PayPal phishing: Alleged monthly financial reports lure victims
Phishing emails are currently managing to get past spam filters, promising a monthly financial report for PayPal.
Phisher Phritz phishes phresh phish.
(Image: Created with AI in Bing Designer by heise online / dmk)
Current PayPal phishing emails manage to bypass some spam filters. The subject is an alleged monthly report. The aim is to entice mail recipients to click on the links in the scam mail.
(Image: heise online / dmk)
The subject line of the emails is "Monthly financial overview available". They are not particularly well made: among other things, the salutation of just "Hello" without a name can make recipients sit up and take notice. However, as these emails bypass some spam filters, they potentially reach more unsuspecting victims.
Clear indications of phishing
Mail clients that clearly display sender addresses, such as Outlook Web Access, make it easy to recognize that the sender does not match PayPal: "service <admin@exper-search.com>" is not an address belonging to PayPal; it is fake (and usually has nothing to do with the exper-search.com domain). However, many mail programs show only the "service" part of the sender, making it more difficult to identify the forged sender.
Moving the mouse over the "Download now" call to action shows that the link points to "oildeparfum[.]de", a site that has obviously been taken over by cyber criminals. After clicking, you land on a Cloudflare-protected page that perfectly imitates the PayPal login. The URL you end up on, however, is "ceed-trust[.]org". This is an attempt by the masterminds to obtain access data for PayPal accounts. In the background, an attempt is apparently made to initiate a transaction with the access data, as two-factor authentication is requested, among other things.
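The two indicators described above (a sender address and link targets that do not belong to the brand named in the mail) can be checked automatically. The following Python is an added example, not part of the original article; the trusted-domain list, the sample message and the link host compromised-shop.example are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "paypal"
# Assumption: domains accepted as genuine for the brand (not from the article).
TRUSTED_DOMAINS = {"paypal.com", "paypal.de"}

# Constructed sample modelled on the article; the link host is a placeholder.
SAMPLE = """\
From: service <admin@exper-search.com>
Subject: Monthly financial overview available
Content-Type: text/html; charset=utf-8

<html><body><p>Hello,</p><p>Your PayPal monthly report is ready.</p>
<a href="https://compromised-shop.example/r">Download now</a>
<a href="https://www.paypal.com/help">Help</a></body></html>
"""

def is_trusted(host):
    """True only for a trusted domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

class LinkHosts(HTMLParser):
    """Collects the hostname of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host)

def check_message(raw):
    """Return findings for a mail that names the brand but is not from it."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # single-part mail: the payload is a string
    if BRAND not in (msg.get("Subject", "") + display + body).lower():
        return []
    findings = []
    domain = addr.rpartition("@")[2].lower()  # display name is ignored
    if not is_trusted(domain):
        findings.append(f"sender domain {domain} is not a {BRAND} domain")
    links = LinkHosts()
    links.feed(body)
    findings += [f"link points to {h}" for h in links.hosts if not is_trusted(h)]
    return findings

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE)))
```

The check only sees the first hop of a link, so a redirect from the linked host to a second domain, as in the case described here, is not followed.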
If there is any doubt about the authenticity of such emails, recipients should not click on the links in them. It is better to send the email to the spam folder, where it can be used to train the spam filters. If in doubt, users should enter the address of the specified service manually and check whether the corresponding notifications actually exist.
(dmk)