There is a particularly nasty new phishing effort in the name of PayPal which just started going around this week.
Rather than the typical “update your account” request, which fewer and fewer people are falling for, this one says “New email address added to your PayPal account!”, and tells you that you, or someone, has successfully updated your PayPal account by adding an additional email address.
This one takes full advantage of how worried people are about identity theft, and it’s entirely believable that someone may have hacked into your PayPal account, and added their own email address. And what could be the harm of checking it out to be sure?
The harm, of course, is that the link in the email doesn’t go to PayPal at all, but rather the phishing site.
Here is the full text of the email, and below I dissect it and show you the tricks:
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
You have added everytime_john@yahoo.com as a new email address for
your PayPal account.
If you did not authorize this change or if you need assistance
with your account, please contact PayPal customer service at:
Thank you for using PayPal!
The PayPal Team
Please do not reply to this e-mail. Mail sent to this address cannot
be answered. For assistance, log in to your PayPal account and choose
the “Help” link in the header of any page.
—————————————————————–
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at
https://www.paypal.com/. Protect yourself against fraudulent websites
by opening a new web browser (e.g. Internet Explorer or Netscape)
and typing in the PayPal URL every time you log in to your account.
—————————————————————–
PayPal Email ID PP105
WESIYSWGIMVJJTUHFMSBBUIUFJYUDPEYPIZNIE
—
Looks pretty official, eh?
This is what your typical email reader, with html rendering turned on, as it is by default in most email programs, shows you.
But that URL, https://www.theinternetpatrol.com/brick-wall/, really goes somewhere completely different.
Let’s take a look at this email again, without it turning the HTML code into what the phisher wants it to..here is the actual raw source of the email (with HTML code removed, so it doesn’t trick your browser or mail reader):
Received: from unknown (HELO User) (9@onestsicinstit.com@210.10.90.15 with login)
by smtp101.biz.mail.mud.yahoo.com with SMTP; 2 Nov 2005 19:55:48 -0000
(First, note how this email really came through Yahoo via onestsicinstit.com, not from PayPal at all!)
Reply-To: lancelaura@yahoo.com
From: PayPal Notice
(PayPal probably doesn’t have employees send email from Yahoo accounts, but many people never bother to look at these details in their email before clicking on a URL.)
Subject: New email address added to your PayPal account !
Date: Thu, 3 Nov 2005 06:55:45 +1100
(Ok..here comes the payload for the phishers:)
You have added (“http://paypaldept.net/login.html”)
everytime_john@yahoo.com as a new email address for your
PayPal account.
(See how the email address is set up as a link to the phishing URL, which is “http://paypaldept.net/login.html”? You’ll see this again in a moment.)
If you did not authorize this change or if you need assistance with your account, please contact PayPal customer service at [fake link]
—-
Ok, do you see that? Do you see how they have made the link look like https://www.theinternetpatrol.com/brick-wall/
And this is why you should never, ever click on a link in email if you have any doubt at all. Just type the URL for the company into your browser. If they really need you to do something with your account, they’ll let you know when you log in to your account through the front door of the website.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
I GOT ONE OF THESE ALSO, IF I FIND THAT SOB I WILL BREAK BOTH HIS HANDS!
TO THE PUBLISH; WERE GETTING CLOSER!
Hey, I got this twice today in my junk folder.
“You’ve added an additional email address to your PayPal account.
If you don’t agree with this email jerry54@aol.com”>jerry54@aol.com and if you need assistance with your account,
please click here to login to your account.
To make sure you can use your PayPal account the next time you make a purchase,
all you need to do is confirm or not your email address.
If your email program has problems with hypertext links,
you may also confirm your email address by logging in to your account.
Thank you for using PayPal!
The PayPal Team
—————————————————————-
Please do not reply to this email. This mailbox is not monitored and you will not receive a response.
For assistance, log in to your PayPal account and click the jerry54@aol.com”>Help link located in the top right corner of any PayPal page.
—————————————————————-”
The paypal accoutn is actually my father’s, but it’s in my email account because he doesn’t know anytihgn about how to use a cmputer. The odd thing about the emai; is the links don’t lik you any where of you know what I mean./ Like where it says “click here” well…there’s nothing to click on. So is this a fake or what?
I just received a similar email and tracked it back to the people behind it. Check out this link for details:
All of these “phishing” expeditions are the reason why I do a bare minimum of shopping on the Internet. It’s still way too easy to steal identities and still way too hard to clean up the mess.
Another EVIL one. You don’t get infected, the malware merely changes your DNS server entries. It is sent as a link to a Paypal Security Tool the perp (supposedly PayPal) tries to get you to download and run.
Quote: “‘PayPal-2.5.200-MSWin32-x86-2005.exe’, is a Trojan Horse which modifies the DNS server of the local workstation and then deletes itself. All future requests for ‘paypal.com’ will be transparently redirected to a phishing website. This same DNS server could also be used to redirect requests for additional websites, but it currently appears to only redirect ‘paypal.com’.”
Newer still is a PayPal phish I received yesterday from “PayPal Security Center.” The social engineering aspect (used before) is a bogus report of someone trying to access your account from several foreign IP addresses. The Subject line is “Security Measures – Are You Traveling?” Then comes the invitation to download the “Ultimate PayPal Security Tool.” The link is to an executable (.exe) file (on a Romanian hosting service). Analysis of the file reveals it to be a Trojan Dropper.
Like Aunty says: Don’t click those links!
I keep all my passwords for any financial websites (banking) and any other websites of interest (probably a couple 100 or so) on a CD and access them only when I need access to the website of interest. I use WordPad to copy/paste my username/password, then close WordPad. Not sure if you should show this tip or not (prying eyes you know)!
This isn’t new, I received the same message a couple months ago.
Hi Aunty;
I thought you’d be interested in another PayPal email I got this week. It looked exactly like the one you get when you make a payment through PayPal, only I hadn’t made a payment to anyone. The worst part, however, was that it automatically attempted to open my web browser and log into PayPal. I didn’t even click on any links!!! It was unsuccessful, but I can’t help wondering what would have happened if I would have had my password stored on my computer? I sent the email to PayPal but I didn’t get any response from them. I did immediatley change my PayPal password and have been keeping a very close eye on it.
Thanks for all the great tips! Keep up the good work, we really appreciate it.