PayPal phishing scams - take care of yourself online this Christmas

Filed Under: Data loss, Featured, Phishing

Australian PayPal users are being targeted in what is a now-typical pattern of phishing against the global payment service.

The trick is short and simple: you receive an email "acknowledging" a smallish payment. It's $79 to an eBay advertising service in our example:

Paypal phishing email

You know you didn't spend that money yourself. Perhaps, at this time of the year, you're worried that someone else in your household, like an unsupervised child, clocked up the charge?

Your natural inclination is to dispute the transaction. Indeed, it seems small enough that PayPal's online dispute resolution ought to be enough to take care of it, so you may be inclined to click through to kick off a dispute right away.

And that's the ploy, of course. Hovering over the "Press here to cancel this payment" link should be enough to reveal the bogosity. You won't be sent to PayPal but to a lookalike impostor site that helps itself to your login details:

Paypal phishing site

You should spot easily that the site is bogus - the URI isn't PayPal's; the look and feel isn't quite right; and the site doesn't use an encrypted connection (https) like the real site:

Paypal's real site
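The two checks the article recommends (where does the link really go, and is it an https link to the genuine site?) can be automated for an HTML email. The following is an added example, not code from the article or from Sophos; it assumes paypal.com is the only legitimate domain, and the sample email and its addresses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the genuine service uses (assumption for this example; adjust
# the set for whichever service you are checking).
TRUSTED_DOMAINS = {"paypal.com"}

class LinkExtractor(HTMLParser):
    """Collect (visible link text, href target) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_is_trusted(host):
    """True only if host is a trusted domain or a subdomain of one.
    'paypal.com.example.net' and 'notpaypal.com' both fail this test."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_links(html):
    """Return (text, href, verdict) for every link, flagging non-https targets
    and hosts that are not the genuine service, as the article advises."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        target = urlparse(href)
        if target.scheme != "https":
            verdict = "suspicious: not https"
        elif not host_is_trusted(target.hostname):
            verdict = "suspicious: host is not the genuine service"
        else:
            verdict = "ok"
        results.append((text, href, verdict))
    return results

# Constructed sample modelled on the phish described above (addresses are
# placeholders from documentation ranges, not real indicators).
SAMPLE_EMAIL = """<p>You sent a payment of $79.00 AUD.</p>
<a href="http://203.0.113.10/~user/paypal/login.php">Press here to cancel this payment</a>
<a href="https://paypal.com.example.net/login">Log in</a>
<a href="https://www.paypal.com/">Go to PayPal</a>
"""
```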

The main page of the website used as a link in our example phish looks like a holding page from a server that was never properly configured.

It's a reasonable assumption that the crooks behind this phish simply plundered resources on an insecure server - very likely using automated tools that help them "find-and-own" improperly configured sites:

Website with 'now configure me' warnings

Don't become part of the problem this Christmas season.

  • Be wise about what and where you click. Don't rely on login links sent to you in email.
  • Be cautious about where you enter your password. Check that the site looks right, and uses https, before you start typing.
  • Secure your servers before you put them online. Don't go live and then worry about locking the door. Crooks need just a few seconds to set up "cybersquat" pages on your web properties.

(To learn more, why not take a look at the Sophos Security Threat Report 2013? It's full of advice on how to be a safer surfer.)


5 Responses to PayPal phishing scams - take care of yourself online this Christmas

  1. Good to read link addresses for legitimacy.
    Which is why the spelling of this article's address is ironic: "payapl-phising-scams-take-care-of-yourself"
    Payapl-phising. Unless that's on purpose.
    It's just interesting coming from you guys, that's all.

    • Paul Ducklin · 649 days ago

      Irony, indeed. Well spotted :-)

      I'd love to say it was a touch of deliberate satire...but it was a plain old blunder. (The system we use for publishing gives you a giant web form for the title of your article, but about 23.5 pixels for the URI. And once you've published your URI, you're kinda stuck with it.)

      Oh well. At least we don't ask for a password anywhere on the page - and the host-and-domain-name part (nakedsecurity.sophos.com) is what you'd expect.

      I did groan when I spotted my mistake, about 0.026 seconds after publishing it. But then I thought, "Cool. I'll repurpose it as irony," which was a sort of meta-irony in its own right. Or something.

  2. Jay Vincenzo · 648 days ago

    After being hit up with several attempts like this - and similar, I always do an immediate mental check back on any of my last 10 plus payments made through PREYPAL - and immediately send them through to their spoof@paypal.com address.......

    They ALWAYS - but ALWAYS reply back with their usual screed of looking out for "suspicious" phishing attempts [DOH!] and to be very careful about "clicking" on any links ......

    Like I mean to ask - - WHY do you think I sent the "spoof" message to them in the first place - but for their information and possible tracking [ highly unlikely most times] - sometimes - well most times actually - I wish they could respond on an equal level sometimes instead of treating me like an uneducated child.......?

    After all I know I bray a bit sometimes - my big ears flop in the afternoon sun - but that is because I am a donkey who brays - not an ass!

  3. BrianA · 647 days ago

    I just delete unsolicited mails then visit the supposed sender account to see if they have any messages or actions for me. Takes a little longer than clicking on a spoof link but I can live with losing 30 seconds now and then.

  4. Karen · 565 days ago

    Found this email in my "junk" and thought it looked suspicious! My son just had unauthorized use on his debit card, so this hit close to home. But I figured that it was a scam, since my email account knew to stick it in my junk mail! Thanks for the info!

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog