How a phish works

Filed Under: SophosLabs

We recently received a PayPal phishing email that looks like this.

 

It is not hard to spot that this email is a phish since clicking on the link does not take us to PayPal.com but to some remote site (which is already blocked by Sophos's web appliance).

The web page loaded from this site disguises itself as PayPal.com as shown below.

 

However, this web page is just an image of the real PayPal.com web page. None of the tabs and links on this fake web page can be selected; only the email address and password text fields can be used. This is another obvious sign that the web site is fake. By logging in with a fake email address and password, we were led to the following page.

 

By clicking on the link we were directed to another web page as shown below.

How can we tell that this web page is fake? It is quite simple: this page has the following URL.

We provided some fake account and address information, and the site then redirected us to a page asking us to supply our banking details.

We then decided to supply more fake banking information to the web page to see where it would lead us. As a result, we were led to the following page.

 

Finally, the site refreshed and redirected us to the genuine PayPal.com web page.

 
