- Internet & the Web
Spam Alert: Please Update Your Account
It's not PayPal
Recently, a new spam email has begun circulating. The message purports to be from the PayPal company, which is owned by eBay. This email is a well-disguised attempt to obtain personal information from unsuspecting PayPal customers. The email is not from PayPal. We will take a close look at the construction of the message to point out some obvious and not-so-obvious visual cues.
The subject of the email is "Please update your account", which is a common request that is mailed out from may reputable companies. A casual PayPal user may well be fooled by the official-appearing graphics and unauthorized use of the PayPal name.
Keep in mind that the Internet is a dangerous place: never respond to an unsolicited email unless you are absolutely sure of the sender.
Text of the spam
Dear PayPal Costumer,
It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.
However, failure to update your records will result in account suspension. Please update your records before February 04, 2011
Once you have updated your account records, your PayPal® account activity will not be interrupted and will continue as normal.
Click here to update your PayPal account information
Copyright © 1999-2011 PayPal. All rights reserved.
Information about FDIC pass-through insurance
Note that the email recipient is "undisclosed-recipients". This could be the result of a BCC (Blind Carbon Copy) email 'blast' or a weak attempt to disguise the fact that the spammer doesn't know the name of the intended recipient.
Nowhere in the message is any specific information that personalizes the email. It is obviously directed at everyone with an email address. PayPal would never send out generic emails asking clients to log in and update personal information.
In the above image we hovered our mouse over the link provided in the email. Our email client. Outlook, revealed the actual value of the link, which is obviously not a link to a PayPal web site. Needless to say, but we will say it anyway, never click on a link in an email. If you suspect that the email is legitimate, simply open your browser and type in PayPal.com, or any other legitimate web site. Don't depend on the email to provide you with a valid link.
Interestingly enough, the domain listed above appears to be legitimate, although it is in Lithuania, which is probably not where PayPal houses its' web servers. The company behind the domain seems to be a 'real' CNC (Computer Numerical Control) company. Undoubtedly the site has been hacked and the company is in no way involved with in a scam to obtain personal information from PayPal customers.
Hackers often secret a little code on a legitimate web site. Web hosting is not a trivial pastime. This code collects personal information from unsuspecting Internet users and relays that information via free email accounts. The process is virtually untraceable and certainly impenetrable to anyone without high-level computer security training.
Both links in the email point to the same unsavory location.
Bogus Reply-To Address
Clicking "Reply" on an email will cause the email client software to analyze the original message and pick out the "Reply To" email address stored there. Most sender take care to use a reply-to address that is somewhat related to the domain of the sender, but this particular message comes complete with an obviously deceptive reply-to address. The address is "firstname.lastname@example.org", which is not related to PayPal in any way. The domain, netlogmail.com, entered into a browser, redirects to netlog.com, which is an online social community. Those good folks obviously have nothing to do with this scam. They are merely another ancillary victim of this devious email scam.
The message came from the UK
So far, our devious spam purports to be from PayPal, links to a site in Lithuania, and gives a reply-to address for a social networking site.
The message came from a server in the United Kingdom. It originated on a server with the IP address 126.96.36.199, which belongs to "PoundHost Internet Services" in Berkshire. Undoubtedly, no one at PoundHost is in any way involved with this scam. They provide web hosting and Internet access services: one of their customers was either hacked or infected with a malware program that initiated the email.
What can you do about it.
You can't do much.
The computer that initiated the email has probably been shut down by their service provider. Most spam outbreaks are throttled rather quickly, but unfortunately there are virtually infinite numbers of insufficiently protected systems just waiting to be attacked.
Whatever you do, don't click on the links. We didn't. Although the links pointed to a European server owned by a manufacturing company, the pages that pop up may well appear shockingly similar to legitimate PayPal pages. They may also attack your computer and turn it into a spamming zombie that sucks the lifeblood from your bandwidth until your service provider pulls the plug on you.