The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   The Coat Room (http://hintsforums.macworld.com/forumdisplay.php?f=8)
-   -   Very authentic-looking phishing e-mail (http://hintsforums.macworld.com/showthread.php?t=57208)

CAlvarez 06-18-2006 11:21 PM

Very authentic-looking phishing e-mail
 
I get bad ones all the time, but I just got one that is very convincing. I bet lots of people will fall for it. First off, it came addressed to ME by name at my real Paypal address (an address I use ONLY for Paypal). So it looks like someone I've done business with in the past has sold my address to spammers. Secondly, it uses reasonably good grammar and proper spelling. And finally, the URL is nicely disguised so a non-technical reader would likely assume it's a real URL. The site is well done and it uses real, live credit card authentication (I entered bogus but plausible info to test it, and it failed authentication).

As always, the only safe way to be protected is to delete ALL e-mails like this and then MANUALLY enter the address for Paypal or your bank into your web browser.

acme.mail.order 06-18-2006 11:29 PM

Care to post it here? I'd like to see how they are hiding the url.

solipsism 06-19-2006 12:05 AM

I'm curious too.

hayne 06-19-2006 12:13 AM

Quote:

Originally Posted by CAlvarez
So it looks like someone I've done business with in the past has sold my address to spammers.

Don't forget the possibility that that person's machine has been infected with a virus or other malware which is sending out the collected email addresses. Or even that their machine has been taken over and is being used to send out the phishing email!

voldenuit 06-19-2006 01:02 AM

What are you going to do about it ?
Have you been able to find out more about this specific scam, by googling for the fraudulent site, for example ?

Might sending a word of caution to your PayPal correspondents be appropriate ?
hayne's suggestion sounds like quite a likely explanation to me.

Norm Nager 06-20-2006 12:42 PM

See this Macworld report and discussion.

http://www.macworld.com/news/2006/06...ypal/index.php

CAlvarez 06-20-2006 08:02 PM

I can't think of anything useful to do about it other than report it to Paypal and spread the info on forums like this. On another forum, several people reported getting the same thing.

http://www.cbr1100xx.org/temp/jun/paypal.png

solipsism 06-20-2006 08:16 PM

Carlos, what is the destination of the hyperlink?

fat elvis 06-20-2006 08:27 PM

FWIW, the account info which was blacked out is still legible (in a photo editing program). I tried viewing it just to see if it was possible. It was suspect because the brush you used was feathered and as a result not 100% black.

I doubt many nefarious characters are in this forum, but better safe than sorry.

ThreeDee 06-20-2006 09:24 PM

It's easy to spoof a link:

http://www.apple.com

Anyway, just check the full email headers to see where it came from, although most people won't bother to look.

hayne 06-20-2006 09:42 PM

In Mail.app, you just hover the mouse over the link and it tells you the actual URL as a tooltip. I use this all the time to detect phishing emails, almost all of which are already classified as Junk by Mail's junk mail filter.
You will usually see that the URL is something like paypal.evildoers.com or just an IP address.
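hayne's hover check compares the text a link shows with the address it actually points to, and ThreeDee's apple.com link that goes to Microsoft is exactly the case it catches. The script below, an added example that is not from this thread or any poster, automates that comparison over an HTML message body: it lists every anchor and flags those whose visible text looks like a host or URL for a different host than the href. The sample message is constructed here; the addresses in it are illustrative only.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(s):
    """Hostname of a URL, or of bare host-like text such as 'www.apple.com'.

    Returns None for ordinary words ("click here"), which cannot impersonate a host.
    """
    s = s.strip()
    if not s or any(c.isspace() for c in s):
        return None
    if "://" not in s:
        s = "http://" + s          # let urlsplit treat bare text as an authority
    return urlsplit(s).hostname


def find_deceptive_links(html):
    """Return (text, href) pairs whose displayed host differs from the real one."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    deceptive = []
    for text, href in parser.links:
        shown, actual = host_of(text), host_of(href)
        # Only text that itself names a host can mislead the reader.
        if shown and "." in shown and shown != actual:
            deceptive.append((text, href))
    return deceptive


# Constructed sample body (not a real message): one spoofed link, one honest
# link, and one whose text names no host at all.
SAMPLE_EMAIL = """
<p>Visit <a href="http://www.microsoft.com/">http://www.apple.com</a> now.</p>
<p><a href="http://www.paypal.com/">www.paypal.com</a> is fine.</p>
<p><a href="http://192.0.2.10/">Click here</a></p>
"""

if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL):
        print(f"shows {text!r} but goes to {href!r}")
```

The third link is not flagged because "Click here" names no host, which is the limit of a text-versus-href check: for such links only the hover tooltip (or the status bar) shows where they lead.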

solipsism 06-20-2006 09:46 PM

The trickier ones will do a http://www.paypal.com-cgi-bin.evildo.../from/you.html

I've even seen one that used the actual numerical value of the IP address (not the IP address) to create the spoof. I'm trying to remember the math, but so far I'm coming up short.

ThreeDee 06-20-2006 10:06 PM

Another one is http://www.paypal.com@192.168.0.100/cgi-bin/haha.pl, but Camino and Firefox catch the spoof and warn you.

They sometimes use ascii numbers/symbols/whatever to confuse the browser/mail app.
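Two of the tricks mentioned above, solipsism's decimal-form IP address and ThreeDee's `http://www.paypal.com@192.168.0.100/...` userinfo link, both rely on the reader not knowing how a browser parses the authority part of a URL. The following added example (not from this thread or from any of its posters) resolves a URL to the host a browser would actually connect to, converts a decimal host back to dotted-quad form (that is the math solipsism was trying to recall: the four octets as a base-256 number), and checks whether that host really belongs to the domain the URL appears to name. The long lookalike hostname used as sample input is constructed and uses the reserved `.example` TLD.

```python
import ipaddress
from urllib.parse import urlsplit


def real_host(url):
    """Return the host a browser would connect to for `url`.

    urlsplit() follows RFC 3986: everything before '@' in the authority is
    userinfo, not the host, so 'http://www.paypal.com@192.168.0.100/x'
    resolves to '192.168.0.100'. A purely numeric host is the 32-bit value
    of an IPv4 address and is rendered as dotted quad so the reader can see it.
    """
    host = urlsplit(url).hostname or ""
    if host.isdigit() and int(host) <= 0xFFFFFFFF:
        host = str(ipaddress.IPv4Address(int(host)))
    return host


def dotted_to_decimal(addr):
    """192.168.0.100 -> 192*256**3 + 168*256**2 + 0*256 + 100 = 3232235620."""
    return int(ipaddress.IPv4Address(addr))


def belongs_to(host, registered_domain):
    """True only if `host` is `registered_domain` or a subdomain of it.

    Matching on the suffix is what matters: a host that merely *starts* with
    'www.paypal.com.' is owned by whoever registered its last two labels.
    """
    host = host.lower().rstrip(".")
    return host == registered_domain or host.endswith("." + registered_domain)


# Constructed sample links (no real destinations): the userinfo trick, the same
# trick with a decimal host, and a lookalike domain that only begins with the
# expected name.
SAMPLES = [
    "http://www.paypal.com@192.168.0.100/cgi-bin/haha.pl",
    "http://www.paypal.com@3232235620/cgi-bin/haha.pl",
    "http://www.paypal.com.webscr-cmd.attacker.example/cgi-bin/webscr",
    "https://www.paypal.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        host = real_host(url)
        verdict = "ok" if belongs_to(host, "paypal.com") else "NOT paypal.com"
        print(f"{url}\n    -> {host}  [{verdict}]")
```

`belongs_to` expects the registered domain you meant to visit; it deliberately does not try to guess that from the URL, because the URL is the untrusted input.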

Norm Nager 06-20-2006 11:01 PM

Quote:

Originally Posted by hayne
In Mail.app, you just hover the mouse over the link and it tells you the actual URL as a tooltip.

Is there a way to do something like that when a link appears on a website, such as in a forum, accessed by Safari and/or Firefox? (I know that both browsers have been upgraded to deal with some spoofing. And PithHelmet, which I use with Safari, has a preference that can be selected to "check host spoofing.")

Respectfully, Norm

Edited to add: Specific example, the apple.com link in ThreeDee's post that takes you to a Microsoft site.

solipsism 06-20-2006 11:08 PM

Quote:

Originally Posted by Norm Nager
Is there a way to do something like that when a link appears on a website, such as in a forum, accessed by Safari and/or Firefox? (I know that both browsers have been upgraded to deal with some spoofing. And PithHelmet, which I use with Safari, has a preference that can be selected to "check host spoofing.")

Respectfully, Norm

Edited to add: Specific example, the apple.com link in ThreeDee's post that takes you to a Microsoft site.

1) Use the Status Bar at the bottom of the window. If you don't have one, turn it on from the Menu Bar by choosing View => Show Status Bar.

2) I have a plugin, app or component that creates a small box with the address when I hover over a link. I'll have to hunt it down as I can't remember its name.

Norm Nager 06-20-2006 11:41 PM

Quote:

Originally Posted by solipsism
1) Use the Status Bar at the bottom of the window. If you don't have one turn it from the Menu Bar by choosing View => Show Status Bar.

Thanks very much. What a pleasant surprise to see that this works in both Safari and Firefox!

Respectfully, Norm

CAlvarez 06-21-2006 04:23 PM

Quote:

I doubt many nefarious characters are in this forum, but better safe than sorry.

Yeah, I figured it wasn't a completely secure job, but I wasn't sure why I was blocking it out anyway. It's not like that's secret info.

The URL is:

http://www.paypal.com.webscr-cmd-j4u...e.com&ref=pp18

So while it's obvious to most of us here, the common user would simply see the first part and assume it's a valid URL. Mail was happy to open the URL for me.

acme.mail.order 06-22-2006 09:19 AM

The page Carlos got pulls its images from paypalobjects.com (legit). Stupid question, but I wonder why doesn't paypal just check the referrer page for its images and send out alternate graphics?

hayne 06-22-2006 12:36 PM

Quote:

Originally Posted by acme.mail.order
I wonder why doesn't paypal just check the referrer page for its images and send out alternate graphics?

That would work, but I guess PayPal doesn't want to get into an arms race with the phishers. The latter could just grab the images from a real PayPal page and copy them to their own server. Using the REFERER header would put more of a load on PayPal's servers.
Also, the current situation allows PayPal to see in their logs how much phishing is going on.

voldenuit 06-22-2006 01:29 PM

Quote:

Originally Posted by acme.mail.order
The page Carlos got pulls its images from paypalobjects.com (legit). Stupid question, but I wonder why doesn't paypal just check the referrer page for its images and send out alternate graphics?

If that's true, then two particularly stupid morons have met:
The phishers for basically waving their hands while jumping up and down yelling: "we so 0wn you, we even steal your bandwidth to serve our scam pages" and paypal for not doing what acme suggested. Then, like hayne said, they'd at least have to copy the site.

Anyway, as long as PayPal's policy in these matters, once you cut through the crap, basically reads: "Should Bad Things happen, whoever makes a case that costs paypal as little money as possible" wins, don't expect anything significant to happen.
Some PP customers get screwed real bad. Typically PP charges the party stupid enough to leave some money on his account, case closed.

ThreeDee 06-22-2006 01:54 PM

Doing a Whois on the domain returns odd stuff:
http://www.dnsstuff.com/tools/whois....d-j4udria6.com

EDIT: Found it, probably false information:

Registrant:
Sorial, Andrew

5040 NW 24th Circle
Boca Raton, FL 33431-4330
US

http://www.google.com/maps?f=q&hl=en...06781&t=h&om=1

ThreeDee 06-22-2006 02:05 PM

BTW, did you at least report it to PayPal yet?

spoof@paypal.com

acme.mail.order 06-22-2006 08:47 PM

Quote:

Originally Posted by hayne
Using the REFERER header would put more of a load on PayPal's servers.
Also, the current situation allows PayPal to see in their logs how much phishing is going on.

Yeah, it's not perfect. I sent the suggestion to PayPal and they actually sent me a personally-written reply (not canned or an autoresponder) , so at least they hire thinking staff!

chabig 06-22-2006 10:05 PM

Any email that asks you to confirm account information and threatens loss of privileges unless done within a certain time period should be considered a phishing scam. No reputable business will do that.

voldenuit 06-23-2006 03:53 AM

Quote:

Originally Posted by chabig
Any email that asks you to confirm account information and threatens loss of privileges unless done within a certain time period should be considered a phishing scam. No reputable business will do that.

Not so sure, how would an organization deal with it if their customer database, including login information, gets stolen ?
Sit tight ?
Hopefully not.

chabig 06-23-2006 07:41 AM

A reputable business whose customer database got stolen would notify their customers about the security breach and ask them to take some action. However, phishing emails always contain the additional threat that if action is not taken within a certain timeframe (usually a few days), the account will be limited or terminated in some way. No reputable business would send a threat to their customers.

ThreeDee 07-19-2006 06:27 PM

BTW, they (PayPal, feds, whoever) closed down the site. Not sure exactly when, though.

