{"id":11207,"date":"2022-04-11T10:34:54","date_gmt":"2022-04-11T10:34:54","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=11207"},"modified":"2022-04-11T10:34:54","modified_gmt":"2022-04-11T10:34:54","slug":"dont-be-blocked-paypal-phishing","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/dont-be-blocked-paypal-phishing\/","title":{"rendered":"Don\u2019t Be Blocked!!! \u2013 PayPal Phishing"},"content":{"rendered":"
We see lots of phishing attempts for PayPal login credentials. This one is slightly different from many others, mainly in the way the phisher has set up the phishing site. In Internet Explorer you get a \u201csite Hacked\u201d message, but in Firefox or Chrome you get the PayPal phishing pages. I don\u2019t quite know what the phishers have done wrong to stop this working in Internet Explorer, or what protections Internet Explorer has that other browsers don\u2019t have.<\/p>\n
In this case and in a lot of other phishing attempts<\/strong> (https:\/\/www.wordfence.com\/blog\/2017\/04\/chrome-firefox-unicode-phishing\/), Internet Explorer is much safer than Google Chrome or Firefox. We are so used to seeing security professionals and tech news sites blasting out \u201cstop using Internet Explorer, it is dangerous; use Google Chrome or Firefox\u201d.<\/p>\n Well, this week the boot is on the other foot and they should all be saying \u201cstop using Google Chrome and Firefox, they are too dangerous to use\u201d. But of course they won\u2019t, and will continue to bash Microsoft regardless.<\/p>\n The phishers use email addresses and subjects that will entice a user to read the email and open the attachment or follow the link. These definitely do not come from a \u201cTrusted Sender\u201d. The spelling and grammar mistakes in the email are more than enough to raise red flags. BUT we read what we \u201cthink\u201d we are reading and automatically compensate for minor errors like these without thinking about it.<\/p>\n Remember that many email clients, especially on a mobile phone or tablet, only show the Name in the From: field and not the address in <domain.com>. 
That is why these scams and phishes work so well.<\/p>\n The email looks like:<\/p>\n From:<\/strong> PayPal Service <zaida@musetiles.co.za><\/p>\n Date:<\/strong> Mon 17\/04\/2021 07:30<\/p>\n Subject:<\/strong> Don\u2019t be blocked!!!<\/p>\n ID: #R56L6D9R406MH<\/p>\n Your account has been limited.<\/p>\n Dear customer.<\/p>\n We\u2019ve limited your access and the reason is the last login attemp,we\u2019ve limited your account for security reasons .<\/p>\n To fix this problem you have to login and update your personal informations by following this link .<\/p>\n Notice: If this email was sent to you in your Junk or Spam folder please mark it as not spam due to our new security update.<\/strong><\/p>\n Update<\/u><\/strong><\/p>\n C\u03bfpyrights Reserved 1999 -2021<\/p><\/blockquote>\n Received: from outgoing2.jnb.host-h.net ([129.232.250.56]:60747) Note: Only the final IP address outside of your network in the Received: fields can be trusted, as the others can be spoofed.<\/p>\n If you follow the link using Internet Explorer, you start with http:\/\/www.asclepiade.ch\/sites\/default\/files\/languages\/red.html which redirects you to https:\/\/indimedia.co.uk\/kasfolio\/iceage3overlay\/english\/pp\/<\/strong><\/p>\n You see a webpage looking like this:<\/p>\n <\/p>\n BUT if you use Firefox or Google Chrome, then you get http:\/\/www.asclepiade.ch\/sites\/default\/files\/languages\/red.html which redirects you to https:\/\/indimedia.co.uk\/kasfolio\/iceage3overlay\/english\/pp\/, which in turn redirects to https:\/\/indimedia.co.uk\/kasfolio\/iceage3overlay\/english\/pp\/login?cmd=_signin&dispatch=8b262247e1b6f7c468c785df9&locale=en_GB and gives the typical PayPal phishing page (you get a different random dispatch= value each time).