ISSP

Jan 6, 2019, 2 min read

Phishing under PayPal cover

Updated: Oct 18, 2022

Phishing is an attempt to acquire personal information such as usernames, passwords, financial information, etc. To better understand phishing e-mails and how they work, let's take a look at a real-life phishing attempt against a PayPal user.

PayPal user phishing case study

Let's analyze a simple case of phishing and take a look at the following e-mail:

Phishing e-mail

What information do we seem to get from this e-mail?

  1. This e-mail was allegedly sent by PayPal.

  2. It says that your PayPal account has been blocked, but you may restore it by opening an HTML file and following the “instructions”.

  3. The HTML file is attached.

To start with, let’s look at the headers:

Return-Path: <Ѓg>
Received: from smtp.dentalcremer.com.br ([189.16.55.211]) by mx.unitymail.biz
    (8.14.7/8.14.7) with ESMTP id u52FCIcl007805 for <user@target.ua>; Thu, 2
    Jun 2016 18:12:19 +0300
Date: Thu, 2 Jun 2016 18:12:18 +0300
Received: from 125.111.65.140 ([189.16.55.211]) by smtp.dentalcremer.com.br
    with Microsoft SMTPSVC(8.5.9600.16384); Thu, 2 Jun 2016 11:55:06 -0300
From: PayPal <accounts@locked.com>
Subject: Your Account Has Been Limited
Message-ID: <d0db17bebc199e2d1030d28d415bfcd7accounts@locked.com>
Content-Type: multipart/mixed; boundary="9b53dcd6f3cb7f23731e8f4a851ac1a1"
To: undisclosed-recipients:;
MIME-Version: 1.0

Even this superficial inspection shows that the e-mail was not sent by PayPal: the message was relayed through smtp.dentalcremer.com.br (189.16.55.211), a host with no relation to PayPal, and the From address is accounts@locked.com rather than an address at a PayPal domain. The two screenshots below show the sender's location and the sender's IP address and host name:

Sender's location

Sender's IP address and name

If we had been less careful and opened the attached file, we would have seen the following:

Page for restoring PayPal account

We see an alleged page for restoring our PayPal account, where we have to complete a form by entering our personal details (including our password!).

Let's look inside the file. Part of the HTML code is encrypted (obfuscated); this is how the intruder conceals the malicious code. The file also contains JavaScript code which, when the file is opened, decrypts the malicious part of the page.

The screenshot below shows part of the encrypted HTML page:

Part of the encrypted HTML page

The next screenshot demonstrates the decrypting mechanism written in JavaScript:

JavaScript decrypting mechanism

In the decrypting mechanism we can find the line responsible for running the decrypted HTML page:

Line that runs the decrypted HTML page

Let's change that part of the JavaScript code so that it can no longer run the decrypted page:

JavaScript code prevented from running

As a result, we get a safe way to study the decrypted HTML page code.

In the decrypted code we see that all the information from the form fields is sent to the official PayPal website:

Information is submitted to PayPal

However, if we look further at the JavaScript code, we see that all the information from the form fields is also sent to www.demograph2.net/...php, which is certainly not related to PayPal in any way:

Information is submitted to a source not related to PayPal

Next, let's find the IP address this domain was assigned to in the past. To do this we may use, for example, the following resource: http://www.tcpiputils.com/

IP address with number of domains

We can also see which domains were assigned to this IP address before. As you can see, most of them have a history of improper activity, including hacking, port scanning, brute force, DDoS, forum spam and Ping of Death:

List of domains and their improper activities

Stay alert when you check your e-mails, especially when they concern credit cards or bank accounts. Pay special attention to the address in the browser's address bar of any page that requests your personal data.

Find out more about how ISSP helps its customers protect their assets: contact us via the form below.