Wednesday, November 9, 2011

Fresh Phish disguised as a PayPal Urgent Account Review Notification



PayPal phish

It begins:- "As of the 3rd of November 2011, our security system has blocked unusual charges to a credit card linked to your account."
And concludes:-
"Sincerely, PayPal Account Review Team"
          I spoke earlier in the week with a security professional who sent 500 spear phishing attacks internally to his colleagues. Of the 500 emails sent, 25 people responded by completing the form and surrendering their information. While a 5% rate may seem small, he felt even 1% was too high. Education helped a lot, but not completely. Do you agree?

          When read, this fresh phish posing as PayPal immediately puts the recipient into an emotional state that their account was compromised and their funds are in jeopardy which then clouds their judgement. Since PayPal is a trusted name in the electronic payments industry, they of course have controls to prevent fraudulent transactions (but no one is perfect). This phish takes advantage of that trust by explaining that the breached account has been locked for your protection.

          Attached HTML phish fileNow to regain access to your funds it's imperative to download the attachment and complete the form. After downloading and opening the attachment it will open your web browser. As you can see, this web page looks very genuine and might lower your guard into believing it really came from PayPal.

          There are a few mistakes in this poorly executed phish which caused education to prevail over emotion. The most basic one is that there isn't a PayPal email address associated with the inbox which received this phish.
PayPal phishing siteAnother one to point out is that the (From: "PayPal") is really not from PayPal.

          The phisher used a domain name pp-redacted-.com which based on a whois look up doesn't have anything to do with PayPal. It belongs to an instrumentation company out of Massachusetts that happens to have similar initials as PayPal. While my wife isn't a security professional or an expert with computers, her education to not trust every email in her inbox (beyond spam) triggered a gut feeling to think more clearly.

          If it doesn't feel right, then it's not. Go with your gut!
Until next time, stay safe and secure online.

1 comments:

Electronic Payments have made it possible for me to pay all my bills with out leaving the house.

Post a Comment