PayPal spoof
Thread poster: John Fossey

John Fossey  Identity Verified
Canada
Local time: 03:17
Member (2008)
French to English
Mar 31, 2012

Today I received a message purporting to be from PayPal, in appearance exactly like the confirmation you get when you have sent a payment to someone via PayPal. It started off:

Dear PayPal User,
You sent a payment for $467.27 USD to Sebastian Warner.
Please note that it may take a little while for this payment to appear in the Recent Activity list on your Account Overview.
View the details of this transaction online

I couldn't remember right away making such a payment, but my suspicions were confirmed when I hovered over a link later down in the email. The text read:

Your monthly account statement is available anytime; just log in to your account at https://www.paypal.com/us/cgi-bin/webscr?cmd=_history. To correct any errors, please contact us through our Help Center at https://www.paypal.com/us/cgi-bin/webscr?cmd=_contact_us.

But hovering over the links showed they actually would have sent me to

http ://syra-arts (dot) com/XcLNkR7t/index.html

and

http ://4198.a.hostable (dot) me/BZBmikS1/index.html

No doubt these links would have tried to trap unsuspecting visitors further.

I sent the email, complete with headers, to spoof@paypal.com - hopefully they can do something about it.

Just a warning to others to stay alert.

[Edited at 2012-03-31 16:02 GMT]
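The hover check described in the post above can be automated. This is an added example, not part of the original post: it parses an HTML mail body and reports every link whose visible text shows a URL on one site while the `href` points to another. The sample body is constructed, the `.example` hosts are placeholders, and `site_of` is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_of(url):
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")

def site_of(host):
    # Assumption: the last two labels approximate the registrable domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (shown_host, actual_host) pairs where the text names another site."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        shown = URL_IN_TEXT.search(text)
        if shown and site_of(host_of(shown.group(0))) != site_of(host_of(href)):
            findings.append((host_of(shown.group(0)), host_of(href)))
    return findings

# Constructed sample body; the href hosts are placeholders, not real indicators.
SAMPLE = """<p>Log in at <a href="http://compromised-site.example/d1/index.html">
https://www.paypal.com/us/cgi-bin/webscr?cmd=_history</a> or contact us at
<a href="http://user.webhost.example/d2/index.html">
https://www.paypal.com/us/cgi-bin/webscr?cmd=_contact_us</a>.</p>"""
```

Links whose visible text is not a URL (for example "View the details of this transaction online") are skipped by this check and need a separate allow-list comparison on the `href` alone.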



Thayenga  Identity Verified
Germany
Local time: 09:17
Member (2009)
English to German
+ ...
PayPal Mar 31, 2012

Hi John,

This is obviously a scam or phishing email.

Whenever PayPal contacts you in regard to your account with them, they will always address you by your name.

"Dear PayPal user" is something someone would use who doesn't know your name, let alone your account activities.

Did you check the IP address? It wouldn't surprise me if it would be located in e.g. Nigeria. - No offense intended to any legit Nigerian companies.

Good thing you didn't follow those links.

[Edited at 2012-03-31 16:12 GMT]



John Fossey  Identity Verified
Canada
Local time: 03:17
Member (2008)
French to English
TOPIC STARTER
IP address Mar 31, 2012

Actually, the IP address indicates France, but with relaying, proxies, etc., that doesn't necessarily mean much.


Anabel Canon
Local time: 09:17
English to Spanish
+ ...
spoof@paypal.com Apr 1, 2012

Hi, John! Thayenga is right; PayPal always addresses you by your name. Though it has not happened to me in a while, I remember sending suspicious mails like this one to the address spoof@paypal.com. They always answered back confirming it was indeed phishing...

Happy Sunday!



Samuel Murray  Identity Verified
Netherlands
Local time: 09:17
Member (2006)
English to Afrikaans
+ ...
Any domain can be hacked Apr 1, 2012

Thayenga wrote:
Did you check the IP address? It wouldn't surprise me if it would be located in e.g. Nigeria. - No offense intended to any legit Nigerian companies.


Do you mean the IP address of the site on which the spoof page is hosted? Or the original of the e-mail? Remember, phishers don't use their own domains and their own hosting, or their own SMTP servers. They hack legitimate web sites and place their fake pages in a hard-to-find subdirectory of it. They don't let the owner of the web site know that they have hacked their site (they want to avoid detection, after all). Even if the site's owner sees it quickly and deletes the fake page, that still gives the phisher a window of several hours in which to catch victims using that hacked domain.

One of my own sites was recently hacked in this way, not because of any mistake I have made, but because one of the upstream hosts was compromised. The fake pages resided in a subdirectory so obscure that I would never have discovered it if the admins of the spoofed sites hadn't warned me about it and sent me the direct URLs to the fake pages. And I'm not Nigerian.

See for yourself if this is likely the site of a phisher:
http://www.syra-arts.com/site/default.aspx

As for hostable.me, it is a web host, and the person whose domain name starts with "a" and whose account number is "4198" is the victim here. But then, surely God would not have allowed any other person than a Nigerian to get stuck with account number "4198", right?

In fact, I find such guesses offensive and I think they should be removed from the forum. You can stereotype the Nigerians if you have evidence of a Nigerian, but simply saying "I bet it is Nigerian" simply because it is a phishing attempt is the type of racism that does not belong on these forums.



John Fossey  Identity Verified
Canada
Local time: 03:17
Member (2008)
French to English
TOPIC STARTER
Phishing Site Blocked Apr 1, 2012

Samuel Murray wrote:

See for yourself if this is likely the site of a phisher:
http://www.syra-arts.com/site/default.aspx




I tried to go to this site and my ISP blocked it with the message:

Phishing Site Blocked
Phishing is a fraudulent attempt to get you to provide
personal information under false pretenses.

[Edited at 2012-04-01 11:20 GMT]



Samuel Murray  Identity Verified
Netherlands
Local time: 09:17
Member (2006)
English to Afrikaans
+ ...
False positive Apr 1, 2012

John Fossey wrote:
Samuel Murray wrote:
See for yourself if this is likely the site of a phisher:
http://www.syra-arts.com/site/default.aspx


I tried to go to this site and my ISP blocked it with the message...


What that means is that someone had already reported the domain name to a spam blacklist that does not discriminate between roots and subdirectories, and your ISP uses that blacklist. I have no problem getting to the site. Some ISPs' mail servers also do spam filtering on their users' behalf, potentially removing mails from legitimate clients that simply look like spam.
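The difference between a blacklist keyed on the host and one keyed on the reported directory, as an added example that is not part of the original post. The reported URL and the `.example` host are constructed, and the matching rules are an assumption about how such lists could work, not a description of any particular ISP's filter.

```python
from urllib.parse import urlsplit

# Constructed report: one phishing page in an obscure subdirectory of a hacked site.
REPORTED = ["http://artsite.example/AbCdEf12/index.html"]

def _parts(url):
    """Return (host without a leading 'www.', path) for a URL."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, u.path or "/"

def blocked_by_host(url, entries):
    """Host-only list: one reported page blocks the whole site, root included."""
    host, _ = _parts(url)
    return any(_parts(entry)[0] == host for entry in entries)

def blocked_by_prefix(url, entries):
    """URL-prefix list: block only the reported page's directory and below."""
    host, path = _parts(url)
    for entry in entries:
        e_host, e_path = _parts(entry)
        prefix = e_path.rsplit("/", 1)[0] + "/"  # directory holding the reported page
        if host == e_host and path.startswith(prefix):
            return True
    return False

def compare(url, entries=REPORTED):
    """Return (host_list_verdict, prefix_list_verdict) for one URL."""
    return blocked_by_host(url, entries), blocked_by_prefix(url, entries)
```

With the host-only list the owner's legitimate front page is blocked along with the fake page; with the prefix list only the hacked subdirectory is.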

