This just came in the mail: (twice – at two different mailboxes – I must be a high value target for these guys)
A classic phishing email, with the one difference that it seems highly targeted at the Israeli market! (yeah – I know, I sound a little excited, but this is the first one I ever got…). Obviously, I am not the new owner of BROWN denim jeans (eeewww!), and since I was very interested in who might want my PayPal details, a bit of digging turned up the following:
- The phishing site (the one led to by the obvious “CANCEL TRANSACTION” link) is hosted on al3abnt.com.
- al3abnt.com is obviously not related to PayPal, and in a very unusual turn of events it is actually registered to a person, or at least to something that leads closer to a person than most phishing sites do (they usually hide behind WHOIS anonymization).
- The WHOIS registration (see below) also leads to a website on anasblog.me. This appears to be a personal blog from a local village called Salfit in Israel (I knew it reminded me of something… been around there a couple of times :-)).
- The blog (see screenshot below) seems pretty anti-Israeli (note the “we are with the third intifada” button on the top-left corner) – thus explaining the interest in local Israeli PayPal accounts.
- Obviously – there’s no-one to send the notification to… no CERT would handle this, and the police are almost comical in how they react to calls of this nature…
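The first finding above (the “CANCEL TRANSACTION” link pointing at al3abnt.com rather than anywhere near PayPal) is exactly the check worth automating when a brand-themed mail lands in your inbox. Below is an added example, not code from this post: it parses the HTML body of a suspect email, pulls out every link, and flags those whose registrable domain is not one of the brand’s own. The sample email body is constructed for this example; al3abnt.com is the host named in the post, while `example-lookalike.test` and the link paths are made-up values. The list of legitimate domains is an assumption for the example.

```python
"""Triage a suspected brand-phishing email: extract every link from the HTML
body and flag those whose registrable domain is not one the brand owns."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the brand's legitimate registrable domains.
# A real tool would take this from the brand's published link/sender policy.
LEGIT_DOMAINS = {"paypal.com"}
BRAND_KEYWORD = "paypal"

# Constructed sample body, modelled on the mail described in the post.
# al3abnt.com is the host from the post; the lookalike host and all paths are made up.
SAMPLE_HTML = """
<html><body>
<p>You have successfully paid for: BROWN denim jeans</p>
<p>If you did not authorize this payment, click here:
<a href="http://al3abnt.com/example-path/">CANCEL TRANSACTION</a></p>
<p>Or review it on <a href="https://paypal.com.example-lookalike.test/">www.paypal.com</a></p>
<p>Help: <a href="https://www.paypal.com/">PayPal Help Center</a></p>
<p><a href="mailto:service@paypal.com">Contact us</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Adequate for .com/.me; a production tool should
    consult the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def triage_links(html: str, legit_domains=LEGIT_DOMAINS):
    """Return one finding per web link: host, registrable domain, verdict, reason."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, tel:, in-page anchors are not landing pages
        host = parsed.hostname
        domain = registrable_domain(host)
        if domain in legit_domains:
            verdict, reason = "ok", "registrable domain is owned by the brand"
        elif BRAND_KEYWORD in host.lower() or BRAND_KEYWORD in text.lower():
            # Brand name in the host (as a subdomain) or in the link text,
            # but the part that is actually registered belongs to someone else.
            verdict, reason = "suspicious", f"imitates the brand but is registered under {domain}"
        else:
            verdict, reason = "suspicious", f"brand-themed mail links to unrelated domain {domain}"
        findings.append({"href": href, "text": text, "host": host,
                         "domain": domain, "verdict": verdict, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage_links(SAMPLE_HTML):
        print(f"[{f['verdict']:10}] {f['text']!r:28} -> {f['host']}  ({f['reason']})")
```

Running it on the sample prints one “ok” line for the real www.paypal.com link and two “suspicious” lines: the al3abnt.com cancel link and the lookalike whose hostname merely starts with `paypal.com.`. Only the registrable domain (the part a WHOIS lookup, as in the post, would resolve to an owner) counts; a brand name used as a subdomain or as link text proves nothing.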
I’m guessing that a CERT would have done the following:
- Publish a warning notification on the offending site, and the email template.
- Coordinate the takedown of the offending site with the ISP, and work with law enforcement to apprehend the scammer (a phone number is listed in the whois information – feel free to try it out 🙂 ).
Be safe out there!