The phishing email

The email header

Delivered-To: xxx@gmail.com
Received: by 10.202.71.131 with SMTP id u125csp1210882oia;
 Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
X-Received: by 10.28.45.69 with SMTP id t66mr661693wmt.41.1469791950832;
 Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
Return-Path: <sh198725@atena21.gdn-superhost.pl>
Received: from mailGW-1.gdn-superhost.pl (mailGW-1.gdn-superhost.pl. [178.250.47.101])
 by mx.google.com with ESMTP id v66si3080759wmf.69.2016.07.29.04.32.30
 for <xxx@gmail.com>;
 Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of sh198725@atena21.gdn-superhost.pl designates 178.250.47.101 as permitted sender) client-ip=178.250.47.101;
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of sh198725@atena21.gdn-superhost.pl designates 178.250.47.101 as permitted sender) smtp.mailfrom=sh198725@atena21.gdn-superhost.pl
Received: by mailGW-1.gdn-superhost.pl (Postfix, from userid 500)
 id 77A34104353; Fri, 29 Jul 2016 13:32:30 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
 mailGW-1.gdn-superhost.pl
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,HTML_FONT_SIZE_HUGE,
 HTML_MESSAGE,MIME_HTML_ONLY,NO_RELAYS,URIBL_BLOCKED autolearn=no version=3.3.2
X-Spam-Languages: en
Received: by atena21.gdn-superhost.pl (Postfix, from userid 35301)
 id 8681717C0278; Fri, 29 Jul 2016 13:32:23 +0200 (CEST)
To: xxx@gmail.com
Subject: Unusual activity in your account
X-PHP-Script: andrea.lattari.eu/modules/blog/ml.php for 197.3.225.82
From: Security Team <ppl@jacob-broom.dreamhost.com>
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <20160729113223.8681717C0278@atena21.gdn-superhost.pl>
Date: Fri, 29 Jul 2016 13:32:23 +0200 (CEST)
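As an added illustration (not part of the original post), the Python script below applies to a trimmed copy of this header the checks that make it suspicious: the visible From domain differs from the envelope sender in Return-Path, only SPF was evaluated (and against a "best guess" record, not a published one) with no DKIM or DMARC result, the X-PHP-Script header shows the mail came from a web script, and the body is HTML only.

```python
import email
from email import policy
from email.utils import parseaddr

# Trimmed copy of the header block shown above (body omitted).
RAW_HEADERS = """Delivered-To: xxx@gmail.com
Return-Path: <sh198725@atena21.gdn-superhost.pl>
Received-SPF: pass (google.com: best guess record for domain of sh198725@atena21.gdn-superhost.pl designates 178.250.47.101 as permitted sender) client-ip=178.250.47.101;
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of sh198725@atena21.gdn-superhost.pl designates 178.250.47.101 as permitted sender) smtp.mailfrom=sh198725@atena21.gdn-superhost.pl
To: xxx@gmail.com
Subject: Unusual activity in your account
X-PHP-Script: andrea.lattari.eu/modules/blog/ml.php for 197.3.225.82
From: Security Team <ppl@jacob-broom.dreamhost.com>
MIME-Version: 1.0
Content-Type: text/html

"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def analyze(raw):
    """Return the list of header-level phishing indicators found in raw."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, env_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    # The visible From domain differs from the envelope sender (Return-Path).
    if from_dom and env_dom and from_dom != env_dom:
        findings.append("from_envelope_mismatch")
    auth = str(msg.get("Authentication-Results", "")).lower()
    # SPF passed for the envelope domain only; no DKIM/DMARC result at all,
    # so nothing vouches for the From domain the user actually sees.
    if "spf=pass" in auth and "dkim=" not in auth and "dmarc=" not in auth:
        findings.append("spf_only_no_dkim_dmarc")
    # "best guess record": the sending domain publishes no SPF record.
    if "best guess" in str(msg.get("Received-SPF", "")).lower():
        findings.append("spf_best_guess_record")
    # X-PHP-Script: the mail was generated by a PHP script on a web host.
    if msg.get("X-PHP-Script"):
        findings.append("sent_by_php_script")
    # HTML-only body with no text/plain part (SpamAssassin's MIME_HTML_ONLY).
    if msg.get_content_type() == "text/html" and not msg.is_multipart():
        findings.append("html_only_body")
    return findings
```

Calling analyze(RAW_HEADERS) returns all five indicator codes for this message; a mail whose From and Return-Path domains agree and that carries DKIM/DMARC results produces none of them.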

The phishing Paypal site

Without https, of course; my Firefox shows that it is hosted in Germany.

[Screenshot: fake_paypal_02]

The phishing IP information

[Screenshot: fake_paypal_11]

The phishing site registration information

[Screenshot: fake_paypal_12]

Trying to log in to the phishing site

[Screenshot: fake_paypal_03]

Login failed. However, the “My Paypal” and “Log out” buttons in the top right corner don’t work.

[Screenshot: fake_paypal_04]

After pressing the Continue button, it brings you to a page to update your credit/debit card.

[Screenshot: fake_paypal_05]

The phisher wants all your information: you have to add a billing address in the next step.

[Screenshot: fake_paypal_06]

The billing address page

[Screenshot: fake_paypal_07]

The phisher then asks for the rest of your information.

[Screenshot: fake_paypal_08]

Congratulations! You have submitted all the necessary information to the phisher.

[Screenshot: fake_paypal_09]

Finally, the phisher will bring you back to the real Paypal website.

[Screenshot: fake_paypal_10]

Final Thought:

The design and quality of the phishing campaign's website are good. The phisher is after high-quality data: there are many fields with validation, and the data collection flow is smooth.

Avoiding this kind of phishing email is easy: the website has no https, and the domain name is very easy to identify as fake.
