Today, I got another fake Paypal email, by which I mean that it claimed to be from Paypal, but wasn't.
I get a lot of these, which means two things: 1) a lot get sent out, and 2) there must be some people who fall for it.
From: PayPal <PayPal@inte.com>
They aren't even trying very hard. They say that the email came from Paypal, but the from-address is at inte.com.
They want me to click on "Confirm my account now", but when I look at where that goes, it goes to http://is.gd/cVCDtF. I visited that address; it invites me to log in. I logged in using some made-up information - username and password - and that took me to http://keypad-infosecure.com/login-secursecureserver.nete/websc-limited.php. That got me to a log out screen.
I checked out that domain using "whois keypad-infosecure.com" and it gives a name and address in the USA. My guess is that it's a fake name and address, or maybe a real name and address, but not that of the Bad Person. It was registered yesterday.
So some Bad Person now has a username and password that they hope is my Paypal details - if I'd given my actual details, you can imagine what they'd do with that!
Here's the thing. When I used my mail reader, next to "Confirm My Account Now" it told me that the link actually went to [is.gd], and that's a clear indication that something fishy is going on. When I checked that out, it's a URL shortener site that is (probably without realising it) redirecting for lots of malware, based at Cloudflare in Arizona, USA. The Bad People use URL shorteners to hide the domain name that's actually hosting the malware.
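The three checks described above (the From address not matching the claimed sender, the link going through a URL shortener, and the domain having been registered only a day ago) can be scripted. The following is an added example, not code from the original post: it parses a constructed message modelled on the one described here, flags the sender-domain mismatch, flags links whose target is a known shortener or whose visible text shows a different host from the real target, and reads a "Creation Date" out of a constructed whois excerpt to work out how old the domain is. The second anchor in the sample body, the shortener list, the brand-to-domain table and the whois text (including its date) are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the one in the post. The From header and
# the first link are as described there; the second anchor is invented to show a
# visible-URL-versus-real-target mismatch.
SAMPLE_EMAIL = """\
From: PayPal <PayPal@inte.com>
To: victim@example.org
Subject: Please confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, your account has been limited.</p>
<p><a href="http://is.gd/cVCDtF">Confirm my account now</a></p>
<p>Or visit <a href="http://keypad-infosecure.com/login.php">https://www.paypal.com/</a></p>
</body></html>
"""

# Constructed whois excerpt in the common "Creation Date:" layout; the date is invented.
SAMPLE_WHOIS = """\
Domain Name: KEYPAD-INFOSECURE.COM
Registrar: GoDaddy.com, LLC
Creation Date: 2013-05-20T14:02:11Z
Registrant Name: REDACTED
"""

# Assumed list of shortener hosts worth flagging (not an authoritative list).
SHORTENERS = {"is.gd", "bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Assumed mapping: if the display name claims a brand, the address domain should be one of these.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def analyse_message(raw):
    """Return a list of warning strings for a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []

    # 1. Display name claims a brand, but the address domain does not belong to it.
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and sender_domain not in domains:
            warnings.append(f"From says '{name}' but address domain is {sender_domain}")

    # 2. Each link: target is a shortener, or the visible text is a URL on another host.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target = host_of(href)
        if target in SHORTENERS:
            warnings.append(f"link '{text}' goes through shortener {target}: {href}")
        if text.startswith(("http://", "https://")) and host_of(text) != target:
            warnings.append(f"link text shows {host_of(text)} but target is {target}")
    return warnings


def domain_age_days(whois_text, now):
    """Days between the whois 'Creation Date' and `now` (UTC), or None if absent."""
    m = re.search(r"^Creation Date:\s*(\S+)", whois_text, re.M)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (now - created).days


if __name__ == "__main__":
    for w in analyse_message(SAMPLE_EMAIL):
        print("WARNING:", w)
    age = domain_age_days(SAMPLE_WHOIS, datetime.now(timezone.utc))
    print("domain age in days:", age)
```

Run it as a script and it prints one warning per finding; the whois step takes text you have already fetched with `whois` rather than querying anything itself, so the script works offline. A domain age of a day or two is not proof of anything on its own, but combined with a sender-domain mismatch and a shortened link it is a strong signal.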
I've reported the abuse to the URL shortener people. And they have already reacted! Now when I visit that URL, I get:
WARNING: A user has reported this shortened URL to us as being in violation
of our terms.
We haven't had chance to check it out yet, but we automatically show a
preview page for shortened URLs awaiting our investigation. Please
proceed with caution, especially if the original URL looks suspicious
or if you received it from a suspicious source.
I've also reported the keypad-infosecure.com domain to godaddy.com (who are the registrar).
But given the volume of this sort of thing, whack-a-mole isn't the answer.
My mail reader always tells me where a link really goes.