PayPal Phishing Campaign Investigation:
From last few days, I received multiple suspicious emails regarding my Paypal account. In this article, I will tell you some basic steps to identify these types of suspicious emails. Below the snap of a suspicious email that I received regarding my PayPal account and we will investigate this email.
In IT terms these emails are called Phishing emails and purpose of these emails to get the personal information of victims say username of your finical account, password of your finical account, date of birth and many other Personal Identify Information (PII).
Let’s start:
1: The subject of the email present that this is important information regarding my account and my full attention required on this. This is a very effective trick that hackers used to hide bad attentions behind this alarming subject line. (as per below-attached)
2: In the subject line, the hacker uses the Special character in around Action and News statement. Legitimate companies never use any special character like this in subject line. Hackers use this to bypass email security controls.
3: In the first step, I search the subject line on Google and get a few hints that make this email suspicious. This type of email already reported by users against different companies.
4: Hacker use the email address (secure[@]int-limited[.]com) that try to made the Subject of the email is look like this is from the security department but when we check the real address behind the top, the email is different (as per below-attached). We call this Email Masking, and hackers use this trick frequently in phishing campaigns.
PayPal mostly use only account name PayPal with email say “PayPal <paypal@mail.paypal.co.uk>”
5: Now need to check the domain int-limited* in Google, I didn’t find any clue that this domain belongs to PayPal except intl.paypal.com.
6: When I checked the Whois record of int-* domain on who.is, I found that this domain is not registered yet or no data available in Whois record.
7: I’ve confirmed that it does not relate the masked domain to Paypal. Now going to check the reputation of the original domain where this email initiated (spainjanjuk dot com). I use bright cloud to check the reputation of the domain. This is a freely available service. There are many other free resources available to check the reputation of any domain.
As per Bright cloud result, this domain score is 40 out of 100 due to risk score this domain is suspicious. Also, this domain is uncategorized.
8: Place the logo of PayPal on top left of the email body to make this email look legitimate and pretend that this is from PayPal. This is just a Logo and no URL embed in this.
You can get the logo file easily from Google Images. Paypal always uses the embedded URL of Paypal behind the logo.
9: In the email body, a URL is embedded in Log in to PayPal button. When I mouse hover, the embedded URL is not belonging to the PayPal domain. I copied that domain and past it for Dynamic Analysis on urlscan.io (free).
9–1: As you can see that domain is not belong to PayPal.
9–2: The embedded URL is Malicious as per Google Safe Browsing.
9–3: The embedded URL redirects to another URL, that is also not belonging to the PayPal domain.
Conculion:
As per the analysis, it’s confirmed that this is a Phishing email, and I have investigated this without install any tool or any rocket science. I used freely available resources for the conclusion.
I have forwarded this email to PayPal security (spoof@paypal.com) and also report this in the Microsoft junk system (a Junk button on top of the email body)