Once a week or so I receive an email from the payment processing service PayPal notifying me that my PayPal account has been temporarily limited. When I received such a message for the first time, I panicked for a moment, thinking that PayPal had, once again, screwed me over.
It quickly turned out, however, that the message was a scam: a phishing attack designed to steal my PayPal login credentials. Why would attackers want that information? To transfer all the money out of the account, and maybe even more if a credit card is linked to it.
They may use PayPal to make purchases on the Internet, or use the account as a temporary haven for illegal transactions.
Whatever it is, it is certainly not in the interest of the account owner. Let's take a closer look at one of the emails to see what it is all about, and learn how to tell that it is a phishing email.
The email reads:
Dear PayPal account holder,
PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account, and multiple password failures were present before the logons.
Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Download and fill out the form to resolve the problem and then log into your account.
The sender is PayPal email@example.com and the subject is "Your account has been temporarily limited". There is an attachment, an HTML page named Restore_your_account_PayPal.html.
Just looking at the email reveals several indicators that it is a phishing email; you do not even need to look at the email headers for that.
If you do look at the headers, you will notice that the Return-Path and Received headers do not mention PayPal but another domain (powerski.net), which more or less proves that the email at hand is a phishing email.
But what about the HTML attachment? The easiest way to find out is to save it locally and open it in a text editor.
I do not really need to see the site in action, analyzing the code is all that is needed to get the information that I want.
If you double-click the HTML attachment instead, it opens locally in your default browser, and you will see a page with a form that resembles the PayPal site.
If you look at the source, you notice that the form action points to http://networkpp.comlu.com/tmp/w.php and not to a PayPal domain. The form action is the address your input is sent to when you click the submit button.
The form asks for all kinds of personal and security related information, including your social security number, credit card or debit card number, expiration date, security code, mother's maiden name and email.
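As an added example (not code from the original post), here is a Python script that performs the two checks described above on a saved .eml file: it lists the domains named in the Return-Path and Received headers that do not belong to the claimed sender's domain, and the hosts that any form inside an HTML attachment posts to. The sample message is constructed to mirror the one in the post; its addresses, IP and MIME boundary are made up.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample: From claims PayPal, routing headers name powerski.net,
# and the attached HTML form posts to networkpp.comlu.com (values are made up).
SAMPLE_EML = """\
Return-Path: <bounce@powerski.net>
Received: from mail.powerski.net (mail.powerski.net [192.0.2.10]) by mx.example.org
From: PayPal <service@paypal.com>
Subject: Your account has been temporarily limited
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="Restore_your_account_PayPal.html"
Content-Disposition: attachment; filename="Restore_your_account_PayPal.html"

<html><body><form method="post" action="http://networkpp.comlu.com/tmp/w.php">
<input name="ssn"><input name="card"></form></body></html>
--b1--
"""

def routing_domains(msg):
    """Domains named in the Return-Path and Received headers, sorted."""
    found = set()
    rp_addr = parseaddr(str(msg.get("Return-Path", "")))[1]
    if "@" in rp_addr:
        found.add(rp_addr.rsplit("@", 1)[1].lower())
    for rcv in msg.get_all("Received", []):
        m = re.search(r"from\s+([\w.-]+)", str(rcv))  # the handing-off host
        if m:
            found.add(m.group(1).lower())
    return sorted(found)

def analyze(raw_eml, expected="paypal.com"):
    """Return the mismatches the post describes; an empty list means none."""
    msg = message_from_string(raw_eml, policy=policy.default)
    ok = lambda h: h == expected or h.endswith("." + expected)  # same domain?
    findings = []
    for d in routing_domains(msg):
        if not ok(d):
            findings.append(f"routing header names {d}, not {expected}")
    for part in msg.walk():  # HTML attachments: check where each form posts
        if part.get_content_type() == "text/html":
            for url in re.findall(r'<form[^>]*\baction=["\']([^"\']+)', part.get_content(), re.I):
                host = (urlparse(url).hostname or "").lower()
                if not ok(host):
                    findings.append(f"{part.get_filename()} posts to {host}")
    return findings
```

Run it on a real message with `analyze(open("message.eml").read())`; every line it returns is one of the indicators discussed above.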
What can you do if you receive an email that you suspect to be a phishing email?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.