At first I thought this PayPal "Your Account Access Is Limited" email was just another typical phishing email, but this one has some differences worth mentioning.
There are a few major common subjects in a phishing attempt involving either PayPal or your bank or credit card, with a message saying something like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your Account Access Is Limited
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended!
- You have received a secure message from <your bank>
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
- Confirmation of Order
The original email looks like this. It will NEVER be a genuine email from PayPal or your bank, so don't ever follow the links in it. Some versions of this phish will try to entice or persuade you to fill in the HTML (webpage) form that comes attached to the email.
This particular phishing campaign starts with an email looking like this:
From: PayPal [mailto:firstname.lastname@example.org]
Sent: 23 October 2015 02:26
Subject: Your Account Access Is Limited !
Your Account Access Is Limited.
Dear customer,Your Account Access Is Limited , Until We Hear From You . To Update Your Info . Simply click on the button below (or copy and paste the link into your browser):
Update Your Info
Update Your Account — Update Now
Help Center | Partner Directory | Logo Center | Security | Business Center
The interesting things are the links to the phishing website behind the "Update Your Info" button and the "Update Now" link.
The eventual site is the highlighted part of the very long URL, which goes via googleadservices. Many phishers have been using Google search links to persuade a recipient to click a link. Hovering over the link in an email will show Google, which most people would think was safe.
Going via googleadservices has a two-fold effect: it masks the link from a casual glance at the URL in the email client, and the phisher gets paid for clicks on the advert (or so they think). It might well be that the googleadservices link is innocent, stolen from a legitimate advertiser, and is being used as a joejob against the googleadservices account holder. Google routinely penalises and disables accounts that use, or are seen to constantly encourage, invalid clicks. Google policies state clearly that Google ads are not allowed in emails. I have quite frequently seen reports of competitors using somebody's genuine links in order to cause trouble for them and get their Google account disabled. The joejob type of attack on the googleadservices holder can also be used to drastically increase the cost to an advertiser: a competitor can run up a big bill for them with Google AdWords if the advertiser hasn't set an absolute financial limit.
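A mail filter or analyst can unwrap this kind of link offline and compare the real destination with the brand the email claims. The sketch below is an added example, not code from the original post; the `adurl` and `q`/`url` parameter names, the redirector list and the sample link (with a placeholder destination) are assumptions, since the campaign's actual URL is not reproduced here.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: redirector hosts and the query parameters that carry the
# onward URL. Not taken from the original email, whose link is not shown.
REDIRECT_PARAMS = {
    "googleadservices.com": ("adurl",),
    "google.com": ("q", "url"),
}
EXPECTED_DOMAIN = "paypal.com"  # brand the email claims to come from


def _matches(host, domain):
    """True if host is the domain or a subdomain of it (not a lookalike)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def unwrap(url, max_hops=5):
    """Follow embedded redirect targets without any network access.
    Returns (list of hosts in the chain, final URL)."""
    chain = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        chain.append((parts.hostname or "").lower())
        nxt = None
        for domain, params in REDIRECT_PARAMS.items():
            if _matches(parts.hostname, domain):
                query = parse_qs(parts.query)  # also percent-decodes values
                nxt = next((query[p][0] for p in params if p in query), None)
                break
        if not nxt or not nxt.lower().startswith(("http://", "https://")):
            break  # not a redirector, or parameter is not a URL
        url = nxt
    return chain, url


def assess(url):
    """Summarise what a hover shows versus where the link really ends."""
    chain, final = unwrap(url)
    final_host = (urlsplit(final).hostname or "").lower()
    return {
        "hover_host": chain[0],
        "final_host": final_host,
        "redirected": len(chain) > 1,
        "suspicious": not _matches(final_host, EXPECTED_DOMAIN),
    }


# Constructed sample link; the destination is a placeholder, not this campaign's.
SAMPLE = ("https://www.googleadservices.com/pagead/aclk?sa=L&ai=EXAMPLE"
          "&adurl=http%3A%2F%2Fpaypal.com.account-update.example%2Flogin")

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The suffix comparison in `_matches` is what stops a host that merely starts with `paypal.com.` from passing as PayPal.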
If you look at the fake website, you would be very hard-pressed to tell the difference between the fake one and the genuine site without looking at the URL in the address bar. The only way is to look at the address bar: on the genuine PayPal site, when using Internet Explorer, the entire address bar is green (in Chrome or Firefox, only the padlock symbol on the left of the browser is green).
This one wants your personal details, your PayPal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, Facebook and other social network log in details.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email or click the link in the email. It may be a message saying "look at this picture of me I took last night" that appears to come from a friend, or one more targeted at somebody who is regularly likely to receive PDF attachments, Word .doc attachments or any other common file that you use every day. Or it may be a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have "show known file extensions" enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.