Anatomy of a Paypal Phishing Scam
Got yet another phishing email scam, this time quite well done. I decided to follow through and see how it works out.
The initial email is nicely put together, doesn’t contain spelling or grammatical errors, and includes Paypal images and logos for improved credibility. This email is of good enough quality to fool a high percentage of recipients.

The supposed Paypal login page goes to the phishing site:
https://www.ppp-info-update.com/ssl/secure/128bit/manage/account/webscr/
The phishing site uses an SSL certificate that does not match its domain. Firefox does complain about this, but the wording of the popup is interesting:

“It is possible, though unlikely, that someone may be trying to intercept your communication with this site.”
Or, someone is trying to fool you into thinking the site you’re going to is a different site. In order to get a certificate from an issuing authority you need to provide valid contact information, so the crooks steal the cert instead of getting their own.
The domain that owns the cert is s.p8.hostingprod.com, a domain that’s registered to Yahoo!. I’ll follow up with Yahoo as to how the phishers ended up with the cert; I’m guessing they’re using some hosting package.
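The warning Firefox raised is the result of one specific check: the browser compares the host the user typed against the names the presented certificate is valid for. The script below reproduces that comparison so the mismatch described above can be seen concretely. It is an added example, not code from the original post; the certificate dict is constructed to resemble what the post describes (a hosting provider’s certificate for s.p8.hostingprod.com being served from the phishing host) and is not the real certificate, and the wildcard entry is an assumption.

```python
"""Does the certificate a server presented cover the host the user typed?
Browsers run this check on every TLS connection; the Firefox popup quoted
above is what a failure looks like to the user.  Added example, not code
from the original post.  HOSTING_CERT is constructed, not a real cert."""


def cert_names(cert):
    """DNS names a cert is valid for, using the dict layout ssl.getpeercert()
    returns: subjectAltName entries first, subject commonName only as a
    fallback when there are no SAN entries."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a single '*' standing for
    the whole leftmost label (so *.p8.example.com covers x.p8.example.com
    but neither a.b.p8.example.com nor p8.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
        return False  # only a bare leftmost wildcard is accepted
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_hostname(cert, hostname):
    """Report whether any name in the cert covers the hostname."""
    names = cert_names(cert)
    return {
        "hostname": hostname,
        "cert_names": names,
        "match": any(name_matches(n, hostname) for n in names),
    }


# Constructed certificate: issued to the hosting provider's name mentioned in
# the post (s.p8.hostingprod.com); the wildcard sibling entry is an assumption.
HOSTING_CERT = {
    "subject": ((("commonName", "s.p8.hostingprod.com"),),),
    "subjectAltName": (
        ("DNS", "s.p8.hostingprod.com"),
        ("DNS", "*.p8.hostingprod.com"),
    ),
}

if __name__ == "__main__":
    # The phishing host from the post fails; the provider's own hosts pass.
    for host in ("www.ppp-info-update.com", "s.p8.hostingprod.com",
                 "other.p8.hostingprod.com", "a.b.p8.hostingprod.com"):
        print(check_hostname(HOSTING_CERT, host))
```

In application code you would not reimplement this: `ssl.create_default_context()` performs the same comparison during the handshake when `check_hostname` is enabled, and refuses the connection on a mismatch rather than showing a dialog the user can click through.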
The actual phishing domain is registered to a US PO Box: http://whois.domaintools.com/ppp-info-update.com
The phishing site is almost a perfect copy of the Paypal site. Nice attention to detail here.

I entered the site with a made up ID and password. The log-in process is also nicely done, even including the intermediate “Processing Login” page.

Once logged in, you see a page asking for quite a bit of information, including your credit card information, your ATM pin, your address, social security, and even driver’s license.

There’s fair bit of intelligence built into the form, warning you, for example, if you enter an invalid pin or credit card number.


I fed it fake but valid looking information and ended up at the success page.

Clicking thru on any of the links on this page sends you to the real Paypal site. You could go thru this whole thing, turn all of your information over, and never know you’d been taken.
These are getting more sophisticated all the time. It would be very easy for someone without a lot of internet experience to get taken.
Update: The site has been shut down thanks to the nice folks at Yahoo!
Neat investigation. It would be interesting to try the anti-phishing capabilities of IE7 to see how it does with something that’s well done like this one. Post the next one you get and we can try it.
IE7’s phishing capabilities are built on a database of sites; it doesn’t matter if it’s good or not, it’ll let you know. I like to use http://www.opendns.com/ as my DNS servers, which have such a capability built in anyway - which works even better and faster.
All users need to be educated in the simple facts - most banks and paypal will tell you quite simply that they will never, ever, ask you for such details, if you’re dumb enough to believe such a mail it really is your own fault.
Of course, the best thing to do with these things would be for the community at large to get together and fill these people’s databases with invalid data, rendering them completely useless - nobody is gonna trawl through 20,000 records looking for a few that may be correct.
You say here that the site has been shut down, but I just got a similar phishing email yesterday from a paypal phisher, with a full functioning website. I did not enter my information but contacted paypal instead through their official website. Maybe they have successfully built another site, because it is up and running today! Beware…
Got a good one today, faking as BofA. Subject: Bank of America Member (Your Account Suspension Notice ) which could be plausible given my habits
Had the BofA logo and even showed the link as ….sitekey… that BofA now uses (http://sitekey.verfing.accountinformation.secuirtydepartment.bankofamerica.com ) though it actually goes to http://gameton.com/images/bankofamerica.com/bankofamerica.com/cig-bin/signondo/Online/cigi-bin/ssologincontroller/SignIn/
Given the URL structure, I assume they have this for every bank and just send out random ones. The site, if you go to it, is done very well; basically they captured the old login from the BofA site and put their own piece in the middle. All the other links on the page go to the actual BofA site. You can enter anything into the username/password and it lets you in and then asks for lots and lots of info. This piece they screwed up on, because there are things your bank would never ask you for.
Tried this in IE7 and its anti-phishing is of no help, though this particular phisher didn’t even bother to get the SSL certificate; it’s just plain HTTP. Anyway, overall they’re getting much better and this is going to be a real problem for people.
That’s interesting that they didn’t do SSL. Makes sense actually - the average person wouldn’t even notice if they were on an ssl site or not, and having an SSL certificate complicates things. Might as well skip it so you don’t get the IE/Firefox SSL warning.
Nice article. I also wanted to point out that a clear tipoff that this is a fraudulent email is that it addressed you as “Dear valued PayPal member”. The real PayPal will address you by your name or by your business.
And if someone did accidentally type their correct login and password into the phishing site, that means that the fraudster has gotten their login. If that ever happens to anyone, go to the real PayPal site and change your password immediately.
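The tip-offs the commenters describe (a generic greeting instead of the customer’s name, a link whose visible text shows one host while the href goes to another, and a brand name buried in a URL whose registrable domain is not the brand’s, as in the Bank of America example) can be turned into a simple scoring pass over an email body. The script below is an added example, not code from the original post or its commenters; the three email bodies are constructed samples built from the URLs quoted on this page, and the allowlist of legitimate brand domains and the last-two-labels domain rule are assumptions.

```python
"""Flag the phishing tip-offs discussed in the comments in an HTML email body.
Added example, not from the original post; samples below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the registrable domains each brand really sends mail from.
LEGIT_DOMAINS = {"paypal": {"paypal.com"}, "bankofamerica": {"bankofamerica.com"}}

# "Dear valued PayPal member", "Dear Bank of America Member", "Dear customer"...
GENERIC_GREETING = re.compile(r"\bdear\s+(?:[\w ]{0,40}\s)?(?:member|customer|user)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive last-two-labels rule (assumption); production code should use
    the public suffix list so that e.g. co.uk domains are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname of a URL or bare-host string, or None if it has none."""
    if "://" not in text:
        text = "http://" + text
    try:
        return urlparse(text).hostname
    except ValueError:
        return None


def analyse(html_body):
    """Return the list of tip-offs found in one HTML email body."""
    findings = []
    if GENERIC_GREETING.search(html_body):
        findings.append("generic greeting instead of the customer's name")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        href_host = host_of(href)
        if not href_host:
            continue
        href_domain = registrable_domain(href_host)
        # Brand name anywhere in the URL while the registrable domain is not the brand's.
        for brand, legit in LEGIT_DOMAINS.items():
            if brand in href.lower() and href_domain not in legit:
                findings.append(f"'{brand}' appears in link but domain is {href_domain}")
        # Visible text shows one host while the href actually goes elsewhere.
        text_host = host_of(text) if "." in text and " " not in text else None
        if text_host and registrable_domain(text_host) != href_domain:
            findings.append(f"link text shows {text_host} but goes to {href_host}")
    return findings


# Constructed samples using the URLs quoted in the post and comments.
PAYPAL_PHISH = """<p>Dear valued PayPal member,</p>
<p>Please confirm your account: <a href="https://www.ppp-info-update.com/ssl/secure/128bit/manage/account/webscr/">https://www.paypal.com/cgi-bin/webscr</a></p>"""

BOFA_PHISH = """<p>Dear Bank of America Member,</p>
<p><a href="http://gameton.com/images/bankofamerica.com/bankofamerica.com/cig-bin/signondo/Online/cigi-bin/ssologincontroller/SignIn/">http://sitekey.verfing.accountinformation.secuirtydepartment.bankofamerica.com</a></p>"""

LEGITIMATE = """<p>Dear Jane Doe,</p>
<p>See <a href="https://www.paypal.com/cgi-bin/webscr">www.paypal.com</a></p>"""

if __name__ == "__main__":
    for name, body in (("paypal", PAYPAL_PHISH), ("bofa", BOFA_PHISH), ("legit", LEGITIMATE)):
        print(name, analyse(body))
```

None of these heuristics is proof on its own; a mail that trips two or three of them is worth routing to a reviewer, while a mail from a brand’s own domain addressed to the customer by name trips none.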
Why would anyone trust Paypal?
A phishing scam can be uncovered here, but the good folks at Paypal don’t seem to actively do anything to find them and stop them.
A guy sitting at home using his laptop can uncover all this information, but the corporate folks at Paypal do nothing.
Shame.