The practice of trying to trick someone into giving out their personal information, such as bank account, social security number, even your name and address, is called phishing. The goal of phishing is identity theft.

I received this e-mail last night. First lets, take a look at the e-mail itself and then I will point out some items of interest and common techniques used by phishers. And finally, what you can do to help in the fight against phishers.

Subject Notification from Billing Department
Sender Paypal
Date Fri 10:00

Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. We recently
contacted you after noticing an issue on your account. We requested information from you for the
following reason:

We have reason to believe that your account was accessed by a third party. We have limited
access to sensitive PayPal account features in case your account has been accessed by an
unauthorized third party. We understand that having limited access can be an inconvenience, but
protecting your account is our primary concern.

Case ID Number: PP-308-080-099

This is a second reminder to log in as soon as possible, to your PayPal account at
https://www.paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 .

Be sure to log in securely by opening the provided PayPal link. Once you log in,
you will be provided with steps to restore your account access. We appreciate your
understanding as we work to ensure account safety.

In accordance with PayPal’s User Agreement, your account access will remain limited until the
issue has been resolved. Unfortunately, if access to your account remains limited for an extended
period of time, it may result in further limitations or eventual account closure. We encourage you
to log in to your PayPal account as soon as possible to help avoid this.

We thank you for your prompt attention to this matter. Please understand that this is a security
measure intended to help protect you and your account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

—————————————————————-

PayPal Email ID PP638

// Limited Account – Please Restore Your Account Access

Let’s start at the top. First it says the sender is Paypal. On closer inspection you will find it claims to be from noreplay@sec.mail.com which is actually mail.com a place where anyone can set up a free e-mail account. This is your first clue, but don’t assume just because an e-mail says it is from, let’s say paypal.com, it really is. The sender e-mail is easily spoofed to say anything.

The second clue is the link they provide. What you see in my post is the way it looked in the e-mail. However, that is not where you would go if you clicked on the link in that e-mail. If you placed your mouse over the link, you would see paypal.com, however this was also spoofed. The actual link went to mail.empl.hu, BTW; I have already reported this site but when I checked the domain registration, this domain was registered back in Feb. 2010 and chances are it could remain active. Phishing sites registered in the U.S. are usually shut down fast, but when they are registered in other countries, it can be much harder or next to imposable to get the registrar to disable the domain name.

I don’t suggest try the following, but I went to the site to see how good of a fake it was. Many times the fake site will have errors like bad grammar. This site is a very good fake, or was. I reported it earlier and will tell you how to do the same at the end of this article, it appears to have been taken down already. Anyways, this site was an actual clone of the paypal site. When I inspected the source code of it, while it was still operating, all of the links except the login, were actually paypal’s. They copied the Paypal page and only modified the login page. So if you clicked on anything other than login, you would end up back at the real Paypal site. The site is down now so I don’t know what would happen if I tried the to login. One technique I have used in the past is to use a made up e-mail and password. Most likely, what would happen would be it would let me in, even though my user name and password was not real, they would not know this. The owner of this site would then have captured the account name and password. And more than likely I would have either been redirected to the real Paypal site or they would have set up another page with something like, we suspect fraudulent activity on your account and we need you to enter your account information. Then you would be asked to enter all your account information like full name, address, phone number, and social security number. Then you may get a message thanking you for the information and your account has been verified. At this point you have just had your identity stolen. You have just handed over all your account and identity information to the crooks.

However, just by “logging in” you have given them enough information to get into your account. Keep in mind that just visiting a site like this exposes you to fraud. When you visit a phishing site, they may try to attack your computer by installing software on to your computer with out your knowledge. This software, which I call malware but is also referred to as crimeware, can run on your computer without your knowledge and logs all you keystrokes. If you go to any website and type in your name and password, it has just been captured and uploaded some place that the crooks can access it.

Now I would also like to point out something in the content of this e-mail. One of the common tricks used by phishers is to tell you that you will lose access if you don’t respond immediately. They will either tell you to click on a link in the e-mail, or reply to the e-mail or call a phone number. If you receive an e-mail asking you to verify your account, unless you requested it by clicking on a I lost my password link at the site before hand, do not respond to it, do not click on any link it contains, do not open an attachment, do not call any phone number it contains. Banks will never send out an e-mail requesting this information. If you still think it may be a real request, contact them yourself directly. Do not use the information in the e-mail to contact them. Look up their phone number yourself, or get it from a directory assistance. Do not reply to the email, create a new e-mail and type in the e-mail address yourself if you already know it. Or open a new browser window and type in the address yourself if you know it and if you don’t, use a search engine. What you are trying to avoid is using any part of the email you received. That includes phone numbers, links, or replying to the e-mail.

And now you should report it. You can do some good and help other from falling victim to a phishing scam and it’s very easy. Just forward a copy of the suspected e-mail to phishing-report@us-cert.gov and/or reportphishing@antiphishing.org You can also visit US-CERT & Anti-Phishing Working Group. You can also do a search for report phishing if you would like to find other places to report it to. I reported the example in this article to US-CERT and antiphishing.org before I started writing this and the site was down before I wrote half this article.

Turns out many people are still falling for this scam. I had to clean my parents computer up, from one of these. Try doing it over VNC, and you may have your patience tested like I did. Anyways, the old folks aren’t the only ones falling for this, and now their is a new variation. Spware Protect 2009, is the new breed of scareware. Not only does it con you by getting you to install it, it actually does damage to get you to “purchase” it for $49.99 and install a trojan downloader. Meanwhile it increases the pop ups telling you how infected your computer is. So you order the program with your credit card and guess what, you just gave them your credit card number, no hacking needed. A local electronics store, with the initials RS, got hit by it and from what I could get out of them, sounds like the whole corp has been infected through their network.

Since I first found out about this last week, I’ve found out that it’s now also being installed by the conficker virus. At first I was thinking, wouldn’t people be suspicious if there was a new piece of software, on their computer? I sure as hell would. Then I started thinking about it, in a corporate situation. Some poor schmuck, in accounting or where ever, could think it was installed by their IT Dept. So the keylogger installed would run until the computer crashed. The one good thing is, the domain that was selling Spyware Protect 2009 is gone. Keep an eye out for variations with new names and the same or slightly modified interface.

-Your friendly neighborhood PC Cybertek