Hot on the heels of the Posten package delivery phish, I received an e-mail from what appeared to be PayPal. Here is the e-mail:

[Image: PayPal Phish]

In the previous post about the package delivery scam, I listed three of the most prominent indicators that an e-mail is not legitimate:

  • Bad grammar, weird language and similar issues.
  • The sender’s e-mail address doesn’t match what you’d expect.
  • The links in the e-mail don’t take you to the sites you’d expect.

Looking at the e-mail from “PayPal”, we can see that it meets all three criteria. The Norwegian grammar and language are terrible, the sender’s e-mail address doesn’t make any sense at all, and it’s obvious that the link in the e-mail won’t take you to PayPal’s site.
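The second and third indicators can be checked mechanically. The sketch below is an added example, not part of the original post: it parses a constructed sample message and flags a sender whose display name claims PayPal while the address lives elsewhere, and links whose host is not under paypal.com. The sample e-mail, the function names and the default brand and domain values are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message, not the e-mail from the post; every name in it is made up.
SAMPLE = """\
From: "PayPal" <service@billing-update.example>
Subject: Oppdater kontoen din
Content-Type: text/html; charset="utf-8"

<a href="http://login.example.net/paypal.com/signin">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com/no/help">Hjelp</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, domain):
    # Exact domain or a true subdomain; "paypal.com.example.net" does not pass.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw, brand="paypal", domain="paypal.com"):  # defaults are assumptions
    msg, findings, parser = message_from_string(raw), [], LinkCollector()
    name, addr = parseaddr(msg.get("From", ""))
    if brand in name.lower() and not in_domain(addr.rpartition("@")[2], domain):
        findings.append(f"sender: {name!r} mails from {addr}")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in parser.links:
        host = urlsplit(href).hostname
        if host and not in_domain(host, domain):
            findings.append(f"link: {text!r} goes to {host}")
    return findings
```

Matching on the host suffix rather than looking for the word “paypal” anywhere in the URL matters here: the first sample link carries “paypal.com” in its path and its visible text, yet its host is unrelated.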

Like the package delivery e-mail, this is also a credit card information phish, sprinkled with an attempt to collect the victim’s PayPal credentials.

Password, Please

Clicking on the link will take the victim to a webpage that appears to be the PayPal login form.

[Image: PayPal Phish]

As fraudulent webpages go, this one isn’t half bad; it certainly looks like the PayPal login form. The scammers have even been so rude as to embed the PayPal logo from PayPal’s own site.

But there are some clear signs that this is not the actual PayPal login form. First of all, the URL in the address bar doesn’t even contain the word “PayPal”, which should make most people at least a bit suspicious. Secondly, the scammer forgot to translate the word “Or” in the form to Norwegian, and the “Melde deg på” label on the bottommost button sounds off [1]. On the actual Norwegian language version of the PayPal site, the text is “Opprett konto”, which would translate to “Create account” in English. The third indicator that this is not the actual PayPal site is that none of the links on the page work.

Credit Card and OTP

The next step for the scammers is to get the victim to provide their credit card information. After the victim has “logged in”, they are redirected to this webpage:

[Image: PayPal Phish]

This part of the phish is pretty convincing. The visual representation of the credit card on the bottom of the form will update itself when the victim enters information, and will correctly identify the credit card brand, and change the look and feel accordingly.

When the victim has entered their credit card information - and their phone number for good measure - they are redirected to a webpage where they have to enter a one-time password that has supposedly been sent to their mobile phone.

[Image: PayPal Phish]

This webpage is less convincing, but at this point the scammers have what they were after anyway: The victim’s PayPal credentials and credit card information.

PayPal Has a Phishing Problem

It shouldn’t be that hard for a fairly experienced citizen of the internet to recognize that the e-mail is a scam. There are also a number of clues on all the webpages the phish uses that something is, shall we say, fishy.

As a rule of thumb, companies shouldn’t send their users and customers e-mails that ask them to update information like credit card details. If they do, at least those e-mails shouldn’t contain links to any webpage, but instead tell the user how they should proceed.

But in PayPal’s case, they are constantly shooting themselves in the foot. PayPal regularly sends out an e-mail telling their users to verify their PayPal activity. This e-mail contains a link to PayPal. Recently, PayPal also sent out an e-mail to their users asking them to update their phone number. That e-mail contained a link to a login form that looks pretty much like the form used by the phish we’ve just dissected.

By doing this, PayPal is teaching their users that they will receive regular e-mails with links. This makes PayPal a very convenient target for phishing attacks since their users are used to getting e-mails from PayPal with links to a login form.

Stop it, PayPal. It’s dumb.


  1. It’s interesting to note that Google Translate claims that the phrase “Sign up” translates to “Melde deg på”. At best, I’d translate it to “Meld deg på” (notice the missing “e” in the first word), but the text still doesn’t make much sense in the context it’s used in. So, it looks like the scammers used Google Translate to create their Norwegian version of the PayPal login form.