OK, a quite strange & unusual PayPal phishing scam arrived today. The scammers either don't like Microsoft users or can't work out how to get the scam to work properly in Internet Explorer or Outlook. Neither the email nor the website works in a Microsoft email client or a Microsoft browser.
This is the first time I have seen phishers & scammers using conditional CSS display tricks to send (or attempt to send) users of different email clients to different sites. It is also the first time I have seen a captcha on a phishing or scam site, which I suppose they are using to stop automatic phishing analysis services such as the Netcraft toolbar, PhishTank etc. from following the links with their automated tools.
Let's just go through it step by step.
First, the email looks nothing special, especially with all the spelling mistakes, in particular "costumer" instead of customer, which gave me a bit of a laugh. However, it is quite interesting when you view the source, where a different link appears depending on which email client you use. Anybody using Microsoft Outlook or any other Microsoft email client gets one link, https://cinemarascals.com/wordpress/wp-content/upgrade/go.php (currently giving me a 404, so it looks like the hosting company has cleaned it up), while other recipients get the proper phishing link https://lotechnoe.com/wp-content/upgrade/
<div align="center" class="button-container center " style="padding-right: 30px; padding-left: 30px; padding-top:25px; padding-bottom:50px;">
<!--[if mso]><table width="100%" cellpadding="0" cellspacing="0" border="0" style="border-spacing: 0; border-collapse: collapse; mso-table-lspace:0pt; mso-table-rspace:0pt;"><tr><td style="padding-right: 30px; padding-left: 30px; padding-top:25px; padding-bottom:50px;" align="center"><v:roundrect xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w="urn:schemas-microsoft-com:office:word" href="https://cinemarascals.com/wordpress/wp-content/upgrade/go.php" style="height:25pt; v-text-anchor:middle; width:90pt;" arcsize="12%" strokecolor="#4F63A1" fillcolor="#4F63A1"><w:anchorlock></w:anchorlock><v:textbox inset="0,0,0,0"><center style="color:#ffffff; font-family:Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size:14px;"><![endif]-->
<a href="https://lotechnoe.com/wp-content/upgrade/" target="_blank" style="display: block;text-decoration: none;-webkit-text-size-adjust: none;text-align: center;color: #ffffff; background-color: #4F63A1; border-radius: 4px; -webkit-border-radius: 4px; -moz-border-radius: 4px; max-width: 120px; width: 80px;width: auto; border-top: 0px solid transparent; border-right: 0px solid transparent; border-bottom: 0px solid transparent; border-left: 0px solid transparent; padding-top: 5px; padding-right: 20px; padding-bottom: 5px; padding-left: 20px; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;mso-border-alt: none">
<span style="font-size:12px;line-height:24px;"><strong>Verify Your Account</strong></span>
The plain text version shows up as:
We’ve noticed that your account that is out of compliance with our regulatory requirements. You might be facing account limitation and losing its important services such as withdrawing, sending, or receiving money. (including balance)
To resolve this, please take a moment to review your account’s informations and confirm your identity by presssing the button below and login to complete the verification proccess.
Verify Your Account <https://lotechnoe.com/wp-content/upgrade/>
+ This request will be available for 48 hours.
Please do not reply this email. We are unable to respond to inquiries sent to this address.
For immediate answers to your questions, reach our Help Center.
PayPal, Inc 2018. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
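As an added illustration (my own checker, not code from the original email or post), here is a small standard-library Python script that looks for exactly the trick shown above. It parses an HTML email body, collects the hrefs that ordinary clients render from real <a> tags, separately collects the hrefs hidden inside Outlook-only <!--[if mso]> ... <![endif]--> conditional comments (which every other client discards as a comment), and flags the message when the Outlook path leads somewhere no other client would ever see. It also pulls the URLs out of the plain-text part so they can be compared with the HTML. The sample HTML body, the plain-text part and the hostnames in them are constructed placeholders, not the domains from the real email.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the email dissected above: the Outlook-only
# VML button inside the MSO conditional comment points one way, the ordinary
# <a> that every other client renders points another. Placeholder hostnames.
SAMPLE_HTML = """
<div align="center" class="button-container center">
<!--[if mso]><table width="100%"><tr><td align="center"><v:roundrect xmlns:v="urn:schemas-microsoft-com:vml" href="https://outlook-only.example/go.php" style="height:25pt;"><w:anchorlock></w:anchorlock><v:textbox inset="0,0,0,0"><center><![endif]-->
<a href="https://everyone-else.example/login/" target="_blank">
<span><strong>Verify Your Account</strong></span></a>
<!--[if mso]></center></v:textbox></v:roundrect></td></tr></table><![endif]-->
<p>Questions? Visit <a href="https://help.example/">our Help Center</a>.</p>
</div>
"""

# Constructed plain-text alternative part of the same message.
SAMPLE_TEXT = """Verify Your Account <https://everyone-else.example/login/>
Please do not reply this email."""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# Matches "[if mso]", "[if gte mso 9]" etc. but not "[if !mso]" (the
# downlevel-revealed form that hides content FROM Outlook rather than showing it).
MSO_COND_RE = re.compile(r'^\s*\[if\b(?![^\]]*!\s*mso)[^\]]*\bmso\b', re.IGNORECASE)
TEXT_URL_RE = re.compile(r'https?://[^\s<>"\']+')


class LinkAuditor(HTMLParser):
    """Collects hrefs twice: from real <a> tags (what non-Outlook clients
    render) and from inside <!--[if mso]> ... <![endif]--> comments (what
    Outlook renders via VML and every other client throws away)."""

    def __init__(self):
        super().__init__()
        self.other_links = []
        self.mso_links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.other_links.append(value)

    def handle_comment(self, data):
        # html.parser hands us everything between <!-- and -->, so an
        # Outlook conditional block arrives as "[if mso]>...<![endif]".
        if MSO_COND_RE.match(data):
            self.mso_links.extend(HREF_RE.findall(data))


def hosts(urls):
    """Distinct hostnames for a collection of URLs, sorted for stable output."""
    return sorted({urlsplit(u).hostname or "" for u in urls})


def audit_links(html_body, text_body=""):
    """Compare the link sets seen by Outlook, by other HTML clients and by
    plain-text readers; return a report dict with the raw differences."""
    parser = LinkAuditor()
    parser.feed(html_body)
    parser.close()
    mso, other = set(parser.mso_links), set(parser.other_links)
    text = set(TEXT_URL_RE.findall(text_body))
    report = {
        "mso_only": sorted(mso - other),
        "other_only": sorted(other - mso),
        "text_links": sorted(text),
        "hosts": {"mso": hosts(mso), "other": hosts(other), "text": hosts(text)},
    }
    # The indicator from the post: Outlook users would be sent somewhere
    # that no other client can even see in the rendered message.
    report["client_dependent"] = bool(mso - other)
    # Plain-text part advertising a URL that the HTML part never links to.
    report["text_html_mismatch"] = bool(text) and not (text <= (other | mso))
    return report


if __name__ == "__main__":
    result = audit_links(SAMPLE_HTML, SAMPLE_TEXT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run on the sample it reports client_dependent as true, with the Outlook-only hostname listed under hosts["mso"] and absent from hosts["other"]; a legitimate bulletproof button, where the VML href and the <a> href agree, produces an empty mso_only list and client_dependent false. The regex for hrefs inside the comment is deliberately simple because conditional-comment content is opaque to html.parser, and the check only needs the URLs, not a full parse of the VML.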
Now this is also interesting, because if you open https://lotechnoe.com/wp-content/upgrade/ in Internet Explorer you get this message:
Check that you are not a robot
please complete the captcha to continue
HELLOOOOO BITCHES | I FUCKING LOVE YOU HAHAHAHAHAHAHA <3 | TRY BYPASS ME NEXT TIME BB <3.
Whereas if you open it in any other browser you get a proper captcha, and if you are unwise enough (or inquisitive enough) to fill in the captcha you get diverted to the real phishing site.