Double check everything when it comes to your bank account

Oct 3, 2011 13:22 GMT  ·  By

“Your PayPal account has been limited” is the message received by a lot of users lately, in what turned out to be a well-thought-out phishing expedition.

Mxlabs informed us that the scam emails were very well designed and, because what seems to be a genuine address was spoofed, they looked even more credible.

The body of the note reads “Unfortunately one of your recent transaction with PayPal is not successful because your PayPal account has been limited. It is a measure taken to protect your account and help ensure the safety of the PayPal platform. We want to help you remove this limitation as soon as possible so he can continue to take advantage of the benefits from PayPal.”

The whole layout of the email is very well conceived and all the graphics and content elements are a perfect match to what we'd normally see in a mail message coming from PayPal.

Once the Click Here button is hit, the user is transferred to a site hosted on a domain called mittemaedchen.de. The full address contains some fragments that refer to “pay pal” to make it look more realistic.

The next page, which is also well built, contains a form in which the customer is asked for information such as name, date of birth, country, address and credit card information. After the form is completed, the victim is redirected to the genuine PayPal site.

Once you've handed out that much information, you can bet that your bank account will shortly be emptied.

In order to prevent such unfortunate events, let's take a look at a few signs that give this hoax away.

First of all, the “unsubscribe” button in the footer of the email is inactive. This is a bit hard to spot, but when you receive any alert that has something to do with your savings, you should be extra careful.

Another suspicious element is the text itself. If you check the quote written above, you'll see that it contains some errors that you probably wouldn't find in a genuine note coming from the transaction company.

Finally, after clicking the first link, the German domain should signal that something is fishy, and in such cases you should never continue the operation.
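Two of these signs can be checked mechanically. The following is an added example, not code from the article or from Mxlabs: it flags a link whose URL mentions the brand while its host is not paypal.com, and an unsubscribe link that leads nowhere. The trusted-domain list, the function names and the sample HTML are assumptions; only the domain mittemaedchen.de comes from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "paypal"
TRUSTED = ("paypal.com",)  # assumption: the only domain accepted for this brand

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def audit(html_body):
    """Return (reason, link text, href) for each suspicious link."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if href.strip() in ("", "#"):
            # A link that goes nowhere: reported only for the unsubscribe footer.
            if "unsubscribe" in text.lower():
                findings.append(("dead-unsubscribe", text, href))
            continue
        host = (urlsplit(href).hostname or "").lower()
        # Drop separators so "pay-pal" or "pay_pal" still matches the brand.
        squeezed = re.sub(r"[^a-z0-9]", "", href.lower())
        if host and BRAND in squeezed and not is_trusted(host):
            findings.append(("brand-on-foreign-domain", text, href))
    return findings

# Constructed sample: the domain is the one named in the article; the path is made up.
SAMPLE = """<a href="http://mittemaedchen.de/pay-pal/update/">Click Here</a>
<a href="https://www.paypal.com/help">Help</a>
<a href="#">Unsubscribe</a>"""
```

Calling `audit(SAMPLE)` reports the "Click Here" link and the dead unsubscribe link, and leaves the genuine paypal.com link alone.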

At the time of this writing, the malicious location is blocked by Firefox and Internet Explorer.

[Images: PayPal can be easily replicated; Fake PayPal website]