Paypal Update Account Information – Phishing With A Difference

Phishing Scam

We see lots of phishing attempts for PayPal details. This one is slightly different than many others and much more involved and complicated.

This one has a html attachment that contains the phishing acts. There is nothing strange in that. They ask you to give all the usual details. What is strange is that I cannot find the location of the phish. That is, I cannot determine the website that the phished credentials are being sent to. The whole HTML file is encrypted. Normally sending these emails  to gets a reply with the phishing url. All that comes back is the genuine PayPal address. None of my usual tools can decode this to find a url to add to block lists.

Update: after a lot of hard work and head scratching by numerous contacts on Twitter, eventually it has been discovered that is the phishing drop site. Thanks to them all for their hard work.

The criminals behind these phishing scams get ever more creative with their methods. Any victim would genuinely think that their data was being sent directly to PayPal. There is absolutely no indication of it being sent anywhere else. Even the common networking tools built into browsers aren’t showing any connections or data being sent anywhere except PayPal.

Hopefully the majority of recipients wouldn’t fall victim to this. We always tell everybody: “Don’t open html attachments and don’t fill in the forms. They are always bogus”. But just imagine if the criminals had put this scam on a website with a plausible URL like or something similar that a very high proportion of recipients would enter details without a second thought. using the heavily encoded javascript in this example, where even Wireshark & Fiddler don’t appear to show the connection to the phishing site, just legitimate connections to PayPal would cause all sorts of problems for security.

This appears to be an updated version of  This earlier PayPal phish using javascript to mask the phishing drop site

Attached is the html file in a zip P/W “infected”  ViewAttachment  It is using some sort of JavaScript with windows.location replace instructions to mask the phishing url. It looks like base64 encoded but then does something different and standard decoders don’t work. I am hoping some of my contacts can work their magic on it.

They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in < >. That is why these scams and phishes work so well.

The email looks like:

From: PayPal <>

Date: Sat 08/04/2017 14:36

Subject: Update account information

Attachment: ViewAttachment.html

Body content:

Dear Customer,

We need you to update your account information.

Since we are updating all our users account records into a more secure database,

we need to ensure that your account information is updated.

If you’ve received this email, it means that some records are missing

or out of date. However, we have written a simple guide on how you can update your info.

In order to get rid of this issue, you may download and open the

attachment that we have provided. Inside the attached file, you may find a

form to fill in.

After completing the form and submitting it back to us, we will review your

information and notify you if it’s insufficient.

Notified by PayPal Security Team



The html form looks like this ( reduced in size to fit on one screenshot)

We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.