email purporting to take you to a site you're a member of. ALWAYS go to the website directly via placing the URL in the address bar or via a bookmark and log in. If the email is legit, when you log in you will see some kind of notification that you need to do something.

    So DON'T click on the link. DO go to your PAYPAL account and check whether charges have been indeed levelled. DO forward the email and email header to spoof@paypal.com.au.

    If you clicked on the link in the hope of initiating a dispute procedure, DO go directly to the paypal site, login, check whether you now do have unauthorised charges... if you don't, CHANGE your password and report the situation to paypal. If you do have charges, change the password and report the situation to paypal... you might have to wear the charges...



  2. Doesn't effect me since I don't use paypal but I'm curious - what does clicking on the link actually do?
  3. Typically a scam like this would take the victim to a website which LOOKS like Paypal (often with a well-spoofed URL, by hiding the 'http://www.paypal.com' within a username for a website hosted at an IP address) and ask them to input their username and password so that "a dispute can be lodged".

    Of course, by entering your user/pass on the scammers' website, you've handed access to your account to them on a silver platter. The scammers can then go wild, racking up charges on your paypal with you unable to dispute the charges at all. They'd probably even change YOUR password so that you can't dispute them when the real transaction receipts come through. ;)
  4. Paypal always address you BY NAME.
    that makes it easier to identify when you're the victim of a scam
    paypal have said any e-mail starting with 'dear paypal customer' or 'dear paypal member' is not from them.
  5. Ahh okay, thought it might have somehow automatically added the charges when you clicked on the link.
  6. Social engineering has always been the best hack. These scams have been around for so long it's not funny, they usually try to exploit a flaw in IE/outlook that hides certain parts of the URL - or by sending the email as HTML.

    I'd suggest the following precautions for all emails / sites that require username / password access..
    Don't open a link from an email or an untrusted site. If you absolutely have to right click on the link and copy it. Then paste the link into a new tab within Firefox 3. Does the URL look dodgy? Does Firefox 3 warn you that it's a know scam site? If no to both then it's probably safe to continue.
  7. I should elaborate on the "spoofed URL" thing I mentioned above, so people know just how 'bad' it can get:


    Looks like a totally legitimate URL for imaginary internet-money-sending website "SpotsPal", doesn't it?

    But it's actually a totally legitimate URL for whatever evil scamming server is hosted on

    I agree with Robsalvv - best to write the ordinary SpotsPal URL in by hand (ie: www.spotspal.com ), log in normally and check to see if the actual service mentions recent transactions.
  8. You evil scammer Spots! :p

    I'm always surprised that despite everything that you hear, someone always seems to get done by these scams. Of course it's possible to make emails look legit, some can even modify the email headers to show real email addresses - even if it's not sent by them, but one thing that can't be changed (short of hacking a DNS) is the URL in the IE/Firefox address bar. A lot of phishing scams use URLs that are almost like the real one, sometimes with a slight typo that you may not pick up if you're not paying enough attention.

    So make sure that really says http://www.paypal.com etc, and you should be right.
  9. Spots, they didn't even get that sophisticated. Just to highlight how blatant a phish this email was, this was the address that the dispute link went to:


    Doesn't mention paypal at all. Hovering the mouse over the link and looking at the lower tool bar would have shown you the address that looked pretty dodgey. The above was obtained by a right click and copy link.

    Looking at the email header makes it pretty clear too:

    Return-Path: <service@securesuite.net>
    Authentication-Results: mta253.mail.mud.yahoo.com from=securesuite.net; domainkeys=neutral (no sig)
    Received: from (EHLO server2.nccray.com) ( by mta253.mail.mud.yahoo.com with SMTP; Thu, 29 May 2008 18:04:59 -0700
    Received: from User (unknown []) by server2.nccray.com (Postfix) with ESMTP id 75DE3674439; Thu, 29 May 2008 20:01:47 -0500 (CDT)
    From: "service@intl.paypal.com"<service@securesuite.net>Date: Fri, 30 May 2008 04:05:13 +0300
    MIME-Version: 1.0
    Content-Type: text/html; charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    Message-Id: <20080530010147.75DE3674439@server2.nccray.com>

    Look at the bolded bits... No mention of Paypal at all. BIG giveaway!!

    The scammers RELY on the user being outraged and clicking on the link. DO NOT enter your log in details.

    In comparison, a proper PAYPAL email refers to my full account name and all links have simple paypal.com.au based urls. Also, the header includes a simple paypal domain return address in the first line, a long and convoluted digital signature and mentions paypal a lot.