There’s a new phishing approach in town!
- Published July 5th, 2008 in Web
It's impressive how phishers have constantly been evolving their tools and approaches to scam people.
Usually, they resort to replicating a page of a bank, PayPal, or whatever, and put it on a different URL. People are led to believe that they're actually logging in to the target website, and the attackers capture their authentication information.
This can be easily overcome with a little precaution: make sure you're buying the milk from the milkman, i.e., make sure you're logging on to the right website.
The newest approach, which I've just witnessed in the form of an assault on my email inbox, goes a little further in order to defeat the caution one might use to unveil the scam: it exploits the original website to the attacker's benefit.
In this case, I received an email claiming to be from Paypal that said my account had limited access and I had to log in. I suspected it was a scam attempt but, nonetheless, checked the URL. Guess what? It started with https://www.paypal.com. It was even served over an SSL-encrypted HTTPS connection. What could it be?
Now, if you've used Paypal before, you'll have noticed that many redirects occur between the sign-in and landing pages and also from external websites. They could have taken two approaches to pass the landing page around: by means of a cookie, or by passing it directly in the URI. They took the second option. What happened was that the attacker simply replaced the redirect parameter with his own target website, misleading people into believing that everything should be fine.
The URL looks like this (if you haven't read the whole post, please realize that this URL is a phishing attempt! Be careful).
https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssr&return=http%3A%2F%2Fpaypal-us.6s.pl/?cgi-bin.webscrcmd=_login-run.webscrcmd=_account-run.CaseIDNumberPP-046-631-789
As one can see, Paypal will freely redirect to whatever website is given in the return parameter, including the attacker's.
Be careful.
Update - Phishing, of course. Typo fixed.
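As an added example, not code from the post or from PayPal, here is how a site can validate a redirect target such as the return parameter above against its own hosts before honouring it; the allow-list and function names are assumptions, and the legitimate URL is constructed for the example.

```python
# Added example, not code from the post or from PayPal: validate a "return"
# parameter against the site's own hosts before honouring a redirect, so the
# open redirect described in the post cannot hand a victim off to a phisher.
from urllib.parse import parse_qs, urlparse

# Hosts this site may redirect to. The list is an assumption for the example;
# a real deployment maintains its own.
ALLOWED_HOSTS = {"www.paypal.com", "paypal.com"}


def is_safe_return_url(target: str) -> bool:
    """True only for a same-site relative path or an https URL whose exact
    host is on ALLOWED_HOSTS. Everything else (other schemes, other hosts,
    look-alike hosts, userinfo tricks) is rejected."""
    if not target:
        return False
    # Browsers treat "\" like "/", so "/\evil.example" would become a
    # protocol-relative "//evil.example" redirect. Normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlparse(target)
    if not parts.scheme and not parts.netloc:
        # A plain path such as "/cgi-bin/webscr?cmd=_account-run".
        # "//evil.example" never reaches here: urlparse gives it a netloc.
        return target.startswith("/")
    if parts.scheme != "https":
        return False
    # .hostname drops userinfo ("https://www.paypal.com@evil.example") and the
    # port, and lowercases. Compare exact membership, never prefix/substring,
    # so "www.paypal.com.evil.example" fails too.
    return parts.hostname in ALLOWED_HOSTS


def check_landing_redirect(url: str) -> tuple:
    """Extract the "return" parameter from a landing-page URL and decide whether
    the redirect should be honoured. Returns (return_value, allowed)."""
    query = parse_qs(urlparse(url).query)
    ret = query.get("return", [""])[0]   # parse_qs already percent-decodes
    return ret, is_safe_return_url(ret)


# The phishing URL quoted in the post, and a legitimate same-site counterpart
# (constructed for this example).
PHISHING_URL = ("https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssr"
                "&return=http%3A%2F%2Fpaypal-us.6s.pl/?cgi-bin.webscrcmd=_login-run"
                ".webscrcmd=_account-run.CaseIDNumberPP-046-631-789")
LEGIT_URL = ("https://www.paypal.com/cgi-bin/webscr?cmd=_ssr"
             "&return=https%3A%2F%2Fwww.paypal.com%2Fcgi-bin%2Fwebscr%3Fcmd%3D_account-run")
```

Running check_landing_redirect on PHISHING_URL rejects the http://paypal-us.6s.pl/ target, while LEGIT_URL is allowed.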
phishing?
Never click inside an email, type it in yourself.
wow! screw paypal for their design!!
that is some serious sloppiness from paypal. i mean, it's not exactly the first time their clients have been targeted by phishers…
rather cynical is that when you do a search for a part of the redirect url, the 2nd + 3rd results are pages from paypal about identity theft, credit card fraud, etc B)
http://www.google.com/search?num=100&hl=en&safe=off&rls=GGGL%2CGGGL%3A2006-19%2CGGGL%3Aen&q=inurl%3A%2Fcgi-bin%2Fwebscr&btnG=Search
I wonder how PayPal can get around this. Perhaps by authenticating the URL? Matching a registered PayPal user with the returning website?
While the phisher moved on and that page no longer redirects to their site, the fact that paypal does not check the return variable is not only scary but extremely amateur. But from a company that leaves the entire non-US population out cold for 10+ days, it is not surprising.
Wow! To think of PayPal not having proper security measures in place to handle such redirects is quite surprising.
I recently got this exact phishing attempt. 2 things you should always do:
(1) CHECK THE EMAIL HEADERS! If things seem fishy there… it's a good clue, eh?
(2) Login to the site in question *directly* on your own (don’t click the link) to see if there is any of the stuff mentioned in the email.
That particular attempt was quite convincing and had me checking my paypal account to be sure. Seems to me that Paypal needs to fix its redirecting a bit, eh?
PayPal’s attraction for scammers and phishers has always been a reason I avoid it. And ebay. And escrow (to this day, “you can put it in escrow” is used as a joke response to somebody asking for a solution to a cumbersome problem of no consequence to anybody).
This is nothing new. I've seen this ages ago. I also did url redirection like paypal did and learned quickly the flaw in not checking the url that the site should redirect to. So to all developers ALWAYS check your input!!
It is called “phishing”, not “phising”
That’s a pretty serious oversight on PayPal’s part. A lot of sites are vulnerable like this, but the fact that it is PayPal is pretty astonishing. It cannot be overstated how disastrous an oversight this is on their part.
This is why I have NEVER followed links from emails unless I am sure it’s from the intended sender. 99% I will just go to the main url, in this example paypal.com and login.
Granted, some sites that use verification emails when you sign up for them will have you click on a link to verify, but they will also have a manual way for you to enter that info as well.
People just need to use some common sense. Scams are everywhere, not just the guy on the street corner selling "rolex" watches out of his trenchcoat.
Good eye! Those are the tiny little things that are hard to spot.
Thanks for the post
It’s easy to see how someone could be fooled by this. Fortunately, it’s already blacklisted so Firefox 3 will render a warning.
Well, Firefox 3 reports the link as a Web Forgery…
Have you reported this to paypal (if possible) ?
I receive emails like this a lot, but the one thing that I spot before even checking the url is the greeting of the email.
An official Paypal email will always be addressed to the name on your Paypal account. The spam emails usually say “Dear Paypal User” or something similar.
Reported to PayPal. Fixed.