Clever phish

Today I got an email from account@paypal.com that says:

PayPal is constantly working to ensure security by regularly screening the accounts in our system.
We recently reviewed your account, and we need more information about your business to allow us to provide uninterrupted service.

It goes on to tell me that I need to verify a few details on their website before they will reinstate the account, and gives me a web link to http://paypal.com-wsr.info/webscr?cmd=_login-sub=me@domain.com

Of course the email is in the correct paypal colours and style. It is also clever because it instantly got me indignant: I recently bought a second-hand Powerbook on ebay, and suspending my account due to a change in ‘usage profiling’ is just the sort of thing I would expect. So, in a rush of annoyance at having my account suspended, I very nearly put in my details.

The URL is convincing at first glance. But take a close look at it and we see that the actual domain is com-wsr.info, and paypal is just a subdomain of it. A hostname is read from the right: the registrable domain is the last two labels, com-wsr.info, and everything to the left of that is under the control of whoever owns that domain (anyone can add any subdomain they want to their own domain, so I can easily create a URL like paypal.thesheep.co.uk for this site). The hyphen makes "com-wsr" a single label, so at a glance the host reads as paypal.com followed by something harmless. The subdomain creates the illusion of the proper paypal.com domain.
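The check above can be done mechanically: parse the link, take the hostname the browser will actually connect to, and compare it against the domain you expect. The following is an added example (not code from the original post); the first sample URL is the one quoted above, the remaining URLs and the attacker.example name are constructed variants of the same trick, and the two-label "registrable domain" helper is a deliberate simplification that a real implementation should replace with a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed sample inputs for this example. The first is the link from the
# phishing email; the rest are hypothetical variants of the same idea.
SAMPLE_URLS = [
    "http://paypal.com-wsr.info/webscr?cmd=_login-sub=me@domain.com",
    "https://www.paypal.com/webscr?cmd=_login-run",
    "https://paypal.com.attacker.example/login",        # brand as a subdomain
    "https://www.paypal.com@attacker.example/login",    # brand in the userinfo part
    "https://paypal.com:443/",                          # legitimate, with a port
]


def registrable_part(host: str) -> str:
    """Assumption for this example: the registrable domain is the last two labels.
    This is wrong for suffixes like co.uk; real code should use the Public
    Suffix List (e.g. the tldextract package) instead of this shortcut."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_host_of(url: str, expected_domain: str) -> bool:
    """True only if the URL's real hostname is expected_domain or a subdomain of it.

    urlsplit(...).hostname is what the browser connects to: it drops any
    user@ prefix and any :port suffix and lowercases the result, so the
    '@' and ':' tricks cannot fool this comparison."""
    host = urlsplit(url).hostname or ""
    return host == expected_domain or host.endswith("." + expected_domain)


def classify(url: str, expected_domain: str = "paypal.com") -> dict:
    """Return the parts a reader should look at when judging a link."""
    host = urlsplit(url).hostname or ""
    return {
        "url": url,
        "host": host,
        "registrable": registrable_part(host),
        "legit": is_host_of(url, expected_domain),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify(u)
        verdict = "OK " if r["legit"] else "BAD"
        print(f"{verdict} host={r['host']!r} registrable={r['registrable']!r}  {u}")
```

Running it shows that the email's link resolves to host paypal.com-wsr.info with registrable domain com-wsr.info, while only the two genuine paypal.com hosts pass. Note that the query string of the phishing URL contains an '@'; the parser correctly ignores it because it comes after the path, which is exactly the kind of detail a human skimming the link does not stop to work out.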

Finally, they have done an exceptionally good job of replicating the real paypal site. The linked site is so complete that you can even go through the entire registration process and register a new account. I did this, putting in fictitious details and a hotmail email address. Then I went to the real paypal site and tried to log in, and it let me! Presumably the fake site acts as a proxy, relaying every HTTP request straight to the real site and hijacking the password details along the way; that would explain why an account created through the fake site exists on the real one. Pretty sophisticated.

2 Comments

  1. Wow. You really do need to be on your toes, don’t you.

    I have a blanket policy not to respond to any of these types of mail until such time as an account becomes unusable.

    I had a whole load of mail come through from ebay threatening to cancel my account if I did not update my details after a credit card passed its expiry. They didn’t cancel my account and I will update it when I am ready.

    I look forward to hearing what PayPal have to say.

    Speak to you soon,

    Steve

  2. Paypal have said it was a phishing attack. I think it’s pretty worrying that someone can build a site this sophisticated that actually lets you interact with the database behind the real paypal site. I would have thought it was possible to use those ‘human-check’ images (those images with numbers and letters that machines can’t read) to stop this happening. There was one of these presented to me during the registration process. But perhaps they just forwarded the image on from the real Paypal site, cleverly getting the unsuspecting registrant to pass the human test for them.
