First Paypal Spoof Ever

Today, my very first PayPal spoof/phishing mail arrived. So finally, my e-mail address has been recorded in your average cyberpunk database. Note, that the (Dutch) grammar and spelling in the e-mail is appalling. Just what you expect from a default translation program like Google Translate or Babelfish.

Below is the entire e-mail (incl. headers), where I removed the my legitimate mail address.

Return-Path: <www@silverfishlongboarding.com>
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43])
     by sloti13d1p3 (Cyrus git2.5.0+0-git-fastmail-6319) with LMTPA;
     Sat, 20 Nov 2010 09:55:17 -0500
X-Sieve: CMU Sieve 2.4
X-Spam-score: 2.8
X-Spam-hits: BAYES_05 -0.5, HTML_MESSAGE 0.001, HTML_TAG_BALANCE_BODY 1.157,
  MIME_HTML_ONLY 0.723, RCVD_IN_BRBL_LASTEXT 1.449, SPF_HELO_PASS -0.001,
  SPF_PASS -0.001, T_RP_MATCHES_RCVD -0.01, BAYES_USED global,
  SA_VERSION 3.3.1
X-Spam-source: IP='216.105.40.40', Host='www.silverfishlongboarding.com', Country='US',
  FromHeader='n', MailFrom='com'
X-Spam-charsets:
X-Resolved-to: *****@**********.com
X-Delivered-to: *****@**********.com
X-Mail-from: www@silverfishlongboarding.com
Received: from mx1.messagingengine.com ([10.202.2.200])
  by compute3.internal (LMTPProxy); Sat, 20 Nov 2010 09:55:17 -0500
Received: from silverfishlongboarding.com (www.silverfishlongboarding.com [216.105.40.40])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mx1.messagingengine.com (Postfix) with ESMTPS id 62FDA9600DD
    for <*****@**********.com>; Sat, 20 Nov 2010 09:55:16 -0500 (EST)
Received: from silverfishlongboarding.com (localhost.silverfishlongboarding.com [127.0.0.1])
    by silverfishlongboarding.com (8.14.3/8.14.2) with ESMTP id oAKEtED3010323
    for <*****@**********.com>; Sat, 20 Nov 2010 06:55:14 -0800 (PST)
    (envelope-from www@silverfishlongboarding.com)
Received: (from www@localhost)
    by silverfishlongboarding.com (8.14.3/8.14.2/Submit) id oAKEtEPh010322;
    Sat, 20 Nov 2010 06:55:14 -0800 (PST)
    (envelope-from www)
Date: Sat, 20 Nov 2010 06:55:14 -0800 (PST)
Message-Id: <201011201455.oAKEtEPh010322@silverfishlongboarding.com>
To: *****@**********.com
Subject: Aanmelding ID: 902312
From: "account opgeschort." <dienstverlening@account.n>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Truedomain-Domain: account.n
X-Truedomain-SPF: Pass
X-Truedomain-DKIM: No Signature
X-Truedomain: Neutral

<html>
<body>
<P>Geachte PayPal-lid,</P>
Het spijt ons u te informeren dat de toegang tot uw account is tijdelijk
beperkt.<BR><BR>Dit is gedaan door een aantal mislukte
inlogpogingen.<BR><BR>Zaak ID: AX-309-05-66<BR><BR>Om te herstellen van uw
account <A href="http://olanci.ic.cz/" rel=nofollow target=_blank><SPAN
id=lw_1288707703_2 class="yshortcuts">kunt u hier
klikken.</SPAN></A>.<BR><BR>Als u niet om in te loggen correct uw account
wordt geschorst voor de preventie van fraude.<BR><BR>U staat zullen zijn
om opnieuw te registreren bij PayPal alleen nadat u uw profiel
authenticeren.<BR><BR>Onze excuses voor het ongemak, werd deze maatregel
genomen voor uw bescherming.<BR><BR><p>PayPal veiligheid Team.<p>
<body>
<html>

 Curious as I am, I followed the supplied link, and accessed the so-called paypal website (so don't try this at home). The funny thing that they accept non-email addresses as a login. As far as I know, the default login is your registered email address.... Anyway, the page itself looks oke. Only the URL is a dead givaway that you're not where you're supposed to be (olani.ic.cz instead of a legit PayPal URL).

Fake PayPal login screenAfter login in with a complete bogus username and password I arrived on a page where the real phishing is done. Here they 'require' you to enter credit card details and your social security details. Again, I entered bogus data. Just to see what happens next.

More details to provide to these cybercriminals.You don't wnat to know what will happen to you when you enter your real details. Somebody can relatively easy pretend to be you (on the other side of the world), and all you will have is an empty bank account (if you're lucky), or a criminal reputation.

So, never enter these credentials on a website without making sure that you're on the correct website.

Posted on November 20, 2010 and filed under Annoying, Personal, Security.