[personal profile] cellio
I just received phishing email that's a little more sophisticated than the norm. It didn't fool me, but I know people (who are not dumb) who might have fallen for it.

It claimed to be from PayPal, and "all" it asked me to do was to go to their web site to verify my billing information -- new verification regulations from the PATRIOT act, don't'cha know.

It used PayPal boilerplate text about being careful about phishing, complete with a PayPal email address to report problems to. Too bad fraud@paypal.com isn't the address PayPal publishes. (That would be spoof@paypal.com.)

The URL it provided looks perfectly reasonable, because instead of saying "click here" they actually put a real PayPal URL in the text, complete with "https". Pity that that's not where the anchor really goes. Never trust HTML-formatted mail; read the source.

There weren't a lot of bogus headers like there often are; it would be easy to miss the originating site, which isn't PayPal, amidst all the legitimate headers.

Actually, the first suspicious thing I noticed was a simple grammar error (in an otherwise-well-written message). The second thing I noticed was the absence of my name in the greeting, which PayPal always uses. I had to go to the (real) PayPal site to spot the bogus fraud address.

PayPal's tips for detecting fraudulent email are here.
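The displayed-URL trick described above can be checked mechanically by reading the HTML source instead of the rendered message. The following is an added example, not part of the original post: it flags anchors whose visible text is a URL on a different host than the `href`, and links that contain only an image. The sample message and the `phish.example.net` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkAudit(HTMLParser):
    """Collect href, visible text and an image flag for every <a href=...>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = {"href": a["href"], "text": "", "image": False}
        elif tag == "img" and self._cur is not None:
            self._cur["image"] = True

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self._cur["text"] = self._cur["text"].strip()
            self.links.append(self._cur)
            self._cur = None

def host(url):
    # urlsplit only finds a host after "//", so add it for bare "www..." text
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def suspicious_links(html):
    """Return (reason, visible_text, href) for links that deserve a second look."""
    p = LinkAudit()
    p.feed(html)
    findings = []
    for l in p.links:
        text_is_url = l["text"].lower().startswith(("http://", "https://", "www."))
        if text_is_url and host(l["text"]) != host(l["href"]):
            findings.append(("text-href mismatch", l["text"], l["href"]))
        elif l["image"] and not l["text"]:
            findings.append(("image-only link", "", l["href"]))
    return findings

# Constructed sample: a spoofed link, an image-only link, and an honest link
SAMPLE = """<a href="http://phish.example.net/update">https://www.paypal.com/</a>
<a href="http://phish.example.net/img-click"><img src="body.gif"></a>
<a href="https://www.paypal.com/help">https://www.paypal.com/help</a>"""
```

Calling `suspicious_links(SAMPLE)` reports the first two links and leaves the third alone, because its visible host matches its target.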

(no subject)

Date: 2004-09-22 06:07 am (UTC)
From: [identity profile] ichur72.livejournal.com
I used to get a lot of these on AOL (pre-Patriot Act). The first time I saw one, I was distracted and didn't see immediately that it wasn't on the level. But once I did take a closer look -- well, let's just say that the spelling and grammar errors are always a dead giveaway.

(no subject)

Date: 2004-09-22 09:52 am (UTC)
From: [personal profile] jducoeur
I've actually been hit by a couple of real beauts here at work in the past month. They claimed to be from different banks, although both were clearly from the same originating source (their text was very close). Graphics were right; text was plausible; they even used the banks' real security-page URLs to click on.

The dead giveaway, though, was that the entire text was an image overlay, and that has mouse-cursor effects. I've been sensitized so that I immediately notice when I have an image cursor over apparent text. Had a very interesting dig through the source code for the emails, and forwarded them on to the banks in question. (And told the second to co-ordinate with the first.)
