The phishing email
The email header
Delivered-To: firstname.lastname@example.org
Received: by 10.202.71.131 with SMTP id u125csp1210882oia;
        Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
X-Received: by 10.28.45.69 with SMTP id t66mr661693wmt.41.1469791950832;
        Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
Return-Path: <email@example.com>
Received: from mailGW-1.gdn-superhost.pl (mailGW-1.gdn-superhost.pl. [184.108.40.206])
        by mx.google.com with ESMTP id v66si3080759wmf.69.2016.07.29.04.32.30
        for <firstname.lastname@example.org>;
        Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of email@example.com designates 220.127.116.11 as permitted sender) client-ip=18.104.22.168;
Authentication-Results: mx.google.com;
        spf=pass (google.com: best guess record for domain of firstname.lastname@example.org designates 22.214.171.124 as permitted sender) email@example.com
Received: by mailGW-1.gdn-superhost.pl (Postfix, from userid 500)
        id 77A34104353; Fri, 29 Jul 2016 13:32:30 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mailGW-1.gdn-superhost.pl
X-Spam-Level:
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,HTML_FONT_SIZE_HUGE,
        HTML_MESSAGE,MIME_HTML_ONLY,NO_RELAYS,URIBL_BLOCKED autolearn=no version=3.3.2
X-Spam-Languages: en
Received: by atena21.gdn-superhost.pl (Postfix, from userid 35301)
        id 8681717C0278; Fri, 29 Jul 2016 13:32:23 +0200 (CEST)
To: firstname.lastname@example.org
Subject: Unusual activity in your account
X-PHP-Script: andrea.lattari.eu/modules/blog/ml.php for 126.96.36.199
From: Security Team <email@example.com>
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <20160729113223.8681717C0278@atena21.gdn-superhost.pl>
Date: Fri, 29 Jul 2016 13:32:23 +0200 (CEST)
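An added example, not part of the original post: a short Python triage of the header above, run over a subset of its lines with the addresses as they appear on the page. It extracts what a responder would check first (the sending PHP script, the local Postfix submission in the earliest hop, and the "best guess" SPF result); the function and key names are assumptions.

```python
import re
from email import message_from_string

# Subset of the header shown above; addresses are as they appear on the page.
RAW = """\
Return-Path: <email@example.com>
Received: from mailGW-1.gdn-superhost.pl (mailGW-1.gdn-superhost.pl. [184.108.40.206])
        by mx.google.com with ESMTP id v66si3080759wmf.69.2016.07.29.04.32.30
        for <firstname.lastname@example.org>;
        Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of email@example.com designates 220.127.116.11 as permitted sender) client-ip=18.104.22.168;
Received: by atena21.gdn-superhost.pl (Postfix, from userid 35301)
        id 8681717C0278; Fri, 29 Jul 2016 13:32:23 +0200 (CEST)
Subject: Unusual activity in your account
X-PHP-Script: andrea.lattari.eu/modules/blog/ml.php for 126.96.36.199
From: Security Team <email@example.com>
Content-Type: text/html

"""

def triage(raw):
    """Return the header facts that point to a script-generated mail."""
    msg = message_from_string(raw)
    out = {}

    # PHP's mail() adds X-PHP-Script ("<host/path> for <client ip>") when
    # mail.add_x_header is on: it names the script that sent the message.
    m = re.match(r"(\S+) for (\S+)", msg.get("X-PHP-Script", ""))
    out["php_script"] = m.group(1) if m else None
    out["php_client_ip"] = m.group(2) if m else None

    # Received headers are prepended, so the last one is the first hop.
    hops = msg.get_all("Received", [])
    out["hop_count"] = len(hops)
    m = re.search(r"\(Postfix, from userid (\d+)\)", hops[-1]) if hops else None
    # "from userid N" = submitted locally by a Unix account, not over SMTP.
    out["local_submit_uid"] = m.group(1) if m else None

    # "best guess record": the sender domain published no SPF record, so
    # this "pass" says little about whether the sender is legitimate.
    spf = msg.get("Received-SPF", "")
    out["spf_result"] = spf.split()[0] if spf else None
    out["spf_best_guess"] = "best guess record" in spf

    out["html_only"] = msg.get_content_type() == "text/html" and not msg.is_multipart()
    return out

if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```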
The phishing PayPal site
Without HTTPS, of course; my Firefox shows that it is hosted in Germany
The phishing IP information
The phishing site registration information
Trying to log in to the phishing site
Login failed. However, the “My PayPal” and “Log out” buttons at the top right corner don’t work
After you press the Continue button, it brings you to a page to update your credit/debit card
The phisher wants all your information; you have to add a billing address to get to the next step
The billing address page
The phisher then asks for your remaining information
Congratulations! You have submitted all the necessary information to the phisher
Finally, the phisher will bring you back to the real PayPal website.
The design and quality of the phishing campaign website are good. The phisher is looking for high-quality data: there are many fields with validation, and the data collection flow is nice.
Avoiding this kind of phishing email is easy: the website has no HTTPS, and the domain name is very easy to identify.