Phishing Example – Paypal

Hello all,

Be very careful as this email found its way through our HVCC spam filter.  If you want to have a fun learning experience paste the following link into both Internet Explorer and Mozilla Firefox as you will have an eye opening security learning experience. *At this point in time Firefox would tell you it was a fraudulent Web site whereas IE would let you proceed to get harmed.*

___________________________________________

From: Paypal Security Departament [mailto:dpt@ppl.srv.com]
Sent: Monday, September 24, 2007 6:07 PM
To: sarubjos@hvcc.edu
Subject: Confirms that you have paid for this product

We recorded a payment request from “Internet Safe-Shopping -ebay.com-” to enable the charge of $ 93.12 on your account.

Because the order was made from an european internet address, we put an Exception Payment on transaction id #PayPal-P2415 motivated by our Geographical Tracking System.

THE PAYMENT IS PENDING FOR THE MOMENT.

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as “Internet Safe-Shopping -ebay.com-“.

If you didn’t make this payment and would like to decline the $ 93.12 billing to your card, please follow the link below to cancel the payment:

Email Hyperlink: Cancel this payment (transaction id #PayPal-P2415)

Real Source Hyperlink in source but see below: “http://www.stadtserver.de/cms/hp/id/127/content/index.html” 

NOTE: Because email is not a secure form of communication, please do not reply to this email.

© Copyright 1995-2007 PayPal Inc. All Rights Reserved.

____________________________________________

Analysis:

HYPERLINK “http://www.stadtserver.de/cms/hp/id/127/content/index.html” http://www.stadtserver.de/cms/hp/id/127/content/index.html  thus its somewhere in Denmark but you immediately get redirected to

HYPERLINK “http://mkhair.hostmarx.com/uploads/-/PayPal/updates/us/webscr.php?cmd=_login-run” http://mkhair.hostmarx.com/uploads/-/PayPal/updates/us/webscr.php?cmd=_login-run

You can view an email link’s properties by right clicking on the link and select Edit Link –  HYPERLINK “http://www.stadtserver.de/cms/hp/id/127/content/index.html” Cancel this payment (transaction id #PayPal-P2415)

 

 

Leave a Reply