« Money Mule Recruitment | Main | Fake Amazon Email as Malware Delivery Vehicle »

February 18, 2010

I'm glad to say that the destination to which the bogus PayPal payment notice leads was quickly taken down. But that doesn't mean that the message won't surface again soon with a different link to a different hijacked web site serving as a PayPal login credentials ripper offer.

The message's Subject: line,

You sent a payment of $40.00 USD to cleverbridge, Inc

looks like it could be from PayPal. In my experience, however, PayPal's notifications of having sent a payment do not include the payment amount in the Subject: line. Such notifications are more typically sent as receipts for your payments.

In any case, the message has a fair amount of HTML/CSS design behind it, adding to its perceived credibility:

There really is a company called Cleverbridge, but it appears to be more involved with back-end e-commerce computing, and not selling to consumers — certainly nothing for $40, whether it be virtual food or otherwise.

This type of message is exactly the kind that gets unsuspecting individuals — infuriated at having been charged for something they didn't buy — to follow the link to cancel the transaction. The link, however, leads to a phony PayPal login page, where the victim will feverishly enter user ID and password to cancel the transaction (a transaction which doesn't exist).

However, a smart potential victim will know to use a previously saved bookmark to log into PayPal manually, and inspect his or her account. Of course, there will be no record of this $40 payment because it doesn't exist. And the login credentials will be kept out of crooks' hands.

Update (19 Feb 2010): The same message arrived today, with the URL going to a freshly minted .org domain whose name includes "paypal". Right on schedule.