From start to finish, inside a PayPal Phishing scam

Credit: PayPal
One of the world's most targeted brands...

PayPal is one of the most commonly targeted brands for Phishing, nearly equal to banks when it comes to potential financial gain for criminals.

Today, we're revisiting the concept of how to spot a Phishing email by focusing on a recent Phishing campaign that's targeting PayPal customers. We'll start by pointing out visual cues that will help you avoid becoming a victim, but we'll also go through the scam completely so you can see what it looks like.

It starts with an email

This is what the Phishing email looks like once opened. 

Phishing remains one of the fastest and easiest methods of personal compromise. With this type of attack, criminals play a numbers game. The more messages they send, the more likely someone is going to fall for the scam.

Even if the victim count is low, the cost of a Phishing campaign is next to nothing on the criminal's end – a single victim often covers all costs.

Sadly, dozens of people are likely to be scammed in a given campaign, so Phishing has become a turnkey business for most criminals. Each campaign is different, often targeting personal information, financial information, or in this case - both.

Moving on, let's examine some of the visual cues that will debunk this alleged warning.

Email addresses

Notice that the support address isn't a PayPal address. That's important.

But after that, the "via" marking in the "From:" field is Google's way of telling you that the email you're reading was sent from an account other than the one listed. If this were an actual email from PayPal, Google wouldn't offer this visual cue.

"Gmail displays this information because many of the services that send emails on behalf of others don’t verify that the name that the sender gives matches that email address. We want to protect you against misleading messages from people pretending to be someone you know," Google explains.

In this case, the criminal compromised a website and used the webhost's server to send the message. If this message arrives outside of Gmail, the fact that the sender doesn't use a PayPal address is the first clue that something isn't right.

Other than that, the email's subject is all wrong too. It's attempting to stress a point and relay a false sense of urgency, but the fact that it doesn't name the account in question increases the odds that curiosity will get the better of you and you'll open the message.

Message Body: Where the Phishing scam will either live or die

To the untrained eye, the message is letting you know that your PayPal account is limited, and that there is a time limit for resolution. Again, this is injecting a false sense of urgency – and if you rely on PayPal, the fact you might lose access to your account is a serious issue.

The message explains itself as a security measure, and warns that your PayPal account might be in danger of compromise, resulting in theft. Ironic really, because theft is the name of the game here. Once more, the criminals are pressing fear as the main motivator. The fix is simple; just confirm your information by following the link.

To the trained eye, the message is as false as can be. First, PayPal will always use the registered account name when addressing messages, so they'll never address a security email simply as "PayPal Customer."

Second, the message itself is just an image. The criminal created a link to their domain, and used an image instead of the text link that most everyone is used to on the Web.

Using the image helps the message bypass many basic spam filters. The fact that the message was relayed through a compromised account that had never sent spam before also helped it avoid detection.
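The header and body cues described above (a "PayPal" display name on a non-PayPal address, a "via"-style mismatch between the From address and the relaying host, a generic greeting, and a body that is one image wrapped in a link) can be checked mechanically. The following Python script is an added example, not code from CSO or from PayPal; the two messages it parses are constructed for the example (the `.invalid` hosts are placeholders, not the campaign's real domains), and the "via" check is simplified to comparing the From domain with the Sender or Return-Path domain.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample (not the campaign's actual message): a "PayPal" display
# name on a non-PayPal address, relayed through an unrelated web host, a
# generic greeting, and a body that is a single image wrapped in a link.
SAMPLE_EML = """\
Return-Path: <apache@webhost-example.invalid>
Received: from webhost-example.invalid ([203.0.113.10]) by mx.example.com
From: "PayPal" <service@paypal-notice.example.invalid>
Sender: apache@webhost-example.invalid
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear PayPal Customer,</p>
<a href="http://secure-update.example.invalid/paypal/login.php"><img src="cid:notice"></a>
</body></html>
"""

# Constructed control message that shows none of the cues.
LEGIT_EML = """\
Return-Path: <service@paypal.com>
From: "PayPal" <service@paypal.com>
To: jane@example.com
Subject: Receipt for your payment
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Jane Doe,</p>
<p>View details at <a href="https://www.paypal.com/activity">your account</a>.</p>
</body></html>
"""


class BodyParser(HTMLParser):
    """Collects link targets, visible text, and images that sit inside links."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text, self.link_text = [], [], []
        self.linked_images = 0
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
            self._in_link = True
        elif tag == "img" and self._in_link:
            self.linked_images += 1

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False

    def handle_data(self, data):
        self.text.append(data)
        if self._in_link:
            self.link_text.append(data)


def address_domain(value):
    """Domain part of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def on_brand(host, brand_domain):
    return host == brand_domain or host.endswith("." + brand_domain)


def analyze_email(raw, brand="paypal", brand_domain="paypal.com"):
    """Return the visual cues from the article as named boolean findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    # Simplification: the host that actually relayed the mail is taken from
    # Sender or Return-Path; Gmail's "via" label uses its own authentication data.
    relay_domain = address_domain(msg["Sender"]) or address_domain(msg["Return-Path"])
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = BodyParser()
    parser.feed(body.get_content() if body is not None else "")
    text = "".join(parser.text).lower()
    return {
        "brand_name_offbrand_address": brand in name.lower() and not on_brand(from_domain, brand_domain),
        "sender_mismatch": bool(relay_domain) and relay_domain != from_domain,
        "generic_greeting": f"{brand} customer" in text,
        "image_only_link": parser.linked_images > 0 and not "".join(parser.link_text).strip(),
        "link_targets": parser.hrefs,
    }


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EML), ("control", LEGIT_EML)):
        print(label, analyze_email(raw))
```

The link targets are only collected here; judging the URL itself (scheme, real host, brand name used as a lure) is a separate check that belongs at the point where the link is followed.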

But what happens if you follow the link?

Turn back now...

If for some reason a person were to click the link, the URL displayed would be the final torpedo needed to sink this Phishing scam. There is no HTTPS and the domain clearly IS NOT a domain controlled by PayPal.
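The two tests the article applies to the address bar, HTTPS and a host that PayPal actually controls, are the ones a defender can automate for links pulled from mail or proxy logs. The Python function below is an added example, not code from CSO or from PayPal. It goes a little beyond the article's single case: it also catches the common tricks of putting the brand name in a subdomain, in the path, or in the userinfo part before the real host, and of using a bare IP address. The brand domain list and the `.invalid` hosts in the checks are assumptions made for the example.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Domains the brand genuinely uses (assumption for the example; a real deployment
# would take this from the organisation's own records).
BRAND_DOMAINS = ("paypal.com",)
BRAND_WORDS = ("paypal",)


def on_brand(host):
    """True only if host is a brand domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def inspect_url(url):
    """Return the reasons this URL should not be trusted as a brand login page ([] if none)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("no HTTPS")
    if not host:
        reasons.append("no host")
    else:
        try:
            ip_address(host)
            reasons.append("host is a bare IP address")
        except ValueError:
            pass
        if not on_brand(host):
            reasons.append(f"host {host} is not a {BRAND_DOMAINS[0]} host")
    if parts.username:
        # 'https://www.paypal.com@evil.invalid/' shows the brand before '@'
        # while the browser actually connects to the host after it.
        reasons.append("credentials embedded before the real host")
    lure_text = (host + parts.path + (parts.username or "")).lower()
    if host and not on_brand(host) and any(w in lure_text for w in BRAND_WORDS):
        reasons.append("brand name used as a lure on a third-party host")
    return reasons


if __name__ == "__main__":
    # Constructed URLs for the example; none is the campaign's real address.
    for u in (
        "http://secure-update.example.invalid/paypal/login.php",
        "https://paypal.com.account-verify.invalid/",
        "https://www.paypal.com@evil.invalid/",
        "http://203.0.113.10/login",
        "https://www.paypal.com/signin",
    ):
        print(u, "->", inspect_url(u) or "no findings")
```

Note that `on_brand` insists on an exact domain or a subdomain of it, so `paypal.com.account-verify.invalid` fails even though it starts with the brand's name; a substring match would have passed it.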

Please note that the URL shown in this image was live at the time this article was written; do not visit it. The webhost has taken the domain offline, but this URL could be pointed to a new location in the future.

The following images are what the Phishing scam will look like in action. Each slide will explain what's happening on screen.

Usernames and passwords

Entering your username and password into the field from the previous slide triggers a number of checks by the Phishing script that created this domain. However, at this stage your PayPal username and password have been stolen.

But the scammer isn't done.

This screen should be familiar to anyone who uses PayPal. If so, there's a reason for that. The color in the images, the way the website is designed, and the URL bar that's full of letters and numbers are all there to fool you into thinking you're on PayPal's website.

But remember, you're not, and the missing HTTPS is proof that PayPal isn't involved here.

Again, the URL shown in this image was live at the time this article was written, do not visit it. The webhost has taken the domain offline, but this URL could be pointed to a new location in the future.

Confirmation required

Once the loading screen goes away, the second part of the scam starts. Remember, at this stage your PayPal username and password have been compromised. However, in the criminal's opinion, why stop there?

If you fell for the first part, the crook running this scam feels that you'll fall for the second part too, which focuses on personal and financial information.

This might get old, but it's important. The URL shown in this image was live at the time this article was written, do not visit it. The webhost has taken the domain offline, but this URL could be pointed to a new location in the future.

Tell us a little about yourself

After the loading screen, you'll be asked to confirm information. If you agree, you'll see this screen. Here the criminal is able to build a profile on your information. The data collected here can be sold, or used to further additional scams – including identity theft.

Given that the scam needed information, CSO provided a false name, the address for Hoboken City Hall in New Jersey, and a phone number to book a room at the Holiday Inn.

But the criminal isn't done.

This might get old, but it's important. The URL shown in this image was live at the time this article was written, do not visit it. The webhost has taken the domain offline, but this URL could be pointed to a new location in the future.

Credit cards

Now that the criminal has your personal information, this form will look for some financial data – namely your credit card details.

This page, as well as all the others, has been designed to look exactly like PayPal. For those that are trained to look for a padlock, but forget where it is, the message at the bottom of the page is there for reassurance. But nothing on this page is secure.

Again, the URL shown in this image was live at the time this article was written, do not visit it. The webhost has taken the domain offline, but this URL could be pointed to a new location in the future.

Banking data

The last bit of information the criminal will ask about is banking data. This form serves two functions: first, it collects the login data and account number for your bank. Second, it lets the crook see whether you're recycling passwords.

If the PayPal password is the same as the bank password, that's a good indicator that you're using the same password everywhere. If not, the crook can still use this information to run a number of additional scams and leverage the collected details to compromise other accounts under your control.

The URL shown in this image was live at the time this article was written, do not visit it. The webhost has taken the domain offline, but this URL could be pointed to a new location in the future.

End of the line

This is the end of the scam. The entire thing was designed to make you feel as if you were dealing with PayPal the entire time. However, at this stage your banking information, personal information, credit card details, and PayPal account have all been compromised. There's no going back.

To keep things moving, this page will remain for a few seconds before you're forwarded to the final stop.

The URL shown in this image was live at the time this article was written, do not visit it. The webhost has taken the domain offline, but this URL could be pointed to a new location in the future.

It's as if nothing happened

The final stop in the scam is the actual PayPal website. If you look at the address bar, the URL has HTTPS and the padlock area is green and shows the company name.

Again, the previous slides you've seen were all part of the scam. So the fact that the legitimate PayPal website is on the screen now means nothing; the forms were all submitted and somewhere a criminal is abusing your information in a number of creative ways.

When it comes to Phishing, avoiding these scams 100 percent of the time can be tricky. However, it isn't an impossible task. When in doubt, don't click anything in the email and visit the website in question (e.g. PayPal) directly.

Remember, email is the last method banks or financial firms will use to contact you in a majority of cases. Online, pay attention to the address bar and look for HTTPS when you're about to enter personal or financial information into a form.

Stay safe!