We have seen an increase of phishing emails with the subject “Your account has been temporarily limited” that target PayPal users. The from email address is updates-int@paypal.net. The email body contains no links or clickable contents. It reads like this.

Dear PayPal account holder,

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account,and multiple password failures were present before the logons.

Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Download and fill out the form to resolve
the problem and then log into your account.

Thanks ,
PayPal

A html file with the name Restore_your_account_PayPal.html is attached to the email which mimics the official PayPal page but is executed from the local system. It consists of a simple form asking users to fill out personal information which includes name, address, social security number and credit card. The form does not ask for PayPal login information.

The email is obviously fake and not from PayPal. Here are some clues why that is the case:

• It does not mention the name of the customer, nor a PayPal representative or contact information.
• The return address is set to nobody@ne07.tt.co.kr and not a PayPal address
• Thunderbird mentions that the “sender is open HTTP proxy server”
• The attached file is a local form that is executed on the user’s system and not on the official PayPal website.
• PayPal does not use PayPal.net, it redirects the domain to PayPal.com. It is therefor unlikely that PayPal.net email addresses are used to communicate with customers. We personally have only received emails from PayPal.com and country domains like PayPal.de

A look at the HTML source code reveals further inconsistencies. The document embeds elements from unofficial sites like Megabyet, the form action (which is where the form data is submitted and processed is also on Megabyet and not on PayPal.com.

What should you do with the fake email? You can forward it to spoof@paypal.com the way it is, or delete it right away if you do not want to forward it to PayPal’s spoofing department.

The key is an electronic device that generates a six digit key every 30 seconds. That key is needed to login into PayPal. The device can be ordered from within the PayPal interface or from VeriSign directly. It works at all websites that make use of the key including eBay and PayPal.

PayPal has introduced the mobile security key recently. It makes use of the same principle with the difference that the security key is generated by an official server and send to the user’s cell phone instead.

This offers a few advantages like increased mobility and no waiting time till the device arrives. It does however mean that the user is charged for every SMS send by his cell phone provider. Merchants who log into PayPal several times a day might want to use the hardware solution primarily to save costs.

Users who want to order a mobile security key can do that once they are logged into PayPal. The option becomes available after the PayPal login. A click on the Security link in the top right corner of the website will load a new page with a link named Security Key.

A click on that link will display two options: To order a security key device or a SMS security key.