Paypal Users–Very Well Executed Phishing Attempt: China

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

05/29/15

This spoof/phishing attempt showed up in my spam folder today. WATCH FOR IT. I have sent it along with the Header Analysis Quick Report and this copy of the headers to Paypal.

It's very well executed, and has absolutely NO SPELLING or GRAMMATICAL ERRORS.

There are some errors in format, but the average to above average English speaker with reasonable to very good writing skills would not notice them.

Quote:

Header Analysis Quick Report
Originating IP: 111.140.45.138
Originating ISP: North Star Information Hi.tech Ltd. Co.
City: Wuyi
Country of Origin: China

Quote:

Latest Account Notification
Paypal

Dear Valued Member,
Your account has been limited. We would appreciate your immediate attention to this matter.

Below, we will also show you the necessary steps to restore your access to its regular state.

What is Account Limitation?
Account Limitations prevent you from completing certain actions with your account, such as withdrawing, sending, or receiving money. These limitations are implemented when we see unusual or suspicious activity to help protect both PayPal buyers and sellers.

Reasons for Account Limitation?
There are a number of reasons why your account could be limited. For instance, if we suspect someone could be using your account without your knowledge, we'll limit it for your protection and look into the fraudulent activity.

We'll also limit your account if your debit or credit card issuer alerts us that someone has used your card without your permission.
How do I restore my account so it is no longer limited?

Simple. Just follow these 3 easy steps:
Download the attachment provided in this email
Open it in your web browser (Option: Internet Explorer)
Fill in the required details in the form

We regret any inconvenience, and we would like to restore your access as soon as possible.
Sincerely,
PayPal Account Review Team

Quote:

