It quickly turned out however that the message was a scam, a phishing attack to steal my PayPal login credentials. Why would attackers want those information? To transfer all the money from the account, and maybe even more if a Credit Card is linked to the account.

They may use PayPal to make purchases on the Internet, or use the account as a temporary haven for illegal transactions.

Whatever it is, it is certainly not in the interest of the account owner. Lets take a closer look at one of the emails to see what it is all about, and learn how to identify if it is a phishing email.

The email reads:

Dear PayPal account holder,

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account,and multiple password failures were present before the logons.

Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Download and fill out the form to resolve
the problem and then log into your account.

Thanks ,
PayPal

The sender is PayPal updates-int@paypal.net, the subject: Your account has been temporarily limited. There is an attachment, a HTML page with the name Restore_your_account_PayPal.html.

When you look at the email you will notice several indicators that it is a phishing email. You do not really need to look at email headers for that.

• 1. No customer name – Phishing emails usually do not have access to customer names, which means that they will address the recipient in general terms. Dear xxx.
• 2. No contact – Companies do usually include contact information in their emails. This can be a company’s street address, support phone numbers or links to web properties.
• Attachment – While it is possible that companies send attachments with their emails, it is unlikely that a company will do it in this case.

When you look at email headers you notice that the return-path and received headers do not mention PayPal but another domain (powerski.net), which more or less proves that the email at hand is a phishing email.

But what about the HTML email attachment? The easiest way to find out is to save it locally to open it in a text editor.

I do not really need to see the site in action, analyzing the code is all that is needed to get the information that I want.

If you double-click the HTML file in the email you will load it in your default browser locally. You will see a form and a page that resembles the PayPal site.

If you look at the source, you notice that the form action points to http://networkpp.comlu.com/tmp/w.php and not a PayPal domain. Form action means that your input is send to that address when you click the submit button.

The form asks for all kinds of personal and security related information, including your social security number, credit card or debit card number, expiration date, security code, mother’s maiden name and email.

What can you do if you receive an email that you suspect to be a phishing email?

• Ask a tech savvy user to look at it. You can forward the email to the user for instance if necessary.
• Go to the company website manually, look for contact information and call or email support there.
• Analyze the email the way I did. All information you need can be found in the email itself.
• When in doubt do not open. Move the email to a folder for safe-keeping, or delete it outright.

PayPal recently began to sell a so called PayPal Security Key to protect PayPal users from phishing attacks. The system works by protecting the login to the account not only with a username and password but also a security key that is generated on the fly on an external device. Attackers who are able to steal PayPal login information would need physical access to the security key to be able to log into the account at a later time.

It is not a 100% perfect solution as attackers are still able to circumvent the security key if they have additional information related to the PayPal user’s account. It still is a viable protection in most cases. PayPal is hosting a security center on their website that is informing and educating users about security risks and how to reduce them and prevent attacks.

Probably the best way of fighting most attacks and all phishing attacks is to always open the PayPal website directly instead of clicking on links that are supposed to lead there. Another security method is to use a password manager to store the PayPal login information. Many password managers, such as Last Pass, can fill out the login form and log in the user automatically in configured accounts. This can be a very effective method of detecting fake websites as the password manager will not fill out the login information automatically on these websites.