Fresh Phish disguised as a PayPal Urgent Account Review Notification

Filed Under: Data loss, Featured, Malware, Phishing, Spam

No Fishing Creative Commons photo courtesy of alex_lee2001's Flickr photostream

While browsing the web this evening, waiting for thotcon 0x3 general admission tickets to go on sale, my wife's spidey senses started tingling and she asked me, "Is this a scam?"

Turning towards her monitor, I see she has an email open in her webmail account. The email is written with a convincing sense of urgency that compels the reader to follow the instructions provided in order to "protect" their information.

PayPal phish

It begins:

"As of the 3rd of November 2011, our security system has blocked unusual charges to a credit card linked to your account."

And concludes:

"Sincerely, PayPal Account Review Team"

Unfortunately, the average person who does not read Naked Security might easily be duped out of their PII (Personally Identifiable Information).

Phishing scams are nothing new. If people stopped falling for them, perhaps the scams would stop too?

It really comes down to education and great protection (for when education fails).

Mal/Phish-A Sophos Anti-Virus detection

The home use version of Sophos Endpoint Security and Control did a fantastic job of catching the attack as Mal/Phish-A.

The home use version is available to the employees of Sophos customers. Check with your employer whether the home use program is available at your organization before installing Sophos software willy nilly.

I spoke earlier in the week with a security professional who sent 500 spear phishing attacks internally to his colleagues. Of the 500 emails sent, 25 people responded by completing the form and surrendering their information.

While a 5% rate may seem small, he felt even 1% was too high. Education helped a lot, but not completely. Do you agree?

When read, this fresh phish posing as PayPal immediately puts the recipient into an emotional state: their account has been compromised and their funds are in jeopardy. That fear then clouds their judgement.

Since PayPal is a trusted name in the electronic payments industry, it of course has controls to prevent fraudulent transactions (though no one is perfect). This phish takes advantage of that trust by explaining that the "breached" account has been locked for your protection.

Attached HTML phish file

Now, to regain access to your funds, it's imperative to download the attachment and complete the form.

Downloading and opening the attachment launches your web browser to display the HTML form. As you can see, this web page looks very genuine and might lower your guard into believing it really came from PayPal.

PayPal phishing site

There are a few mistakes in this poorly executed phish which caused education to prevail over emotion.

The most basic one is that the email address of the inbox which received this phish is not registered with any PayPal account.

Another one to point out is that the sender shown as (From: "PayPal") is not actually PayPal: the display name says PayPal, but the address behind it does not.

The phisher used a domain name which, based on a whois lookup, has nothing to do with PayPal. It belongs to an instrumentation company in Massachusetts that happens to share PayPal's initials.
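The sender-header mismatch and the HTML attachment described above are the kind of checks a mail filter can apply automatically. The following is an added example, not code from the original post or from Sophos; the message is constructed to mirror this phish, and the sender domain `pp-instruments.example` is a placeholder for the unrelated domain the whois lookup turned up, not the real one.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the phish described above. The sender domain is a
# placeholder for the unrelated domain the whois lookup turned up, not the real one.
SAMPLE_PHISH = """\
From: "PayPal" <review@pp-instruments.example>
To: victim@example.org
Subject: Urgent Account Review Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

As of the 3rd of November 2011, our security system has blocked unusual charges to a credit card linked to your account.

--b1
Content-Type: text/html; name="PayPal_Account_Review.html"
Content-Disposition: attachment; filename="PayPal_Account_Review.html"

<html><body><form>fake login form</form></body></html>
--b1--
"""

# Assumed allow-list of domains the brand really sends from; maintain your own.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

def check_message(raw: str) -> list[str]:
    """Return the phishing indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Indicator 1: display name claims a brand, but the sender domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and domain not in domains:
            findings.append(f"display name '{display_name}' but sender domain '{domain}'")
    # Indicator 2: an HTML attachment, the form this phish asks the victim to open.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" and part.get_content_type() == "text/html":
            findings.append(f"HTML attachment '{part.get_filename()}'")
    # Indicator 3: urgency language in the body, the emotional lever the post describes.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    if any(w in text for w in ("blocked", "unusual", "urgent", "locked")):
        findings.append("urgency language in body")
    return findings
```

Calling `check_message(SAMPLE_PHISH)` returns all three indicators; swapping the sender for an address on the allow-listed domain clears only the first one, so the attachment and urgency checks still fire.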

While my wife isn't a security professional or an expert with computers, her training not to trust every email in her inbox (beyond the obvious spam) triggered a gut feeling that made her stop and think more clearly.

If it doesn't feel right, then it's not. Go with your gut!

Until next time, stay safe and secure online.

Creative Commons photo of "No Fishing" courtesy of alex_lee2001's Flickr photostream.


4 Responses to Fresh Phish disguised as a PayPal Urgent Account Review Notification

  1. Luis Alicea · 1432 days ago


    Excellent article! You are correct. Most of the PC users are that, just users. They proceed with their daily routine, because the PC has an antivirus/antispam software installed on it. I always have seen a lot of problems with Facebook by other users.

    This issue is not new to me. I have received a lot of those, even from banks and from different countries.

    Since I have heard of this issue, I follow a check procedure:

    1 - Analyze the subject
    2 - Check the sender's address (if the address does not contain (in this case)) I detect the phish/spam immediately. I also detect it by the time zone.
    3 - Check the to, cc and bcc
    4 - Read the email in full. Point to the links without clicking; doing this, I can read the fake URL
    5 - If the previous steps were not helpful, then I check the message headers to trace the message and verify the IPs

    Luis Alicea
    Puerto Rico

  2. David · 1398 days ago

    I received a convincing-looking phishing email recently, but on careful reading a few things made me suspicious. There were some errors of English grammar and punctuation which suggested the email might not have been composed by a native English-speaker, e.g. the word 'active' being used as a verb where the context seemed to require 'activate'. I also noticed that in one place 'PayPal' was spelt 'paypal', which seemed unlikely in an official email from PayPal. But overall it was quite a plausible job, and a lot of people would probably be fooled by it.

  3. Greg · 1235 days ago

    I received an email, supposedly from PayPal today. It told me that I'd sent a payment to eBay for $79.3AUD (an odd amount) and that if I thought it was an error, I should click on the link attached to it, fill in my details, and click the 'Cancel Payment' button. Sounds pretty good except for two things: 1. This email was sent to my work email address, which is not associated with PayPal - I only have my private email address linked to PayPal. 2. When you click on the link, it accepts any old password you give it, but wants your credit card number to proceed to the 'Cancel Payment' button. I don't think so. Pretty convincing looking email though, even has the 'secure' lock. One thing I noticed too was in the browser window, the address starts with ' So be aware good people.

  4. Godsgirl · 1169 days ago

    I received this email and was very uncomfortable because I don't use PayPal, so I googled the heading of the email and read your article. Thanks to Apple I was unable to open the attachment anyway.

    Thanks again


About the author

David Schwartzberg is a Senior Security Engineer at Barracuda Networks, a security company where he specializes in network security. Utilizing his 6 years accounting experience and combined 17 years InfoTech and InfoSec experience, he speaks regularly with technology executives and professionals to help protect their corporate secrets and stay compliant. David holds a black belt in Taekwondo and is an amateur competitor. You can follow David on Twitter as @DSchwartzberg.