Welcome to Orange Frog Productions Scams, Shams & Flim-Flams Section

Spoof/Phishing Scam  - 10/20/2007 Example (PayPal)

Please be sure to read my Spoof/Phishing Scams Home Page

Things I Did, Below

I personally receive email in HTML format. Since the email headers could be included, I did not "forward" the email to get the brief headers. The following looks as it did when I received it, with the following exceptions:

  • Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) is different from what was displayed, I will include it in this type of note.
  • Actual links in the email message have been changed to null (allowing them to still appear as links), have arrows pointing to them ("<=="), have been "named", and appear as one of "my notes" (bold, red in color, and highlighted). They are listed below the email example using the "names".
  • All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.) This email started with the HTML from the email I received. Most of the HTML and the look is original to the email (making this page non-standard HTML 4.01!)

Scam Example
Received 10/20/2007

PLEASE NOTE: PayPal and other online services and banks should NEVER require you to "click a link" in an email to go to their site. They may provide a text link (one you must cut-and-paste), but even these should ALWAYS go to the business' site, and to NO OTHERS. For your own safety, if you are a member of the business (or have an account there):

  1. Go directly to the site itself (enter the business link - in this case: http:// www. paypal.com (type or cut-and-paste and remove the spaces))
  2. Log in to your account
  3. If what the email says is true, there should be some type of notification at either the main page, or on your account's login page.

BE SURE TO CHECK OUT ANY EMAILS LIKE THIS YOU GET!

[Please note: This whole page will not validate as HTML 4.01, though it says it will at the bottom. The reason is that I cut-and-pasted the HTML from the email. -wds]

PayPal [<==See image source and link behind logo, below]
PayPal Security Information


Dear PayPal Member,

Please update your records within 72 hours our Account Review Team identified some unusual activity in your account, one or more attempts to log in to your PayPal account form a foreign IP address.
In accordance with PayPal's User Agreement and to ensure that your account has not been compromised, access to yor account was limited. Your account access will remain limited until this issue has been resolved. To Secure your account and quickly restore full access, we may require some additional information from you.

To securely confirm your PayPal information please go directly to https:// www. paypal.com/ [<==See link behind link, below] log in to your PayPal account and perform the steps necessary to restore your account access as soon as possible or click on the link bellow:

Click here to update your account [<==See links behind link, below]



You can also confirm your Billing Information by logging into your PayPal account at https:// www. paypal.com. [<==See link behind link, below]

Thank you for using PayPal!
The PayPal Team



PayPal Email ID PP468
 
Protect Your Account Info
Make sure you never provide your password to fraudulent websites.

To safely and securely access the PayPal website or your account, open a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (https:// www.paypal .com/us/) to be sure you are on the real PayPal site.

PayPal will never ask you to enter your password in an email.

For more information on protecting yourself from fraud, please review our Security Tips at https:// www.paypal. com/us/securitytips
 

Protect Your Password
You should never give your PayPal password to anyone, including PayPal employees.

 


[NOTE: I left any names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! I'm SURE you will be ripped off! -LE]

Email Headers

[DO NOT send email to any of the following email addresses]

X-Message-Delivery: Vj0zLjQuMDt1cz0wO2k9MDtsPTA7YT0w
X-Message-Status: s3:0
X-SID-PRA: Service PayPal <security @ paypal.com>
X-SID-Result: SoftFail
X-Message-Info: pVXvxc2+mLdRMgEetc2UDZIUbo43oIM3135YGZn+lf4JYk0V8CFumw9bRdG/
sVFY64VO2aIfq9DYdtwI1ZDGlQ==
Received: from smtp-vbr12.xs4all.nl ([194.109.24.32]) by bay0-mc4-f13.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Sat, 20 Oct 2007 11:41:26 -0700
Received: from User (a80-127-123-20.adsl.xs4all.nl [80.127.123.20])
by smtp-vbr12.xs4all.nl (8.13.8/8.13.8) with SMTP id l9KIfLmn008283;
Sat, 20 Oct 2007 20:41:21 +0200 (CEST)
(envelope-from security @ paypal.com)
Message-Id: <200710201841.l9KIfLmn008283 @ smtp-vbr12.xs4all.nl>
From: "Service PayPal"<security @ paypal.com>
Subject: Please update your records within 72 hours our Account Review Team identified some unusual activity in your account
Date: Sat, 20 Oct 2007 20:41:25 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Virus-Scanned: by XS4ALL Virus Scanner
Bcc:
Return-Path: security @ paypal.com
X-OriginalArrivalTime: 20 Oct 2007 18:41:26.0446 (UTC) FILETIME=[D227DCE0:01C81348]

Notes

Links from email, above: (This information is from the SOURCE of the email.)

  • Image Sources:
    • PayPal Logo (header): http:// images.paypal .com/en_US/i/logo/email_logo.gif
    • PayPal Blue Line (below header): http:// images.paypal.com /images/bg_clk.gif and http:// images.paypal.com /images/pixel.gif
    • Blank line below PayPal Blue Line: http:// images.paypal.com /images/pixel.gif
    • Blank line below "... update your preferences here" and below/by "... including PayPal employees.": http:// images.paypal.com /en_US/i/scr/pixel.gif
  • Links (behind the words):
    • Behind "https:// www. paypal.com" (2 places): http:// www. omegasante.com/logs/
    • Behind "Click here to update your account": http:// www. omegasante.com/logs/
    • Behind "log in": http:// www. omegasante.com/logs/
    • Behind "... update your links here": https:// www. paypal.com/us/PREFS-NOTI
  • Link Behind Image:
    • Behind PayPal Header logo: https://www. paypal.com/us

Things to note in the links:

  • Image Sources:
    NOTE: All of these images are located at "images.paypal.com", which is a subdomain of PayPal. I'm sure the spoofers copied an actual PayPal letter and changed the email and link addresses to fit their own needs... That's what spoofers do, right?
    • PayPal Logo: Obvious what this is, huh?
    • PayPal Blue Line (below header): This is the banner across the top of the email, below the logo image. It is probably only large enough to hold the color involved (about 1px x 1px), and is used to fill in the space of the table cell. (Yes... These emails still use tables.)
    • Spacer: This is probably a single-pixel transparent GIF. All images can be expanded or shrunken online by defining the height and width. These are used throughout the letter, defined to the height needed at that point.
  • Links (behind the words) and Link Behind Image:
    NOTE: ALL the links they WANT you to click are to the same place - http:// www. omegasante.com/logs/, OBVIOUSLY not a PayPal site link. This is why you need to know to where the links ... link. PayPal and other companies and banks you would receive this type of email from, have plenty of servers and would NOT have you link to a domain that was not one of their own. You must also be careful about those links with the name of the site in them, as spoofers will try to obfuscate their own names with the names of the emails they are spoofing. (See other examples.)
  • Email link: The email link uses a Netherlands address. PayPal, while I'm sure they have locations and possibly websites in the Netherlands, would NOT be sending emails from there for people in the US.
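
The "link behind the link" check described above can be automated. The following is an added example, not part of the original page: it parses an HTML message body, pairs each link's visible text with its real target, and flags links whose text shows one host while the href goes to another, or whose target is outside the brand's domain. The sample HTML is constructed from the links listed on this page; the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample: the three kinds of link this page lists for the email.
SAMPLE_HTML = """
<a href="https://www.paypal.com/us"><img src="http://images.paypal.com/en_US/i/logo/email_logo.gif"></a>
<p>please go directly to <a href="http://www.omegasante.com/logs/">https://www.paypal.com/</a>
or <a href="http://www.omegasante.com/logs/">Click here to update your account</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def belongs_to(host, brand_domain):
    # Exact match or a true subdomain; "paypal.com.evil.example" does not pass.
    return host == brand_domain or host.endswith("." + brand_domain)

def audit_links(html, brand_domain):
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        shown = re.search(r"https?://\S+", text)  # does the text itself look like a URL?
        if shown and host_of(shown.group()) != target:
            findings.append(("text-shows-other-host", text, target))
        elif not belongs_to(target, brand_domain):
            findings.append(("off-brand-target", text, target))
    return findings
```

The logo link passes because it really does point at PayPal, which is exactly why one genuine link in a message proves nothing about the others.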

Other "problems" and things I see:

  • PayPal would NOT send an email to ME (in the US) from an obscure Netherlands email address. It would always be directly from their site, and would NOT include clickable links, especially to a site that is NOT one of theirs.
  • From the Email Headers:
    • All of the email addresses appear to be PayPal email addresses, except the one in the Message ID field, which, to me, shows that the headers were spoofed.
    • There is no "TO" email address on this email, and the "BCC" is "showing", meaning it was probably sent to a mailing list. While there may or may not be a problem with my PayPal account (there isn't):
      • First, PayPal would include not only my email address, but my name, in the email to prove that it's from them.
      • Second, they would NOT use a mailing list (or, if they do, it would only be used to send out individual/individualIZED emails).
  • Speaking of that last point, there's NOWHERE in the email that mentions MY NAME.
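
The header observations above can be turned into a repeatable check. The following is an added example, not part of the original page: it parses a header block and reports a missing To: recipient, a non-passing X-SID-Result, a Message-Id domain that differs from the From domain, and an earliest Received hop that names no host in the From domain. The sample is constructed from the headers shown on this page; the function names and finding labels are hypothetical, and each finding is a signal to weigh, not proof on its own.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: selected headers from this page, with the spaces the
# page put around "@" removed and wrapped lines re-indented as continuations.
SAMPLE_HEADERS = """\
X-SID-PRA: Service PayPal <security@paypal.com>
X-SID-Result: SoftFail
Received: from smtp-vbr12.xs4all.nl ([194.109.24.32]) by bay0-mc4-f13.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
\tSat, 20 Oct 2007 11:41:26 -0700
Received: from User (a80-127-123-20.adsl.xs4all.nl [80.127.123.20])
\tby smtp-vbr12.xs4all.nl (8.13.8/8.13.8) with SMTP id l9KIfLmn008283;
\tSat, 20 Oct 2007 20:41:21 +0200 (CEST)
Message-Id: <200710201841.l9KIfLmn008283@smtp-vbr12.xs4all.nl>
From: "Service PayPal"<security@paypal.com>
Bcc:
Return-Path: security@paypal.com

"""

# Host names ending in an alphabetic label, so bare IP addresses are skipped.
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.I)

def registrable(host):
    # Assumption: the last two labels; real code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_headers(raw):
    msg = message_from_string(raw)
    sender = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    findings = []
    if not (msg.get("To") or "").strip():
        findings.append("no-to-recipient")
    sid = (msg.get("X-SID-Result") or "").strip().lower()
    if sid and sid != "pass":
        findings.append("sender-id:" + sid)
    mid = registrable((msg.get("Message-Id") or "").strip(" <>").rpartition("@")[2])
    if mid and mid != sender:
        findings.append("message-id-domain:" + mid)
    hops = msg.get_all("Received") or []
    if hops:  # the last Received header is the earliest hop
        origin = {registrable(h) for h in HOST_RE.findall(hops[-1])}
        if origin and sender not in origin:
            findings.append("origin-hop:" + ",".join(sorted(origin)))
    return findings
```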

As you can see, the email "looks" very official, but with a little checking BEFORE YOU CLICK A LINK OR REPLY, you can find inconsistencies that can save you from a world of hurt! (and empty bank accounts!)


This site, all text and graphics (unless otherwise noted) on it
were designed, developed and published by Bill Sanders of Orange Frog Productions.
It and its CSS were validated and comply with both the CSS and HTML 4.01 validators from W3C.
NOTE: All CSS validates except the "New Window Buttons" which include some invalid code (ie: hacks),
added PicoSearch Tables, and warnings for using transparent backgrounds when color foregrounds defined.

Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is prohibited without express written consent from William D. Sanders.