PayPal phishing attacks

We seem to get one or two of these emails a week, possibly more. They are usually very well crafted and unless you actually read (and understand) mail headers it is easy to see how someone could be duped by them. The one we got this morning is below:

[Image: paypal phishing email]

It looks and feels like a genuine PayPal email, until you look at the headers or the HTML source. The scammers have, of course, gone to great lengths to make sure that a cursory glance will not reveal anything "strange", so they use a mouseover link in the email to display what looks like a genuine link to the PayPal site.

So what happens if you are duped into visiting this site? In this instance the site was called paypol.biz. After you get past the front page you are asked to agree to a number of legal statements and then passed onto this page:

[Image: paypal spoof site]

where they ask you not only for your credit card details, but also your bank details, social security number and more. With this kind of detail the scammer would have little difficulty in gaining access to your credit card and other sources of funds.
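The mouseover trick described above can be checked mechanically. The following is an added example, not code from the original post: it flags links whose visible text or `onmouseover` script shows one host while the `href` points to another. The sample HTML is constructed (only `paypol.biz` comes from the post) and all function names are this example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host names a reader would see: after a scheme, or starting with "www.".
HOST_RE = re.compile(r"(?:https?://|(?=www\.))((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample; only the paypol.biz host name comes from the post.
SAMPLE = """<p>Please confirm your account:</p>
<a href="http://paypol.biz/login"
   onmouseover="window.status='https://www.paypal.com/login'; return true">
   https://www.paypal.com/login</a>
<a href="https://www.paypal.com/help">www.paypal.com help</a>"""

def hosts_in(text):
    """Lower-cased host names that appear in a piece of text."""
    return {h.lower() for h in HOST_RE.findall(text or "")}

def related(a, b):
    """True if the hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (real host, [hosts shown to the reader])
        self._open = None    # [href host, shown hosts] for the current <a>
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            host = (urlsplit(a.get("href") or "").hostname or "").lower()
            # A mouseover script can put a different URL in the status bar.
            self._open = [host, hosts_in(a.get("onmouseover"))]
    def handle_data(self, data):
        if self._open:
            self._open[1] |= hosts_in(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            host, shown = self._open
            bad = sorted(s for s in shown if host and not related(s, host))
            if bad:
                self.findings.append((host, bad))
            self._open = None

def audit(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

The subdomain comparison is deliberately simple and treats sibling hosts under the same domain as a mismatch, so a mail filter built on it would want a registrable-domain comparison instead.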

3 Comments

David said:

I imagine this could potentially be made all the worse by exploits such as the Firefox IDN issue (http://secunia.com/advisories/14163/).

I also receive emails like this fairly regularly, and Microsoft Outlook does not make it easy to check headers (you have to select View/Options to see them). Even then they appear in an insignificant little box on the screen that pops up, which is not going to be obvious to the average user.

Perhaps MUAs need to display the mail hosts the mail has passed through a little more clearly? Maybe just showing the first mail host the mail came from, then at least if that shows xyz.paypal.com a user will have more confidence the email came from paypal than customer5446-22.home-dsl.verizon.com.

blacknight said:

David

It's probably better to do the blocking on the server-side where you can use DNSBLs to check the URIs referenced in the email body. This is possible using MailScanner, although I am yet to enable it on any of our installs.

M

Tom Raftery said:

That's scary - 'cos 1) it looks genuine so it will fool a lot of people and 2) if they give that amount of info - it is easy to change your credit card no. but you can't change your mother's maiden name, for instance and that is a pretty standard security question.

Bruce Schneier has an article on the folly of secret questions here


About this Entry

This page contains a single entry by Michele Neylon published on March 5, 2005 1:24 PM.
