Local PayPal Phishing – and why we need a CERT

This just came in the mail: (twice – at two different mailboxes – I must be a high value target for these guys)

A classic phishing email, with the only exception that it seems highly targeted at the Israeli market! (yeah – I know, I sound a little excited, but this is the first one I ever got…). Obviously, I am not the new owner of a BROWN denim jeans (eeewww!), so as I am very interested in who may want my PayPal details, a bit of digging brought this up:


  1. The phishing site (the one led to by the obvious “CANCEL TRANSACTION” link) is hosted on al3abnt.com.
  2. al3abnt.com is obviously not related to PayPal, and in a very unusual turn of events it is actually registered to a person, or at least something that may lead closer to a person than most phishing sites (that use whois anonymizing).
  3. The Whois registration (see below) also leads to a website on anasblog.me. This seems a personal blog from a local village called Salfit in Israel (I knew it reminded me of something… been around there a couple of times :-)).

  5. The blog (see screenshot below) seems pretty anti-Israeli (note the “we are with the third intifada” button on the top-left corner) – thus explaining the interest in local Israeli PayPal accounts.
  6. Obviously – there’s no-one to send the notification to… no CERT would handle this, and the police is almost comical in the way they reacted to calls of this nature…

I’m guessing that a CERT would have done the following:

  1. Publish a warning notification on the offending site, and the email template.
  2. Coordinate with ISP the takedown of the offending site and law-enforcement work to apprehend the scammer (A phone number is listed on the whois information – feel free to try it out 馃檪 ).

Be safe out there!

7 thoughts on “Local PayPal Phishing – and why we need a CERT

    1. Got to love it how the spammers are posting comments on posts that cover their wrong-doings.
      I must be doing _something_ right 馃檪

    2. And yes – my last comment was in relation to the fact that our little spammer changed his domain to redirect to 4chan. Classy.

  1. 诇讗 讛讘谞转讬, 讛讜讚注转 诇诪砖讟专讛 讜讛诐 诇讗 注砖讜 讻诇讜诐?

    1. 讘讚讬讜拽. 讗谞讬 诇讗 讘讟讜讞 砖讛诐 讘讻诇诇 讛讘讬谞讜 诪讛 讗谞讬 专讜爪讛 诪讛诐. 讘讟讞 讞讝专讜 诇讟驻诇 讘驻砖注讬诐 讞诪讜专讬诐 讬讜转专 讻诪讜 谞讛讙讬诐 砖注讘专讜 讗转 讛-90 拽诪”砖 讘讻讘讬砖 2…

  2. The first thing is to always report phishing sites to the party (in this case paypal) that is being spoofed. Most large financial institutions have relationships with companies like RSA/Cyota, a competitor, or some branch of law enforcement that helps them take this down. I can tell you from personal experience that Cyota is very good and very fast.

    Paypal website to report phishing sites:

Leave a Reply