From PayPal Sat Nov 22 09:08:16 2014
X-Apparently-To: <snipped>; Sat, 22 Nov 2014 09:08:16 +0000
Return-Path: <[email protected]>
X-YahooFilteredBulk: 74.208.171.156
Received-SPF: none (domain of payreview.com does not designate permitted sender hosts)
X-YMailISG: x51yuMAWLDs7jNVT5z3NbM9ATWse.HpoC6lk.Tmc9juuDTJ3
x5h5p.TI7n3TOpgtZ_rVySLkdW4D5DMgyECgLvXaNaJYZrsiIKxnrVEN_Eqa
5uAxjBmqD.qpdqZPfJG_Onomhv2isJaz_0018FeSmTQ0MGZ15l9Ca.gqRvaU
6HMYE7xFDhzpAaP86NctlZdbleYI6Izq14gNMmc3i9ardS9Hgqa108MUHK0E
02UGKCRQMePmn.m8e9IlpQ6JNhCN5T6nboSa7ex_aS8Ie3ppFYdipp0TQs33
4YF3lMnpSSGylnLqUGMyqEuO7D4..tfhhbXEbvb5uL8RmEYm3YdBcc5GX4Cv
46733EUXlFE2mSbf00Oet8C7BM7qH9rNEwehXN_zoEPfid1LnRp8UU5bErvi
iKqk58g41kcaxuu6kjiWSSxHo3q4DvewCPLB_UKL1OhTu8tncEKEcCkIl_hp
hXhFgPfoOGKbkSeXQ__gGnBSP8O.sNKzdbiXguhpwdbty7Iz7CbYPtEkWYql
xreAcm.hW5JvhLA7sQ3GoNt59S8aYld5RWFbn2iLF_iAvBISTMJevlkys9F8
VmGHIjwy7XjMN91yZmVIhhyAiocmBV0VcOwJj3bfiV_2ZzcAfXhTtEr0FLXR
9nwA33EVi46oliWovzLnt49h4xasfXObiHl6wN6JEG6GG2msd8sj.xKUeMc4
gVhK1Sx4bdO5bpAv5XsUYFzsY79xkeHDbsNflK0t.UoJLpV0XlPtctxrKx1h
oeg8F1cjdQKPe5unO7vGS_lrLQPNEneTmLEQQ4thjaHi3bbd.9k3JS3D1VtX
eONTCw3V6rf.a0b1o94opWGaU6LmcjurryyEG298hNY_BWYcU6cEfpU5DD_Y
5d8gE5N4HFhEMl9ooO0h.pYOxjX_m0zGLgXBUXb2XeWS0cuRF.985a_xHGbh
LMsL9OrjLjGqQNN6zJNljv_DS4ayvsxXBY5SGvqb916gj9sWnpxG6yz.jxXJ
kTcZseYkKXJ1.VMzYS8s9RcojeoW1TwDcO3DWGLlJ2QVYvjJoh6lxAyFJ_Ie
2vnSPlL3kEWSkNNuR5.7aSFg0NO_WuMVslGyhOtHt7EDCRA_4PGxQn8vFZn_
NeNi6eVG34kwCkOwkUkyidEmsh3HPNZNtjoD4PQE6m7elOLkOFzDBbJauUua
s0OyMllkPYoU0jwQsMIKX_.mddOSY4Ifw.zL9zL9ovajaZKPadR1djOOx5tf
EeVJrkCMCqonzS1RBXm5f8hHlbqOQkrrwd04GQVjPY350XagCBszVhVR0ztH
f3327seQtz.ykQk3QToQAVlzAlR8wWWjtIAmGJtD6_XTIx8mY7FxN9QS4iIJ
vi2lQso.QEbSm0l3_bGJfHkRJzCqhE7JwcB2BMJ2.jIyKzleqdVV2o2OIiMN
bZFg05CDSgyrbSiVGan6dKTufFKsAqaF6Qs8mkupBZjs1WCfCWrbXSkC2blq
sM_FFfI4mBFo6Iv3XAS63fnTzZ3sg6hFaT5xH3mkmJQiHZcih5u8L_sYvwKO
3QIdwq0NisO2K_ly2mCLTWiDU5gy9XMj7Xul.RaoecqaIUsknFkw6hZOeL7j
eDAMFgWFnePMOHedGPUmyNwdq6_FP1hzQQgg3GBOx0qRjWJiJV6pgNSqOj8.
G61FNJbDFRBGV.3_VNVO1TW1VNGf512ZIBqNl0XFiP7zC3TbAbUtt5JQeZqU
LCKvljDsSvl2x9a.0Yr9hxNyFOA_DNZIhit6izX.SvdmEYlrewCt43oAaBlU
CuvjyUFlnx1FfitFpRLgT4X3h6Ji7aEz.52b9NgaZmQKTyMnyxJHIpswDK65
ZSr1aGyvIqCeiW9FcrWUtPmnbJwte4bP8ZLLR8EsrzZlD10G.Lg2_iBWNe71
0FoFGPmnprrxDzJBybY62kBWEvv72tYDzDUSqeOFtuLS7ZcRcKTF3cir9t2R
LSFjmmdJeVRxLPuI8wHI83qEXLudIgLke2N1MQ3eiFv..CJd0w--
X-Originating-IP: [74.208.171.156]
Authentication-Results: mta1630.mail.gq1.yahoo.com from=payreview.com;
domainkeys=neutral (no sig); from=payreview.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO projects.thebitcrew.com) (74.208.171.156)
by mta1630.mail.gq1.yahoo.com with SMTP; Sat, 22 Nov 2014 09:08:09 +0000
Received: from 74.208.171.156 ([111.140.45.138]) by projects.thebitcrew.com with
MailEnable ESMTP; Sat, 22 Nov 2014 03:35:06 -0500
Message-ID: <[email protected]>
From: PayPal <[email protected]>
Subject: Latest Account Notification
X-Mailer: Courier 4.0.91295
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--60990"
Content-Length: 37208

This automated response arrived immediately after I send the above to Paypal. I receive scam Paypal emails regularly, so I know what to expect. Soon I will receive a personal response from them regarding the matter.

Meanwhile, why not use this as an opportunity to review what we already know to expect in communications from Paypal Smile

Quote:

