How a phish works

We recently received a PayPal phishing email. It looks like this.


It is not hard to spot that this email is a phish: clicking on the link does not take us to but to some remote site (one that Sophos’s web appliance already blocks).

The web page loaded from this site disguises itself as as shown below.


However, this web page is just an image of the real web page. None of the tabs and links on the fake page can be selected; only the email address and password text fields are live. This is another obvious sign that the site is fake. Logging in with a made-up email address and password led us to the following page.
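The two tells described so far, an email link whose visible text and real destination disagree, and a login page that is a screenshot with a couple of live fields posting to some other host, can be turned into simple heuristic checks. The following is an added example, not code from the original post: it runs over constructed sample HTML (the 203.0.113.7 host, file names and field names are assumptions, not the real phishing kit), and the link check is written generally, flagging any anchor whose text names a host the href does not go to, not only PayPal look-alikes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed samples for this example, not the real email or landing page
# from the post. 203.0.113.0/24 is a reserved documentation range.
SAMPLE_EMAIL = """
<p>Dear customer, we noticed unusual activity on your account. Please
<a href="http://203.0.113.7/pp/login.php">click here</a> or visit
<a href="http://203.0.113.7/pp/login.php">https://www.paypal.com/cgi-bin/webscr</a>
to restore access.</p>
<p>To change your notification settings, go to
<a href="https://www.paypal.com/settings">www.paypal.com/settings</a>.</p>
"""

SAMPLE_LANDING_PAGE = """
<html><body style="margin:0">
<img src="paypal_screenshot.png" width="1024" height="768">
<form action="login.php" method="post">
  <input type="text" name="email">
  <input type="password" name="pass">
  <input type="hidden" name="step" value="1">
  <input type="submit" value="Log In">
</form>
</body></html>
"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class PageCollector(HTMLParser):
    """Collects anchors (href + visible text), form actions, input types and
    image sources: everything the two checks below need."""

    def __init__(self):
        super().__init__()
        self.anchors, self.forms, self.inputs, self.images = [], [], [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "input":
            self.inputs.append(a.get("type", "text").lower() or "text")
        elif tag == "img":
            self.images.append(a.get("src", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def same_site(a, b):
    """True if one host equals or is a subdomain of the other. Simplified: no
    public-suffix list, so registrable-domain boundaries are approximate."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def find_deceptive_links(html):
    """Email check: anchors whose visible text names one host while the href
    goes to another, and hrefs pointing at bare IP addresses."""
    c = PageCollector()
    c.feed(html)
    findings = []
    for href, text in c.anchors:
        h, reasons = host_of(href), []
        if IP_RE.fullmatch(h):
            reasons.append("href host is a bare IP address")
        for m in HOST_IN_TEXT_RE.finditer(text):
            shown = m.group(1).lower()
            if not same_site(shown, h):
                reasons.append(f"text shows {shown} but href goes to {h}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def assess_landing_page(html, page_url, brand_domain="paypal.com"):
    """Landing-page check: a picture of the real site, no working links, only
    a few live text fields, and a form posting outside the brand's domain."""
    c = PageCollector()
    c.feed(html)
    live_links = [h for h, _ in c.anchors if h and not h.startswith("#")]
    live_inputs = [t for t in c.inputs if t in ("text", "email", "password")]
    actions = [urljoin(page_url, a) for a in c.forms]  # relative actions resolve to the serving host
    off_brand = [a for a in actions if not same_site(host_of(a), brand_domain)]
    return {
        "images": len(c.images),
        "live_links": len(live_links),
        "live_inputs": len(live_inputs),
        "off_brand_form_actions": off_brand,
        "image_overlay_login": bool(c.images) and not live_links and 0 < len(live_inputs) <= 3,
    }
```

Running `find_deceptive_links(SAMPLE_EMAIL)` flags the two anchors that go to the bare IP (the second one also because its text claims www.paypal.com) and leaves the genuine settings link alone; `assess_landing_page(SAMPLE_LANDING_PAGE, "http://203.0.113.7/pp/index.html")` reports one image, no live links, two live fields and a form action on the attacker's host. Both are heuristics for triage, not proof: a legitimate newsletter can link through a tracking host, so treat a hit as a reason to look closer.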


Clicking on the link took us to another web page, shown below.

How can we tell that this web page is fake? It is quite simple: this page has the following URL.

We provided some made-up account and address information, and the site then redirected us to a page asking for our banking details.

We then supplied made-up banking details as well, to see where the site would take us next. It led to the following page.


Finally, the site refreshes and redirects us to the genuine web page. That final hop to the real site is the part that keeps the victim from noticing anything was wrong: by then the kit has collected the login, account, address and banking details in turn.