
Thursday 26 November 2015

Fake paypal email

Today, I got another fake paypal email, by which I mean that it claimed to be from Paypal, but wasn't.

I get a lot of these, which means two things: 1) a lot get sent out, and 2) there must be some people who fall for it.

From: PayPal <PayPal@inte.com>
Subject: Your-Account-Has-Been-Limited-Case-ID-PP-033-821-136-967

They aren't even trying very hard. They say that the email came from Paypal, but the from-address is at inte.com.

They want me to click on "Confirm my account now", but when I look at where that goes, it goes to http://is.gd/cVCDtF. I visited that address, it invites me to login. I logged in using some made-up information - username and password, and that took me to http://keypad-infosecure.com/login-secursecureserver.nete/websc-limited.php. That got me to a log out screen.

I checked out that domain using "whois keypad-infosecure.com" and it gives a name and address in the USA. My guess is that it's a fake name and address, or maybe a real name and address, but not that of the Bad Person. It was registered yesterday.

So some Bad Person now has a username and password that they hope is my Paypal details - if I'd given my actual details, you can imagine what they'd do with that!

Here's the thing. When I used my mail reader, next to "Confirm My Account Now" it told me that the link actually went to [is.gd], and that's a clear indication that something fishy is going on. When I checked that out, it's a URL shortener site that is (probably without realising it) redirecting for lots of malware, based at Cloudflare in Arizona, USA. The Bad People use URL shorteners to hide the domain name that's actually hosting the malware.
I've reported the abuse to the URL shortener people. And they have already reacted! Now when I visit that URL, I get:

WARNING: A user has reported this shortened URL to us as being in violation
of our terms.

   We haven't had chance to check it out yet, but we automatically show a
   preview page for shortened URLs awaiting our investigation. Please
   proceed with caution, especially if the original URL looks suspicious
   or if you received it from a suspicious source.

I've also reported the keypad-infosecure.com domain to godaddy.com (who are the registrar).

But given the volume of this sort of thing, whack-a-mole isn't the answer.

My mail reader always tells me where a link really goes.

Does yours?
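The two tells the post points at (a From name that says PayPal while the address sits at another domain, and a "Confirm" link whose real target is a URL shortener or an unrelated host) can be checked mechanically before anyone clicks. This is an added example, not code from the post; the shortener list beyond is.gd, the set of legitimate brand domains and the sample HTML body are assumptions.

```python
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Shortener hosts to flag: is.gd is the one in the post; the rest are well-known examples (assumed).
SHORTENERS = {"is.gd", "bit.ly", "tinyurl.com", "t.co", "goo.gl"}

class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_signals(raw_message, brand, brand_domains):
    """Warnings for the post's two tells: a From name claiming the brand while the
    address is elsewhere, and links really going to a shortener or foreign host."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    display, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    if brand.lower() in display.lower() and sender_domain not in brand_domains:
        warnings.append(f"From says '{display}' but the address is at {sender_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = (urlsplit(href).hostname or "").lower()
            if host in SHORTENERS:
                warnings.append(f"'{text}' goes via shortener {host}: {href}")
            elif host and not any(host == d or host.endswith("." + d) for d in brand_domains):
                warnings.append(f"'{text}' goes to {host}, not a {brand} domain")
    return warnings

# Constructed sample: the From header quoted in the post plus a made-up HTML body.
SAMPLE = """From: PayPal <PayPal@inte.com>
Content-Type: text/html; charset="utf-8"

<a href="http://is.gd/cVCDtF">Confirm My Account Now</a>
"""
```

Running `phishing_signals(SAMPLE, "PayPal", {"paypal.com"})` reports both the mismatched sender domain and the shortened link, while a message from paypal.com linking to www.paypal.com produces no warnings.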

1 comment:

  1. I get lots of these, claiming to be from PayPal. I forward them to spoof@paypal.com and get an auto response, sometimes I later get an update telling me the rogue site has been shut down. (Many seem to be hosted on hacked 3rd party websites).

    I did wonder about clicking on the link and filling in spurious info to annoy/thwart the hackers, but it occurred to me that if they're just compiling a list of PayPal accounts to sell on, then I'd be helping them as they wouldn't care if the accounts were valid or not.

    Ian
