    Creative Commons License
    Rabble Rousing Random Ramblings by S Jagadish is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.

    August 20, 2009

    Amazing phishing attempt for PayPal

    A short while ago, I got an email which read

    PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with a secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
    Why is my account access limited?

    Your account access has been limited for the following reason(s):

    We determined that someone may have tried to access your PayPal account without your permission. For your protection, we have limited your account access. To lift this limitation, log in to your PayPal account and follow the steps in the Resolution Centre.

    How can I restore my account access?

    Please visit the Resolution Centre and complete the "Steps to Remove Limitations."

    Completing all the checklist items will automatically restore your account access.

    PayPal Account Review Department

    I had the gut feeling that this was a phishing attempt.

    I clicked on the link in the email and I was taken to a site that looks identical to the PayPal login page.

    There were 3 things I noticed:
    1. The PayPal logo showed up near the URL bar
    2. This wasn't an HTTPS URL
    3. My email address was pre-filled in the username field (the URL I clicked on had the username hashed)
    The 2nd one made me suspicious, because I've always seen the PayPal site being served on HTTPS.

    So I provided my PayPal password but with an extra suffix "1" at the end. The reasoning was that if it was really PayPal, it would not authenticate me. As I suspected, it authenticated me and then took me to a screen where I was asked to fill out stuff like my name, address, social security number, etc. All this confirmed that this was a phishing attempt.

    That's when it hit me. I had a re-look at the URL (http://www.paypal.com.login-session-7t0ukr34oim.database.xq039.com/us/cgi-bin/webscr?cmd=_login-run&id=c19qYWdhZGlzaEB5YWhvby5jb20=) and I then realized that even though I was alert enough to confirm the URL before filling in the (wrong) password, my mind had assumed that since there was www.paypal.com immediately after the http://, this was trustworthy. I didn't realize that the part after paypal.com was actually ".login-session". Mentally, I probably thought it was "/login-session".

    So, the domain was actually xq039.com, which is (as expected) a Chinese IP (

    Then, when I re-read the email, I noticed that it said "Resolution Centre". PayPal, a USA-based company, would have used "Resolution Center". Further, the From address was service-jwxo5m8hwh3@6985.paypal-update.database.xq039.com.
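
    The hostname check that would have caught this, as an added example (not part of the original post): it reads the host from the right and compares the registrable domain with the expected one, for both the link and the From address. The names registrable_domain, check_link and sender_domain are hypothetical, and taking the last two labels as the registrable domain is an assumption that only holds for single-label suffixes such as .com; real code should consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Link from the post, with the id= query parameter left out.
PAGE_URL = ("http://www.paypal.com.login-session-7t0ukr34oim.database."
            "xq039.com/us/cgi-bin/webscr?cmd=_login-run")
PAGE_FROM = "service-jwxo5m8hwh3@6985.paypal-update.database.xq039.com"


def registrable_domain(host):
    """Return the last two DNS labels of a host name.

    Assumption: the public suffix is one label (.com, .org). Suffixes
    like .co.uk need the Public Suffix List instead of this shortcut.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url, expected="paypal.com"):
    """List the reasons a link should not be trusted as `expected`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    brand = expected.split(".")[0]
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if owner != expected:
        findings.append("registrable-domain-mismatch:" + owner)
        # The brand shows up only in labels the domain owner chose freely.
        if brand in host:
            findings.append("brand-in-subdomain")
    return findings


def sender_domain(address):
    """Registrable domain of the part after the last '@'."""
    return registrable_domain(address.rsplit("@", 1)[1])


if __name__ == "__main__":
    print(check_link(PAGE_URL))
    print(sender_domain(PAGE_FROM))
```

    Everything to the left of the registrable domain is chosen by whoever controls that domain, so "www.paypal.com." at the front of a host name proves nothing about who serves the page.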

    All said and done, I think this is an amazing phishing attempt. One that perhaps at least 99% of the folks clicking on the link in the email would fall for.

    PS: I did go and change my PayPal password immediately!
