Tonight, I received an important email from PayPal. You know, those friendly folks who let you put lots of money in their trust - so you can pay for things online, such as on eBay, without physically handling cash.

Anyway, I was a little sceptical of this email - as I usually am. So, rather than following the link provided within the email, I opened my browser and typed in http://paypal.com.

The email claimed that on the 6th of June 2006, an unauthorized payment was made, and hence my account had been set to 'limited access'.

The short of it is this: someone sets up an email to look identical to a genuine paypal email. Using programming techniques, which I won't bore you with here, they can make it look like you're clicking a link to http://paypal.com, whereas - underneath - it is a masked website that, again, looks identical to paypal's website.

Users unwittingly type in their username & password to access their account...

Lo and behold, within hours, you will find that your real paypal account has been accessed and used to purchase lots of goodies for someone you have never met.

They've drained your paypal funds, you're left collecting the debt - and perhaps trying to convince paypal security that you did not order a stack of hotwings.

Anyhow, for those interested, this is how you confirm whether or not an email you've been sent is genuine. Normally, I tend not to share my dirty secrets - but this is one I think most people need to learn in order to protect themselves from phishers (fake emails). Phishing comes in all shapes and sizes, from fake eBay emails to fake bank account emails. Nine out of ten times, they claim to be updating their server and need you to confirm your account details by clicking this prominent link!

Just like this one, below:

As you can clearly see, the email seems to have really come from paypal; it even shows their real email address. How clever!


Once you've opened the email, you will see what, to all intents and purposes, is a genuine email from paypal. All the usual disclaimers, all the help pages, etc. In fact, truth be told, 90% of the links inside these types of emails (such as changing your profile/address/etc) are genuine. They will take you to the real place. BUT the phishers are only after one click. That's all it needs. One single click. And that's where the next step comes in...
The main object of the email is to entice you, the not-so-gullible, into clicking their easy-to-follow links. There will be some really good reasons to do this, of course, such as the threat of closing your account if you don't follow the instructions within x days, or claiming that you must follow the link in order to view an illegal transaction, things like that.


So, how did Karl realise this was fake? Simple. Three factors come into play. 1) Karl is not usually fooled by phishers (though I do admit I was taken in by the lottery win scam). I've seen loads of these, and credit where it's due, they're getting more and more subtle in their mechanisms. Intuition plays a part in recognising a phishy email.


2) I checked the source code (the engineering behind the fancy stuff that is presented on screen). It takes a bit of getting used to, but look out for a piece of text close to where the 'all important' link is. For example, I looked for "Click here to remove limitations". Once I'd found the code surrounding it, as you'll see from the image for yourself, I discovered the link would actually take me to a server bearing no resemblance to http://paypal.com.
This is the most important thing about the phishing attempt against you. You now know the REAL location of the fraudster/s. This enables you to copy it down (copy & paste function) when emailing the real paypal team who specialize in fraud efforts.
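The check described above (does the link really go where its visible text says?) can be automated. This is an added example, not code from the post; the sample email is constructed, with the phishing host replaced by a placeholder under the reserved .invalid domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Records every <a href> together with the text the reader actually sees."""

    def __init__(self):
        super().__init__()
        self.links = []          # (href, visible text)
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list offline)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def off_domain_links(html, trusted_domain="paypal.com"):
    """Return (visible text, href, reason) for every link leaving the trusted domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if registrable_domain(urlparse(href).hostname or "") == trusted_domain:
            continue             # genuine, like most of the links in these emails
        reason = ("visible text claims the trusted domain"
                  if trusted_domain in text.lower() else "points off-domain")
        findings.append((text, href, reason))
    return findings


# Constructed sample: one genuine help link and the 'all important' link, which is not.
SAMPLE_EMAIL = """
<p>See the <a href="https://www.paypal.com/help">Help Center</a>.</p>
<p><a href="http://phish.example.invalid/webscr">https://www.paypal.com/cgi-bin/webscr</a>
<a href="http://phish.example.invalid/webscr">Click here to remove limitations</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in off_domain_links(SAMPLE_EMAIL):
        print(f"{reason}: {text!r} -> {href}")
```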


You can also check the 'headers' of the email. Select the email from your list and right click. From the menu, select "OPTIONS". In a fresh window, you will see a whole load of weird characters and such. Although it looks like junk, this is very important information. It tells you where the email really came from, the real return addresses (instead of the faked/forged ones) and such like. Often, the information includes a special key that was stamped onto the email by the ISP of the offending phisher. This is great if you forward the email (having copied the header information into it) to abuse@their-isp.com.
As an example, here's what was listed in the headers of the email I received. (I edited my email and my smtp information out.)

X-Symantec-TimeoutProtection: 0
Return-Path: <root@xserve1.fromthetop.org>
Delivered-To: karls@email.com
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (karls.smtp.info [123.123.123.123])
by karls.smtp.info (Postfix) with SMTP id 02B8F168025
for ; Thu, 8 Jun 2006 23:17:13 +0100 (BST)
Received: from xserve1.fromthetop.org (dsl092-085-106.bos1.dsl.speakeasy.net [66.92.85.106])
by karls.smtp.info (Postfix) with ESMTP id 8FDE216802D
for ; Thu, 8 Jun 2006 23:17:12 +0100 (BST)
Received: by xserve1.fromthetop.org (Postfix, from userid 0)
id 1033A52574F; Thu, 8 Jun 2006 18:17:08 -0400 (EDT)

From: Paypal Team
MIME-Version: 1.0 Content-Type: text/html\r\n
Content-Type: text/html
Content-Transfer-Encoding: 8bit\r\n
Subject: Security Center Advisory
Message-Id: <20060608221708.1033A52574F@xserve1.fromthetop.org>
Date: Thu, 8 Jun 2006 18:17:08 -0400 (EDT)
To: undisclosed-recipients: ;
X-Original-To: karls@email.com
X-NAS-Language: English
X-NAS-Bayes: #0: 1.89882E-254; #1: 1
X-NAS-Classification: 0
X-NAS-MessageID: 1206
X-NAS-Validation: {5EE55431-103C-4422-9DFE-A193215F02A0}
To help you see clearly, I've put the phishers' "real" details in bold; the forgery attempts are in italic, and anything else is standard to any email sent by their [the phisher's] ISP (i.e. unformatted). Hopefully this will make it easier to read.
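The header walk described above, done in code: find the hop where the message first touched the network (working from the oldest Received line upwards), then compare the name the sender claimed with the reverse DNS the receiving server recorded, and the Return-Path domain with the brand the email claims to be from. This is an added example, not code from the post; the sample reuses the post's own headers, trimmed to the relevant lines and with continuation-line folding restored.

```python
import email
import re
from email.utils import parseaddr

# "from <helo-name> (<reverse-dns> [<ip>])" as Postfix and most MTAs write it
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def originating_hop(received_headers):
    """Walk Received headers oldest-first and return the first external hop.
    'Received: by host (Postfix, from userid 0)' has no 'from' clause: the mail
    was injected locally there, so the next header up is its first network hop."""
    for header in reversed(received_headers):
        m = HOP_RE.search(" ".join(header.split()))
        if m:
            helo, rdns, ip = m.groups()
            return {"helo": helo, "rdns": rdns, "ip": ip}
    return None


def analyze_headers(raw_message, expected_domain="paypal.com"):
    """Return the originating hop plus a list of reasons to distrust the sender."""
    msg = email.message_from_string(raw_message)
    hop = originating_hop(msg.get_all("Received", []))
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    rp_domain = return_path.rsplit("@", 1)[-1] if "@" in return_path else ""
    flags = []
    if hop and hop["helo"].lower() != hop["rdns"].lower():
        flags.append("HELO name does not match reverse DNS of the connecting IP")
    if rp_domain and rp_domain != expected_domain and not rp_domain.endswith("." + expected_domain):
        flags.append(f"Return-Path domain {rp_domain} is not under {expected_domain}")
    return {"hop": hop, "return_path_domain": rp_domain, "flags": flags}


# Headers from the post above (recipient address was edited out there as well)
SAMPLE_HEADERS = """\
Return-Path: <root@xserve1.fromthetop.org>
Received: from xserve1.fromthetop.org (dsl092-085-106.bos1.dsl.speakeasy.net [66.92.85.106])
    by karls.smtp.info (Postfix) with ESMTP id 8FDE216802D
    for ; Thu, 8 Jun 2006 23:17:12 +0100 (BST)
Received: by xserve1.fromthetop.org (Postfix, from userid 0)
    id 1033A52574F; Thu, 8 Jun 2006 18:17:08 -0400 (EDT)
From: Paypal Team
Subject: Security Center Advisory

"""

if __name__ == "__main__":
    report = analyze_headers(SAMPLE_HEADERS)
    print(report["hop"], *report["flags"], sep="\n")
```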


I checked out the URL as just a domain (i.e. just the first part of the address, not all of it) and it shows clearly, above, that the server has no purpose aside from collecting genuine paypal account details from gullible people.

If anyone ever receives emails like this, do NOT follow ANY of the links from inside the email. Even if you're 99.9% certain it is not a fake, just spend the extra five seconds to open a new browser window, type in the bank/paypal/etc's real domain (e.g. http://paypal.com / http://your.bank.com) and then go to your account from there.

Following links from within an email is as good as handing someone your credit card & PIN. So - Don't Do It!


So, what can we do about this?

Two things.

#1 Because we looked at the headers, we now have the ISP that allows the phisher to connect to the Internet. This means we can email the ISP's 'abuse' department with a copy of the email AND the header information (copy & paste it). In this case, the IP address and the ISP revealed (as above) are: "dsl092-085-106.bos1.dsl.speakeasy.net [66.92.85.106]". Now we have an IP address and an ISP. The vast majority of the time, it will be one of the following:

Personally, I tend to send the email (using cc) to all of them...just in case.

#2 Send the same email (using cc) to your bank, or paypal, or whatever.