Local PayPal Phishing – and why we need a CERT

This just came in the mail: (twice – at two different mailboxes – I must be a high value target for these guys)

A classic phishing email, except that it seems highly targeted at the Israeli market! (yeah – I know, I sound a little excited, but this is the first one I ever got…). Obviously, I am not the new owner of BROWN denim jeans (eeewww!), so as I am very interested in who may want my PayPal details, a bit of digging brought this up:


  1. The phishing site (the one led to by the obvious “CANCEL TRANSACTION” link) is hosted on al3abnt.com.
  2. al3abnt.com is obviously not related to PayPal, and in a very unusual turn of events it is actually registered to a person, or at least something that may lead closer to a person than most phishing sites (that use whois anonymizing).
  3. The Whois registration (see below) also leads to a website on anasblog.me. This seems to be a personal blog from a local village called Salfit in Israel (I knew it reminded me of something… been around there a couple of times :-)).
  4. The blog (see screenshot below) seems pretty anti-Israeli (note the “we are with the third intifada” button on the top-left corner) – thus explaining the interest in local Israeli PayPal accounts.
  5. Obviously – there’s no-one to send the notification to… no CERT would handle this, and the police are almost comical in the way they react to calls of this nature…
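The first step of the digging above (following the “CANCEL TRANSACTION” link and noticing it lands on al3abnt.com rather than anywhere PayPal owns) is easy to automate for triage. The script below is an added example, not part of the original post: it parses a constructed HTML mail modelled on the one described, pulls every link target, and flags hosts whose registrable domain is not one of the brand's own (the `BRAND_DOMAINS` set is an assumption), giving you the list of hosts to report to the spoofed party and the hosting ISP.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the mail described above: a fake PayPal
# receipt whose "CANCEL TRANSACTION" link leads to al3abnt.com.
SAMPLE_MAIL = """\
From: "PayPal" <service@paypal.com>
To: victim@example.invalid
Subject: Receipt for your payment - Brown Denim Jeans
Content-Type: text/html; charset=utf-8

<html><body>
<p>You sent a payment of 89.00 USD for Brown Denim Jeans.</p>
<p>Not you? <a href="http://al3abnt.com/paypal/cancel.php">CANCEL TRANSACTION</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""

# Domains the spoofed brand legitimately uses (an assumption for this example).
BRAND_DOMAINS = {"paypal.com"}

class LinkCollector(HTMLParser):
    # Gathers every href from <a> tags in the HTML body.
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def registrable_domain(host):
    # Naive eTLD+1 (last two labels); good enough for .com-style hosts.
    return ".".join(host.lower().split(".")[-2:])

def suspicious_hosts(raw_mail, brand_domains=BRAND_DOMAINS):
    # Returns the hosts of links that do not belong to the brand the mail claims
    # to come from; these are what you report to the spoofed party and the ISP.
    msg = email.message_from_string(raw_mail, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)
    flagged = set()
    for link in collector.links:
        host = urlparse(link).hostname
        if host and registrable_domain(host) not in brand_domains:
            flagged.add(host)
    return sorted(flagged)
```

The two-label domain check is deliberately naive; for real triage use a public-suffix list so that hosts under country-code second-level domains (such as .co.il) are grouped correctly.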

I’m guessing that a CERT would have done the following:

  1. Publish a warning notification on the offending site, and the email template.
  2. Coordinate with the ISP to take down the offending site, and work with law enforcement to apprehend the scammer (a phone number is listed in the whois information – feel free to try it out 🙂 ).

Be safe out there!

7 thoughts on “Local PayPal Phishing – and why we need a CERT”

    1. Got to love it how the spammers are posting comments on posts that cover their wrong-doings.
      I must be doing _something_ right 🙂

    2. And yes – my last comment was in relation to the fact that our little spammer changed his domain to redirect to 4chan. Classy.

    1. Exactly. I’m not sure they even understood what I wanted from them. They probably went back to dealing with more serious crimes, like drivers doing over 90 km/h on Route 2…

  1. The first thing is to always report phishing sites to the party (in this case paypal) that is being spoofed. Most large financial institutions have relationships with companies like RSA/Cyota, a competitor, or some branch of law enforcement that helps them take this down. I can tell you from personal experience that Cyota is very good and very fast.

    Paypal website to report phishing sites:
    https://www.paypal.com/fightphishing
