Just another Paypal phishing attempt

by Ruchira on May 21, 2013

paypal-phishWhen I was browsing through my new email account, I have saw the above email from Paypal saying my account is limited because of an identity issue? This email account is new and I didn’t used it much at all, And surprisingly this email was on my inbox not on the spam folder. I thought my Paypal account is limited and to verify that I opened up paypal.com on a new tab and logged in. And there was no limitations or whatsoever like said on the email. It didn’t took me much time to recognize that, this is indeed a phishing attempt. So this is what I found,

Real sender of the email is hon@hon.com and he/she has masked the address to intel.service@paypal.com, And returning path is also hon@hon.com. I have opened up the attachment and its a html page which looks like this 

paypal-fakeInteresting right? :) So I have looked at the source code of the html file and its encoded with javascript unescape() string. Its really a large amount of code there which froze my web browser when I tried to decode it using a web service. With the help of this online decoder I was able to decode the encrypted code and here is the interesting part,


All the other content such as css files are pulled from the real paypal.com and this is the only suspicious part on the code. That IP address belongs to a digitalocean VPS customer. These script kiddies might be signing up on digitalocean using free credits provided by them all over the internet and just abuse the service. I have informed digitalocean but that IP address is offline since I found this.

So moral of the story is that, if you receive this kind of emails asking you to login or do something by clicking the provided link, don’t ever do that. Just open up the mentioned services web site on a new browser window and check it.

I'm Ruchira Sahan and all posts on this blog are completely my thoughts and writings. I love DIY and Technology. So feel free to contact me for anything about this blog and don't forget to add a comment if this blog helped you! Thanks
View all posts by Ruchira

Last 5 posts by Ruchira

  • https://www.digitalocean.com DigitalOcean

    We immediately flag and remove abusive and fraudulent customers from using our service (such as the one you’ve mentioned in the blog post). Thanks for bringing this to our attention. We hate to see anyone get scammed. :(

    • http://www.ruchirablog.com Ruchira

      Yeah its a pain to handle abuse when you offer free credits and trials. But nice to see that you people are actively working on handling it.

Previous post:

Next post: