Dodgy PayPal emails and how to spot them


    The dodgy email has been around for some time, often varying in complexity. In most cases, the attempts at spoofing one of these emails are very poor: incorrect fonts, colour schemes, and overall layout make most of them really easy to spot. However, the game seems to have been “upped” somewhat over the past few months, and yesterday evening I received this very convincing email, supposedly from PayPal, in my inbox.

    Now, to the untrained eye, this could look very convincing indeed. Should we do as they ask? Hold it right there. Let’s break down this email by first looking at the address to see who actually sent it.

    Yeah, that’s not PayPal, is it? It’s some random address a somewhat nefarious individual has created in order to make it look like it’s from PayPal themselves. In most cases, the fake address is easily masked by placing the “real” one in the visible “sent from” field: in this instance, it looks as though PayPal sent it, but if you dig deeper, this isn’t the case.

    Another way we can see where the message originated from is to check the message headers themselves.

    The first 5-10 lines of the message header give us insight into the origins of the message. Here are those very lines from the message I received:

    Received: from 10.200.76.142 by atlas220.free.mail.ir2.yahoo.com with HTTPS; Thu, 9 Dec 2021 22:22:26 +0000
    Return-Path: <9C1pbZ6mPTYKkb0ENR1h4vEzyvGs2GiPxdcooHot@paktron.info>
    X-Originating-Ip: [209.85.128.103]
    Received-SPF: pass (domain of paktron.info designates 209.85.128.103 as permitted sender)
    Authentication-Results: atlas220.free.mail.ir2.yahoo.com; dkim=unknown; spf=pass smtp.mailfrom=paktron.info;

    As you can see from the Return-Path and Authentication-Results lines, the domain that **ACTUALLY** sent the message (the envelope sender, smtp.mailfrom) was “paktron.info”, and definitely not PayPal. Note that spf=pass only tells us that paktron.info authorised that IP address to send on its behalf; it says nothing at all about PayPal.

    Digging even further, we can also see that “paktron.info” uses Gmail to relay its emails:

    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=1e100.net; s=20210112;
            h=x-gm-message-state:date:to:from:subject:message-id:mime-version
             :content-transfer-encoding;
            bh=JDzBYqxLWbyz1euLpGy5I34M1DgaEIWD1DyTSYgKsOU=;
            b=TfLkxbgWVIYonMrIzqbetxzD+F1D3Tf4wHm+l4svGqQH96cM0Og7XVAQtnfe2taJ8c
             g4T71omH7gq2AGk3zzz09RjjyE47taZhx1p5VhZWkQ93LuAnRZvszLg+QkW59SIHqBs0
             bgUzEKtJN3V4pm8YX4XR8KE6+OBRs4ma6GbnOg2n0xW5RPN6WBDihA3PyYB9Ve4GOS+H
             DCaOlLdJcBq7ftf3ska5Jp4vOAcM/ZTJ0hgjv8ZUf7N08a7gUTcKRnykRkwn0hYUnjlh
             lImEHPd8S1e4lGLFPpJVMkp1EvRgRBjcPbPIOlcSCgpeBlq2MOFdywcjbHWG2ptC5g5W
             rP7A==
    X-Gm-Message-State: AOAM531L2V7LNH6Y/goIZUfnCa5gvlMbyHFvBdrK/9PBccraWnlFrqkr
    	zwyg/3GLjdJrLPJTVWHmgzlc2QEzzZ9tlHG4hRyBao96vaifQ9enb75yoAEM5jzUDA==
    X-Google-Smtp-Source: ABdhPJwpppASrcH9t3k4kQJ12BODF4ra+WqBwbTQJMjq3PIk+TIemDoplAtzOjynJsvKoSe0ECKHYHQQNxu1
    X-Received: by 2002:a1c:ed0a:: with SMTP id l10mr10968558wmh.140.1639088545974;
            Thu, 09 Dec 2021 14:22:25 -0800 (PST)
    Received: from notifications-317.loccitane.com ([2a04:ecc0:8:a8:4567:234f:0:1])
            by smtp-relay.gmail.com with ESMTPS id m15sm75873wmg.19.2021.12.09.14.22.25
    

    And to confirm this, a quick “whois” shows us that the domain registrar is, in fact, Google.

    Admittedly, it has privacy protection, so it’s not “Google” per se, but the domain was registered in November 2021 and is relatively new, so it’s pretty clear its purpose is solely to send malicious email, given that there is no web presence for it.
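    Doing the header check above by hand works for one message, but the same comparison can be scripted. The following is an added example (not code from the original post): it parses a header block constructed from the lines quoted above, plus an assumed From: line showing a PayPal-looking sender, and reports where the visible sender, the envelope sender (Return-Path / smtp.mailfrom) and the SPF and DKIM results disagree.

```python
"""Compare the visible sender of an e-mail with the authenticated one.

Added example, not code from the original post. The header text below is
constructed from the values quoted in the post; the From: and Subject:
lines are assumptions (the post does not reproduce them).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header lines quoted in the post, with an assumed
# From: header that displays a PayPal-looking sender.
RAW_HEADERS = """\
Received: from 10.200.76.142 by atlas220.free.mail.ir2.yahoo.com with HTTPS; Thu, 9 Dec 2021 22:22:26 +0000
Return-Path: <9C1pbZ6mPTYKkb0ENR1h4vEzyvGs2GiPxdcooHot@paktron.info>
X-Originating-Ip: [209.85.128.103]
Received-SPF: pass (domain of paktron.info designates 209.85.128.103 as permitted sender)
Authentication-Results: atlas220.free.mail.ir2.yahoo.com; dkim=unknown; spf=pass smtp.mailfrom=paktron.info;
Received: from notifications-317.loccitane.com ([2a04:ecc0:8:a8:4567:234f:0:1])
        by smtp-relay.gmail.com with ESMTPS id m15sm75873wmg.19.2021.12.09.14.22.25
From: PayPal <service@paypal.com>
Subject: (assumed subject line)

"""

# "from <host> ... by <host>" inside a Received: header (folded lines allowed).
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def parse_authentication_results(value: str) -> dict:
    """Turn 'authserv; dkim=unknown; spf=pass smtp.mailfrom=x' into
    {'dkim': 'unknown', 'spf': 'pass', 'smtp.mailfrom': 'x'}.
    Handles the simple form seen in the post, not every RFC 8601 corner."""
    results = {}
    _, _, body = value.partition(";")  # drop the leading authserv-id
    for clause in body.split(";"):
        for token in clause.split():
            key, eq, val = token.partition("=")
            if eq:
                results[key.lower()] = val.lower()
    return results


def analyse_headers(raw: str) -> dict:
    """Return the sender-related facts plus a list of human-readable findings."""
    msg = message_from_string(raw)
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    header_from = domain_of(msg.get("From", ""))
    return_path = domain_of(msg.get("Return-Path", ""))
    mailfrom = auth.get("smtp.mailfrom", return_path)
    spf, dkim = auth.get("spf", "none"), auth.get("dkim", "none")
    hops = [m.groups() for h in msg.get_all("Received", []) if (m := HOP_RE.search(h))]

    findings = []
    if return_path != header_from:
        findings.append(f"Return-Path domain '{return_path}' differs from the visible From domain '{header_from}'")
    if spf == "pass" and mailfrom != header_from:
        findings.append(f"SPF pass applies to '{mailfrom}', not '{header_from}': it does not authenticate the visible sender")
    if dkim != "pass":
        findings.append(f"DKIM result is '{dkim}': no valid signature for '{header_from}'")

    return {
        "header_from": header_from,
        "return_path": return_path,
        "smtp_mailfrom": mailfrom,
        "spf": spf,
        "dkim": dkim,
        "originating_ip": msg.get("X-Originating-Ip", "").strip("[] "),
        "hops": hops,           # (from, by) pairs, most recent hop first
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyse_headers(RAW_HEADERS)
    for key, value in report.items():
        print(f"{key:15} {value}")
```

    Run it on a message you have saved with its full headers (most mail clients offer “view source” or “show original”). The SPF finding is the one most people miss: a green “spf=pass” is only meaningful if the domain it passed for is the domain you see in the From field.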

    If we also look at the underlying source code of the message we received, we can see that the “Login to PayPal” button isn’t all it seems. In fact, it wants to send us somewhere completely different: no doubt a malicious site that looks like PayPal, but in fact isn’t.

    target="_blank" href="https://l.wl.co/l?u=https%3A%2F%2Fme2.do%2FG0YhbPsc&signature=JmhXt100uR&trackingid=JijD70jaqr27E&amp=1" style="text-decoration:none;color:#ffffff !important;white-space:nowrap;">𝖫𝗈𝗀𝗂𝗇 𝗍𝗈 𝖯𝖺𝗒𝖯𝖺𝗅 </a></td>
    

    It’s becoming increasingly common for attackers to “hide” malicious links inside “URL shorteners” as an attempt to mask the real link. Clicking on this link within a sandbox environment takes us here:

    And if we check the URL itself against the wide variety of malicious link checkers, we can easily see that it’s not all it purports to be:

    And there you have it. It’s a known “phishing” site, so called because it is literally “fishing” for information that you could well readily provide, thinking it was your PayPal account you were logging into. Chances are that nothing would actually happen once you submitted your details, but all you’ve done here in fact is provide the login ID and password of your PayPal account to an attacker.

    One of the best ways of avoiding this scenario in the first place is, of course, to question the email being sent. For example:

    1. Does the address the email was sent from match any of PayPal’s?
    2. Are there grammatical errors such as poor spelling, or generally bad punctuation?
    3. If you hover your mouse over any buttons or links, most email clients will show you the link that is hiding underneath. Does it look like PayPal?
    4. Is the address you’ve received the email on actually registered anywhere with PayPal?
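    Point 3 (look at the link hiding under the button) and the shortener trick shown earlier can also be checked offline. The following is an added example, not code from the original post: it extracts every link from an HTML body constructed around the anchor quoted above, unwraps the redirector’s `u=` parameter (the other parameter names it tries are assumptions) without visiting anything, and normalises the visible button text, which in the real message used Unicode look-alike letters rather than plain “Login to PayPal”.

```python
"""Inspect the links inside a suspicious HTML e-mail body without visiting them.

Added example, not code from the original post. The HTML below is constructed
around the <a> element quoted in the post; the 'u' parameter name comes from
that link, the other redirect parameter names are assumptions.
"""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Query parameters redirectors/shorteners use to carry the real destination.
# 'u' is the one seen in the post; the rest are assumptions for illustration.
REDIRECT_PARAMS = ("u", "url", "target", "redirect")

# Constructed sample body containing the anchor quoted in the post.  The link
# text is the message's own Unicode mathematical sans-serif letters.
SAMPLE_HTML = """<table><tr><td>
<a target="_blank" href="https://l.wl.co/l?u=https%3A%2F%2Fme2.do%2FG0YhbPsc&signature=JmhXt100uR&trackingid=JijD70jaqr27E&amp=1"
   style="text-decoration:none;color:#ffffff !important;white-space:nowrap;">𝖫𝗈𝗀𝗂𝗇 𝗍𝗈 𝖯𝖺𝗒𝖯𝖺𝗅 </a>
</td></tr></table>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def unwrap(url: str, max_depth: int = 5) -> list:
    """Follow redirect parameters offline; returns the chain outer -> innermost."""
    chain = [url]
    for _ in range(max_depth):
        qs = parse_qs(urlsplit(chain[-1]).query)   # parse_qs percent-decodes values
        inner = next((qs[p][0] for p in REDIRECT_PARAMS if p in qs), None)
        if not inner or not inner.startswith(("http://", "https://")):
            break
        chain.append(inner)
    return chain


def assess_links(html: str, expected_domain: str = "paypal.com") -> list:
    """One report per link: NFKC-normalised text (reveals look-alike letters),
    the redirect chain, the final host, and whether it belongs to expected_domain."""
    collector = LinkCollector()
    collector.feed(html)
    reports = []
    for href, text in collector.links:
        chain = unwrap(href)
        host = (urlsplit(chain[-1]).hostname or "").lower()
        plain = unicodedata.normalize("NFKC", text)
        reports.append({
            "visible_text": plain,
            "uses_lookalike_chars": plain != text,
            "chain": chain,
            "final_host": host,
            "is_expected": host == expected_domain or host.endswith("." + expected_domain),
        })
    return reports


if __name__ == "__main__":
    for r in assess_links(SAMPLE_HTML):
        print(f"{r['visible_text']!r} -> {' -> '.join(r['chain'])}  host={r['final_host']} ok={r['is_expected']}")
```

    The NFKC normalisation is worth keeping even if you only care about the URL: text built from Unicode look-alike letters renders as “Login to PayPal” to a human but does not match a plain keyword filter, which is exactly why it is used.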

    Protection of your PayPal account is key. One of the strongest methods of protection is to enforce two-factor authentication. This essentially extends the login requirement to a username, a password, and something only you have: in this case, the 6-digit code (or push notification if you use the PayPal app itself) which is only available on a device in your possession. Even if an attacker did manage to get your username and password, they still wouldn’t be able to log in without the code being provided.

    Having said that, it’s not difficult to hijack a SIM card, so any attacker wanting to obtain the two-factor code via SMS could actually be in a position to do so.

    That’s a topic of discussion for another post though… 🙂

    Stay safe out there - let me know if any questions.


  • 1 Votes
    3 Posts
    46 Views

    @DownPW absolutely. Then there’s also the cost of having to replace aging hardware - for both the production site, and the recovery location.

  • 13 Votes
    17 Posts
    107 Views

    @小城风雨多 I was a die-hard OnePlus user since the 6T, but my experience with the 9 series has left me extremely disappointed and I probably won’t go back now that I have a Samsung S23+ which works perfectly.

  • 2 Votes
    1 Posts
    27 Views

    Just seen this post pop up on Sky News

    https://news.sky.com/story/elon-musks-brain-chip-firm-given-all-clear-to-recruit-for-human-trials-12965469

    He has claimed the devices are so safe he would happily use his children as test subjects.

    Is this guy completely insane? You’d seriously use your kids as guinea pigs in human trials?? This guy clearly has easily more money than sense, and anyone who’d put their children in danger in the name of technology “advances” should seriously question their own ethics - and I’m honestly shocked that nobody else seems to have a comment about this.

    This entire “experiment” is dangerous to say the least in my view as there is huge potential for error. However, reading the below article where a paralyzed man was able to walk again thanks to a neuro “bridge” is truly ground breaking and life changing for that individual.

    https://news.sky.com/story/paralysed-man-walks-again-thanks-to-digital-bridge-that-wirelessly-reconnects-brain-and-spinal-cord-12888128

    However, this is reputable Swiss technology at its finest - Switzerland’s Lausanne University Hospital, the University of Lausanne, and the Swiss Federal Institute of Technology Lausanne were all involved in this process, and the implants themselves were developed by the French Atomic Energy Commission.

    Musk’s “off the cuff” remark makes the entire process sound “cavalier” in my view and the brain isn’t something that can be manipulated without dire consequences for the patient if you get it wrong.

    I daresay there are going to be agreements composed by lawyers which each recipient of this technology will need to sign so that it exonerates Neuralink and its executives of all responsibility should anything go wrong.

    I must admit, I’m torn here (in the sense of the Swiss experiment) - part of me finds it morally wrong to interfere with the human brain like this because of the potential for irreversible damage, although the benefits are huge, obviously life changing for the recipient, and in most cases may outweigh the risk (at what level I cannot comment not being a neurosurgeon of course).

    Interested in other views - would you offer yourself as a test subject for this? If I were in a wheelchair and couldn’t move, I probably would, I think, but would need assurance that such technology and its associated procedure is safe, which at this stage I’m not convinced is a guarantee that can be given. There are of course no real guarantees with anything these days, but this is a leap of faith that once taken, cannot be reversed if it goes wrong.

  • 1 Votes
    3 Posts
    52 Views

    @DownPW yes, exactly my point.

  • 10 Votes
    12 Posts
    138 Views

    @veronikya said in Cloudflare bot fight mode and Google search:

    docker modifications are a pain in the ass,

    I couldn’t have put that better myself - such an accurate analogy. I too have “been there” with this pain factor, and I swore I’d never do it again.

  • 9 Votes
    12 Posts
    98 Views

    @crazycells said in ION brings clients back online after ransomware attack:

    you know, they believe the world revolves around them

    Haha, yes. And they invented sex.

  • 0 Votes
    1 Posts
    141 Views

    Anyone who uses dating agencies, or even social media itself, should be aware of the risk that a “catfish” poses. However, despite all of the media attention, catfish are constantly successful in their campaigns, and it seems as though every day there is yet another victim. But why is this persistent campaign so successful? In order to understand how a catfish scam operates, we first need to look at who they target, and why. Trust is gained as quickly as possible, as the risk of being caught out very early in the process is much too high. Catfish campaigns tend to target individuals, particularly those considered vulnerable. But how do they know that these individuals are vulnerable, and a healthy target in the first place? More on that later. For now, let’s look at how a catfish will apply their skills to unsuspecting victims. By far the most common type of attack is via online dating, and seeing as there appears to be plenty of choice in terms of platforms and users adopting their services, the fruit on the tree is plentiful, and replenished at an alarming rate.

    How does a catfish select a target?

    The more experienced catfish will have multiple targets and campaigns running concurrently. Adopting this approach as a “beginner” is actually unwise, as there is too much detail to remember in order to pull off an effective deception without raising suspicion. Can you imagine grooming a target, then getting their name wrong, or other key information they may have unwittingly provided? No. For this exact reason, the novice catfish will target one individual at a time. Whilst this doesn’t sound very enterprising, the experienced catfish will operate multiple campaigns simultaneously. This produces a significantly higher yield, but it also means that the risk of exposure is greater. Based on this, each campaign is carefully tracked and “scripted” - in fact, each campaign has a written story, a pretext if you will, that is simply copied and pasted into communications. This provides the assurance that the particular “story” being used does not stray off course, or arouse suspicion unintentionally. Based on official evidence, most catfish campaigns originate from Nigeria. In fact, it’s big business - well over USD 2bn, in fact.

    Here’s a video courtesy of ABC that describes some of the techniques I have mentioned above - including the “scripted” mechanism.

    The catfish selects their target based on a number of factors, with social skills being top of the list. A personality of a wet blanket is seldom effective, so the catfish must create an online persona (usually a Facebook profile) that is credible, and can be reinforced and intertwined with real life events. One example of this is a soldier serving in Afghanistan (there are many others, although this is an active campaign which is known to succeed). It would appear that the military lifestyle, the uniform, and the exciting stories are enough to entice a lonely individual looking for friendship and romance. A vital component of the scam is that the occupation of a soldier allows multiple periods where contact can be minimal for various “military” reasons that the catfish informs their target they cannot divulge for official secrecy reasons.

    This actually provides the perfect cover in order for the scam to progress. Time is required in order to plan the next stages of the campaign if it is to succeed. Another important element to remember is that the catfish needs to be mindful of time zones – you cannot be based in Nigeria and use the same timezone when you are supposedly stationed in Afghanistan, for example. The catfish would have collected enough intelligence about their target to remain one step ahead at all times. This typically involves research, with most of the required information sadly provided by social media. This includes dates and places of birth, interests, hobbies, and a myriad of other useful data that all adds up to the success of the campaign. The catfish uses this information to form trust with the target, and, coupled with the online persona created previously, the wheels are firmly attached. The con is on, so to speak. Using the data collected earlier, the catfish makes use of a variety of techniques in order to gain confidence and trust, with the social element being of utmost importance. Another key point for the catfish is the ability to engage in discussion, be articulate, and most of all, come across as being intelligent. Spelling is important, as is the ability to use grammar and punctuation correctly.

    Those of us who are “grammar snobs” can easily spot a deception in the form of a social media message or email owing to the notoriously poor grammar, almost always the result of English not being the primary language in use. Bearing in mind that most initial contact is via instant messaging, online chat, and email, it is important for the catfish to avoid suspicion and early detection - and in essence, remain “under the radar” at all times.

    How much effort is involved?

    The amount of effort a catfish will put in generally depends on multiple factors. The sole aim of the perpetrator is financial, and any seasoned criminal will be looking to gain trust quickly, and will always have a story prepared. The point here is that the target needs to be a willing participant – nobody is holding a gun to their head, and they must be convinced of the integrity of their new online beau in order to part with money of their own volition. The previously constructed story needs to be consistent and plausible if the campaign is to succeed. Once the target is engaged, the catfish is then in a position to effectively “groom” the individual, and uses the response and personality of the target to gauge when the next part of the plan should be executed. This in itself can be a fine art depending on the target. If they are intelligent, it may take a considerable amount of time and effort to reel them in. Before the catfish makes this investment, they have to be sure it will be worth it. But how? Again, social media to the rescue. You’d be hard pressed to believe this, but money and the associated social lifestyle it provides and promotes is a key focal point of social networking, and by definition, social “engineering”.

    If the target regularly posts about dining out, drinking, holidays, etc., then this is a clear indicator that they are worth pursuing and exploiting, as they clearly have money to spend. Once the catfish has been able to convince the target of their sincerity, the deception then proceeds to the next level. The tried and tested “soldier based in another country, shortly completing his tour of duty, and leaving the army” scam provides an ideal mechanism to extort money from the target, once they have been convinced that the individual they have been talking to wants to start a business and needs capital etc. in order to get started. Another well-known and successful ruse is to claim that they have a sick child (or children) that needs urgent hospital care, and they don’t have the money to finance this. Another means of topping up the “fund” is the additional ruse that the soldier is not a citizen of the target’s country, and wants to be with his “new partner”. The by now besotted target agrees to pay for air fare, visa costs, and other associated permits in order to make their dream romance a reality – without realising that they are parting with a significant sum that carries absolutely no guarantee that it will be delivered. In fact, this could not be further from the truth. In a cruel twist, the catfish instructs their target to pay the funds into an account set up by and accessible to the criminals involved, where it is collected without delay - often by a “mule” (more on this later).

    The target is completely unaware this has taken place, and only realises what has happened after their romance never materialises, the person they trusted never arrives, and a gaping hole has appeared in their finances as a result. They are now left with the inevitable emotional and financial damage this scam creates, and they must somehow come to terms with the impact – and the associated consequences. The ultimate twist of fate is that the victim transferred their money of their own free will – it wasn’t stolen from them, and, believe it or not, no crime has been committed based on this fact (it sounds crazy, and it is absolutely fraud - but that’s the law). You will also find yourself hard pressed to convince any bank that you have not acted negligently.

    Reducing the risk

    So how can you reduce the risk? Whilst the below list should start with “…never talk to strangers…”, it’s not that simple. The below points are guidelines, but should be used along with your own judgement.

    - Never engage in discussions of a financial or personal nature with people you do not know. The internet is a dangerous place, and the anonymity it provides only makes this worse.
    - If you join a dating agency, ensure that all requests for contact are fully screened by the agency themselves before being sent on to you. Most agencies now insist on home visits to new clients in order to combat this growing trend.
    - Never agree to set up a new bank account, or transfer cash – this is a smoking gun, and should be avoided at all costs.
    - Never allow the discussions to continue “off platform” – in other words, always use the dating agency’s systems so that any conversations are captured and recorded. This means no texts, no personal messaging systems, and strictly no contact over social media.
    - If someone sends you a friend request on Facebook, ask yourself basic questions, such as “do I actually know this person?” and “why are they contacting me?”. If you don’t know them, don’t accept.
    - Try to avoid being tempted by emotional flattery. Whilst we all like praise and the feelgood factor it brings, don’t be reeled in by a catfish. This is one of the core weapons in their arsenal, and they will deploy it whenever necessary.
    - Remember – relationships have their foundations firmly rooted in trust. This has to be earned and established over the course of time – it’s not something that appears overnight.