The other day, a PayPal phish made it into the inbox of my personal email. It is not normal for phishing emails to make their way past my cloud email provider’s spam filter, so I decided to spin up a sandbox just in case any malware was involved and dive in.
The phishing hook in the message body wasn’t anything special. The phish masqueraded as an email from PayPal notifying me that my account access has been limited for suspicious activity. A few things about the wording of this message were obvious giveaways that the source of this message was not legitimate. First, PayPal has always included my full name in their messages sent to me. The generic “Dear client” was a change from the norm and signaled a red flag. Next up, the first sentence flat out didn’t make sense. “Our technical support and customer department has recently suspected activities in your account.” A more accurate opening line might be “…has recently identified suspicious activity on your account” or something along those lines.
Beyond the message body, there were some overt red flags in the message headers. For example, the “From” header was spoofed to appear to come from a PayPal email domain, though the actual sender address was at phonedisney[.]com, a domain name registered just days before the email was sent.
Even more interesting, the message was blasted out to 180 different email addresses in the “To” header all alphabetically close to my own email address. How the attacker hasn’t discovered the use of BCC is beyond me.
The link within the email used a URL shortening service hosted on the domain meansfat[.]com. The site itself appears to be built on cPanel and using a URL shortener plugin or service that I’m not familiar with. Visiting a few modified versions of the original link path brings up an error indicating the shortener is communicating with an API of some sort. Searching a few of these strings on Google shows several other sites apparently using the same service.
The original link from the phish redirects to service-account[.]genuinelysmash[.]com with the URL path containing a randomly-generated and apparently unique key tied to the visitor and saved in a session cookie. The web server hosting the phish checks to see if the user tied to that key has already gone through every form in the phish and if they have, redirects them to the actual paypal.com website. This functionality can prevent a suspicious victim (or an analyst) from going back through the input forms a second time without clearing local session storage.
The first page for the phish is simple, designed to look like a PayPal login form. Both the “having trouble logging in” and “sign up” links go directly to legitimate PayPal addresses while the “login” link submits the entered credentials to the attacker-controlled server.
After submitting credentials, whether valid or invalid, the next page displays a notice that the victim’s account has been limited and provides a link to “Secure My Account.”
The next page requests information you might expect to be asked for to unlock a PayPal account, or more accurately to take over someone’s identity, including name, address, phone number, social security number, and mother’s maiden name.
The next page asks for credit card information. Interestingly, the page actually validates the credit card number using the Luhn algorithm and prevents entering obviously fake numbers.
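For readers unfamiliar with the check the phishing page performs, here is the Luhn (mod 10) algorithm in Python as an added example, not code recovered from the phishing kit. It also shows what the check does not prove: a Luhn pass only catches typos and random digits, so widely published test numbers pass it just as a real card would.

```python
def luhn_valid(number: str) -> bool:
    """Return True if the card number passes the Luhn (mod 10) check.

    Spaces and dashes, as typed into a card form, are ignored; any other
    non-digit character, or fewer than two digits, makes the input invalid.
    """
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit.  Every second digit (starting with the
    # one left of the check digit) is doubled; if doubling gives two digits,
    # their sum is used, which equals subtracting 9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(number: str) -> str:
    """Describe how the phish's form would treat a typed number."""
    if luhn_valid(number):
        return "accepted by Luhn check (proves structure only, not a real card)"
    return "rejected as obviously fake"


if __name__ == "__main__":
    # "4111 1111 1111 1111" is a well-known published test number: it
    # passes Luhn even though it is not anyone's card.
    for candidate in ("4111 1111 1111 1111", "1234 5678 1234 5678"):
        print(candidate, "->", classify(candidate))
```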
After entering a “valid” credit card number (that is, one that passes the validity check), the page finally redirects the user to paypal.com/signin. Because of the cookies and session data, the victim cannot go back through the form without resetting their stored data for the site.
Overall, the phish used convincing-looking assets to mimic a legitimate PayPal form. If the victim failed to notice the URL or any of the red flags in the email message itself, they could have fallen for this attack. Hopefully this shows the importance of treating every unsolicited email with suspicion. If you receive a call-to-action email from a sensitive service like PayPal, it’s always worth the extra effort to manually browse to the site itself instead of clicking on email links and, if in doubt, simply pick up the phone and call them.
The good news is, if you’re a WatchGuard customer, the DNSWatch service blocks all of the domains associated with this phish. With DNSWatch enabled, would-be victims of this phish are instead redirected to a short phishing-awareness training video or game to teach them how to spot the red flags.
Proving once again that the intricacies of English grammar are Phishing’s Achilles heel.
Derek, right you are!
Hi! I just fell victim to the scam… unfortunately. I did click on the initial link in the email and I did give them the login info (I did change my username and password immediately after). However, after filling out the initial info page, I realized it was a phishing scam and closed the page without clearing the fields. Could they have stored my personal information even though I never clicked the continue button to the credit card page?
Thank you in advance!
Marc Laliberte says
Good job catching it before you got too far in the process! PayPal scams are pretty common and differ slightly from instance to instance, so without investigating the specific site you went to, it’s hard to tell for certain. I will say, in every instance I’ve investigated, the data you enter into the forms is only sent after you hit ‘continue’ on to the next section. Your data most likely didn’t make it to the attacker, but if you entered anything like a username or password, it’s probably best if you reset your password.
Thank you for responding, Marc! This puts my mind at rest!
Joan C Banda says
I got one of these. I contacted spoofpaypal.com and they opened an investigation.
I too fell for this scam. I entered username & password AND even continued through the personal information section (ugh). When I got to the credit card section, the website did not allow me to continue, for it was not a credit card but a debit card (I don’t own a credit card). I closed the website and browser and just thought I’ll get back to it later. I then started putting 2 and 2 together and realized it was a scam. So, I’m only majorly panicking right now. From what I understand, the attackers probably have all my information to commit identity theft. Please reassure me!
Marc Laliberte says
You should assume anything you entered into the form is now in the hands of a cybercriminal. The “good news” is, as long as you didn’t enter any really critical information like a social security number, you’re likely fine. Names, addresses and phone numbers are already freely available on the internet and underground forums so they’re of little value to attackers.