September 22, 2007

An In-Your-Face Phisher
Except for the complete idiots among them (recent example "Subject: PayPal Account® Posible Fraud - Notification"), most phishing social engineers try to present their email message with the same level of professionalism as one would expect in a genuine email message from the organization they're pretending to be. Thus, I was rather startled at the subject line of a message purporting to come from PayPal:
Subject: Your account was hijacked.
Perhaps I've been a PayPal customer for too long, but that language is so out of character as to be laughable. It also has no bearing on the content of the message.
The body of the message loads a PayPal logo image that was lifted from PayPal's site and is now hosted on a Romanian server—a detail that recipients rarely check. Thus, the logo may fool some.
As for the message itself, it's the fairly standard "someone tried to access your account" text:
Dear PayPal valued account holder,
We recently noticed one or more attempts to log in your PayPal account from a foreign IP address and we have reasons to believe that your account was hijacked by a third party without your authorization.
If you recently accessed your account while traveling, the log in attempts may have initiated by you.
However if you are the rightful holder of the account, click on the link below and submit, as we try to verify your account.
Please click here to login into your PayPal account and then fill in the required informations. This is required for us to continue to offer you a safe and risk free environment.
The log in attempt was made from:
IP address: 128.232.xxx.xxx
ISP host: [subdomains removed].cl.cam.ac.uk
If you choose to ignore our request, you leave us no choice but to temporally suspend your account.
We ask that you allow at least 48hrs for the case to be investigated and we strongly recommend not making any changes to your account in that time.
* Please do not respond to this email as your reply will not be received.
Thank you for your patience as we work together to protect your account.
Copyright © 1999 - 2007 PayPal. All rights reserved.
I'll admit that this guy did some of his homework in that the IP address that supposedly tried to access my account is within a block assigned to the University of Cambridge Computer Laboratory. In so many other messages of this type, the IP address info is rather random.
Unfortunately for most other recipients of this message and others like it, they aren't aware of how PayPal actually deals with unauthorized attempts to log in to someone's account. I've been through it for real and reported it. Additionally, in every communication I've received from PayPal (the real PayPal), the message body is addressed to me by name, not "valued customer" or other generic greeting (this, of course, could be faked because a lot of spam email address lists also have real names associated with the email address). Of course, I also have a very private email address for my financial accounts, and this phishing message (like all the other phishing messages) was addressed to my highly spammed public address.
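The tells described above (a logo and links hosted somewhere other than the brand's own domain, a generic "valued account holder" greeting, and suspend-within-48-hours pressure) can be checked mechanically before a user ever clicks. The following script is an added example and not code from the original post; it parses a constructed message modelled on the one quoted here and reports each indicator it finds. The sender and image domains are made up for illustration, and the allow-list of domains that PayPal legitimately uses is an assumption, not something the post states. It goes slightly beyond the post by combining all of the indicators into one pass and by contrasting the phish with a clean, name-addressed message.

```python
"""Heuristic phishing-indicator check over constructed sample messages.

Added example, not the blog's own code. The message texts, sender domains and
image hosts are constructed; BRAND_DOMAINS is an assumed allow-list.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: registered domains the impersonated brand really uses.
BRAND_DOMAINS = {"paypal": {"paypal.com", "paypalobjects.com"}}

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(valued|customer|member|user|account holder|paypal)", re.I | re.M)
PRESSURE = re.compile(
    r"\b(hijacked|suspend|48 ?hrs|48 hours|immediately|within 24)\b", re.I)


class _LinkImageCollector(HTMLParser):
    """Collect <a href> and <img src> URLs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.urls.append(("link", attrs["href"]))
        elif tag == "img" and attrs.get("src"):
            self.urls.append(("image", attrs["src"]))


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the hosts used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message, brand="paypal"):
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    allowed = BRAND_DOMAINS[brand]
    findings = []

    # 1. From: header domain that the brand does not own.
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if m and registered_domain(m.group(1)) not in allowed:
        findings.append(f"sender domain {m.group(1)} is not a {brand} domain")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""

    # 2. Logo images or links fetched from an off-brand server.
    collector = _LinkImageCollector()
    collector.feed(body)
    for kind, url in collector.urls:
        host = urlparse(url).hostname
        if host and registered_domain(host) not in allowed:
            findings.append(f"{kind} hosted at off-brand host {host}")

    # 3. Generic greeting instead of the account holder's name.
    text = re.sub(r"<[^>]+>", " ", body)
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting instead of recipient name")

    # 4. Pressure language: threatened suspension, short deadlines.
    for word in sorted({w.lower() for w in PRESSURE.findall(text)}):
        findings.append(f"pressure language: {word}")
    return findings


# Constructed sample modelled on the quoted message (all hosts are made up).
PHISH = """\
From: "PayPal" <service@paypal-security.example>
To: victim@example.net
Subject: Your account was hijacked.
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://img.example-ro.example/logo.gif">
<p>Dear PayPal valued account holder,</p>
<p>We have reasons to believe that your account was hijacked.
<a href="http://login.paypal-security.example/verify">Please click here</a>
to login. If you ignore this we will suspend your account within 48hrs.</p>
</body></html>
"""

# Constructed clean message: brand-owned sender and image host, named greeting.
CLEAN = """\
From: "PayPal" <service@paypal.com>
To: jane@example.net
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://www.paypalobjects.com/logo.gif">
<p>Dear Jane Doe,</p>
<p>Your monthly statement is now available in your account.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("clean", CLEAN)):
        print(name, phishing_indicators(sample))
```

Run as a script it prints seven indicators for the constructed phish and none for the clean message. The domain comparison is deliberately on the registered domain rather than the full hostname, so a legitimate `images.paypalobjects.com` passes while a look-alike such as `paypal-security.example` does not; a production filter would swap the two-label heuristic for a public-suffix list.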
Everyday users continue to fall for phishing messages because the phishers still take the time to pursue the tactic. There are some days I'd like to sit the world's email users down in one room and show them a thing or three.

Posted on September 22, 2007 at 09:28 AM