OT: Beware of new PayPal phish's

#1 | Ill (Thread Starter) | Jun 22, 2005 | 11:34 AM

Just got a very authentic looking phish claiming to be from PayPal. Maybe it is, but the content is suspicious, and it was not addressed to a specific e-mail address.

Just a reminder - Users beware - Don't respond to these! Change your passwords often.

#2 | Chris N | Jun 22, 2005 | 11:48 AM | Re: OT: Beware of new PayPal phish's (Ill)

I've got a few of these over the past few weeks also.

#3 | Jon D | Jun 22, 2005 | 11:52 AM | Re: OT: Beware of new PayPal phish's (Ill)

If any email is asking you to update an account, username or password....BEWARE! They are all cons trying to gather your user information...never ever ever will ebay or paypal ask for your password or personal information!

#4 | Spids5 | Jun 22, 2005 | 11:53 AM

I've been getting these every couple of months for the past two years. If you actually read the whole email you will find a ton of spelling and grammer errors.

#5 | chad | Jun 22, 2005 | 11:53 AM | Re: OT: Beware of new PayPal phish's (Chris N)

Quote, originally posted by Chris N:
> I've got a few of these over the past few weeks also.

as i have also...

#6 | Jon D | Jun 22, 2005 | 11:56 AM | Re: (spids5)

Quote, originally posted by spids5:
> grammer errors.

how ironic

#7 | Ill (Thread Starter) | Jun 22, 2005 | 12:06 PM | Re: (spids5)

This was a new one, without the usual giveaways. Paypal logo, links to the paypal TOS, etc, and even came from the paypal domain. Just not addressed to a specific e-mail address (and contained another suspicious item).

If one were not cynical and web/business savvy, it would be very easy to be fooled. Furthermore, it appears you could get hit with spyware (e.g. keystroke logger) prior, and then just logging into paypal would doom you.

I also visited http://www.paypalsucks.com. What an eye opener! Once my current deal is done, my paypal account will be permanently closed. This will be discussed in another thread.

#8 | nsxtasy | Jun 22, 2005 | 12:11 PM | Re: (Jon D)

I've been getting a ton of these lately - for my Paypal account, my eBay account, my ISP account, and for accounts at lots of financial institutions, most of which I don't have accounts with.

Most big internet companies have e-mail addresses to which you can forward the fraud e-mail (preferably with the header information), including:

Paypal: spoof@paypal.com
eBay: spoof@ebay.com

Most of these "phish" e-mails include a link that LOOKS LIKE it's from the company, but when you look closely, the domain it takes you to is not the one for the company. It's something phony like paypalaccount.com or ebayverify.com or something hokey like that.

If you EVER need to do anything with your account at any internet company, don't go to their website from a link in an e-mail. Type in their website address and go from there.

#9 | Jon D | Jun 22, 2005 | 12:20 PM | Re: (nsxtasy)

Quote, originally posted by nsxtasy:
> If you EVER need to do anything with your account at any internet company, don't go to their website from a link in an e-mail. Type in their website address and go from there.

Yes Yes Yes....glad you stated that

#10 | Spids5 | Jun 22, 2005 | 12:38 PM | Re: (Ill)

Quote, originally posted by Ill:
> This was a new one, without the usual giveaways. Paypal logo, links to the paypal TOS, etc, and even came from the paypal domain. Just not addressed to a specific e-mail address (and contained another suspicious item).
>
> If one were not cynical and web/business savvy, it would be very easy to be fooled. Furthermore, it appears you could get hit with spyware (e.g. keystroke logger) prior, and then just logging into paypal would doom you.
>
> I also visited http://www.paypalsucks.com. What an eye opener! Once my current deal is done, my paypal account will be permanently closed. This will be discussed in another thread.

Yep that's the same ones I've been getting for two years. They always ask for me to update my credit card information and have a direct link to the paypal login. If you click on it the address will even still say paypal in it. They do exactly what you said to get your credit card info. The first time I got it I clicked the link but didn't login because I figured it was a scam. It said I had to update my credit card info or they were going to cancel my account. After I deleted the email and ran spy doctor I logged in to my account and all my info was current. Ever since then I knew it was a scam.

#11 | KayOs | Jun 22, 2005 | 01:11 PM | Re: (Ill)

Quote, originally posted by Ill:
> I also visited http://www.paypalsucks.com. What an eye opener! Once my current deal is done, my paypal account will be permanently closed. This will be discussed in another thread.

That's what made me close my account...it's a non-safe way of doing business.

#12 | nsxtasy | Jun 22, 2005 | 01:50 PM | Re: (spids5)

Quote, originally posted by spids5:
> If you click on it the address will even still say paypal in it.

Not exactly. The address will say paypal in it somewhere, but if you look closely, it will not end in .paypal.com which is your tip-off that you're not looking at Paypal's website.

Paypal has two helpful websites regarding fraudulent e-mails:

Protect Yourself from Fraudulent Emails

and

10 ways to recognize fake (spoof) emails

#13 | George Knighton | Jun 22, 2005 | 02:55 PM | Re: OT: Beware of new PayPal phish's (Ill)

Quote, originally posted by Ill:
> Just got a very authentic looking phish claiming to be from PayPal. Maybe it is, but the content is suspicious, and it was not addressed to a specific e-mail address.
>
> Just a reminder - Users beware - Don't respond to these! Change your passwords often.

As per the agreement with AOL, Pay Pal emails will not contain any HTML code, they will be addressed to a single person, and REPLY will go to service@paypal.com.

Their header information will also always be transparent:

Quote:
> Return-Path: <service@paypal.com>
> Received: from rly-yb06.mx.SECURE.aol.com (rly-yb06.mail.aol.com [172.18.205.138]) by air-yb01.mail.aol.com (v106.2) with ESMTP id MAILINYB14-69642b9e61d6e; Wed, 22 Jun 2005 18:29:01 -0400
> Received: from smtp-outbound.nix.paypal.com (smtp-outbound.nix.paypal.com [64.4.240.67]) by rly-yb06.mx.aol.com (v106.2) with ESMTP id MAILRELAYINYB64-69642b9e61d6e; Wed, 22 Jun 2005 18:28:45 -0400
> Received: from dentmail1.den.paypal.com (dentmail1.den.paypal.com [10.191.28.242])
>     by smtp-outbound.nix.paypal.com (Postfix) with ESMTP id 34AA5820289
>     for <georgeknighton@aol.com>; Wed, 22 Jun 2005 15:28:45 -0700 (PDT)
> Received: from denbatch2.den.paypal.com (denbatch2.den.paypal.com [10.191.20.41])
>     by dentmail1.den.paypal.com (Postfix) with SMTP id 1C2F727C04B
>     for <georgeknighton@aol.com>; Wed, 22 Jun 2005 15:28:45 -0700 (PDT)
> Received: (qmail 6620 invoked by uid 999); 22 Jun 2005 22:28:45 -0000
> Date: Wed, 22 Jun 2005 15:28:45 -0700
> Message-Id: <1119479325.6620@paypal.com>
> Subject: Credit Card Expiration Approaching
> X-MaxCode-Template: email-cc-expire-warning
> To: George Knighton <georgeknighton@aol.com>
> From: "service@paypal.com" <service@paypal.com>
> X-Email-Type-Id: PP031
> X-XPT-XSL-Name: /en_US/account/creditcard/CreditCardExpireWarning.xsl
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/plain; charset=windows-1252
> MIME-Version: 1.0
> X-AOL-IP: 64.4.240.67
> X-AOL-SCOLL-SCORE: 0:2:448178221:11327976
> X-AOL-SCOLL-URL_COUNT: 0

#14 | nsxtasy | Jun 22, 2005 | 03:07 PM | Re: (nsxtasy)

Quote, originally posted by nsxtasy:
> Not exactly. The address will say paypal in it somewhere, but if you look closely, it will not end in .paypal.com which is your tip-off that you're not looking at Paypal's website.

For example, if you see a website address like this one (DON'T CLICK IT):

http://signin-paypal-secure.com/cgi/webscr.html?cmd=_login-run

that is NOT a Paypal website. That is a scammer website that wants to steal your money.

Quote, originally posted by George Knighton:
> As per the agreement with AOL, Pay Pal emails will not contain any HTML code, they will be addressed to a single person, and REPLY will go to service@paypal.com.
>
> Their header information will also always be transparent:

George,

In just the past few minutes, I received a phish scam e-mail with a link to the scam web address shown above. The headers actually show the e-mail address billing@paypal.com which is a Paypal address, and that is the only e-mail address in the header information. So the header information and reply address are not necessarily sufficient to conclude that the e-mail is legitimate.

#15 | Ill (Thread Starter) | Jun 22, 2005 | 03:15 PM | Re: OT: Beware of new PayPal phish's (George Knighton)

Quote, originally posted by George Knighton:
> As per the agreement with AOL, Pay Pal emails will not contain any HTML code, they will be addressed to a single person, and REPLY will go to service@paypal.com.
>
> Their header information will also always be transparent:

Those were the giveaways this time: Embedded HTML, non-transparent headers (even though the header said it came from billing@paypal.com), no specific send-to addy, plus grammatically/spelling correct, but it didn't 'read' the way I would expect it to coming from paypal.

I've seen lots of these, but this is the most 'sophisticated' yet. Embedded html appeared to ref the .paypal.com domain, and they were asking for me to add my debit card to fight purchase fraud via stolen credit cards.

Good info, users beware.

I'm fighting fraud by having a low-limit, separate credit card account that is only used for online. Plus a separate checking account for the same thing. Even if I get hacked or something, they won't get much, and checking will be cleaned out regularly so paypal fraud is harder for crooks.

Man, all this internet fraud sucks.

:edit: There is apparently an ongoing concerted attack by hackers against all kinds of businesses in Europe "at a level 'we' [European authorities] have never seen before". It has been going on for several months. It must be going on here too, we just have not heard of it yet. I imagine it's enemies of the West doing what they can to disrupt our lifestyle however they can.

#16 | Dr Pooface | Jun 22, 2005 | 03:16 PM | Re: (Jon D)

Quote, originally posted by Jon D:
> how ironic

ot, but that was not an example of irony.

#17 | nsxtasy | Jun 22, 2005 | 03:25 PM | Re: OT: Beware of new PayPal phish's (Ill)

Quote, originally posted by Ill:
> Those were the giveaways this time: Embedded HTML, non-transparent headers (even though the header said it came from billing@paypal.com), no specific send-to addy, plus grammatically/spelling correct, but it didn't 'read' the way I would expect it to coming from paypal.

Sounds like you received the same e-mail I just did.

Quote, originally posted by Ill:
> Embedded html appeared to ref the .paypal.com domain

I should have been more specific. Yes, the html made it LOOK LIKE you were going to the Paypal website (an address ending in .paypal.com) if you clicked the link. But when you actually click the link, it sends you to a website that does NOT end in .paypal.com

Quote, originally posted by Ill:
> I imagine it's enemies of the West doing what they can to disrupt our lifestyle however they can.

I think you're reading more into it than actually applies. I think it's simply crooks who are after your money. Just my O...

#18 | George Knighton | Jun 22, 2005 | 03:28 PM | Re: (nsxtasy)

Quote, originally posted by nsxtasy:
> George,
>
> In just the past few minutes, I received a phish scam e-mail with a link to the scam web address shown above. The headers actually show the e-mail address billing@paypal.com which is a Paypal address, and that is the only e-mail address in the header information. So the header information and reply address are not necessarily sufficient to conclude that the e-mail is legitimate.

If you can give us the header information from the email you're talking about, I'll show you what I mean by transparency.

If you look at the headers I gave, everything is logical and completely transparent. It goes straight from Pay Pal to my own email servers and everything is clear.

#19 | nsxtasy | Jun 22, 2005 | 03:30 PM | Re: (George Knighton)

Quote, originally posted by George Knighton:
> If you can give us the header information from the email you're talking about, I'll show you what I mean by transparency.

Sure:

Quote:
> Status: U
> Return-Path: <billing@paypal.com>
> Received: from 209.86.93.230 ([61.188.184.250])
>     by mx-pinchot.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1dLdLH1Yw3Nl34d0
>     Wed, 22 Jun 2005 18:32:15 -0400 (EDT)
> From: "PayPal" <billing@paypal.com>
> Reply-To: "PayPal" <billing@paypal.com>
> Subject: New Security Requirements
> Date: Wed, 22 Jun 2005 18:30:15 -0500
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary="--43237718463937162"
> Message-Id: <200506221832.1dLdLH1Yw3Nl34d0@mx-pinchot.atl.sa.earthlink.net>
> X-ELNK-AV: 0

Quote, originally posted by George Knighton:
> If you look at the headers I gave, everything is logical and completely transparent. It goes straight from Pay Pal to my own email servers and everything is clear.

To my un-technical eye, the description you write here would seem to apply to the header information on the phish e-mail I received.

#20 | Ill (Thread Starter) | Jun 22, 2005 | 03:37 PM | Re: OT: Beware of new PayPal phish's (nsxtasy)

Sorry, let me clarify: I meant the concerted attacks on businesses to steal electronic financial info 'on a scale never seen before', not the phish, as being possibly connected with our enemies. They are purported to be coming from Asia, but I think any info the new reports on this may be off so they don't tip their hand while investigating.

Yes, the phish is just crooks trying to steal money from unsophisticated or unaware users.

#21 | Ill (Thread Starter) | Jun 22, 2005 | 03:41 PM | Re: (nsxtasy)

The phish I received has exactly the same headers as nsxtasy posted.

#22 | George Knighton | Jun 22, 2005 | 03:43 PM | Re: (nsxtasy)

Quote, originally posted by nsxtasy:
> To my un-technical eye, the description you write here would seem to apply to the header information on the phish e-mail I received.

Ken, please, is that really all the header information you're given? It doesn't say from what server it comes, which for us over here at aol.com and knighton.com would be an instant giveaway if we got as far as looking at the headers.

EDIT: This is the kind of information I'm looking for. You'd want to know what server handed it to Earthlink. In my case, we find:

Quote:
> Received: from dentmail1.den.paypal.com (dentmail1.den.paypal.com [10.191.28.242])

#23 | nsxtasy | Jun 22, 2005 | 03:44 PM | Re: (George Knighton)

Quote, originally posted by George Knighton:
> is that really all the header information you're given?

Yes.

#24 | Ill (Thread Starter) | Jun 22, 2005 | 03:53 PM | Re: (George Knighton)

George, see above, I got the same phish with the same bogus headers.

nsxtasy, are you using earthlink as your ISP?

#25 | Chris F | Jun 22, 2005 | 03:57 PM | Re: (nsxtasy)

Quote, originally posted by nsxtasy:
> To my un-technical eye, the description you write here would seem to apply to the header information on the phish e-mail I received.

A quick glance shows:
Received: from 209.86.93.230 ([61.188.184.250])

A server lying about its own name/address, with just some random IP address. No good reason for it, unless you're somehow trying to lie about who/where you are, but the breadcrumb of your IP is still there. In parenths, is the IP address, and hostname if a reverse DNS lookup is successful.

That should have shown it traversing a tunnel of paypal addresses, to get from their intranet, to extranet, etc.

Received: from denbatch2.den.paypal.com (denbatch2.den.paypal.com [10.191.20.41])

I only know a wee bit about it, because in my college days, pretty much any UNIX server seemed to have the SMTP port open, and you could write an email from any server, from any address, to any other address, and let it look completely legitimate since it was coming from the right IP/host. Not anymore, you can't just poke people's port 25 anymore.
Reply
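
The two checks discussed in this thread (nsxtasy's "does the link really end in .paypal.com" and Chris F's reading of the `Received:` line), as an added example that is not code from any poster. It runs both over the header lines posted above; the function names and the choice of Python are assumptions of this example, and the recipient's provider (`aol.com`, `earthlink.net`) is passed in by the caller.

```python
import re
from email import message_from_string
from ipaddress import ip_address
from urllib.parse import urlsplit

# Header lines copied from the two e-mails posted in this thread (trimmed).
GENUINE = """\
Return-Path: <service@paypal.com>
Received: from rly-yb06.mx.SECURE.aol.com (rly-yb06.mail.aol.com [172.18.205.138]) by air-yb01.mail.aol.com (v106.2) with ESMTP id MAILINYB14-69642b9e61d6e; Wed, 22 Jun 2005 18:29:01 -0400
Received: from smtp-outbound.nix.paypal.com (smtp-outbound.nix.paypal.com [64.4.240.67]) by rly-yb06.mx.aol.com (v106.2) with ESMTP id MAILRELAYINYB64-69642b9e61d6e; Wed, 22 Jun 2005 18:28:45 -0400
From: "service@paypal.com" <service@paypal.com>

"""
PHISH = """\
Return-Path: <billing@paypal.com>
Received: from 209.86.93.230 ([61.188.184.250])
 by mx-pinchot.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1dLdLH1Yw3Nl34d0
 Wed, 22 Jun 2005 18:32:15 -0400 (EDT)
From: "PayPal" <billing@paypal.com>

"""
# "from HELO-name (reverse-DNS-name [connecting IP]) by receiving-server"
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def in_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def boundary_hop(raw, my_provider):
    """Return (helo, rdns, ip) from the Received line in which my_provider
    accepted the message from an outside host, or None if there is none."""
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # undo header folding
        if not m:
            continue
        helo, rdns, ip, by = m.groups()
        if in_domain(by, my_provider) and not in_domain(rdns, my_provider):
            return helo, rdns, ip
    return None

def findings(raw, my_provider, claimed="paypal.com"):
    """List the reasons the hand-over hop does not fit the claimed sender."""
    hop = boundary_hop(raw, my_provider)
    if hop is None:
        return ["no Received line written by " + my_provider]
    helo, rdns, ip = hop
    out = []
    if rdns is None:
        out.append(f"{ip} has no reverse DNS name")
    elif not in_domain(rdns, claimed):
        out.append(f"handed over by {rdns}, not a {claimed} host")
    try:
        if ip_address(helo) != ip_address(ip):
            out.append(f"sender announced itself as {helo} but connected from {ip}")
    except ValueError:
        pass  # HELO was a host name, not an IP literal
    return out

def link_is_on(url, domain="paypal.com"):
    """nsxtasy's test: the host must end in .paypal.com, not merely contain it."""
    return in_domain(urlsplit(url).hostname, domain)
```

Only the `Received:` line written by your own mail provider can be relied on; `From`, `Return-Path`, `Reply-To` and any `Received:` lines beneath that hop are supplied by whoever sent the message.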



All times are GMT -8.