There is a particularly nasty new phishing effort in the name of PayPal which just started going around this week.
Rather than the typical “update your account” request, which fewer and fewer people are falling for, this one says “New email address added to your PayPal account!”, and tells you that you, or someone, has successfully updated your PayPal account by adding an additional email address.
This one takes full advantage of how worried people are about identity theft, and it’s entirely believable that someone may have hacked into your PayPal account, and added their own email address. And what could be the harm of checking it out to be sure?
The harm, of course, is that the link in the email doesn’t go to PayPal at all, but rather to the phishing site.
Here is the full text of the email, and below I dissect it and show you the tricks:
You have added firstname.lastname@example.org as a new email address for
your PayPal account.
If you did not authorize this change or if you need assistance
with your account, please contact PayPal customer service at:
Thank you for using PayPal!
The PayPal Team
Please do not reply to this e-mail. Mail sent to this address cannot
be answered. For assistance, log in to your PayPal account and choose
the “Help” link in the header of any page.
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at
https://www.paypal.com/. Protect yourself against fraudulent websites
by opening a new web browser (e.g. Internet Explorer or Netscape)
and typing in the PayPal URL every time you log in to your account.
PayPal Email ID PP105
Looks pretty official, eh?
This is what your typical email reader shows you with HTML rendering turned on, as it is by default in most email programs.
But that URL, https://www.paypal.com/us/wf/f=ap_email, really goes somewhere completely different.
Let’s take a look at this email again, this time without the HTML code being rendered into what the phisher wants you to see. Here is the actual raw source of the email (with HTML code removed, so it doesn’t trick your browser or mail reader):
Received: from unknown (HELO User) (email@example.com@220.127.116.11 with login)
by smtp101.biz.mail.mud.yahoo.com with SMTP; 2 Nov 2005 19:55:48 -0000
(First, note how this email really came through Yahoo via onestsicinstit.com, not from PayPal at all!)
From: PayPal Notice
(PayPal probably doesn’t have employees send email from Yahoo accounts, but many people never bother to look at these details in their email before clicking on a URL.)
Subject: New email address added to your PayPal account !
Date: Thu, 3 Nov 2005 06:55:45 +1100
(OK, here comes the payload for the phishers:)
You have added (“http://paypaldept.net/login.html”)
firstname.lastname@example.org as a new email address for your
(See how the email address is set up as a link to the phishing URL, which is “http://paypaldept.net/login.html”? You’ll see this again in a moment.)
If you did not authorize this change or if you need assistance with your account, please contact PayPal customer service at [fake link]
OK, do you see that? Do you see how they have made the link look like https://www.paypal.com/us/wf/f=ap_email?
And this is why you should never, ever click on a link in email if you have any doubt at all. Just type the URL for the company into your browser. If they really need you to do something with your account, they’ll let you know when you log in to your account through the front door of the website.
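The trick dissected above, a link whose visible text names one destination while the underlying href opens another, can be checked for mechanically. The Python below is an added example, not part of the original message or article; the function and reason names are hypothetical, and the sample HTML is constructed from the URLs shown above, assuming the customer-service link uses the same phishing URL as the email-address link.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def deceptive_links(html):
    """Flag anchors whose visible text claims a destination the href does not go to."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if " " in text or "." not in text:
            continue  # ordinary words ("click here") claim no destination
        if "@" in text and "://" not in text:
            if urlsplit(href).scheme != "mailto":  # address shown, web page opened
                findings.append(("address-opens-web-page", text, href))
            continue
        shown = host_of(text if "://" in text else "http://" + text)
        if shown and shown != host_of(href):
            findings.append(("host-mismatch", text, href))
    return findings

# Constructed sample modelled on the message above; the second href is an assumption.
SAMPLE = (
    '<a href="http://paypaldept.net/login.html">firstname.lastname@example.org</a>'
    '<a href="http://paypaldept.net/login.html">https://www.paypal.com/us/wf/f=ap_email</a>'
    '<a href="https://www.paypal.com/">https://www.paypal.com/</a>'
)

if __name__ == "__main__":
    print(*deceptive_links(SAMPLE), sep="\n")
```

Both links from the phishing message are flagged, while the genuine https://www.paypal.com/ link in the footer, whose text and href agree, is not.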