
Summer Phishing in the PayPal

Răzvan LIVINTZ

May 28, 2009



In the spam and phishing industry there are several brands that never get old, outdated or out of profit. As we have already shown in our latest E-Threats Landscape Report, and judging by the most recent phishing scheme, PayPal™ is still one of the top ten most spoofed identities.

In the current case, the unsolicited message, allegedly sent on behalf of the PayPal™ Team, warns prospective victims that their data has been altered because of unauthorized access. Hence, the e-crooks ask the on-line payment users to log into their accounts and verify the possibly compromised information by visiting the page provided in a hyperlink.

PayPal phishing

The link does not lead to the service portal, but to a Web page that employs several visual identification components of the original Web site, namely the logo, layout and general formatting elements.

Paypal phishing

This is the starting point of a cascade theft. First, the scoundrels look for the login credentials (e-mail address and PayPal™ password), which they steal via the file.php script.

Then, on a second page, they go for detailed personal information, including complete name, address, birth date, mother's maiden name and SSN, but also e-mail address and phone number.

But the swindle doesn't stop here. Scammers also want to get complete card details, including number, expiration date, Card Verification Code, issuing bank, card type, and even PIN. Most intriguing, the data is pilfered (via the file2.php script) not just for a single card, but for two, as you can see in the image below.

PayPal Phishing 3

A few interesting details: even though all the other menu options are available on both pages, clicking any of them will only reload the page. Moreover, one can easily see that the Web page address mimicking the genuine Web site loads from a domain registered in Lithuania (.lt instead of .com).

Also, there are none of the security elements one would expect to find on an e-payment site, namely SSL (Secure Sockets Layer) encryption or security authentication methods (no "https" prefix and no locked padlock).
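The indicators listed above (a brand name inside a lookalike host, plain HTTP, forms posting to a PHP script, and requests for data such as an ATM PIN or SSN that a payment site never asks for) can be checked mechanically. The following is an added triage example, not code from the original post or from Bitdefender; the URL and HTML it inspects are constructed samples modelled on the described scheme.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: lookalike host on a .lt domain, over plain HTTP,
# with a form that posts card data and a PIN to a PHP script.
SAMPLE_URL = "http://www.paypal.com.example-phish.lt/cgi-bin/webscr.php"
SAMPLE_HTML = """<html><body><img src="logo.gif">
<form action="file2.php" method="post">
 <input name="email"><input name="password" type="password">
 <input name="cardnumber"><input name="cvv2"><input name="atm_pin">
 <input name="ssn"><input name="mmn" placeholder="Mother's maiden name">
</form></body></html>"""

# Field-name fragments a genuine payment login page would never request.
SENSITIVE = {"pin", "ssn", "cvv", "cvc", "maiden", "mmn"}


class FormCollector(HTMLParser):
    """Collect every form action and input name from an HTML document."""
    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input":
            self.fields.append((a.get("name") or "").lower())


def phishing_indicators(url, html, brand="paypal", legit_domain="paypal.com"):
    """Return the indicators from the post that this page exhibits (empty if none)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    hits = []
    if parsed.scheme != "https":
        hits.append("no-https")
    # Brand name appears in the host, but the host is not under the brand's domain.
    if brand in host and host != legit_domain and not host.endswith("." + legit_domain):
        hits.append("lookalike-host:" + host)
    p = FormCollector()
    p.feed(html)
    for action in p.actions:
        if action.lower().endswith(".php"):
            hits.append("posts-to-php:" + action)
    asked = sorted({f for f in p.fields if any(s in f for s in SENSITIVE)})
    if asked:
        hits.append("asks-for:" + ",".join(asked))
    return hits
```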

Curiosity stirred me to click the "Why is ATM PIN required?" link. The explanation displayed in the pop-up window is one of the most hilarious I've ever read: "Requiring PIN Signatures is the latest security measure against: identity theft, credit card fraud and unauthorized account access". See the whole thing below.

PayPal phishing 4

Author


Răzvan LIVINTZ

I rediscovered "all that technical jazz" with the E-Threat Analysis Team at Bitdefender, the creator of one of the industry's most effective lines of internationally certified security software.