Dear <snipped for obvious reasons>,
Thank you for being a proactive contributor by reporting
suspicious-looking emails to PayPal's Abuse Department. Our security
team is working to identify if the email you forwarded to us is a
malicious email.
Paypal Will Always:
- Address our customers by their first and last name or business name of
their PayPal account
Paypal Will Never:
- Send an email to: "Undisclosed Recipients" or more than one email
address
- Ask you to download a form or file to resolve an issue
- Ask in an email to verify an account using Personal Information such
as Name, Date of Birth, Driver's License, or Address
- Ask in an email to verify an account using Bank Account Information
such as Bank Name, Routing Number, or Bank Account PIN Number
- Ask in an email to verify an account using Credit Card Information
such as Credit Card Number or Type, Expiration Date, ATM PIN Number, or
CVV2 Security Code
- Ask for your full credit card number without displaying the type of
card and the last two digits
- Ask you for your full bank account number without displaying your bank
name, type of account (Checking/Savings) and the last two digits
- Ask you for your security question answers without displaying each
security question you created
- Ask you to ship an item, pay a shipping fee, send a Western Union
Money Transfer, or provide a tracking number before the payment received
is available in your transaction history
READ!
Any time you receive an email about changes to your PayPal account, the
safest way to confirm the email's validity is to log in to your PayPal
account where any of the activity reported in the email will be
available to view. DO NOT USE THE LINKS IN THE EMAIL RECEIVED TO VISIT
THE PAYPAL WEBSITE. Instead, enter www.paypal.com into your browser to
log in to your account.
What is a phishing email?
You may have received an email falsely claiming to be from PayPal or
another known entity. This is called "phishing" because the sender is
"fishing" for your personal data. The goal is to trick you into clicking
through to a fake or "spoofed" website, or into calling a bogus customer
service number where they can collect and steal your sensitive personal
or financial information.
We will carefully review the content reported to us to certify that the
content is legitimate. We will contact you if we need any additional
information for investigating the matter. Please take note to the
security tips provided above as they may help to answer any questions
that you may have about the email you are reporting to us.
Help! I responded to a phishing email!
If you have responded to a phishing email and provided any personal
information, or if you think someone has used your account without
permission, you should immediately change your password and security
questions.
You should also report it to PayPal immediately and we'll help protect
you as much as possible.
1. Open a new browser and type in www.paypal.com.
2. Log in to your PayPal account.
3. Click "Security and Protection" near the top of the page.
4. Click "Identify a problem."
5. Click "I think someone may be using my account without permission."
6. Click "Unauthorized Account Activity."
Thank you for your help making a difference.
Every email counts. By forwarding a suspicious-looking email to
[email protected], you have helped keep yourself and others safe from
identity theft.
Thanks,
The PayPal Team
***********************************************************************
Please do not reply to this email. If you need to follow up, please
follow the steps above to access your account and utilize the Contact Us
resources from our site.
***********************************************************************

Baiting Guru Joined: 19 Sep 2013 Posts: 2205

Quote:

Paypal Will Always:
- Address our customers by their first and last name or business name of
their PayPal account

^^^That's the quickest way to sort them out. The "Dear Valued Customer" and "Dear Paypal Customer" are fakes. They will always include first and last name.

But its definitely a good refresher. I fell for one of these emails many, many years ago and was phished. They got about $1500 out of my account. Fortunately, it takes a couple days for a paypal to bank transfer to be completed, so I was lucky enough to realize what happened and get it stopped it in time, but it sure taught me a lesson about scams and phishing.

Posted: Sun Nov 23, 2014 5:44 pm

The website payreview.com brings back "503 web site temporarily not available.

Quote:

Domain Name:

PAYREVIEW.COM
Registry Domain ID: 1821895435_DOMAIN_COM-VRSN
Registrar WHOIS Server:

whois.annulet.com
Registrar URL: http://www.annulet.com
Updated Date: 2014-07-24
Creation Date:

2013-08-15
Registrar Registration Expiration Date: 2015-08-15
Registrar: Annulet, Inc.

(annulet.com)
Registrar IANA ID: 607
Registrar Abuse Contact Email: [email protected]
Registrar

Abuse Contact Phone: +1-781-373-6840
Registry Registrant ID:
Registrant Name: This Domain for Sale,

Toll Free: 866-822-9073 Worldwide: 339-222-5132
Registrant Organization: BuyDomains.com
Registrant

Street: 738 Main Street, #389
Registrant City: Waltham
Registrant State/Province: MA
Registrant

Postal Code: 02451
Registrant Country: USA
Registrant Phone: 866.822.9073
Registrant Phone

Ext:
Registrant Fax: +1.781.839.2801
Registrant Fax Ext:
Registrant Email:

The other one : bitcrew.com is a Godaddy website

Quote:

Domain Name: THEBITCREW.COM
Registry Domain ID: 1604602110_DOMAIN_COM-VRSN
Registrar WHOIS

Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-07-02

09:22:25
Creation Date: 2010-07-01 09:27:33
Registrar Registration Expiration Date: 2015-07-01

09:27:33
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email:

[email protected]
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status:

clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status:

Are they killable? Second one seems legit, 5 year registry.

Paypal Users–Very Well Executed Phishing Attempt: China	View next topic View previous topic