Phishing under PayPal cover

We would like to analyze a simple case of phishing and will look at the following e-mail:

What information do we seem to get from this e-mail?

1. This e-mail was allegedly sent by PayPal.

2. It says that your PayPal account has been blocked, but you may restore it by opening an html-file following the “instructions”.

3. The html-file is attached.

To start with, let’s look at the headers:

Return-Path: <Ѓg>

Received: from smtp.dentalcremer.com.br ([]) by mx.unitymail.biz

(8.14.7/8.14.7) with ESMTP id u52FCIcl007805 for <user@target.ua>; Thu, 2

Jun 2016 18:12:19 +0300

Date: Thu, 2 Jun 2016 18:12:18 +0300

Received: from ([]) by smtp.dentalcremer.com.br

with Microsoft SMTPSVC(8.5.9600.16384); Thu, 2 Jun 2016 11:55:06 -0300

From: PayPal <accounts@locked.com>

Subject: Your Account Has Been Limited

Message-ID: <d0db17bebc199e2d1030d28d415bfcd7accounts@locked.com>

Content-Type: multipart/mixed; boundary="9b53dcd6f3cb7f23731e8f4a851ac1a1"

To: undisclosed-recipients:;

MIME-Version: 1.0

Even this superficial inspection shows that the e-mail was not sent by PayPal:

If we had been more careless and run the attached file, we would have seen the following:

We see an alleged page for restoring our PayPal account, where we have to complete a form by entering our personal details (including our password!).

Let’s look at the file on the inside. We can see that part of the html-code is encrypted. In this way, the intruder is concealing the malicious code. Also, the file contains a JavaScript-code which, if you run the file, decrypts the malicious part of the code.

On the screenshot below, we can see the part of the encrypted html-page:

The next screenshot demonstrates the decrypting mechanism written in JavaScript:

In the html-page decrypting mechanism, we can find the line responsible for running the decrypted html-page:

Let’s change part of the JavaScript-code by depriving it of the possibility to run:

As a result, we will get a safe way to study the decrypted html-page code.

In the decrypted code, we will see that all the information from the fields to be completed is sent to the official PayPal website:

However, if we further look at the JavaScript-code, we will see that all the information from the field to be completed is also sent to www.demograph2.net/...php, which certainly is not related to PayPal in any way:

Next, let’s find the IP-address this domain was assigned to in the past. To do this, we may use the following resource, for example: (http://www.tcpiputils.com/)

We also can see what domains were assigned to this IP-address before. As you can see, most of them had stories with improper activities, including Hacking, Port Scanning, Brute-Force, dDos, Forum Spam, Ping of Death:

Stay alert when you check your e-mails, especially when it’s about credit cards or bank accounts. Pay special attention to the link in the address line which is used to request your personal data.

Hopefully this article was helpful.

28 views0 comments

Recent Posts

See All



Please get in touch by completing the form or calling one of our offices listed below.  


Washington DC

1300 I Street NW

Suite 400E, Washington

District of Columbia, 20005

+1 202 749 8432


10/14 Radyscheva St., Kyiv

Ukraine, 03124

+380 44 594 8018


33b Ilia Chavchavadze ave,

0179, Tbilisi, Georgia
+995 32 224 0366


1 Grabarska st., 50-079  Wrocław,


+48 71 747 8705


808V, 165B Shevchenko St, 050009, Almaty,


+7 727 341 0024

k z @ i s s p . c o m


Suite 2600, Three Bentall Centre 
595 Burrard st., PO Box 49314 
Vancouver BC V7X 1L3 Canada

+1 289 968 4454


Suite 2201, 250 Yonge St. 
Toronto, ON M5B 2L7 Canada
+1 647 361 5221        +1 800 573 0922 (toll-free)

i n f o @ i s s p . c o m

Copyright © 2020 ISSP. All rights reserved.