March 25, 2005This Weekend's New Phish Ploy
I just saw a new psychological tactic in a PayPal phishing message that (unfortunately) will probably become quite effective. The message (with all the graphic trappings of a PayPal mailing) is supposed to be a confirmation that you have just successfully changed the email address for your PayPal account. To "prove" it, the message includes this little tidbit:
Change of E-mail address request was made from:
IP Address: 188.8.131.52
ISP Host: cache-dtc-ae11.proxy.msn.com
You're supposed to think that someone with an MSN account is twiddling with your PayPal account. Spam Wars readers know not to be intimidated by this kind of technobabble.
Here are the clues that this message is all phoney baloney:
- A check of the IP address provided above reveals that it is part of an unallocated block. It does not yet exist on the Internet, and certainly not today at msn.com
- The message header reveals that the message originated from an unnamed server in the Philippines, not one of PayPal's servers.
- The real URL behind the bogus visible link is to a domain that contains the word "paypal" in it, but isn't the same as the link shown in the message.
- Upon visiting the real PayPal site (through a bookmark you had set after typing in the real URL some time ago), the site already knows your current email address login—and it still works.
I'm happy to report that the destination for this particular phishing message got shut down lickety-split (easy pickings at a U.S.-based ISP). But I'm sure the tactic will surface on other phishing messages whose servers will be more difficult to shut down.Posted on March 25, 2005 at 04:21 PM