PayPal phishing

Mountain Goat
Posts: 6070
Joined: Wed Apr 19, 2006 1:31 pm
Location: Leysin, Alpes Vaudoises, Switzerland

Post by Mountain Goat »

We've had several PayPal phishing emails recently, but they've been reasonably obvious, just looking at the links or by the language.

But a serious geek, on another forum, who is pretty clued up and wouldn't normally send out a warning, sent us the message below.

MG

There is a VERY convincing 'phishing' email that I personally received this morning (deactivated example is appended below) that purports to come from PayPal (it doesn't!) saying that a new address has been added to your PayPal account with a very convincing link to activate/de-activate it

BE WARNED - This email also carries an HTML Trojan load that your antivirus software should deal with OK but ONLY IF YOUR AV SOFTWARE IS UP TO DATE

If you receive this email in Outlook/Outlook Express do NOT open it before doing the following :-
1. Click on <Format> then select <Plain Text> (if the email hasn't been opened, this disables the HTML code Trojan)
2. Select and delete it immediately - both from your inbox and your deleted items folder

If this email opens in your email client automatically as you start the program it is too late to do 1. above - in this case carry out 2. above

Then in BOTH cases run a FULL / DEEP antivirus scan IMMEDIATELY

This is the email text (please note that I have removed some details and disabled the link while leaving some idea of what it was)

This email confirms that you have added the following address to your
account:

##### Perimeter Road
Grass Valley, CA #####
United States

If you did not authorize this change please contact us using the link
below:
ht?ps://www.paypal.co.uk/webscreen=?cmdxxxxxxxxxxxxxxxxxxxxxxx

Thank you for using PayPal!
The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the header of any page.


These are the general details of the HTML Trojan-Spy.HTML.Fraud.gen (variations also include : HTML/Phishbank.AYP and Phishbank.1kp!Trojan) which is embedded in the email which my system detected and immediately quarantined - the email attempts to load this trojan EACH time the email is opened in any email client

This trojan originally dates back to 2006 but there have been two new updated releases of it recently (25/04/2010 & 08/05/2010). It originally exploited the Frame Spoofing loophole in IE 6 which was closed by a MS security update (KB832894) in 2006 - this version is apparently a new exploit
Nemo
Posts: 7062
Joined: Thu Aug 14, 2008 10:15 am
Location: Norfolk

Post by Nemo »

Just had this reasonably convincing email phishing attempt regarding my Paypal acct. I have not seen one like this before, so just thought I'd post it for others to see. It has an attachment which takes you to a webpage - but obviously I haven't opened/clicked on it and will be deleting it immediately. :D It is addressed to undisclosed recipients.

Dear PayPal Customer,

You have added debra.m******8@btinternet.com as a new email address for your Paypal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your Paypal account.

NOTE: The form needs to be opened in a modern browser which has javascript enabled (ex: Internet Explorer 7, Firefox 3, Safari 3, Opera 9)

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely, PayPal Account Review Department.
Mozzie
Posts: 359
Joined: Sat Oct 06, 2012 11:52 pm
Location: New Zealand Beach and Colorado USA

Post by Mozzie »

That is very convincing - not sure I would have tumbled to it Nemo. Very worrying having to think about scams. My business is pretty simple at present but I am trying to get a suspicious mind mentality going - not my nature though.
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

Nasty.

The following are the killer giveaways:
Nemo wrote: It is addressed to undisclosed recipients.
and
Nemo wrote: Dear PayPal Customer,
If a genuine contact, you might reasonably expect them to know your name (or registered username) and use it when addressing you.
Hells Bells
Posts: 13173
Joined: Sat Apr 30, 2005 8:42 am
Location: French Alps

Post by Hells Bells »

Genuine Paypal emails use your name.
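
The giveaways named in the replies above (undisclosed recipients, a generic greeting instead of the account holder's name), plus the HTML form attachment Nemo describes, written as a mail-triage check. This is an added example, not part of any post; the sample message, the `.example` addresses and the function name `phishing_indicators` are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the message quoted in the thread (not a real capture).
SAMPLE = """\
From: "PayPal" <service@paypal.example>
To: undisclosed-recipients:;
Subject: New email address added
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear PayPal Customer,

You have added a new email address for your Paypal account.
Submit the form attached to your email to restore your account.

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="form.html"

<html><body>constructed placeholder</body></html>
--b1--
"""

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(paypal\s+)?(customer|user|member|client)\b", re.I | re.M)

def phishing_indicators(raw, account_name=None):
    """Return the thread's giveaways found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    found = []
    to = str(msg.get("To", "")).lower()
    if not to.strip() or "undisclosed" in to:        # not addressed to you
        found.append("undisclosed-recipients")
    body = msg.get_body(preferencelist=("plain",))   # read the text part only
    text = body.get_content() if body else ""
    if GENERIC_GREETING.search(text):                # "Dear PayPal Customer"
        found.append("generic-greeting")
    if account_name and account_name.lower() not in text.lower():
        found.append("name-not-used")                # genuine mail uses your name
    for part in msg.iter_attachments():              # the attached "form"
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            found.append("html-attachment")
            break
    return found
```

The check reads only the `text/plain` part and never renders the HTML, in line with the plain-text advice in the first post.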
Mozzie
Posts: 359
Joined: Sat Oct 06, 2012 11:52 pm
Location: New Zealand Beach and Colorado USA

Post by Mozzie »

Good to know and thanks for tips.