PayPal Your Account Has Been Temporarily Limited Phishing Emails

Martin Brinkmann
Dec 27, 2010
Updated • Dec 13, 2014
Security
|
2

Phishing is still one of the common threats on today's Internet. Criminals try to get account information and other personal information from users by faking emails and websites of trusted services, websites and authorities.

Phishing is very common in the financial sector and PayPal is by far the service with the largest amount of phishing related attacks.

We have seen an increase of phishing emails with the subject "Your account has been temporarily limited" that target PayPal users. The from email address is updates-int@paypal.net. The email body contains no links or clickable contents. It reads like this.

Dear PayPal account holder,

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account,and multiple password failures were present before the logons.

Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Download and fill out the form to resolve
the problem and then log into your account.

Thanks ,
PayPal

A html file with the name Restore_your_account_PayPal.html is attached to the email which mimics the official PayPal page but is executed on the local system.

It consists of a simple form asking users to fill out personal information which includes name, address, social security number and credit card. The form does not ask for PayPal login information.

paypal your account has been temporarily limited

The email is obviously fake and not from PayPal. Here are some clues why that is the case:

  • It does not mention the name of the customer, nor a PayPal representative or contact information.
  • The return address is set to nobody@ne07.tt.co.kr and not a PayPal address
  • Thunderbird mentions that "sender is open HTTP proxy server".
  • The attached file is a local form that is executed on the user's system and not on the official PayPal website.
  • PayPal does not use PayPal.net, it redirects the domain to PayPal.com. It is therefor unlikely that PayPal.net email addresses are used to communicate with customers. We personally have only received emails from PayPal.com and country domains like PayPal.de

paypal phishing

A look at the HTML source code reveals further inconsistencies. The document embeds elements from unofficial sites like Megabyet, the form action (which is where the form data is submitted and processed is also on Megabyet and not on PayPal.com.

What should you do with the fake email? You can forward it to spoof@paypal.com the way it is, or delete it right away if you do not want to forward it to PayPal's spoofing department.

Summary
PayPal Your Account Has Been Temporarily Limited Phishing Emails
Article Name
PayPal Your Account Has Been Temporarily Limited Phishing Emails
Description
Find out if PayPal's "Your account has been temporary limited" email is a phishing attack on real.
Author
Advertisement

Previous Post: «
Next Post: «

Comments

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.