We see lots of phishing attempts for PayPal login credentials. This one is slightly different from many others, mainly in the way the phisher has set up the phishing site. In Internet Explorer you get a “site Hacked” message, but in Firefox or Chrome you get the PayPal phishing pages. I don’t quite know what the phishers have done wrong to stop this working in Internet Explorer, or what protections Internet Explorer has that other browsers don’t have.
In this case, and in a lot of other phishing attempts, Internet Explorer is much safer than Google Chrome or Firefox. We are so used to seeing security professionals and tech news sites blasting out “stop using Internet Explorer, it is dangerous, use Google Chrome or Firefox”.
Well, this week the boot is on the other foot and they should all be saying “stop using Google Chrome and Firefox, they are too dangerous to use”. But of course they won’t, and will continue to bash Microsoft regardless.
They use email addresses and subjects that will entice a user to read the email and open the attachment. These definitely do not come from a “Trusted Sender”. The spelling and grammar mistakes in the email are more than enough to raise red flags. BUT we read what we “think” we are reading and automatically compensate for minor errors like these without thinking about it.
Remember that many email clients, especially on a mobile phone or tablet, only show the Name in the From: field and not the address in <domain.com>. That is why these scams and phishes work so well.
The email looks like:
From: PayPal Service <firstname.lastname@example.org>
Date: Mon 17/04/2017 07:30
Subject: Don’t be blocked!!!
This message is from a trusted sender.
Your account has been limited.
We’ve limited your access and the reason is the last login attemp,we’ve limited your account for security reasons .
To fix this problem you have to login and update your personal informations by following this link .
Notice: If this email was sent to you in your Junk or Spam folder please mark it as not spam due to our new security update.
Cοpyrights Reserved 1999 -2017
| IP | Hostname | Location | Country | AS |
| 18.104.22.168 | outgoing2.jnb.host-h.net | | ZA | AS37153 HETZNER (Pty) Ltd |
| 22.214.171.124 | www24.jnb1.host-h.net | | ZA | AS37153 HETZNER (Pty) Ltd |
| 126.96.36.199 | 188.8.131.52.rev.sfr.net | Boulogne-Billancourt, Île-de-France | FR | AS15557 Societe Francaise du Radiotelephone S.A. |
Received: from outgoing2.jnb.host-h.net ([184.108.40.206]:60747)
by knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
for richard@[redacted]; Mon, 17 Apr 2017 07:30:07 +0100
Received: from www24.jnb1.host-h.net ([220.127.116.11])
by antispam2-jnb1.host-h.net with esmtpsa (TLSv1.2:AES128-SHA:128)
for richard@[redacted]; Mon, 17 Apr 2017 08:30:05 +0200
Received: from 18.104.22.168.rev.sfr.net ([22.214.171.124] helo=SERVEURICAR)
by www24.jnb1.host-h.net with esmtpa (Exim 4.80)
for richard@[redacted]; Mon, 17 Apr 2017 08:30:03 +0200
From: "=?utf-8?Q?PayPal=20Service?=" <email@example.com>
To: "=?utf-8?Q?richard=[redacted]=2Eco=2Euk?=" <richard@[redacted];>
Date: Mon, 17 Apr 2017 09:30:03 +0300
X-Virus-Scanned: Clear (ClamAV 0.99.2/23303/Sun Apr 16 22:56:55 2017)
Authentication-Results: host-h.net; auth=pass (login) firstname.lastname@example.org
X-SpamExperts-Outgoing-Evidence: Combined (0.78)
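Two things in the headers above do the real work for an analyst: the RFC 2047 encoded display name (“PayPal Service”) sitting in front of an address that has nothing to do with PayPal, and the Received: chain, whose last entry is the first hop (the machine that actually submitted the message via an authenticated host-h.net login). This added example (not code from the original post) parses a constructed copy of those headers; the redacted recipient is replaced by a placeholder domain, the PayPal domain list is an assumption, and the middle hop is left out for brevity.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: the header block from the post, with the redacted
# recipient replaced by a placeholder domain and folded lines kept as tabs.
RAW_HEADERS = (
    "Received: from outgoing2.jnb.host-h.net ([184.108.40.206]:60747)\n"
    "\tby knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)\n"
    "\tfor richard@example.invalid; Mon, 17 Apr 2017 07:30:07 +0100\n"
    "Received: from 18.104.22.168.rev.sfr.net ([22.214.171.124] helo=SERVEURICAR)\n"
    "\tby www24.jnb1.host-h.net with esmtpa (Exim 4.80)\n"
    "\tfor richard@example.invalid; Mon, 17 Apr 2017 08:30:03 +0200\n"
    'From: "=?utf-8?Q?PayPal=20Service?=" <email@example.com>\n'
    "Subject: Don't be blocked!!!\n"
    "Authentication-Results: host-h.net; auth=pass (login) firstname.lastname@example.org\n"
    "\n"
)

def decode_display_name(from_header):
    """Split a From: header and decode RFC 2047 encoded words in the display name."""
    name, addr = parseaddr(from_header)
    return str(make_header(decode_header(name))), addr

def brand_mismatch(from_header, brand, legit_domains):
    """True when the display name claims a brand but the address is not on its domains."""
    name, addr = decode_display_name(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    return brand.lower() in name.lower() and domain not in legit_domains

def origin_hop(msg):
    """Each MTA prepends its own Received: line, so the last one is the first hop."""
    first = (msg.get_all("Received") or [""])[-1]
    m = re.search(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?(?:\s+helo=(\S+))?\)", first)
    return {"rdns": m.group(1), "ip": m.group(2), "helo": m.group(3)} if m else None

def authenticated_sender(msg):
    """Login the sending host authenticated: the (probably compromised) hosting account."""
    m = re.search(r"auth=pass \(login\) (\S+)", msg.get("Authentication-Results", ""))
    return m.group(1) if m else None

def analyse(raw):
    msg = message_from_string(raw)
    return {
        "from_name": decode_display_name(msg["From"])[0],
        # assumed list of PayPal's own sending domains
        "spoofed_brand": brand_mismatch(msg["From"], "PayPal", {"paypal.com", "paypal.co.uk"}),
        "origin": origin_hop(msg),
        "auth_login": authenticated_sender(msg),
    }
```

The helo=SERVEURICAR hop behind a French SFR reverse-DNS name, relayed through an authenticated South African hosting account, is the combination to report to the hoster rather than the spoofed display name.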
If you follow the link in Internet Explorer you start at http://www.asclepiade.ch/sites/default/files/languages/red.html, which redirects you to https://indimedia.co.uk/kasfolio/iceage3overlay/english/pp/, and you see a web page looking like this:
BUT if you use Firefox or Google Chrome, you get http://www.asclepiade.ch/sites/default/files/languages/red.html, which redirects you to https://indimedia.co.uk/kasfolio/iceage3overlay/english/pp/, which in turn redirects to https://indimedia.co.uk/kasfolio/iceage3overlay/english/pp/login?cmd=_signin&dispatch=8b262247e1b6f7c468c785df9&locale=en_GB and gives the typical PayPal phishing page (you get a different random dispatch= number each time):
Enter an email address and password and you get
Pressing Continue takes you to the usual “give me your credit card, bank account, address, phone number and any other information they can think of” pages, so that they can totally steal your identity and all of your financial accounts.
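The browser-dependent behaviour above is worth checking for deliberately: a kit that sends Internet Explorer to a “site Hacked” page and every other browser on to the login form will look clean to whichever client the analyst happens to use. This added example (not code from the original post) follows the redirect chain one hop at a time under several User-Agent strings and flags the URL as cloaked when the landing pages differ. The in-memory fake_fetch and the phish.example / lure.example hosts are constructed stand-ins reproducing the behaviour described above; http_fetch is the real urllib fetcher to pass in for live use.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

def follow_chain(fetch, url, user_agent, max_hops=10):
    """Follow redirects one hop at a time; returns ([urls visited], final body)."""
    chain, body = [url], ""
    for _ in range(max_hops):
        status, location, body = fetch(url, user_agent)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
        if url in chain:          # redirect loop, stop here
            break
        chain.append(url)
    return chain, body

def compare_agents(fetch, url, agents):
    """Landing URL per agent label; more than one distinct landing page means cloaking."""
    landings = {label: follow_chain(fetch, url, ua)[0][-1] for label, ua in agents.items()}
    return landings, len(set(landings.values())) > 1

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None               # hand 3xx back to us instead of following it

def http_fetch(url, user_agent, timeout=10):
    """Real fetcher for live use: one request, redirects not auto-followed."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as r:
            return r.status, r.headers.get("Location"), r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), ""

def fake_fetch(url, user_agent):
    """Constructed stand-in reproducing the behaviour described in the post."""
    is_ie = "MSIE" in user_agent or "Trident" in user_agent
    if url.endswith("/red.html"):
        return 302, "https://phish.example/pp/", ""
    if url == "https://phish.example/pp/":
        return (200, None, "<h1>site Hacked</h1>") if is_ie else (302, "login?cmd=_signin&dispatch=PLACEHOLDER", "")
    return 200, None, "<form>Log in to your PayPal account</form>"

AGENTS = {
    "ie11": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0",
}
```

Run compare_agents(http_fetch, url, AGENTS) against a suspect link from an isolated analysis box; a True second value means the site is serving different destinations per browser and the report should list every landing page, not just the one you saw.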
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who regularly receives PDF attachments, Word .doc attachments or any other common file type you use every day. Or it might be a straightforward attempt, like this one, to steal your personal, bank, credit card, email or social networking login details. Be very careful when unzipping attachments, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.