Summer Phishing in the PayPal

Normal
0

false
false
false

EN-US
X-NONE
X-NONE

MicrosoftInternetExplorer4

st1:*{behavior:url(#ieooui) }

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:”Table Normal”;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:””;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:”Calibri”,”sans-serif”;
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:”Times New Roman”;
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:”Times New Roman”;
mso-bidi-theme-font:minor-bidi;}

In the spam and phishing industry there are several brands
that never get old, outdated or out of profit. As we already shown in our
latest E-Threats
Landscape Report and judging by the most recent phishing scheme, PayPal^TM is
still one of the top ten most spoofed identities.

In the current case, the unsolicited message allegedly sent
on behalf of PayPal^TM Team warns the possible customers about the alteration of
their data, due to unauthorized access. Hence, the e-crooks ask the on-line
payment users to log into their accounts and verify the possibly compromised
information by visiting the page provided in a hyperlink.

The link does not lead to the service portal, but to a Web
page that employs several visual identification components of the original Web
site, namely the logo, layout and general formatting elements.

This is the starting point of a cascade theft. First, the
scoundrels look for the login credentials – e-mail address and PayPal^TM password
-, which they steal via the file.php
script.

Then, on a second page, they go for detailed personal
information, including complete name, address, birth date, mother’s maiden
name, SSN, but also e-mail address and phone number.

But the swindle doesn’t stop here. Scammers also want to get
complete card details, including number, expiration date, Card Verification
Code, issuing bank, card type, and even PIN. Most intriguing, the data is
pilfered – via file2.php script – not
just for a single, but for two cards, as you can see in the image below.

Few interesting details: even though all other menu options
are available on both pages, clicking any of them will only reload the page.
Moreover, one can easily see that the Web page address mimicking the genuine
Web site loads from a domain registered in Lithuania (.lt instead of .com).

Also, there are no specific security elements, one could
expect to find on an e-payment site, namely SSL encryption (Secure Socket
Layer) or security authentication methods (no “https” prefix and locked
padlock).

The curiosity stirred me to click the “Why is ATM PIN
required?” link. The explanation displayed in the pop-up window is one of the
most hilarious I’ve ever read: “Requiring PIN Signatures is the latest security
measure against: identity theft, credit card fraud and unauthorized account
access”. See the whole thing below.