Summer Phishing in the PayPal™ Bay
Aggressive predators seek naïve victims for card data (please read “money”) theft
In the spam and phishing industry there are several brands that never get old, outdated or out of profit. As we have already shown in our latest E-Threats Landscape Report, and as the most recent phishing scheme confirms, PayPal™ is still one of the top ten most spoofed identities.
In the current case, the unsolicited message, allegedly sent on behalf of the PayPal™ Team, warns recipients that their account data has been altered following unauthorized access. The e-crooks therefore ask the on-line payment users to log into their accounts and verify the possibly compromised information by visiting the page provided in a hyperlink.
The link does not lead to the service portal, but to a Web page that employs several visual identification components of the original Web site, namely the logo, layout and general formatting elements.
This is the starting point of a cascading theft. First, the scoundrels look for the login credentials (e-mail address and PayPal™ password), which they harvest via the file.php script.
Then, on a second page, they go for detailed personal information, including full name, address, birth date, mother's maiden name and SSN, as well as e-mail address and phone number.
But the swindle doesn't stop here. The scammers also want complete card details, including number, expiration date, Card Verification Code, issuing bank, card type, and even the PIN. Most intriguing, the data is pilfered (via the file2.php script) not for a single card but for two, as shown in the image below.
A few interesting details: even though all the other menu options are displayed on both pages, clicking any of them only reloads the page. Moreover, one can easily see that the address of the Web page mimicking the genuine site loads from a domain registered in Lithuania (.lt instead of .com).
Also, none of the security elements one would expect on an e-payment site are present: no SSL (Secure Sockets Layer) encryption and no security authentication methods (no "https" prefix, no locked padlock).
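The two give-aways above, a brand name in the address that is not served from the brand's own registered domain and a plain http:// page where https is expected, are easy to check mechanically. The script below is an added example written for this post, not code from the original article or from PayPal; it uses only constructed sample URLs (the .lt host is a made-up placeholder, not the real phishing domain) and a simplified stand-in for a public-suffix list, so the `registered_domain` heuristic is an assumption rather than a full implementation.

```python
"""
Added example (not from the original post): a small URL triage helper that
flags the two indicators the text describes, a brand name that appears in the
address but not as the registered domain, and a plain http:// scheme.
All URLs below are constructed samples; none are real phishing addresses.
"""
from urllib.parse import urlparse

# Brands and the registered domains that legitimately serve them.
# Assumption for the example: only the bare registered domain is trusted.
TRUSTED_DOMAINS = {
    "paypal": {"paypal.com"},
}

# Two-label public suffixes, so that shop.example.co.uk yields the
# registered domain "example.co.uk". Simplified stand-in for a real
# public-suffix list (assumption, not exhaustive).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registered_domain(host: str) -> str:
    """Return the registrable part of a host name (simplified heuristic)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_url(url: str) -> dict:
    """Describe which phishing indicators a URL trips.

    Indicators (from the post): the brand is mentioned in the host or path
    but the page is served from a different registered domain, and the page
    is served over plain http rather than https.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    findings = {"host": host, "registered_domain": reg, "indicators": []}

    if parsed.scheme != "https":
        findings["indicators"].append("no-https")

    for brand, domains in TRUSTED_DOMAINS.items():
        mentions_brand = brand in host or brand in parsed.path.lower()
        if mentions_brand and reg not in domains:
            findings["indicators"].append(f"brand-domain-mismatch:{brand}")

    findings["suspicious"] = bool(findings["indicators"])
    return findings


if __name__ == "__main__":
    # Constructed sample URLs: the second and third imitate the pattern the
    # post describes (brand in the address, foreign registered domain, http).
    SAMPLES = [
        "https://www.paypal.com/signin",
        "http://www.paypal.com.example.lt/cgi-bin/webscr",
        "http://example.lt/paypal/file.php",
    ]
    for u in SAMPLES:
        f = triage_url(u)
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{u}: {verdict} {f['indicators']}")
```

The check is deliberately conservative: a legitimate https://www.paypal.com/ address trips neither indicator, while anything that merely embeds the brand name in a sub-domain or path of some other registered domain is flagged, which is exactly the trick the page in this post relies on.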
Curiosity drove me to click the "Why is ATM PIN required?" link. The explanation displayed in the pop-up window is one of the most hilarious I've ever read: "Requiring PIN Signatures is the latest security measure against: identity theft, credit card fraud and unauthorized account access". See the whole thing below.