We see lots of phishing attempts for PayPal details. This one is slightly different than many others and much more involved and complicated.
This one has a html attachment that contains the phishing acts. There is nothing strange in that. They ask you to give all the usual details. What is strange is that I cannot find the location of the phish. That is, I cannot determine the website that the phished credentials are being sent to. The whole HTML file is encrypted. Normally sending these emails to email@example.com gets a reply with the phishing url. All that comes back is the genuine PayPal address. None of my usual tools can decode this to find a url to add to block lists.
Update: after a lot of hard work and head scratching by numerous contacts on Twitter, eventually it has been discovered that http://www.accunetix.net/80f78664.php is the phishing drop site. Thanks to them all for their hard work.
The criminals behind these phishing scams get ever more creative with their methods. Any victim would genuinely think that their data was being sent directly to PayPal. There is absolutely no indication of it being sent anywhere else. Even the common networking tools built into browsers aren’t showing any connections or data being sent anywhere except PayPal.
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
The email looks like:
From: PayPal <firstname.lastname@example.org>
Date: Sat 08/04/2017 14:36
Subject: Update account information
We need you to update your account information.
Since we are updating all our users account records into a more secure database,
we need to ensure that your account information is updated.
If you’ve received this email, it means that some records are missing
or out of date. However, we have written a simple guide on how you can update your info.
In order to get rid of this issue, you may download and open the
attachment that we have provided. Inside the attached file, you may find a
form to fill in.
After completing the form and submitting it back to us, we will review your
information and notify you if it’s insufficient.
Notified by PayPal Security Team
The html form looks like this ( reduced in size to fit on one screenshot)
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.