PayPal Your Account Has Been Temporarily Limited Phishing Emails
Phishing is still a common threat on today's Internet. Criminals try to obtain account details and other personal information from users by faking emails and websites of trusted services, websites and authorities.
Phishing is very common in the financial sector, and PayPal is by far the service with the largest number of phishing-related attacks.
We have seen an increase in phishing emails with the subject "Your account has been temporarily limited" that target PayPal users. The From address is [email protected]. The email body contains no links or other clickable content. It reads like this:
Dear PayPal account holder,
PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account, and multiple password failures were present before the logons.
Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Download and fill out the form to resolve
the problem and then log into your account.
An HTML file named Restore_your_account_PayPal.html is attached to the email. It mimics the official PayPal page but is executed on the local system.
It consists of a simple form asking users to fill out personal information which includes name, address, social security number and credit card. The form does not ask for PayPal login information.
The email is obviously fake and not from PayPal. Here are some clues why that is the case:
- It does not mention the name of the customer, nor a PayPal representative or contact information.
- The return address is set to [email protected] and not a PayPal address.
- Thunderbird mentions that "sender is open HTTP proxy server".
- The attached file is a local form that is executed on the user's system and not on the official PayPal website.
- PayPal does not use PayPal.net; it redirects the domain to PayPal.com. It is therefore unlikely that PayPal.net email addresses are used to communicate with customers. We personally have only received emails from PayPal.com and country domains like PayPal.de.
A look at the HTML source code reveals further inconsistencies. The document embeds elements from unofficial sites like Megabyet. The form action (which is where the form data is submitted and processed) is also on Megabyet and not on PayPal.com.
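The source check described above can be automated. The following is an added example, not code from the original article: it parses a saved HTML attachment and reports every form action or embedded resource that points to a host outside PayPal.com. The trusted-domain list, the `freehost.example` host and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains considered legitimate for a PayPal-branded page.
TRUSTED = ("paypal.com",)

# Attributes through which a page submits data to, or loads content from, a URL.
URL_ATTRS = {"form": "action", "img": "src", "script": "src",
             "link": "href", "iframe": "src", "input": "src"}

class RemoteRefParser(HTMLParser):
    """Collect (tag, host) pairs for every absolute URL the page references."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = urlparse(url).hostname  # None for relative URLs
        if host:
            self.refs.append((tag, host.lower()))

def is_trusted(host, trusted=TRUSTED):
    # Accept the domain itself or a true subdomain only, so a look-alike
    # such as "paypal.com.freehost.example" is rejected.
    return any(host == d or host.endswith("." + d) for d in trusted)

def audit_attachment(html):
    """Return the (tag, host) references that leave the trusted domains."""
    parser = RemoteRefParser()
    parser.feed(html)
    return [(tag, host) for tag, host in parser.refs if not is_trusted(host)]

# Constructed sample modelled on the attachment described in the article.
SAMPLE = """
<html><body>
<img src="https://www.paypal.com/images/logo.gif">
<img src="http://user.freehost.example/img/header.gif">
<form method="post" action="http://user.freehost.example/save.php">
<input type="text" name="fullname"><input type="text" name="card">
</form></body></html>
"""

if __name__ == "__main__":
    for tag, host in audit_attachment(SAMPLE):
        print(f"untrusted <{tag}> target: {host}")
```

A non-empty result for a `form` tag means the data entered would be sent to a third-party host, which is the inconsistency the article points out.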
What should you do with the fake email? You can forward it to [email protected] the way it is, or delete it right away if you do not want to forward it to PayPal's spoofing department.