I got one of these PayPal phishing emails myself this morning. It was a very well made email, sent to an address of my partner company in the Netherlands, Doede.net. In the email I was told I had to re-enter the details of my PayPal account to keep my unlimited verified status, which I could do by updating my details online.
Here is the entire email text (screenshot):
Site behind the email
The link leads to a site faking PayPal and asking for a password. After entering these details, you are asked to enter all your personal details as well.
Here is the curl output, using Google Chrome as the user agent:
curl -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" http://paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cvdf.alejadur.cl/wp-account.php

<META http-equiv="refresh" content="1;URL=http://paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cv27b7fr.trisupport.cl/pay/pay/reboot.php">
<html dir="rtl">
<head>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<base href="http://aol.com">
</head>
</body>
That page has a meta refresh (the META tag at the top of the output), which leads to a URL with the same faked PayPal hostname, now under the domain trisupport.cl. A whois for that domain runs into an error:
whois -h geektools.com trisupport.cl

GeekTools Whois Proxy v5.0.5 Ready.
Checking access for 188.8.131.52... ok.
Checking server [nic.cl]
The GeekTools Whois Proxy has encountered an error:
Unable to connect to the specified registry nic.cl.
Please try your query again later.
The same goes for alejadur.cl. When I curled that domain I did get data, and I found out it was a WordPress website. The file wp-account.php, which redirects to trisupport.cl, must be on that site.
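The redirect chain and lookalike hostname described above, as an added example that is not part of the original post: a small Python triage script that follows meta-refresh hops (which curl -L does not follow) and flags hostnames that carry paypal.com as leading labels while the registered domain is something else. The sample pages are constructed from the curl output rather than fetched live, and the domain-splitting rule is an assumed heuristic, not a public-suffix-list lookup.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages (dict lookups, not live fetches), modelled on the curl output above.
HOP1 = ("http://paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch."
        "5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cvdf.alejadur.cl/wp-account.php")
HOP2 = ("http://paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch."
        "5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cv27b7fr.trisupport.cl/pay/pay/reboot.php")
PAGES = {
    HOP1: f'<META http-equiv="refresh" content="1;URL={HOP2}">\n<html dir="rtl"><head></head></body>',
    HOP2: '<html><body><form method="post">Email: <input name="login_email"></form></body></html>',
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*?content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)

def meta_refresh_target(html):
    """Return the URL a meta-refresh tag sends the browser to, or None if there is none."""
    m = META_REFRESH.search(html)
    return m.group(1) if m else None

def walk_meta_refresh(start_url, fetch, max_hops=5):
    """Follow meta-refresh hops (curl -L does not); stop at a dead end, a loop or max_hops."""
    chain = [start_url]
    while len(chain) <= max_hops:
        nxt = meta_refresh_target(fetch(chain[-1]))
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain

def registered_domain(hostname):
    """Rough registrable-domain guess (assumed heuristic, not a public-suffix lookup)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "net", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])  # two-level suffix such as co.uk
    return ".".join(labels[-2:])

def brand_spoof(url, brands=("paypal.com",)):
    """Flag a host that carries a brand's domain as a label sequence but is registered elsewhere."""
    host = urlparse(url).hostname or ""
    actual = registered_domain(host)
    for brand in brands:
        if f".{brand}." in f".{host}." and actual != brand:
            return {"host": host, "looks_like": brand, "actually": actual}
    return None

if __name__ == "__main__":
    print([(h, brand_spoof(h)) for h in walk_meta_refresh(HOP1, lambda u: PAGES.get(u, ""))])
```

Against real pages, replace the dict lookup with a fetch that uses a fixed user agent and no credentials, as the curl command above does.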
Google research on the site
Google is your friend, and after a brief search I found more details. Trisupport.cl, the Chilean site on which the fake PayPal page resides, seems to have been hacked at the beginning of this year. I am not sure whether the hackers added this phishing page as well. We have already reported the phishing to PayPal, and PayPal has replied:
Thanks for forwarding that suspicious-looking email. You’re right – it
was a phishing attempt, and we’re working on stopping the fraud. By
reporting the problem, you’ve made a difference!
Identity thieves try to trick you into revealing your password or other
personal information through phishing emails and fake websites. To learn
more about online safety, click “Security Center” on any PayPal webpage.
Every email counts. When you forward suspicious-looking emails to
firstname.lastname@example.org, you help keep yourself and others safe from identity
Your account security is very important to us, so we appreciate your
The site is also listed on PhishTank, a community site that tracks reported phishing URLs. PhishTank did get whois data for the phishing site:
Network 184.108.40.206/16 (AS32613 iWeb Technologies Inc.)

Whois trisupport.cl:
ACE: trisupport.cl (RFC-3490, RFC-3491, RFC-3492)
CRISTIAN ALONSO SMITH SANDOVAL
Contacto Administrativo (Administrative Contact):
Nombre : CRISTIAN ALONSO SMITH SANDOVAL
Organizacion: Particular
Contacto Tecnico (Technical Contact):
Nombre : CRISTIAN ALONSO SMITH SANDOVAL
Organizacion: Particular
Servidores de nombre (Domain servers):
ns1.tuhostingdns.com (220.127.116.11)
ns2.tuhostingdns.com (18.104.22.168)
Altima modificacion al formulario (Database last updated on): 06 de diciembre de 2011 (18:19:13 GMT)
Mas informacion (More information): http://www.nic.cl/cgi-bin/dom-CL?q=trisupport
Este mensajes esta impreso en ISO-8859-1 (This message is printed in ISO-8859-1)
Hackers try to break into websites on a daily basis, not only to add spam but also to use your site as a phishing website. That is why it is important to always keep your website updated and use the best server security possible. Never reply to emails like these, and if you did and realized it afterwards, report it as soon as possible and change your password immediately.