Phishing under PayPal cover
We would like to analyze a simple case of phishing and will look at the following e-mail:
What information do we seem to get from this e-mail?
1. This e-mail was allegedly sent by PayPal.
2. It says that your PayPal account has been blocked, but that you may restore it by opening an HTML file and following the “instructions”.
3. The HTML file is attached.
To start with, let’s look at the headers:
(8.14.7/8.14.7) with ESMTP id u52FCIcl007805 for <email@example.com>; Thu, 2 Jun 2016 18:12:19 +0300
Date: Thu, 2 Jun 2016 18:12:18 +0300
Received: from 220.127.116.11 ([18.104.22.168]) by smtp.dentalcremer.com.br
    with Microsoft SMTPSVC(8.5.9600.16384); Thu, 2 Jun 2016 11:55:06 -0300
From: PayPal <firstname.lastname@example.org>
Subject: Your Account Has Been Limited
Content-Type: multipart/mixed; boundary="9b53dcd6f3cb7f23731e8f4a851ac1a1"
Even this superficial inspection shows that the e-mail was not sent by PayPal:
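The same header inspection can be scripted. The Python sketch below is an added example, not code from the original article: it parses the headers quoted above and flags a message whose display name claims PayPal while neither the From domain nor any Received hop is under paypal.com. The BRAND_DOMAINS mapping and the function names are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the article; its truncated first Received line is left out.
RAW = """\
Date: Thu, 2 Jun 2016 18:12:18 +0300
Received: from 220.127.116.11 ([18.104.22.168]) by smtp.dentalcremer.com.br
 with Microsoft SMTPSVC(8.5.9600.16384); Thu, 2 Jun 2016 11:55:06 -0300
From: PayPal <firstname.lastname@example.org>
Subject: Your Account Has Been Limited

"""

# Assumption made for this example: display-name brand -> legitimate domain.
BRAND_DOMAINS = {"paypal": "paypal.com"}

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def relay_hosts(msg):
    """Host or IP named after 'from' and 'by' in each Received header."""
    hosts = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        hosts += re.findall(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", flat)
    return [h.lower() for h in hosts]

def brand_mismatch(raw):
    """Findings for a display name that claims a brand the headers do not support."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    hops = relay_hosts(msg)
    findings = []
    for brand, domain in BRAND_DOMAINS.items():
        if brand not in name.lower():
            continue
        if not under(sender_domain, domain):
            findings.append(f"From domain {sender_domain} is not under {domain}")
        if not any(under(h, domain) for h in hops):
            findings.append(f"no Received hop under {domain}: {hops}")
    return findings

if __name__ == "__main__":
    for finding in brand_mismatch(RAW):
        print(finding)
```

Received lines below the one added by your own mail server can be forged by the sender, so treat this as a triage check. SPF, DKIM and DMARC results are the stronger signal when the receiving server records them.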
If we had been more careless and run the attached file, we would have seen the following:
We see an alleged page for restoring our PayPal account, where we have to complete a form by entering our personal details (including our password!).
In the screenshot below, we can see part of the encrypted HTML page:
In the HTML page's decryption mechanism, we can find the line responsible for running the decrypted HTML page:
As a result, we get a safe way to study the code of the decrypted HTML page.
In the decrypted code, we will see that all the information from the fields to be completed is sent to the official PayPal website:
Next, let’s find the IP address this domain was assigned to in the past. To do this, we may use, for example, the following resource: http://www.tcpiputils.com/
We can also see which domains were assigned to this IP address before. As you can see, most of them have a history of improper activity, including hacking, port scanning, brute force, DDoS, forum spam and ping of death:
Stay alert when you check your e-mail, especially when it concerns credit cards or bank accounts. Pay special attention to the link in the address bar of any page that requests your personal data.
Hopefully this article was helpful.