Our Friday Phish: Unauthorized PayPal Logon Attempts

The holiday shopping and shipping season is upon us. We’re seeing more phish tailored not to your UD email account, but to the likelihood that you’re shopping online this year. We’ve talked about package scams before. Here’s another holiday classic: your account at our company has been hacked, and, therefore, your PayPal account may have been hijacked!

If you see a message like the one below, delete it. Commentary follows.

Subject:	Security notification regarding your Online Access!
Date:	Fri, 18 Nov 2011 02:43:22 -0500
From:	Customers Service <Veryfiacc2011@account.com>
Reply-To:	Veryfiacc@pay.com
To:	__________@UDel.Edu

Identifying Unauthorized Logon Attempts on 18/11/2011: (Error Message No.
FE0LAPWMLWWQ9) Your account access has been limited for the following reason(s):
1. We would like to ensure that your account was not accessed by an unauthorized
third party. Because protecting the security of your account is our primary concern, 
we have limited access to sensitive Pay`Pal account features.
2. Unusual account activity has made it necessary to limit account access until
additional verification information can be collected.
3. If your account was hijacked, the PayPal account attached is vulnerable too. 
Please respond as soon as possible!

Pay`Pal Confirmation link: http://www.rpaonline.com/catalog/images/admin/index.php

Once you complete all of the checklist items, your case will be reviewed by one of 
our Account Specialists. We will send you an email with the outcome of the review.
If, after reviewing your Pay`Pa| account information, you seek further clarification
regarding your account access, please contact Pay`Pal Online Banking by visiting
the Help Center and clicking "ContactUs".

Thank you.
Pay`Pal Team.

Copyright 1999-2011 Pay`Pal. All rights reserved
Copyright Sandstone Technology Pty Ltd [ 2.0.63 7CFD 2144 FBEE ]
This email has been scanned by the MessageLabs Email Security System.

The scammer’s feigned concern for your security, the copyright notice, and the fake “must be important” codes (an error message number and some alleged code at the end) make the message seem credible at first glance.

But can you spot the phishy signs?

  • Who is this from? What catalog company? PayPal itself? Ha.
  • Nice spelling: PayPal, Pay`Pal, and Pay`Pa| (with a vertical line instead of an “L”) — uh, huh, right.
  • What the heck are the sender’s alleged address and alleged reply-to address? account.com and pay.com?
  • That link in the middle: PayPal or the unnamed catalog company will probably not include a link for you to click to verify your information. Besides, look where this one goes. That’s not a PayPal site! And it’s not a catalog any of us have ever ordered from!
  • A little bit of badly-translated English has crept in: “Customers [sic] Service”; “sensitive” account features; European date format at the beginning.
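
Several of the signs above can be checked mechanically. The following is an added example, not part of the original post: it parses a constructed excerpt of the message and reports the sender and reply-to domains, the odd brand spellings, and where the link really goes. Treating paypal.com as the legitimate domain, and all function names, are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND, BRAND_DOMAIN = "paypal", "paypal.com"  # assumption: the brand's real domain

# Constructed sample: headers and a few body lines copied from the message above.
SAMPLE = """\
Subject: Security notification regarding your Online Access!
From: Customers Service <Veryfiacc2011@account.com>
Reply-To: Veryfiacc@pay.com

we have limited access to sensitive Pay`Pal account features.
3. If your account was hijacked, the PayPal account attached is vulnerable too.
Pay`Pal Confirmation link: http://www.rpaonline.com/catalog/images/admin/index.php
If, after reviewing your Pay`Pa| account information, you seek further clarification
"""

def addr_domain(header_value):
    """Domain part of the address in a From or Reply-To header ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def in_domain(host, base):
    """True for the base domain itself or a subdomain of it, not a look-alike."""
    return host == base or host.endswith("." + base)

def fold(word):
    """Map look-alike characters to letters and drop everything else."""
    return re.sub(r"[^a-z]", "", word.lower().translate(str.maketrans("|10", "llo")))

def phish_signs(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    from_dom = addr_domain(msg.get("From", ""))
    reply_dom = addr_domain(msg.get("Reply-To", ""))
    words = {w.strip(".,:;!?()\"'") for w in body.split()}
    hosts = [urlparse(u).hostname or "" for u in re.findall(r"https?://\S+", body)]
    return {
        "from_domain": from_dom,
        "sender_off_brand": not in_domain(from_dom, BRAND_DOMAIN),
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        # Tokens that read as the brand only after folding, e.g. Pay`Pa|
        "odd_spellings": sorted(w for w in words if fold(w) == BRAND and w.lower() != BRAND),
        "off_brand_links": [h for h in hosts if not in_domain(h, BRAND_DOMAIN)],
    }

if __name__ == "__main__":
    for name, value in phish_signs(SAMPLE).items():
        print(f"{name}: {value}")
```

The suffix check in `in_domain` is deliberate: a plain substring match on "paypal" would accept a host such as paypal.com.example.net.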

We’re thrilled that so many of you are starting to send us phish like this one. Keep up your vigilance.

Richard Gordon