144). PayPal - HTML.Phishing.Pay-76

This email targets customers of PayPal.

Message Details

Malware Name:HTML.Phishing.Pay-76
Origin: Japan
Date first seen:16/07/2006 12:40:42
Number seen:84
Date last seen:04/05/2007 17:50:29
From:PayPal <service@paypal.com>
Subject:Receipt of payement to paypal@creative.com

Attacker's URLs

The following table shows the details of the URLs used by the attacker. These could either be the fake website of the attack, or a site which redirects to the attackers fake site. Sometimes the attacker will use an additional site for hosting resources such as images.

The table shows the current status of the site: if it is still reachable (), or if it has been shut down (). If the site has not been confirmed as a phishing site it is shown with the symbol . The time when the site was first observed is shown, together with the time that the site was shut down, if applicable. Do not visit the attackers site as it may contain malware. You can get more details on the site by clicking on the symbol.

StatusFirst observedShut DownInternet AddressURL
http://www.dctd.cerist.dz/us/paypal.com-redir/secure/ssl/webscr/sslsigninusing128bit.a541t125t541b1212.payapl.secureauthenticantion.userid1151354435sessionencrypt283bits/index.php
http://www.dctd.cerist.dz/us/paypal.com-redir/secure/ssl/webscr/sslsigninusing128bit.a541t125t541b1212.payapl.secureauthenticantion.userid1151354435sessionencrypt283bits/images/email_logo.gif
http://www.dctd.cerist.dz/us/paypal.com-redir/secure/ssl/webscr/sslsigninusing128bit.a541t125t541b1212.payapl.secureauthenticantion.userid1151354435sessionencrypt283bits/images/bg_clk.gif
http://www.dctd.cerist.dz/us/paypal.com-redir/secure/ssl/webscr/sslsigninusing128bit.a541t125t541b1212.payapl.secureauthenticantion.userid1151354435sessionencrypt283bits/images/pixel.gif
http://200.86.73.84:85/paypal/index.php

Message Text

The text below shows the message content, rendered in a safe way. It does not show images or HTML formatting, but the text is the same as that contained in the phishing email. Each clickable link is shown as a reference. You can see the way the URL is presented in the main body of the text, while the actual URL activated by the link is shown below the main body.

Message Display
Enlarge
How the message body looks in an email client.

                             [1]PayPal Header 

   Notice of Account Review Necessity

   Read this notice thoroughly and follow the instructions.
     _________________________________________________________________

   Why did I get the notice?
   You  have been sent this notice because the records of PayPal database
   indicate  you are a current or former PayPal account holder. PayPal is
   conducting  a  periodic  update of the database record. To ensure your
   account's  security,  it  is  important  that  you provide us accurate
   information. Please take a moment to verify the information we have on file.
   This notice provides instructions on how to confirm your PayPal account.
     _________________________________________________________________

   What should I do now?

   We sincerely ask you, as a PayPal account holder, to login to your account
   and give us the necessary information. Complete the necessary verification
   tasks  within 5 days, or your account might get temporarily suspended.
   Proceed with the link below.

                   [2]Click here to confirm your account
     _________________________________________________________________

   We apologize for your inconvenience.

   Thank you for your support,
   PayPal Accounts Department
     _________________________________________________________________

   Please do not reply to this email. Anything you send to this address cannot
   be answered. For assistance, [3]login to your PayPal account and choose the
   "Help" link in the footer of any page.
   To receive email notifications in plain text instead of HTML, update your
   preferences [4]here.
   PayPal Email ID PP571

   Protect Your Account Info
   Make sure you never provide your password to fraudulent websites.
   To safely and securely access the PayPal website or your account, open a new
   web browser and type in the PayPal URL to be sure you are on the real PayPal
   site.
   For more information on protecting yourself from fraud, please review our
   [5]Security Tips
   Protect Your Password
   You should never give your PayPal password to anyone, including PayPal
   employees.

References

   1. http://www.dctd.cerist.dz/us/paypal.com-redir/secure/ssl/webscr/sslsigninusing128bit.a541t125t541b1212.payapl.secureauthenticantion.userid1151354435sessionencrypt283bits/index.php
   2. http://200.86.73.84:85/paypal/index.php
   3. http://200.86.73.84:85/paypal/index.php
   4. http://200.86.73.84:85/paypal/index.php
   5. http://200.86.73.84:85/paypal/index.php

Additional Examples

Functions

Advice