Cybercriminals use a legitimate-looking return address

Jun 27, 2014 17:41 GMT

Some users have received emails claiming to deliver news of the latest modifications regarding the PayPal user agreement.

PayPal has not made any changes to the document, and the message is a phishing attempt used by cybercriminals to grab the login credentials for the account.

The message appears to be legitimate because the crooks managed to provide a return address that seems to be from PayPal; to avoid suspicion, they used [email protected], which for many users looks perfectly legitimate.

However, the domain name is totally wrong. Navigate to paypal-account.com, and the scam becomes evident. A check of the domain's registration information and owner is even more revealing.
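A defender-side check for the lookalike return address described above, as an added example that is not part of the original article: it compares the From domain against an allowlist and flags domains that merely contain the brand name. The allowlist, the verdict names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: allowlist of domains the brand really sends from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

def is_owned(domain, allowed):
    """True if domain is an allowlisted domain or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def classify_sender(raw_message):
    """Classify the From header of a raw message; returns (verdict, domain)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ("unparseable", "")
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    for brand, allowed in BRAND_DOMAINS.items():
        if is_owned(domain, allowed):
            # Header match only; SPF/DKIM/DMARC must still confirm the sender.
            return ("legitimate-domain", domain)
        # Brand string inside a domain the brand does not own,
        # e.g. paypal-account.com or paypal.com.example.net.
        if brand in domain.replace("-", ""):
            return ("lookalike-domain", domain)
        # Brand only in the display name, sent from an unrelated domain.
        if brand in display.lower():
            return ("display-name-spoof", domain)
    return ("unrelated", domain)

# Constructed sample messages; the local parts are placeholders.
SAMPLES = [
    "From: PayPal <service@paypal-account.com>\nSubject: User agreement\n\nbody",
    "From: PayPal <service@paypal.com>\nSubject: Receipt\n\nbody",
    "From: PayPal <service@paypal.com.example.net>\nSubject: Update\n\nbody",
    "From: PayPal Support <billing@example.org>\nSubject: Verify\n\nbody",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_sender(raw))
```

A "legitimate-domain" verdict only says the header names an allowlisted domain; the From header can be forged, so the result is meaningful only alongside the message's SPF, DKIM and DMARC results.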

According to MillerSmiles, the email briefly informs the recipient that some terms in the agreement have changed, and it offers a link for the potential victim to access the new form.

The URL leads to a phishing website that requires the user to log into the PayPal account in order to confirm, update or verify the account information. Should they do this, the credentials are automatically sent to the cybercriminals behind the campaign.

MillerSmiles pinpointed the location of the fake website in this case as Moscow, Russia. At the moment, the website can no longer be accessed, but cyber crooks can set up shop at a different address at any time and are not discouraged by the anti-phishing filters available in web browsers.

They know they have a short window to attract as many victims as possible, and they will take their chance.