Site Feed -
Badri's Tamil thoughts
Ganesh's Happily Haphazard
Raghu the reluctant Delhiite
Sankhya the busy idler
Srini the movie critic
Amazing phishing attempt for PayPal
A short while ago, I got an email which read
PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with a secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.I had the gut feeling that this was a phishing attempt.
I clicked on the link in the email and I was taken to a site that looks identical to the PayPal login page.
There were 3 things I noticed:
So I provided my PayPal password but with an extra suffix "1" at the end. The reasoning was that if it was really PayPal, it would not authenticate me. As I suspected, it authenticated me and then took me to a screen where I was asked to fill out stuff like my name, address, social security number, etc. All this confirmed that this was a phishing attempt.
That's when it hit me. I had a re-look at the URL (http://www.paypal.com.login-session-7t0ukr34oim.database.xq039.com/us/cgi-bin/webscr?cmd=_login-run&id=c19qYWdhZGlzaEB5YWhvby5jb20=) and I then realized that even though I was alert enough to confirm the URL before filling in the (wrong) password, my mind had assumed that since there was www.paypal.com immediately after the http://, this was trustworthy. I didn't realize that the part after paypal.com was actually ".login-session". Mentally, I probably thought it was "/login-session".
So, the domain was actually xq039.com, which is (as expected) a Chinese IP (18.104.22.168).
Then, when I re-read the email, I noticed that it said "Resolution Centre". PayPal, a USA-based company, would have used "Resolution Center". Further, the From address was firstname.lastname@example.org.
All said and done, I think this is an amazing phishing attempt. One that perhaps at least 99% of the folks clicking on the link in the email would fall for.
PS: I did go and change my PayPal password immediately!
Some of the sites linked in my rants may require registration/subscription. Links within my ramblings open in a new window.
Some of the links may now be broken/not take you to the expected report since the original content providers may have archived/removed the contents.
All opinions expressed are mine alone. My employers (past, present or future) are in no way connected to the opinions expressed here.
All pictures, photographs used are copyrights of the original owners. I do not intend to infringe on any copyright.
Pictures and photographs are used here to merely accentuate and enhance the content value to the readers.