Rabble Rousing Random Ramblings by S Jagadish is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.

August 20, 2009

Amazing phishing attempt for PayPal

A short while ago, I got an email which read:

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with a secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Why is my account access limited?

Your account access has been limited for the following reason(s):

We determined that someone may have tried to access your PayPal account without your permission. For your protection, we have limited your account access. To lift this limitation, log in to your PayPal account and follow the steps in the Resolution Centre.

How can I restore my account access?

Please visit the Resolution Centre and complete the "Steps to Remove Limitations."

Completing all the checklist items will automatically restore your account access.


Sincerely,
PayPal Account Review Department
I had the gut feeling that this was a phishing attempt.

I clicked on the link in the email and I was taken to a site that looks identical to the PayPal login page.

There were 3 things I noticed:
  1. The PayPal logo showed up near the URL bar
  2. This wasn't a HTTPS URL
  3. My email address was pre-filled in the username field (the URL I clicked on had the username hashed)
The 2nd one made me suspicious, because I've always seen the PayPal site being served on HTTPS.

So I provided my PayPal password but with an extra suffix "1" at the end. The reasoning was that if it were really PayPal, it would not authenticate me. As I suspected, it authenticated me and then took me to a screen where I was asked to fill out stuff like my name, address, social security number, etc. All this confirmed that this was a phishing attempt.

That's when it hit me. I had a re-look at the URL (http://www.paypal.com.login-session-7t0ukr34oim.database.xq039.com/us/cgi-bin/webscr?cmd=_login-run&id=c19qYWdhZGlzaEB5YWhvby5jb20=) and I then realized that even though I was alert enough to confirm the URL before filling in the (wrong) password, my mind had assumed that since there was www.paypal.com immediately after the http://, this was trustworthy. I didn't realize that the part after paypal.com was actually ".login-session". Mentally, I probably thought it was "/login-session".

So, the domain was actually xq039.com, which (as expected) resolved to a Chinese IP address (121.11.165.165).

Then, when I re-read the email, I noticed that it said "Resolution Centre". PayPal, a USA-based company, would have used "Resolution Center". Further, the From address was service-jwxo5m8hwh3@6985.paypal-update.database.xq039.com.
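The two tells above (the brand name buried in a long hostname, and a From address under the same unrelated domain) are exactly what a small link checker can surface mechanically. The following Python is an added example, not code from the original post. It splits the URL so the host is judged separately from the path (the "." versus "/" confusion described above), reduces the host and the sender domain to their registrable domain, flags the non-HTTPS scheme, and decodes the `id` parameter, which turns out to be ordinary base64 of the recipient's address rather than a hash. The two-label rule for the registrable domain is an assumption that holds for `.com`; a production checker should use the Public Suffix List instead.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

# Constructed from the link and From: header quoted in the post above.
PHISH_URL = ("http://www.paypal.com.login-session-7t0ukr34oim.database.xq039.com"
             "/us/cgi-bin/webscr?cmd=_login-run&id=c19qYWdhZGlzaEB5YWhvby5jb20=")
PHISH_FROM = "service-jwxo5m8hwh3@6985.paypal-update.database.xq039.com"


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname.

    Assumption: a flat two-label rule, which is correct for .com but not for
    suffixes such as co.uk or com.au. Real code should consult the Public
    Suffix List (e.g. the publicsuffix2 package) instead of this shortcut.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str, expected_domain: str = "paypal.com") -> dict:
    """Judge a login link the way a reader's eye does not: host first, then path."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    findings = []

    if parts.scheme != "https":
        findings.append("scheme is %s, not https" % parts.scheme)
    if owner != expected_domain:
        findings.append("host %s is controlled by %s, not %s" % (host, owner, expected_domain))
    # The brand appears as a leading label of someone else's hostname: the
    # classic "www.paypal.com.<junk>.<real-domain>" lookalike.
    if expected_domain in host and owner != expected_domain:
        findings.append("brand '%s' appears only as a subdomain label" % expected_domain)

    # The link pre-fills the victim's address via id=<base64>. Decoding it
    # shows the value is reversible encoding, not a one-way hash.
    prefill = None
    for value in parse_qs(parts.query).get("id", []):
        try:
            prefill = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            pass  # not base64; leave prefill unset

    return {"host": host, "owner": owner, "path": parts.path,
            "prefill": prefill, "findings": findings}


def analyse_sender(addr: str, expected_domain: str = "paypal.com") -> dict:
    """Apply the same registrable-domain test to a From: address."""
    _, _, host = addr.rpartition("@")
    owner = registrable_domain(host)
    return {"host": host, "owner": owner, "matches_brand": owner == expected_domain}


if __name__ == "__main__":
    link = analyse_link(PHISH_URL)
    print("link host  :", link["host"])
    print("link owner :", link["owner"])
    print("path       :", link["path"])
    print("prefilled  :", link["prefill"])
    for f in link["findings"]:
        print("  !", f)
    sender = analyse_sender(PHISH_FROM)
    print("From owner :", sender["owner"], "(brand match: %s)" % sender["matches_brand"])
```

Run against the post's URL, the owner comes out as xq039.com for both the link and the sender, the path is just `/us/cgi-bin/webscr`, and the `id` value decodes to the recipient's Yahoo address; the same check on a genuine `https://www.paypal.com/...` link produces no findings.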

All said and done, I think this is an amazing phishing attempt. One that perhaps at least 99% of the folks clicking on the link in the email would fall for.

PS: I did go and change my PayPal password immediately!
