When I was browsing through my new email account, I have saw the above email from Paypal saying my account is limited because of a identity issue? This email account is new and I didn’t used it much at all, And surprisingly this email was on my inbox not spam folder. I thought my Paypal account is limited and to verify that I opened up paypal.com on a new tab and logged in. And there was no limitations or whatsoever like said on the email. It didn’t took me much time to recognize that, this is indeed a phishing attempt. So this is what I found,
Real sender of the email is hon@hon.com and he/she has masked the address to intel.service@paypal.com, And returning path is also hon@hon.com. I have opened up the attachment and its a html page which looks like this
Interesting right? 
So I have looked at the source code of the html file and its encoded with javascript unescape() string. Its really a large amount of code there which froze my web browser when I tried to decode it using a web service. With the help of this online decoder I was able to decode the encrypted code and here is the interesting part,
All the other content such as css files are pulled from the real paypal.com and this is the only suspicious part on the code. That IP address belongs to a digitalocean VPS customer. These script kiddies might be signing up on digitalocean using free credits provided by them all over the internet and just abuse the service. I have informed digitalocean but that IP address is offline since I found this.
So moral of the story is that, if you receive this kind of emails asking you to login or do something by clicking the provided link, don’t ever do that. Just open up the mentioned services web site on a new browser window and check it.
Other posts you might feel interesting
The post Just another Paypal phishing attempt appeared first on Ruchirablog | Ruchira Sahan's Weblog!.
