Phishing email to steal PayPal account

Phishing email - original image is iStockphoto.com/Dave Pilibosian

Checking my email this morning, I got a warning about a change to my PayPal personal information. The first thought I was supposed to have: “Oh, my God! Someone has compromised my PayPal account. I should go there and check as fast as possible. Oh, I see a PayPal link right here in the email text. Click it, enter my login credentials to check my account…”. Could you have such thoughts in a similar situation? I think you could. Do not hurry. This is very important at such a moment: do not do anything stupid. The scammer is waiting for you to go this way and act according to his scenario. Do not become a victim.
First of all, remember which email address your PayPal account is registered to, and look at which address received this message. A different one? Do not worry about it. Investigate it together with me, just for fun, and delete it. Second, we should always check which address such a message was sent from. My email client shows ‘PayPal <support@pula.net>’. Is it from the paypal.com domain? No. Delete this message.
Some more advanced scammers could put a valid email address into the visible part of the email header, the “From” field, but we can always check where the message was really sent from by looking at the “Received” field values. In Thunderbird I click ‘View->Message Source’ and see the real information about it:

Return-Path: <support@pula.net>
Delivery-Date: Fri, 02 Dec 2011 17:20:39 -0500
Received: from vps.switchandsave.com (vps.switchandsave.com [72.29.93.108])
by mx.perfora.net (node=mxus2) with ESMTP (Nemesis)
id 0LgZuH-1R2oXy08N3-00oXs3 for …@shinephp.com; Fri, 02 Dec 2011 17:20:39 -0500
Received: from 187-28-24-111.poolip.sdr.embratel.net.br ([187.28.24.111] helo=User)
by vps.switchandsave.com with esmtpa (Exim 4.69)
(envelope-from )
id 1RWbRn-0006tW-Pf; Fri, 02 Dec 2011 14:19:12 -0800
From: “PayPal”<support@pula.net>
Subject: Notification of limited account access
Date: Fri, 2 Dec 2011 19:23:42 -0300

Again, if the e-mail address from which you got the message is not a valid address of your trusted service provider, PayPal in this case (PayPal always sends email from the paypal.com domain), this is a phishing message; move it to the spam box.
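
The header check described above can be automated. The following Python script is an added example, not part of the original post: it reads an abridged copy of the message source shown above, compares the sender domain with the trusted one, and lists the relay hops from the “Received” fields. The names `analyse`, `domain_of`, `in_domain` and `HOP` are hypothetical helpers introduced for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged copy of the message source shown above (ids, dates, recipient omitted).
RAW = """\
Return-Path: <support@pula.net>
Received: from vps.switchandsave.com (vps.switchandsave.com [72.29.93.108])
\tby mx.perfora.net (node=mxus2) with ESMTP (Nemesis)
Received: from 187-28-24-111.poolip.sdr.embratel.net.br ([187.28.24.111] helo=User)
\tby vps.switchandsave.com with esmtpa (Exim 4.69)
From: "PayPal" <support@pula.net>
Subject: Notification of limited account access
"""

# "from <host> ... [<ipv4>] ... by <host>" inside one (possibly folded) Received value.
HOP = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(\S+)", re.S)


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def in_domain(domain, trusted):
    """True only for the trusted domain itself or one of its subdomains."""
    return domain == trusted or domain.endswith("." + trusted)


def analyse(raw, trusted="paypal.com"):
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return {
        "display_name": display,            # what the mail client shows first
        "from_domain": domain_of(msg.get("From")),
        "return_path_domain": domain_of(msg.get("Return-Path")),
        # A forged From can pass this test, so the hops still need a look.
        "sender_trusted": in_domain(domain_of(msg.get("From")), trusted),
        "hops": hops,  # newest first; the last entry is closest to the sender
    }


if __name__ == "__main__":
    print(analyse(RAW))
```

For this message the display name is “PayPal” while both sender domains are pula.net, and the hop closest to the sender is an address in a Brazilian dial-up style pool rather than a PayPal mail server.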

Let’s return to this phishing message itself.

Phishing e-mail content

First, this email is a scam because it does not start with your name: PayPal begins all its messages with your first name and surname in the greeting line.
Second, and really dangerous for trusting newcomers inexperienced in Internet security, is the following link to the PayPal site
http://www.paypal.co.uk/billing-update/address.html
which really leads to http://hosthost.biz/wm with automatic redirection to http://www.tiamopizza.ru/css/update/webscr.htm. This page is a bad imitation of a PayPal page.
TiamoPizza PayPal phishing page

I repeat, this scammer is a very lazy scammer. Only the small left part with the login and password input fields works as a web form; the largest part of the page is just an image copy of the real PayPal page. Compare the two images (top: fake, below: real) and you will easily find critical differences: the number and placement of links, etc.
Real PayPal page image

So we see that the first image is the image of a dangerous phishing page for the PayPal service. Its purpose is to capture the victim’s PayPal login and password. After that the scammer will take the victim’s money in seconds.

Do not click on links inside untrusted e-mail messages. Always check where such a link leads before actually going there. In most cases visiting it is unnecessary, and more rarely it could be really dangerous, as your computer could be infected by a virus from such a site. Browsers that have information about dangerous sites show a warning, like this

Phishing site warning in Google Chrome

and like this
Firefox web forgery report

Internet Explorer also shows warnings about dangerous sites, from the “Microsoft SmartScreen” service. But in case such a site is not yet included in the security databases, it is better to be careful and not rely too much on smart browser software.

The very bad news is that the owner of the tiamopizza.ru site most probably doesn’t know about this issue until he opens his page in Google Chrome or gets a message from some site visitor. The site was hacked.
In conclusion, dear Internet citizens, be careful: look at where you enter your critical data and where you send it. Do not eat dangerous Internet pizza from hacked sites such as this one

hacked site tiamopizza.ru

If you are a site owner, think about your site’s security today so that you do not become a victim of a phishing scammer like tiamopizza.ru mentioned above. It will take a lot of time before this site can restore its reputation, lost traffic and client base.

If you wish to know more about Internet phishing and how to defend yourself from it, visit these links:
