• ISSP

Phishing under PayPal cover

Phishing is an attempt to obtain personal information such as usernames, passwords and financial details by posing as a party the victim trusts. To get a better understanding of how phishing e-mails work, let's look at a real-life phishing attempt against a PayPal user.


PayPal user phishing case study


Let's analyze a simple case of phishing by looking at the following e-mail:

Screenshot shows the phishing e-mail purporting to come from PayPal
Phishing e-mail

What does this e-mail appear to tell us?

  1. It was allegedly sent by PayPal.

  2. It says that your PayPal account has been limited, and that you can restore it by opening the attached HTML file and following the "instructions".

  3. The HTML file is attached.

To start with, let’s look at the headers:

Return-Path: <Ѓg>
Received: from smtp.dentalcremer.com.br ([189.16.55.211]) by mx.unitymail.biz
  (8.14.7/8.14.7) with ESMTP id u52FCIcl007805 for <user@target.ua>; Thu, 2 Jun 2016 18:12:19 +0300
Date: Thu, 2 Jun 2016 18:12:18 +0300
Received: from 125.111.65.140 ([189.16.55.211]) by smtp.dentalcremer.com.br
  with Microsoft SMTPSVC(8.5.9600.16384); Thu, 2 Jun 2016 11:55:06 -0300
From: PayPal <accounts@locked.com>
Subject: Your Account Has Been Limited
Message-ID: <d0db17bebc199e2d1030d28d415bfcd7accounts@locked.com>
Content-Type: multipart/mixed; boundary="9b53dcd6f3cb7f23731e8f4a851ac1a1"
To: undisclosed-recipients:;
MIME-Version: 1.0


Even this superficial inspection shows that the e-mail was not sent by PayPal. The display name says "PayPal", but the actual From: address is accounts@locked.com, a domain with no relation to paypal.com. The message reached the recipient's mail server from smtp.dentalcremer.com.br (189.16.55.211), a third party's mail server rather than anything belonging to PayPal, and that relay in turn received it from a host that identified itself only by a bare IP address (125.111.65.140). Finally, To: undisclosed-recipients:; is the signature of a bulk mailing. Looking up the sending IP address tells us where the sender is located:

Screenshot shows where the sender is located
Sender's location

Screenshot shows the sender's IP address and name
Sender's IP address and name

If we had been less careful and opened the attached file, we would have seen the following:

Screenshot shows an alleged page for restoring user’s PayPal account
Page for restoring PayPal account

We see a page that claims to restore our PayPal account, with a form asking us to enter our personal details (including our password!).


Let's look inside the file. Part of the HTML is not stored in the clear but as an encoded (obfuscated) string; this is how the attacker hides the malicious content from casual inspection and from simple signature-based scanning. The file also contains JavaScript which, when the file is opened, decodes that string and hands the result to the browser.

On the screenshot below, we can see part of the encoded HTML page:

Screenshot shows part of the encoded HTML page
Part of the encoded HTML page

The next screenshot shows the decoding routine written in JavaScript:

Screenshot shows the decoding routine written in JavaScript
JavaScript decoding routine

Within the decoding routine we can find the line that actually runs the decoded HTML, i.e. the call that passes the decoded string to the browser for rendering:

Screenshot shows the line that runs the decoded HTML page
Line that runs the decoded HTML page

Let's modify that part of the JavaScript so that it can no longer execute the decoded page, for example by commenting the call out or replacing it with one that only displays the decoded string:

Screenshot shows the JavaScript code with the ability to run removed
JavaScript code deprived of the ability to run

As a result, we get a safe way to study the decoded HTML.

In the decrypted code, we will see that all the information from the fields to be completed is sent to the official PayPal website:

Screenshot shows that information is submitted to PayPal
Information is submitted to PayPal

However, looking further at the JavaScript, we see that the same field values are also sent to www.demograph2.net/...php, a site that certainly has no relation to PayPal:

Screenshot shows that the information is also submitted to a website unrelated to PayPal
Information is submitted to a source unrelated to PayPal

Next, let's find out which IP address this domain has resolved to in the past. A passive DNS service can answer this; one example is http://www.tcpiputils.com/:

Screenshot shows which IP address this domain was assigned to in the past
IP address and the number of domains hosted on it

We can also see which other domains have been hosted on this IP address. As you can see, most of them have abuse reports for hacking, port scanning, brute-force attacks, DDoS, forum spam and Ping of Death:

Screenshot shows the list of domains and their reported abuse
List of domains and their reported abuse

Stay alert when checking your e-mail, especially when a message concerns credit cards or bank accounts. Pay special attention to the URL in the address bar of any page that asks for your personal data: a page opened from an e-mail attachment, as in this case, shows a local file path rather than the provider's own domain. Rather than opening attachments or following links from such messages, go to the provider's site by typing its address yourself.


Hopefully this article was helpful.
