This just came in the mail (twice, at two different mailboxes; I must be a high-value target for these guys):

A classic phishing email, with one exception: it seems highly targeted at the Israeli market! (Yeah, I know, I sound a little excited, but this is the first one I ever got…) Obviously, I am not the new owner of a pair of BROWN denim jeans (eeewww!), so, being very interested in who may want my PayPal details, I did a bit of digging, which brought this up:

  1. The phishing site (the one led to by the obvious "CANCEL TRANSACTION" link) is hosted on al3abnt.com.
  2. al3abnt.com is obviously not related to PayPal, and in a very unusual turn of events it is actually registered to a person, or at least to something that may lead closer to a person than most phishing sites do (they usually use whois anonymizing).
  3. The whois registration (see below) also leads to a website on anasblog.me. This seems to be a personal blog from a local village called Salfit in Israel (I knew it reminded me of something... been around there a couple of times :-)).
  4. The blog (see screenshot below) seems pretty anti-Israeli (note the "we are with the third intifada" button in the top-left corner), thus explaining the interest in local Israeli PayPal accounts.
  5. Obviously, there's no one to send the notification to... no CERT would handle this, and the police are almost comical in the way they react to calls of this nature...
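The giveaway in point 1 is the mismatch between what the email claims to be (a PayPal notice) and where its call-to-action link actually goes. That check can be automated on the receiving side. The snippet below is an added example, not code from the original post: it pulls anchor targets out of an HTML mail body and flags any whose registrable domain is not on the brand's allow-list. The brand domain table, the `registrable_domain` heuristic and the sample email are constructed assumptions; the phishing host in the sample is a placeholder rather than the one named above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands and the registrable domains they legitimately link to.
# Constructed for this example; extend it to the brands you care about.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.il"},
}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels, or the last three for two-level
    ccTLDs such as co.il. Adequate here; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    two_level = {"co", "org", "ac", "gov", "net"}
    if len(labels) >= 3 and labels[-2] in two_level and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_brand_mismatches(html_body, brand):
    """Return the links whose host lies outside the brand's legitimate domains."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    allowed = BRAND_DOMAINS[brand]
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname
        if not host:  # mailto:, relative links, etc. carry no host to judge
            continue
        if registrable_domain(host) not in allowed:
            findings.append({"text": text, "host": host})
    return findings


def looks_like_brand_phish(html_body, brand):
    """True when the body invokes the brand by name but at least one link
    points somewhere the brand does not own: the classic phishing pattern."""
    mentions_brand = re.search(brand, html_body, re.IGNORECASE) is not None
    return mentions_brand and bool(find_brand_mismatches(html_body, brand))


# Constructed sample modelled on the message described in the post: the link
# text says "CANCEL TRANSACTION" but the href goes to a domain unrelated to
# PayPal. The host is a placeholder, not the real one from the post.
SAMPLE_EMAIL = """
<html><body>
<p>Thank you for your PayPal purchase of one pair of brown denim jeans.</p>
<p>If you did not authorise this payment,
<a href="http://phish.example/paypal/cancel.php">CANCEL TRANSACTION</a></p>
<p>Or visit <a href="https://www.paypal.com/il/help">PayPal Help</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_brand_mismatches(SAMPLE_EMAIL, "paypal"):
        print(f'"{finding["text"]}" -> {finding["host"]} (not a PayPal domain)')
    print("phish suspected:", looks_like_brand_phish(SAMPLE_EMAIL, "paypal"))
```

Run against the sample, only the "CANCEL TRANSACTION" link is reported; the genuine paypal.com help link passes. The same function works on a mail gateway or in a user-reporting workflow, and is the cheap first filter before anyone bothers with whois on the offending host.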

I’m guessing that a CERT would have done the following:

  1. Publish a warning notification naming the offending site and the email template.
  2. Coordinate the takedown of the offending site with the ISP, and work with law enforcement to apprehend the scammer (a phone number is listed in the whois information; feel free to try it out :-) ).

Be safe out there!