We often read that scam and phishing attacks are more and more complex. I agree… if we deliberately omit the various phishing kits available on the internet, which are usually not very sophisticated! This weekend I got yet another phishing email scam on my personal email address. This one targets Paypal users, and specifically Paypal France since it is written in French. I thought it could be a perfect example to dissect in order to highlight the suspicious parts of its content.

So here is the email body:

First thing to notice: the use of “Cher client Paypal”, which means about the same as “Dear Paypal member”. It is a formal, but also very non-specific, way to start a mail. Paypal always uses our real name at the beginning of its mails, so any email that appears to be sent from Paypal and starts with such a generic greeting is suspicious. Moreover, French uses accents, and although this email is written in French, it contains no accents at all. Worse, there are many grammatical errors. Paypal is a big company, and I find it highly unlikely that they don’t have people who can write French properly! So just reading the email body should be enough to convince us to drop it in the trash bin.

But let’s see the subtler parts now.

The email asks us to click on the button “Activer” in order to re-activate our Paypal account (which has never been deactivated, obviously). But as you can see in the following screenshot, the button does not point to the Paypal.fr website; it is linked to the domain falomensdepeyy.com, although “www.paypal.fr” appears in the URL in an attempt to confuse people. A very typical tactic!

And last, but not least, let’s look at the email header:

The content of the entry called “X-WEBC-Mail-From-Script” is proof that this email was sent with a script located at http://www.alkasterdesese.com/mailer1.php, which has nothing to do with Paypal’s website! Although the “From” field contains the correct sender “service@paypal.fr” (a field the sender can set to any value), we are now sure that this email did not come from Paypal.
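The two checks described above (where the button really points, and which script sent the mail) can be automated. The following Python code is an added example, not part of the original post: the sample message is constructed, and the URL path, the HTML and the exact format of the header value are assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the two domains, the From address and the header name
# come from the article; the URL path, HTML and header value format are assumed.
SAMPLE = """\
From: service@paypal.fr
X-WEBC-Mail-From-Script: http://www.alkasterdesese.com/mailer1.php
Content-Type: text/html; charset=utf-8

<html><body><p>Cher client Paypal,</p>
<a href="http://falomensdepeyy.com/www.paypal.fr/index.php">Activer</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def host_of(url):
    """Hostname of a URL, tolerating a value written without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def on_brand(host, brand):
    """True only for the brand domain itself or one of its subdomains."""
    return host == brand or host.endswith("." + brand)

def analyze(raw, brand="paypal.fr"):
    """Return (kind, host, reason) findings for a single-part HTML email."""
    msg = message_from_string(raw)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    findings = []
    for href in collector.hrefs:
        host = host_of(href)
        if not on_brand(host, brand):
            reason = "brand in URL, wrong host" if brand in href.lower() else "off-brand link"
            findings.append(("link", host, reason))
    script = msg.get("X-WEBC-Mail-From-Script")
    if script and not on_brand(host_of(script), brand):
        findings.append(("header", host_of(script), "sent by third-party script"))
    return findings
```

Calling `analyze(SAMPLE)` returns one finding for the “Activer” link and one for the sending-script header. The comparison is made on the parsed hostname, so a brand name placed in the path or as a leading label of another domain does not pass.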

At the time of writing, both sites located at alkasterdesese.com and falomensdepeyy.com are shut down.

Additionally, Michael Barrett from PayPal has posted an excellent blog post on how to spot scams.