Saturday, May 14, 2011

Paypal Phishing Scam Attempt

Like a lot of people who sometimes buy things on eBay, I have a Paypal account. I seldom use it for anything else, though such instances do come up every so often.

I have received numerous phishing scam letters addressed to me, often sent to the Yahoo account I once used a long time ago but seldom do anymore. The reason is that my eBay user name is the same as the Yahoo account name on that email address. So, a scammer attaches the eBay user name to a Yahoo address and sends me a phishing letter. I guess a lot of people use the same user name on both accounts, but I don't. I use my regular email address, which has a different user name entirely, for both accounts. The spare address is simply kept in the event that my primary one goes down or gets hacked and I need to send an email to everyone to inform them of this. If the primary goes down, I have all my contacts in the address book of the spare account and I'd simply send them an email telling them what happened and to call me on my cellphone to verify my identity. Most people I correspond with on the Internet don't have my cellphone number; only people who really know me have it.

Recently, I received an email in the spare account from what is obviously a phishing attempt and here it is:

PayPal Account Review Department

From: "PayPal"
To: undisclosed-recipients
Message contains attachments
1 File (19KB)

Dear Valued User,

Our system has detected unusual charges to a credit card linked to your PayPal account.

Access to your account was limited for the following reason:

We have established that someone tried to access your PayPal account without
your permission. To ensure greater security, we have limited access to your account. We have sent 
you an attachment which contains all the necessary steps in order to restore your account access.

Please download and open it in your browser.

(The locator for this reason is PP-244-692-109)

We thank you for your prompt attention to this matter. Please understand that this
is a security measure intended to protect you and your account. We apologise for any inconvenience.

Thank you,
PayPal Account Review Department

Most people might not notice the slight spelling difference in the letter. In the USA we spell "apologize" with a "z", while in the United Kingdom it's spelled "apologise", with an "s". It's a common enough slip for an American to make, but you'd think that an American company like Paypal would have caught something like that. This makes me think that whoever wrote the email learned UK English, with its spelling differences, rather than US English.

If you open the attachment, which is usually not a good idea, it's an HTML document that looks for all the world like a real Paypal account page, and it even shows that you are logged in to your account. Rather well put together, I must admit. However, since I was not logged in to my Paypal account, and I use an entirely different email account for it, there is no way that opening the attachment could actually have logged me into Paypal.

The first thing they want is your personal information. This is the first step toward identity theft. I have removed the script code that was on the original file I received.

Personal Information Profile
Make sure you enter the information accurately, and according to the formats required. Fill in all the required fields. 

  • Card Holder Name
  • Date of Birth
Next, they want your credit card information

Credit/Debit Card Profile
Enter card information as accurately as possible. For card number, enter numbers only please, no dashes or spaces.

  • Card Number:
  • Expiration Date:
  • Card Verification Number:
  • PIN
In all the time I have had my account with Paypal, they have never asked for the PIN for my credit card. That's because they would never need it: a card PIN is only used at an ATM or a point-of-sale terminal, never for an online payment. The only reason someone would ask for it is if they planned to clone the card and pull cash out of your account at an ATM closer to where they live. With daily withdrawal limits, it may take them a few days to drain the account that way. But they could make all kinds of store purchases in just a few hours, suck your account dry and even push it over its limit. If they do that, you're stuck having to fight the over-limit fees as well as all the cash withdrawals and purchases they made.

Even if you catch on and realize that you've given your banking details to scammers and cancel your credit card, they still have your name and date of birth. Together with even temporary access to your credit card information, that is a starting point for digging up your Social Security Number, home address, telephone/fax numbers, etc., and going into full-scale identity theft: opening new accounts in your name, which you could find yourself having to contest for a long time to come.
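Rather than typing anything into a form like the one listed above, the attachment can be read offline to see where a "Save Profile" button would send the data, what it loads, and exactly which fields it harvests. The following is an added example, not code from the original post or from the phishing kit; the HTML it inspects is constructed here to mirror the field list above, and the collector URL in it is a placeholder since the real one was not published.

```javascript
// Added example (not from the post or the kit): a static triage pass over a
// single-page HTML phishing attachment. Regexes are good enough for a kit
// this size and avoid rendering the page at all.
// PHISH_HTML is constructed for the demo; "collector.invalid" is a placeholder
// (.invalid is a reserved TLD), not the kit's real drop point.
const PHISH_HTML = `
<html><body>
<h2>Credit/Debit Card Profile</h2>
<form method="POST" action="http://collector.invalid/save.php">
  <input type="text" name="cardholder_name">
  <input type="text" name="dob">
  <input type="text" name="card_number">
  <input type="text" name="exp_date">
  <input type="text" name="cvv">
  <input type="password" name="pin">
  <input type="submit" value="Save Profile">
</form>
<script src="http://collector.invalid/validate.js"></script>
<script>/* inline validation script would be here */</script>
</body></html>`;

function auditPhishForm(html, legitimateDomain) {
  // Value of an attribute inside one tag string, or null if absent.
  const attr = (tag, name) => {
    const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i'));
    return m ? m[1] : null;
  };
  const tags = (re) => [...html.matchAll(re)].map(m => m[0]);

  const actions = tags(/<form\b[^>]*>/gi).map(t => attr(t, 'action')).filter(Boolean);
  const scriptSrcs = tags(/<script\b[^>]*>/gi).map(t => attr(t, 'src')).filter(Boolean);
  // Data-bearing inputs only; submit/button/hidden carry nothing the victim types.
  const fields = tags(/<input\b[^>]*>/gi)
    .filter(t => !/type\s*=\s*["']?(submit|button|hidden)/i.test(t))
    .map(t => attr(t, 'name'))
    .filter(Boolean);

  // Hostname of an absolute URL; relative actions (which would post back to
  // wherever the file was opened from) return null and are not flagged here.
  const host = (url) => { try { return new URL(url).hostname; } catch (e) { return null; } };
  const offDomain = (h) => h !== null && h !== legitimateDomain && !h.endsWith('.' + legitimateDomain);

  return {
    actions,
    externalActions: actions.filter(a => offDomain(host(a))),
    externalScripts: scriptSrcs.filter(s => offDomain(host(s))),
    inlineScripts: tags(/<script\b(?![^>]*\bsrc\b)[^>]*>/gi).length,
    fields,
    // Paypal never needs a card PIN, so a PIN field on its own marks the form as harvesting.
    asksForPin: fields.some(f => /\bpin\b/i.test(f)),
  };
}

console.log(auditPhishForm(PHISH_HTML, 'paypal.com'));
```

The interesting output is externalActions: anything that is not a paypal.com host is where the "Save Profile" data would go, and that URL is what belongs in the abuse report alongside the mail headers.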

While attempting to see where the "Save Profile" link at the bottom goes, I was stymied. I entered all kinds of bogus card numbers (all 1s or all 9s) along with fake PINs, etc., but the "Save Profile" button wouldn't let me go any further. Either it doesn't work or there's some sort of built-in software that prevents pranking. It may even be able to automatically verify whether a card number is valid or not. I'm not an authority on this sort of thing, so I couldn't tell you.
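The behaviour described above, all 1s and all 9s both rejected, is exactly what a client-side Luhn (mod 10) check produces, and phishing kits commonly include one in the form's script so that typos do not cost them a victim. That is a guess about this particular kit, since its script was removed before the file was shared. The check itself is standard, and here it is as an added example, not code from the original post or from the kit; the numbers fed to it are the classic test number and obviously fake ones.

```javascript
// Added example (not from the post or the kit): the Luhn mod-10 check that
// every real payment-card number satisfies. Passing it proves only that the
// digits are well-formed; it says nothing about whether a card exists.
function luhnValid(cardNumber) {
  const digits = String(cardNumber).replace(/[\s-]/g, '');
  if (!/^\d{12,19}$/.test(digits)) return false;        // PAN lengths in use
  let sum = 0;
  let doubleIt = false;                                  // rightmost digit is not doubled
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;                                 // same as adding the two digits of 10..18
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Check digit that makes `partial` Luhn-valid. Handy when you want an
// obviously fake but well-formed number to get past such a gate while
// examining a kit in a sandbox.
function luhnCheckDigit(partial) {
  const digits = String(partial).replace(/[\s-]/g, '');
  let sum = 0;
  let doubleIt = true;                                   // the check digit will take the undoubled slot
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return (10 - (sum % 10)) % 10;
}

// What the pranking attempt in the post would have hit:
const samples = {
  allOnes: luhnValid('1111111111111111'),                // false
  allNines: luhnValid('9999999999999999'),               // false
  visaTestNumber: luhnValid('4111 1111 1111 1111'),      // true: the classic test PAN
  obviousFakeThatPasses: '999999999999999' + luhnCheckDigit('999999999999999'), // '9999999999999995'
};
console.log(samples);
```

Note what the check does not do: it cannot verify a PIN, an expiry date or a card verification number, because none of those carry a check digit. A form that "validates" the card number but happily accepts any PIN is harvesting, not verifying.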

Getting back to the email, I did an IP trace and discovered that the email had a Polish IP as its source. If this email had really come from Paypal, an American company, it would have traced to an American IP.

Once I figured that I had learned all that I could, I forwarded the email with headers to Paypal's abuse address - - and will leave the rest to them.

Here are a few tips:

1) One reason people get Paypal phishing letters is that a lot of people use the same user name for their primary email address and their eBay account. So, if you shop on eBay or any other online retailer, use a different name for each. I sometimes get Paypal or eBay phishing letters at my regular email address, but that's only because someone signed up for eBay with that user name.

2) While this attachment was HTML, a lot of scammers send zip files, which can seriously hurt your computer. Don't open attachments; even an HTML attachment can cause problems. Scammers realize that a lot of people won't download zip files, for fear of viruses or hacking attempts, but more people will open and trust an HTML file, since it simply opens in the browser. That makes HTML the better bait for scammers: a larger number of victims will trust it.

3) If you get an email claiming to be from eBay, Paypal, any other online retailer, your bank or your credit card company that tells you about "problems with your account": don't open any attachments or click on any link in the message. Simply open a new browser window, type the company's address yourself, log in to your account and check it out for yourself. If everything seems okay in your account, forward the email to the appropriate company. Most banks, credit card companies and online retailers publish contact information for reporting this sort of thing. Keep the address in your Address Book and bookmark the pages where they tell you how to report fraud attempts.

If you ever get an email claiming to be from one of the types of companies I mentioned above and want to see from where the email originated, do an IP trace. There are two websites I use for this:

  • is a pretty good one and is very easy to use. In the email you receive, click on whatever link allows you to view the full headers. In Yahoo Mail, it is at the bottom of the message and says "Full Headers". Click that and the headers will appear at the top of the message. Look for the part that says "X-Originating-IP" and copy and paste that number into the site's search box. The search results will tell you in which country that IP address is registered, which is usually, though not always, where the message was sent from.
  • You can also try Geobytes, though I've had a few problems when I compared results I got from it with what I received at IP-address and they didn't match. With Geobytes, you copy and paste the complete headers into the search box. I used this one exclusively before I discovered the other one, and that's when I noticed the discrepancy. It doesn't happen all the time, but it happened often enough that I made the switch.
  • Bear in mind that some scammers send email through a proxy or a compromised machine, which makes an IP trace much less reliable.
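The tracing steps above, and the Polish IP mentioned earlier, rest on reading the right header. Two things are worth separating before pasting anything into a lookup site: the address your own mail server actually saw connecting to it (recorded in the topmost Received header, which is the one header your provider wrote) and the addresses further down, including X-Originating-IP, which arrived inside the message and are only as honest as the sender's provider or the sender. The following added example, not code from the original post, does that separation. The headers it parses are constructed for the demo using documentation addresses, not the real phish's headers.

```javascript
// Added example (not from the post): separate what our server saw from what
// the sender's side claims, given raw e-mail headers.
// SAMPLE_HEADERS is constructed for the demo with RFC 5737 documentation
// addresses (203.0.113.x, 198.51.100.x); it is not the real phish.
const SAMPLE_HEADERS = `Received: from mta1.example-webmail.net (mta1.example-webmail.net [203.0.113.7])
        by mx.recipient.example (Postfix) with ESMTP id ABC123
        for <victim@recipient.example>; Sat, 14 May 2011 09:12:01 -0700 (PDT)
Received: from [192.168.1.23] (unknown [198.51.100.42])
        by mta1.example-webmail.net with SMTP; Sat, 14 May 2011 16:11:55 +0000
X-Originating-IP: [198.51.100.42]
From: "PayPal" <service@paypal.com>
To: undisclosed-recipients:;
Subject: PayPal Account Review Department`;

const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;

// RFC 5322 headers may be folded across lines; a continuation line begins with
// whitespace. Re-join them, then split each header into name and value.
function parseHeaders(raw) {
  const lines = [];
  for (const line of raw.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && lines.length) lines[lines.length - 1] += ' ' + line.trim();
    else if (line.includes(':')) lines.push(line);
  }
  return lines.map(l => {
    const i = l.indexOf(':');
    return { name: l.slice(0, i).trim().toLowerCase(), value: l.slice(i + 1).trim() };
  });
}

// RFC 1918, loopback and link-local addresses describe the sender's LAN, not
// the internet path; webmail often records one in the innermost Received line.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function traceOrigin(raw) {
  const headers = parseHeaders(raw);
  // Each relay prepends its own Received header, so index 0 was written by the
  // recipient's server and is the only hop it can vouch for. Everything below
  // it came in as part of the message and could have been written by the sender.
  const hops = headers
    .filter(h => h.name === 'received')
    .map((h, i) => ({
      index: i,
      vouchedForByRecipient: i === 0,
      publicIPs: (h.value.match(IPV4) || []).filter(ip => !isPrivateIPv4(ip)),
    }));
  const lastHop = hops[hops.length - 1];
  const xo = headers.find(h => h.name === 'x-originating-ip');
  return {
    hops,
    // The machine that connected to our server: verified by us.
    handoffIP: hops.length ? (hops[0].publicIPs[0] || null) : null,
    // The innermost Received line: what the sender's provider logged, or what
    // the sender typed if the header was forged.
    claimedOriginIP: lastHop ? (lastHop.publicIPs[0] || null) : null,
    // Added by some webmail services (Yahoo among them at the time); only as
    // trustworthy as that provider, and absent on mail sent any other way.
    xOriginatingIP: xo ? (xo.value.match(IPV4) || [null])[0] : null,
  };
}

console.log(traceOrigin(SAMPLE_HEADERS));
```

Geolocate handoffIP and claimedOriginIP separately. When the hand-off is a webmail or hosting provider, the country of the claimed origin is whatever that provider logged for the sender's connection, and the proxy caveat above applies to it; when the two disagree with each other, the verified one is the hand-off.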

Duane Browning
