Currently I am using Mozilla Thunderbird 2.0.0.16 as my email client. I have this habit of preferring my emails to be stored on my laptop, as it is easier for me to refer to any particular email while offline. Oh yes, Thunderbird also has the calendar where I can monitor my appointments, my immediate tasks and future tasks, and I can also check whether these tasks are completed or not (this sentence is dedicated to wifey and her Outlook ;P). Usually I never or seldom look at those emails filtered as Junk or Spam by Thunderbird, but out of the blue, I just decided to look into one that managed to bypass the filters.

It seems that the email was sent by PayPal with the subject “PayPal Security Department”, and the sender email is support@intl.paypal.com. Initially I thought PayPal was offering me a security job at their company ;P. So I continued reading the email content, which said,

Dear PayPal ® customer,

We recently reviewed your account, and we suspect an unauthorized transaction on your account.
Protecting your account is our primary concern. As a preventive measure we have temporary limited your access to sensitive information.
Paypal features.To ensure that your account is not compromised, simply hit “Resolution Center” to confirm your identity as member of Paypal.

  • Login to your Paypal with your Paypal username and password.
  • Confirm your identity as a card member of Paypal.

Please confirm account information by clicking here Resolution Center and complete the “Steps to Remove Limitations.”

*Please do not reply to this message. Mail sent to this address cannot be answered.

Copyright © 1999-2008 PayPal. All rights reserved.

Now..now. The email itself is strange.

1). Why must the subject be “PayPal Security Department” and not “Unauthorized transaction” or anything similar? I guess because the sender wanted me to pay attention to the “PayPal SECURITY Department”, which would turn me into “this-is-important-email” mode, trusting everything stated in it and doing whatever the instructions in that email say, regardless of where those Security Department phrases are placed.

2). Why didn’t it address me by the name I used during registration, and where are the details of my account? What are the suspicious transactions? This is supposed to be an email specifically addressing my account’s problem. If the email were meant as a general announcement, then it might be acceptable.

So let’s say you click the link provided in that email (Resolution Center); you’ll be pointed to http://www.paypal-account91347.com/login/login.php

And to find out where this domain is registered, I just used the whois tool for Windows created by Mark Russinovich of Sysinternals, and the result is that the domain was registered in China.
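The mismatch between the link text and the host it really points to can be checked mechanically. As an added example (not part of the original post), this Python code pulls every link out of an HTML mail body and compares its real host against paypal.com; `BRAND`, `TRUSTED_DOMAIN`, the function names and the sample body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "paypal"               # brand the message claims to come from
TRUSTED_DOMAIN = "paypal.com"  # assumption: the only domain treated as genuine

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def classify_host(host):
    """Return 'trusted', 'lookalike' (brand name in a foreign host) or 'other'."""
    host = host.lower().rstrip(".")
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    return "lookalike" if BRAND in host else "other"

def audit_links(html_body):
    """Return one finding per link: visible text, real host, verdict, scheme."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        findings.append({"text": text, "host": host, "verdict": classify_host(host),
                         "plain_http": parts.scheme == "http"})
    return findings

# Constructed sample body; the first href is the URL quoted in the post.
SAMPLE = ('<a href="http://www.paypal-account91347.com/login/login.php">'
          'Resolution Center</a> <a href="https://www.paypal.com/">PayPal</a>')
if __name__ == "__main__":
    print(audit_links(SAMPLE))
```

The suffix test is what separates `www.paypal.com` from hosts that merely contain the brand name, such as the one in this email.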

Domain Name………. PAYPAL-ACCOUNT91347.COM
Creation Date…….. 2008-07-25 09:34:14
Registration Date…. 2008-07-25 09:34:14
Expiry Date………. 2009-07-25 09:34:14
Organisation Name…. xiaowen
Organisation Address. No.12 chan’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Using suspicious-looking nameservers,

Name Server………. ns3.visa-globalgateway.eu
Name Server………. ns4.visa-globalgateway.eu

Well, I googled both visa-globalgateway and paypal-account91347.com and was presented with wonderful results, especially the ones from phishtank.com and blockalert.com. It is a phishing attempt all right.

If you proceed to click on the given link (Resolution Center / paypal-account91347.com), you’ll be presented with a paypal.com login page. If you are not careful, your PayPal account will be hijacked, as the phishing site and the actual site are very similar.

On the left is the actual and legitimate paypal.com site, while the one on the right is not.

And this is the reason why I use Mozilla Firefox 3 with the Netcraft toolbar and WOT plugins: the moment I clicked the link, the Netcraft toolbar popped up a window box with a warning

And if you click YES (a dumb action actually, but for the sake of science - famous Mythbusters quote), another type of warning appears, courtesy of Firefox

And again, for the sake of curiosity, I chose to click “Ignore This Warning” at the bottom right side of the page.

The WOT plugin gives me another warning. And I guess with these kinds of warnings and filters presented the moment you click on the phishing link, only the super dumbass will be phished.

So another attempt at phishing/spam

Gunned down.

Hooray…

BTW, how do I know this is a spam or phishing attempt in the first place? Because of this:

That’s why it is stated in the email “*Please do not reply to this message. Mail sent to this address cannot be answered.”

:))

So for you guys, use Thunderbird and Firefox eh ;)

One Response to “There’s always next time…”

  1. on 01 Aug 2008 at 8:16 am mypapit

    Better be safe than sorry. Hehehe, I’ve a few friends who fell for the PayPal email phishing trick, although it’s almost as old as PayPal itself.