Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« Money Mule Recruitment | Main | Fake Amazon Email as Malware Delivery Vehicle »

February 18, 2010

(In)Credible PayPal Phishing Attempt [Updated]

I'm glad to say that the destination to which the bogus PayPal payment notice leads was quickly taken down. But that doesn't mean that the message won't surface again soon with a different link to a different hijacked web site serving as a PayPal login credentials ripper offer.

The message's Subject: line,

You sent a payment of $40.00 USD to cleverbridge, Inc

looks like it could be from PayPal. In my experience, however, PayPal's notifications of having sent a payment do not include the payment amount in the Subject: line. Such notifications are more typically sent as receipts for your payments.

In any case, the message has a fair amount of HTML/CSS design behind it, adding to its perceived credibility:

Phony PayPal payment notice

There really is a company called Cleverbridge, but it appears to be more involved with back-end e-commerce computing, and not selling to consumers — certainly nothing for $40, whether it be virtual food or otherwise.

This type of message is exactly the kind that gets unsuspecting individuals — infuriated at having been charged for something they didn't buy — to follow the link to cancel the transaction. The link, however, leads to a phony PayPal login page, where the victim will feverishly enter user ID and password to cancel the transaction (a transaction which doesn't exist).

However, a smart potential victim will know to use a previously saved bookmark to log into PayPal manually, and inspect his or her account. Of course, there will be no record of this $40 payment because it doesn't exist. And the login credentials will be kept out of crooks' hands.

Update (19 Feb 2010): The same message arrived today, with the URL going to a freshly minted .org domain whose name includes "paypal". Right on schedule.

Posted on February 18, 2010 at 03:47 PM