Malformed Phish, or Cracked Web Site? [Updated]
June 13, 2008
Every once in a while, something comes in over the transom that causes me to get a cardio workout even though I'm still sitting on my butt. It gets my blood flowing and puts all my sensors on high alert.
Such was the case today when I received what looked like a typical PayPal phishing message. This one was of the oft-used variety that claimed someone had just sent me a couple hundred bucks, and I could click the image link to view the details of the transaction. The usual deal here is that the link is to some other site, either a freshly-minted one or one hijacked from an established domain and server. They're after my login ID and password. Plus, it's Phriday, so that's what I expected.
As is my usual modus operandi, I checked the URL of the actual link in the message's source code before doing anything. To my amazement, the linked URL was to the real PayPal domain, complete with SSL protocol (https). The only thing that differed from the plain https://www.paypal.com address was the addition of a forward slash and a two-character subdirectory name, which I won't mention here. There were none of the URL spoofing tricks that I've seen in the past, such as the one whereby the URL is intentionally malformed so that the address actually linked to is hidden further down to the right of a long URL.
The message was definitely a phishing message. It did not originate from a PayPal server; the text began "Dear Member;" it was addressed to an address that is different from my PayPal login address; and there was no reason for some fellow in Canada I didn't recognize by name or email address to be sending me two hundred dollars. For the record, here's the body text of the message:
You've got new funds!
Dear Member,
Robert Cooper just sent you money with PayPal.
Robert Cooper is a Verified buyer.
Amount: $200.00 USD
Transaction ID: 2XC29017VB4724053
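As an added example (not code from the original post), here is a small Python script that performs the checks described above mechanically: it pulls every href out of an HTML message body, flags the userinfo trick in which everything left of an "@" is ignored and the real host sits further to the right of a long URL, flags look-alike hosts, plain-http links and display text whose host differs from the target, and notes the non-URL tells (a generic "Dear Member" greeting and a recipient address that is not the account's login address). The trusted host list, the invented hosts, the sample path and the sample message are assumptions; the real subdirectory the post withholds is not reproduced.

```python
"""Added example: audit the links and tells in a constructed phishing e-mail.
Not code from the original post; trusted hosts and the sample body are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only hosts we accept as the genuine site.
TRUSTED_HOSTS = ("www.paypal.com", "paypal.com")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, text.strip()))
            self._current = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def is_trusted_host(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify_link(href, text=""):
    """Return a list of findings; an empty list means the link looks genuine."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not https")
    # "https://www.paypal.com:login@evil.example/" parses as user:pass@host,
    # so the real destination is whatever follows the '@'.
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo hides real host: " + host)
    if not is_trusted_host(host):
        if "paypal" in host:
            findings.append("look-alike host: " + host)
        else:
            findings.append("untrusted host: " + host)
    # Visible text that is itself a URL but points somewhere else.
    if text.startswith(("http://", "https://")):
        shown = (urlsplit(text).hostname or "").lower()
        if shown != host:
            findings.append("displayed host %s differs from target %s" % (shown, host))
    return findings


def message_red_flags(to_addr, login_addr, body_text):
    """Non-URL tells from the post: generic greeting, recipient not the account address."""
    flags = []
    if "dear member" in body_text.lower():
        flags.append("generic greeting")
    if to_addr.lower() != login_addr.lower():
        flags.append("sent to an address that is not the account login")
    return flags


# Constructed sample modelled on the post's message; the hosts and the path are invented.
SAMPLE_HTML = """<p>Dear Member,</p>
<p>Robert Cooper just sent you money with PayPal.</p>
<p><a href="https://www.paypal.com/somepath">View transaction details</a></p>
<p><a href="https://www.paypal.com:login@evil.example/webscr">https://www.paypal.com/webscr</a></p>
<p><a href="http://paypal.com.secure-login.example/">Log in to your account</a></p>
"""


def audit(html=SAMPLE_HTML):
    """Map each href in the body to its findings."""
    return {href: classify_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, findings in audit().items():
        print(href, "->", findings or ["looks genuine"])
    print(message_red_flags("other@example.net", "me@example.net", "Dear Member,"))
```

The first sample link is the situation in the post: a genuine-looking https link on the trusted host produces no findings, which is exactly why a link-level check alone cannot tell a malformed phish from a compromised page; the message-level tells and a login through your own bookmark are still needed.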
As I recommend to anyone receiving an unexpected message about a financial-related account, I logged into my PayPal account via the bookmark I've used for years—just to see what the account says about the matter. Needless to say, there was no payment to me for $200.00. Simply confirming my assumption.
I was, however, curious about that link. Would it, ultimately, take me to PayPal?
I clicked it. (gasp)
To my amazement, the link not only took me to a real PayPal SSL URL, but the page even read my PayPal cookie to insert my actual PayPal login email address into the login form, just like the main PayPal page does. The Address bar showed the same URL I had seen in the email message—the real PayPal domain plus the two-character subdirectory.
At this point, I thought of those scary movies where the terrified heroine has the cops trace phone calls that have frightened her all night...and they tell her, "The calls are coming from inside the house!" Had someone inside or outside of PayPal embedded a phishing page within the PayPal servers? If so, had I just revealed my login email address to a crook (via the cookie), who could then try brute force password attacks to attempt to access my account?
I thought I should at least bring these possibilities to PayPal's attention as quickly as possible. I've ranted before about trying to convey what might be vital security information to a large company, and this effort was no less satisfactory. The frustration of dealing with customer support reps from the other side of the planet who are schooled in appeasing customers with insincere sympathy and supplying stock answers to questions I didn't ask only infuriated me even more. A supervisor did more of the same, but with less of an accent. I really don't need to hear the basics of Phishing 101. All I wanted was for this information to get to the right security people within the company as quickly as possible. If their systems had been compromised, you'd think they'd want to know about it pronto. The only thing I know for sure as the result of my phone call is that my suspicions were marked on my account record. B.F.D.
It has been about five hours since my report (and forward to PayPal's Spoof Department). Checking the URL in a way that does not send my cookies, I find the page is still active. I find it hard to believe that PayPal—assuming the security folks have heard about it by now—would let an alleged compromise of this scale go unabated. Perhaps that URL is to a genuine PayPal login page—some kind of alternate page with a specific, legitimate purpose in mind. This would mean that the phisher screwed up by not entering a URL of a crooked site (it is unlucky Friday the 13th, after all). But then, again, why would the URL placeholder have the alternate PayPal URL in it, and not the regular plain URL? And how did the phisher know about this alternate login page?
Or was this message a one-off, instigated by my doctor to get my heart a-pumpin'?
Too many questions. Not enough answers.
UPDATE (14 June 2008, 0900 PDT): Overnight I received another "Robert Cooper" PayPal phishing message. The link on this one was to a hijacked web site in the UK, which, in turn, redirected to the actual phishing page in a hijacked Spanish physician's web site. This is pointing more and more to a case of a malformed phishing message for the one that rang alarm bells here yesterday. I'd still like to know what that alternate PayPal login page is all about, just to settle my curiosity. In the meantime, I feel better about the integrity of that PayPal page.

Posted on June 13, 2008 at 04:38 PM