Several days ago, I got an email from PayPal Support with the title: “We noticed unusual activity on your account”. The body of the email contained details of a suspicious transaction that allegedly occurred in my account and it invited me to click on the hyperlink “I Didn’t Authorize This Purchase” to dispute the transaction. At first blush, the email seemed well formatted and looked possibly legit.
I took a closer look at the embedded URL and noticed that it had the following shortened alias: http://bit.ly/1ml6nhf which resolved to: http://account-service-costumer.com/us/webapps/mpp/home. Taken together with the obvious Chinglish in the body of the email, it became apparent that this was not an actual PayPal address but rather a phishing site.
I must say, I was taken back by the quality of the site. Whoever was responsible for setting it up invested a lot of time and effort into it. In a departure from typical phishing site design where most of the links either don’t work or are eliminated, this one had multiple layers of linkage designed to make the site appear real. For example, when I clicked on the “Send Money” link, I was prompted to enter a transfer amount and my recipient’s e-mail address. Impressive functionality.
Structure and Functionality
In terms of navigational structure and content, the phishing site was almost an identical copy of the actual PayPal website. It had identical layout, images, and link names. It even had all of the streaming media. One note of interest is that even though the link names were verbatim, most of them just reloaded the phishing site landing page with the exception of “Investor Relations” and “Feedback Links” at the bottom which loaded external pages. This is a departure from the previous phishing practice of simply eliminating such links from the site altogether.
As far as the actual phishing exploit is concerned, the “Login” and “Sign Up” links are the core components. If you click on them they redirect to a fake PayPal login page where you are prompted to enter your user ID and password after which you land on a form intended to verify your identify which collects all of your personal information including DOB, SS number, phone number, and address. Double whammy!
Site Hosting and Publication
The site was registered in the US just two weeks ago via the Name.com web register and its IP is hosted on a dedicated server in the New Jersey/New York area.
This is somewhat unusual because most of the phishers tend to host abroad on repurposed or hacked servers that also contain other legitimate content.
This was probably done in an effort to survive a cursory URL Whois check that would confirm that the hosting is in the US (which would be the case for the real PayPal servers).
Heads up! It appears that we are witnessing a revolution in phishing affairs through the escalation in quality and detail of these sites. Considering this, it may behoove payment industry providers such as PayPal to utilize image match search capability to detect and block the appearance of such sites in near real-time instead of passively waiting to receive fraud alert messages from their customers weeks after the phishing campaign has wrought its havoc.
© Copyright 2016 Yaacov Apelbaum, All Rights Reserved.