{"id":11207,"date":"2022-04-11T10:34:54","date_gmt":"2022-04-11T10:34:54","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=11207"},"modified":"2022-04-11T10:34:54","modified_gmt":"2022-04-11T10:34:54","slug":"dont-be-blocked-paypal-phishing","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/dont-be-blocked-paypal-phishing\/","title":{"rendered":"Don\u2019t Be Blocked!!! \u2013 PayPal Phishing"},"content":{"rendered":"

We see lots of phishing attempts for PayPal login credentials. This one is slightly different from many others, mainly in the way the phisher has set up the phishing site. In Internet Explorer you get a \u201csite Hacked\u201d message, but in Firefox or Chrome you get the PayPal phishing pages. I don\u2019t quite know what the phishers have done wrong to stop this working in Internet Explorer, or what protections Internet Explorer has that other browsers don\u2019t have.<\/p>\n

In this case, and in a lot of other phishing attempts<\/strong> (https:\/\/www.wordfence.com\/blog\/2017\/04\/chrome-firefox-unicode-phishing\/ describes the Unicode \/ IDN homograph trick, where Chrome and Firefox at the time displayed a look-alike domain as if it were the real one while Internet Explorer showed the raw Punycode), Internet Explorer is much safer than Google Chrome or Firefox. We are so used to seeing security professionals and tech news sites blasting out \u201cstop using Internet Explorer, it is dangerous. Use Google Chrome or Firefox\u201d.<\/p>\n

Well, this week the boot is on the other foot, and they should all be saying \u201cstop using Google Chrome and Firefox, they are too dangerous to use\u201d. But of course they won\u2019t, and will continue to bash Microsoft regardless.<\/p>\n

They use sender names and subjects that will entice a user to read the email and follow the link. These definitely do not come from a \u201cTrusted Sender\u201d, whatever the banner at the top of the message claims. The spelling and grammar mistakes in the email are more than enough to raise red flags, and so should the brand name: \u201cPayPal\u201d in the body is spelled with Greek Rho and Alpha, and \u201cCopyrights\u201d with a Greek omicron, presumably to slip past simple keyword filters while looking normal to the eye. BUT we read what we \u201cthink\u201d we are reading and automatically compensate for minor errors like these without thinking about it.<\/p>\n

Remember that many email clients, especially on a mobile phone or tablet, only show the display name in the From: field and not the actual address in <domain.com >. That is why these scams and phishes work so well.<\/p>\n

The email looks like:<\/p>\n

From:<\/strong> PayPal Service <zaida@musetiles.co.za><\/p>\n

Date:<\/strong> Mon 17\/04\/2021 07:30<\/p>\n

Subject:<\/strong> Don\u2019t be blocked!!!<\/p>\n

Body Content<\/strong>:<\/h3>\n
\n\n\n\n
\u00a0<\/strong><\/td>\nThis message is from a trusted sender.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

ID: #R56L6D9R406MH<\/p>\n

\u03a1\u03b1<\/em>y<\/em>\u03a1\u03b1<\/em>l<\/em><\/h3>\n

Your account has been limited.<\/p>\n

Dear customer.<\/p>\n

We\u2019ve limited your access and the reason is the last login attemp,we\u2019ve limited your account for security reasons .<\/p>\n

To fix this problem you have to login and update your personal informations by following this link .<\/p>\n

Notice: If this email was sent to you in your Junk or Spam folder please mark it as not spam due to our new security update.<\/strong><\/p>\n

Update<\/u><\/strong><\/p>\n

C\u03bfpyrights Reserved 1999 -2021<\/p><\/blockquote>\n
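The brand name in the body above is not \u201cPayPal\u201d at all: the P and a are Greek Rho (U+03A1) and Alpha (U+03B1), and the o in \u201cCopyrights\u201d is a Greek omicron (U+03BF). The following Python is an added example, not code from the page, showing how a mail filter can catch this: it flags words that mix scripts and folds a small, hand-picked confusables table to recover the brand being imitated. The sample text is copied from the email body above; the confusables table and the list of brands to watch are assumptions for the demonstration.

```python
import unicodedata

# Constructed sample: the brand line and footer from the email body above,
# written with Python escapes so the Greek letters are unambiguous.
SAMPLE_BODY = (
    "\u03a1\u03b1y\u03a1\u03b1l\n"                      # "PayPal" with Greek Rho and Alpha
    "Your account has been limited.\n"
    "C\u03bfpyrights Reserved 1999 -2021"               # "Copyrights" with a Greek omicron
)

# Hand-picked Latin look-alikes from Greek and Cyrillic. This is a small
# subset for illustration (assumption); Unicode's confusables.txt is the full list.
CONFUSABLES = {
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P",
    "\u03a4": "T", "\u03a5": "Y", "\u03a7": "X", "\u03b1": "a", "\u03bf": "o",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x",
}

def script_of(ch):
    """Coarse script taken from the Unicode character name: LATIN, GREEK, CYRILLIC, ..."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"

def scripts_in(word):
    return {s for s in map(script_of, word) if s}

def skeleton(word):
    """Fold look-alikes to ASCII so a spoofed brand compares equal to the real one."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", word))

def _tokens(text):
    return [t.strip(".,;:!?\"'()[]<>") for t in text.split()]

def mixed_script_words(text):
    """Words that mix letters from more than one script: a classic spoofing signal."""
    return [t for t in _tokens(text) if len(scripts_in(t)) > 1]

def spoofed_brands(text, brands):
    """(token, brand, scripts) for words that equal a brand only after folding
    look-alikes and that contain at least one non-Latin letter. A plain Latin
    misspelling such as "Paypal" is deliberately not reported here."""
    hits = []
    for t in _tokens(text):
        if not t:
            continue
        non_latin = {s for s in scripts_in(t) if s != "LATIN"}
        for brand in brands:
            if non_latin and skeleton(t).lower() == brand.lower():
                hits.append((t, brand, sorted(scripts_in(t))))
    return hits

if __name__ == "__main__":
    print(mixed_script_words(SAMPLE_BODY))
    print(spoofed_brands(SAMPLE_BODY, ["PayPal"]))
```

Mixed-script detection alone is noisy on genuinely multilingual mail, which is why the brand check is separate: a word that folds to a protected brand and contains non-Latin letters is a much stronger signal than mixed scripts on their own.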

Screenshot:<\/strong><\/h3>\n

\"\"Email Headers:<\/strong><\/h3>\n\n\n\n\n\n\n\n
IP<\/th>\nHostname<\/th>\nCity<\/th>\nRegion<\/th>\nCountry<\/th>\nOrganisation<\/th>\n<\/tr>\n<\/thead>\n
129.232.250.56\u00a0<\/i><\/td>\noutgoing2.jnb.host-h.net<\/td>\n<\/td>\n<\/td>\nZA<\/td>\nAS37153 HETZNER (Pty) Ltd<\/td>\n<\/tr>\n
196.22.132.24\u00a0<\/i><\/td>\nwww24.jnb1.host-h.net<\/td>\n<\/td>\n<\/td>\nZA<\/td>\nAS37153 HETZNER (Pty) Ltd<\/td>\n<\/tr>\n
77.157.11.191\u00a0<\/i><\/td>\n191.11.157.77.rev.sfr.net<\/td>\nBoulogne-Billancourt<\/td>\n\u00cele-de-France<\/td>\nFR<\/td>\nAS15557 Societe Francaise du Radiotelephone S.A.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Received: from outgoing2.jnb.host-h.net ([129.232.250.56]:60747)
\nby knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
\n(Exim 4.89)
\n(envelope-from <zaida@musetiles.co.za>)
\nid 1d00Ao-0007wL-Rw
\nfor richard@[redacted]; Mon, 17 Apr 2021 07:30:07 +0100
\nReceived: from www24.jnb1.host-h.net ([196.22.132.24])
\nby antispam2-jnb1.host-h.net with esmtpsa (TLSv1.2:AES128-SHA:128)
\n(Exim 4.86)
\n(envelope-from <zaida@musetiles.co.za>)
\nid 1d00Am-0002vS-Kq
\nfor richard@[redacted]; Mon, 17 Apr 2021 08:30:05 +0200
\nReceived: from 191.11.157.77.rev.sfr.net ([77.157.11.191] helo=SERVEURICAR)
\nby www24.jnb1.host-h.net with esmtpa (Exim 4.80)
\n(envelope-from <zaida@musetiles.co.za>)
\nid 1d00Al-0000Ov-B9
\nfor richard@[redacted]; Mon, 17 Apr 2021 08:30:03 +0200
\nFrom: \"=?utf-8?Q?PayPal=20Service?=\" <zaida@musetiles.co.za>
\nTo: \"=?utf-8?Q?richard=[redacted]=2Eco=2Euk?=\" <richard@[redacted]>
\nReply-To: service@update.info
\nDate: Mon, 17 Apr 2021 09:30:03 +0300
\nSubject: =?utf-8?Q?Don=27t=20be=20blocked=21=21=21?=
\nMIME-Version: 1.0
\nContent-Type: multipart\/alternative;
\nboundary=\"_=aspNetEmail=_71359708a1e445838a93feed4cf9e4e7\"
\nMessage-ID: <SERVEURICAR9795955f32274d1987edd3ebcdc2d8f2@SERVEURICAR>
\nX-Authenticated-Sender: zaida@musetiles.co.za
\nX-Virus-Scanned: Clear (ClamAV 0.99.2\/23303\/Sun Apr 16 22:56:55 2021)
\nX-Originating-IP: 196.22.132.24
\nX-SpamExperts-Domain: musetiles.co.za
\nX-SpamExperts-Username:
\nAuthentication-Results: host-h.net; auth=pass (login) smtp.auth=@musetiles.co.za
\nX-SpamExperts-Outgoing-Class: unsure
\nX-SpamExperts-Outgoing-Evidence: Combined (0.78)
\nX-Recommended-Action: accept
\nX-Filter-ID: s0sct1PQhAABKnZB5plbIeLcbzRWUH+yg5LMHYqxYMwibKYD\/zmkdhljSpBlvrzs0z6bhalFEM\/p
\njPCQA+BAlqwVHYW9XhAhD+EDHaoyelZ0rhgVyUSmNw6E4mJY1szEnrIkZp2mn6Qry0vFKTHPqKd3
\n1FAKOoQhiKfgUnnmsuAJ\/a5Vy6LYFnrtfORtxnuxsUuU6VZH37mjWtEw6QruvRZHm64bq5wuus8r
\n8fMukXh1ya1NxZI4oPlEBJXODbuK9y70qoB6PXKywtJxAOTSX7wqyT5p50x81ZKcmzCu2U0n\/UGl
\nBalePiOM+VHM\/3pEwaPVj4uCBOOSfEjCAVrAO4\/Ia6YN5m0MsQWfYUYaa1JqFLzIZyFEJXIkx9vV
\nKSAQRP8RlJxhRWbjCUuEQlBB7OKVse1sVhWabI0\/+PN3sIKnctAlhdhhUbxXaXWArqeMVVGlec3B
\noP8JeAQwweke7Xgpvl8KUE7flMx5e3A1r\/Ci8gnN+VQO0b1vxxohqsS9MYG9IT75mVNYDdt\/wZjx
\nLcXBEEwpWC6eCe+JHwcSeHtzqO3J08MD84K5V0KNXe9KQ6S\/gw\/C5sL3rCUnYF65Rn20gevXHWUr
\n3HUdVoLfJ1x6KLvx+FTnVjKwxDT7GgzkZcnB5G4y3tfLxBrP8L+YEvVdyPOcJwZf+mGEJuzRRI8B
\n1yVUELcQg+T0aA92QEY8TXLbSalD9T0qjTYb6Lai5s8xRqkb8oR7ewerzNWinRT6Gew4jH22624b
\nXqDj0nE6ZBHCCVMTuRsprxxnVy+CZiIpkk35MI9DVHxM\/A6I+CPmiECopDN7iPjz1P\/GYDTKnj6h
\nkgKab1bCwOy1k0tAobWmnVfiwEawIHqtp6BtGwA=
\nX-Report-Abuse-To: spam@antispammaster.host-h.net<\/p>\n

Note: Only the final IP address outside of your network in the Received: fields can be trusted, as the others can be spoofed. Here that is 129.232.250.56 (outgoing2.jnb.host-h.net), the Hetzner South Africa relay that handed the message to our own server. The earlier hops were written by host-h.net rather than by us, but they tell a consistent story: www24.jnb1.host-h.net accepted the message over an authenticated session (esmtpa, X-Authenticated-Sender: zaida@musetiles.co.za, auth=pass) from 77.157.11.191, a French SFR address announcing itself as SERVEURICAR. In other words the musetiles.co.za mailbox credentials were being used from a machine in France, which points to a compromised mailbox rather than a spoofed sender. The Reply-To: service@update.info not matching the From: domain is another tell.<\/p>\n
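As an added example (not code from the page), the following Python walks a Received: chain the way the note above describes: top to bottom, it trusts only the hop recorded by a server you operate, and separately reports what the deeper hops claim about the origin, including whether the origin logged in with SMTP AUTH (Exim writes esmtpa or esmtpsa for authenticated sessions). The three Received: lines are copied from the headers above with the recipient replaced by a placeholder; the OUR_HOSTS set is an assumption about which servers you run.

```python
import re

# Constructed sample: the Received: lines from the message above, in header
# order (the hop added by our own MX first, the origin last). Recipient replaced.
SAMPLE_RECEIVED = [
    "from outgoing2.jnb.host-h.net ([129.232.250.56]:60747) by knight.knighthosting.co.uk "
    "with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) "
    "(envelope-from <zaida@musetiles.co.za>) id 1d00Ao-0007wL-Rw "
    "for richard@example.invalid; Mon, 17 Apr 2021 07:30:07 +0100",
    "from www24.jnb1.host-h.net ([196.22.132.24]) by antispam2-jnb1.host-h.net "
    "with esmtpsa (TLSv1.2:AES128-SHA:128) (Exim 4.86) "
    "(envelope-from <zaida@musetiles.co.za>) id 1d00Am-0002vS-Kq "
    "for richard@example.invalid; Mon, 17 Apr 2021 08:30:05 +0200",
    "from 191.11.157.77.rev.sfr.net ([77.157.11.191] helo=SERVEURICAR) "
    "by www24.jnb1.host-h.net with esmtpa (Exim 4.80) "
    "(envelope-from <zaida@musetiles.co.za>) id 1d00Al-0000Ov-B9 "
    "for richard@example.invalid; Mon, 17 Apr 2021 08:30:03 +0200",
]

# Assumption: the servers we operate. Only a hop recorded *by* one of these is
# something we observed ourselves; everything deeper is hearsay from other MTAs.
OUR_HOSTS = {"knight.knighthosting.co.uk"}

# Exim-style "from <name> ([<ip>]:<port> helo=<x>) by <host> with <proto>"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)\s+\(\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?"
    r"(?:\s+helo=(?P<helo>[^\s)]+))?\)\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)"
)

def parse_hop(line):
    """Parse one Received: line into a dict, or None if it is not in Exim's shape."""
    m = HOP_RE.search(" ".join(line.split()))
    if not m:
        return None
    hop = m.groupdict()
    # esmtpa / esmtpsa mean the client authenticated with SMTP AUTH (a = authenticated).
    hop["authenticated"] = hop["proto"].lower() in ("esmtpa", "esmtpsa")
    return hop

def parse_chain(received_lines):
    return [h for h in map(parse_hop, received_lines) if h]

def trusted_external_ip(hops, our_hosts=OUR_HOSTS):
    """The first IP that one of *our* servers saw connect: the only hop we can vouch for."""
    for hop in hops:                     # most recent hop first
        if hop["by"] in our_hosts:
            return hop["ip"]
    return None

def claimed_origin(hops):
    """The deepest hop: what the earlier relays *claim* the origin was (unverifiable by us)."""
    return hops[-1] if hops else None

def summarise(received_lines, our_hosts=OUR_HOSTS):
    hops = parse_chain(received_lines)
    origin = claimed_origin(hops)
    return {
        "trusted_ip": trusted_external_ip(hops, our_hosts),
        "claimed_origin_ip": origin["ip"] if origin else None,
        "claimed_helo": origin["helo"] if origin else None,
        "origin_authenticated": bool(origin and origin["authenticated"]),
        "hops": len(hops),
    }

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_RECEIVED).items():
        print(f"{key}: {value}")
```

When the deepest hop is an authenticated submission, as here, the useful report is not \u201cthis domain is spoofing PayPal\u201d but \u201cthis mailbox at musetiles.co.za is compromised and is being driven from 77.157.11.191\u201d, which is what the hosting provider\u2019s abuse desk (X-Report-Abuse-To above) needs to act on.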

If you follow the link when you use Internet Explorer you start with http:\/\/www.asclepiade.ch\/sites\/default\/files\/languages\/red.html which redirects you to https:\/\/indimedia.co.uk\/kasfolio\/iceage3overlay\/english\/pp\/<\/strong><\/p>\n

you see a webpage looking like this:<\/p>\n

\"\"<\/p>\n

BUT if you use Firefox or Google Chrome, the same http:\/\/www.asclepiade.ch\/sites\/default\/files\/languages\/red.html redirects you to https:\/\/indimedia.co.uk\/kasfolio\/iceage3overlay\/english\/pp\/, which in turn redirects to https:\/\/indimedia.co.uk\/kasfolio\/iceage3overlay\/english\/pp\/login?cmd=_signin&dispatch=8b262247e1b6f7c468c785df9&locale=en_GB and gives the typical PayPal phishing page (you get a different random dispatch= value each time). Whatever the phishers got wrong, the server is clearly deciding what to send based on which browser is asking, and in practice that almost always means the User-Agent header.<\/p>\n
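A practical way to expose this kind of browser-dependent behaviour is to follow the redirect chain yourself, once per User-Agent, and compare where each one lands. The Python below is an added example, not code from the page: it resolves relative Location headers, stops on loops and hop limits, and reports a URL as cloaked when different agents land in different places. The fake_fetch site is a constructed stand-in that reproduces the chain described above (same URLs, fixed dispatch= value); http_fetch is a real fetcher for use against live URLs from an isolated analysis machine, and the two User-Agent strings are assumptions.

```python
import urllib.request
import urllib.error
from urllib.parse import urljoin

START_URL = "http://www.asclepiade.ch/sites/default/files/languages/red.html"
UA_IE = "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"   # assumption
UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/90.0 Safari/537.36")               # assumption
AGENTS = {"ie": UA_IE, "chrome": UA_CHROME}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it silently

def http_fetch(url, user_agent, timeout=10):
    """Real fetcher (not used in the test): (status, Location or None, first 512 bytes)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None, resp.read(512).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), ""

# Constructed stand-in for the chain on this page: two hops that are the same
# for everyone, then a final hop that answers differently to Internet Explorer.
_PP = "https://indimedia.co.uk/kasfolio/iceage3overlay/english/pp/"

def fake_fetch(url, user_agent):
    if url == START_URL:
        return 302, _PP, ""
    if url == _PP:
        if "Trident" in user_agent or "MSIE" in user_agent:
            return 200, None, "<h1>site Hacked</h1>"
        # relative Location, as many kits emit; the client must resolve it
        return 302, "login?cmd=_signin&dispatch=8b262247e1b6f7c468c785df9&locale=en_GB", ""
    if url.startswith(_PP + "login"):
        return 200, None, "<title>Log in to your PayPal account</title>"
    return 404, None, ""

REDIRECT_CODES = {301, 302, 303, 307, 308}

def follow(url, user_agent, fetch=http_fetch, max_hops=10):
    """Return [(url, status, body_snippet), ...] until a non-redirect, a loop, or the hop limit."""
    chain, seen = [], set()
    while len(chain) < max_hops and url not in seen:
        seen.add(url)
        status, location, body = fetch(url, user_agent)
        chain.append((url, status, body))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)   # handles relative Location headers
    return chain

def landings(url, agents, fetch=http_fetch):
    """Map agent name -> final (url, status, body) for that User-Agent."""
    return {name: follow(url, ua, fetch)[-1] for name, ua in agents.items()}

def is_cloaked(url, agents, fetch=http_fetch):
    """True when at least two agents end on a different (url, status) pair."""
    return len({(u, s) for u, s, _ in landings(url, agents, fetch).values()}) > 1

if __name__ == "__main__":
    for name, (u, s, body) in landings(START_URL, AGENTS, fake_fetch).items():
        print(f"{name}: {s} {u} {body[:40]!r}")
    print("cloaked:", is_cloaked(START_URL, AGENTS, fake_fetch))
```

This only catches server-side decisions made on the request headers. Kits that branch in client-side JavaScript, or on the source IP or geolocation, need a real browser and a second vantage point to expose, so a clean result from this check is not proof that a site is harmless.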

\"\"<\/p>\n

Enter an email address and password and you get<\/p>\n

\"\"<\/p>\n

Pressing Continue takes you to the usual pages asking for your credit card, bank account, address, phone number and any other information they can think of, so that they can take over your identity and every financial account you have.<\/p>\n

We all get very blas\u00e9 about phishing and think we know so much that we will never fall for a phishing attempt. Don\u2019t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says \u201cyou have won a prize\u201d or \u201csign up to this website for discounts, prizes and special offers\u201d<\/p>\n

Please read our How to protect yourselves page<\/a> for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.<\/p>\n

All of these emails use social engineering tricks to persuade you to follow the link or open the attachment that comes with the email. It might be a message saying \u201clook at this picture of me I took last night\u201d that appears to come from a friend, or something more targeted at somebody who is likely to receive PDF attachments, Word .doc attachments or any other common file type every day. Or it is a straightforward attempt, like this one, to steal your personal, bank, credit card, email or social networking login details.<\/p>\n

Be very careful when unzipping attachments, and make sure Windows is set to show file extensions (untick \u201cHide extensions for known file types\u201d in Folder Options). Then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

We see lots of phishing attempts for Paypal login account credentials. This one is slightly different than many others, mainly in the way the phisher has set up the phishing site. In Internet Explorer you get a \u201csite Hacked\u201d message but in Firefox or Chrome, you get the PayPal Phishing pages. I don\u2019t quite know…<\/p>\n","protected":false},"author":8,"featured_media":13401,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"taxonomy_info":[],"featured_image_src_large":["https:\/\/myonlinesecurity.co.uk\/wp-content\/uploads\/2022\/03\/phishing.jpg",1000,630,false],"author_info":{"display_name":"Darrel 
Heers","author_link":"https:\/\/myonlinesecurity.co.uk\/author\/darrel-heers\/"},"comment_info":0,"_links":{"self":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/pages\/11207"}],"collection":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/comments?post=11207"}],"version-history":[{"count":0,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/pages\/11207\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/media\/13401"}],"wp:attachment":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/media?parent=11207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}