<\/p>\n <\/p>\n Enter an email address and password and you get:<\/p>\n <\/p>\n Pressing Continue takes you to the usual \u201cgive me your credit card, bank account, address, phone number and any other information they can think of\u201d pages, to be able 
to totally steal your identity and all financial accounts.<\/p>\n We all get very blas\u00e9 about phishing and think we know so much that we will never fall for a phishing attempt. Don\u2019t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says \u201cyou have won a prize\u201d or \u201csign up to this website for discounts, prizes and special offers\u201d.<\/p>\nBody Content<\/strong>:<\/h3>\n
\n
\n\n
\n \u00a0<\/strong><\/td>\n This message is from a trusted sender.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u03a1\u03b1<\/em>y<\/em>\u03a1\u03b1<\/em>l<\/em><\/h3>\n
Screenshot:<\/strong><\/h3>\n
Email Headers:<\/strong><\/h3>\n
\n\n
\n \nIP<\/th>\n Hostname<\/th>\n City<\/th>\n Region<\/th>\n Country<\/th>\n Organisation<\/th>\n<\/tr>\n<\/thead>\n \n 129.232.250.56\u00a0<\/i><\/td>\n outgoing2.jnb.host-h.net<\/td>\n <\/td>\n <\/td>\n ZA<\/td>\n AS37153 HETZNER (Pty) Ltd<\/td>\n<\/tr>\n \n 196.22.132.24\u00a0<\/i><\/td>\n www24.jnb1.host-h.net<\/td>\n <\/td>\n <\/td>\n ZA<\/td>\n AS37153 HETZNER (Pty) Ltd<\/td>\n<\/tr>\n \n 77.157.11.191\u00a0<\/i><\/td>\n 191.11.157.77.rev.sfr.net<\/td>\n Boulogne-Billancourt<\/td>\n \u00cele-de-France<\/td>\n FR<\/td>\n AS15557 Societe Francaise du Radiotelephone S.A.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\nby knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
\n(Exim 4.89)
\n(envelope-from <zaida@musetiles.co.za>)
\nid 1d00Ao-0007wL-Rw
\nfor richard@[redacted]; Mon, 17 Apr 2021 07:30:07 +0100
\nReceived: from www24.jnb1.host-h.net ([196.22.132.24])
\nby antispam2-jnb1.host-h.net with esmtpsa (TLSv1.2:AES128-SHA:128)
\n(Exim 4.86)
\n(envelope-from <zaida@musetiles.co.za>)
\nid 1d00Am-0002vS-Kq
\nfor richard@[redacted]; Mon, 17 Apr 2021 08:30:05 +0200
\nReceived: from 191.11.157.77.rev.sfr.net ([77.157.11.191] helo=SERVEURICAR)
\nby www24.jnb1.host-h.net with esmtpa (Exim 4.80)
\n(envelope-from <zaida@musetiles.co.za>)
\nid 1d00Al-0000Ov-B9
\nfor richard@[redacted]; Mon, 17 Apr 2021 08:30:03 +0200
\nFrom: \"=?utf-8?Q?PayPal=20Service?=\" <zaida@musetiles.co.za>
\nTo: \"=?utf-8?Q?richard=[redacted]=2Eco=2Euk?=\" <richard@[redacted];>
\nReply-To: service@update.info
\nDate: Mon, 17 Apr 2021 09:30:03 +0300
\nSubject: =?utf-8?Q?Don=27t=20be=20blocked=21=21=21?=
\nMIME-Version: 1.0
\nContent-Type: multipart\/alternative;
\nboundary=\"_=aspNetEmail=_71359708a1e445838a93feed4cf9e4e7\"
\nMessage-ID: <SERVEURICAR9795955f32274d1987edd3ebcdc2d8f2@SERVEURICAR>
\nX-Authenticated-Sender: zaida@musetiles.co.za
\nX-Virus-Scanned: Clear (ClamAV 0.99.2\/23303\/Sun Apr 16 22:56:55 2021)
\nX-Originating-IP: 196.22.132.24
\nX-SpamExperts-Domain: musetiles.co.za
\nX-SpamExperts-Username:
\nAuthentication-Results: host-h.net; auth=pass (login) smtp.auth=@musetiles.co.za
\nX-SpamExperts-Outgoing-Class: unsure
\nX-SpamExperts-Outgoing-Evidence: Combined (0.78)
\nX-Recommended-Action: accept
\nX-Filter-ID: [long base64 value omitted]
\nX-Report-Abuse-To: spam@antispammaster.host-h.net<\/p>\n