[ Alert ] : Your account just make supicious transaction - PayPal SPAM WARNING !!!
We saw this email today. It is a dangerous phishing email that plays on paranoia about PayPal and fraud.
The text is full of mistakes, but this may be a deliberate tactic of some kind.
The email reads:
Di isi dong bossku (Indonesian: "Fill it in, boss")
From: PayPal Service <[email protected]>
Sent: Friday, July 12, 2019 12:31 AM
Subject: [ Alert ] : Your account just make supicious transaction
Your account just make supicious transaction, We've temprary limited your account due o this supicious activity until this issue is resolved.
Here is transaction detail:
- Transaction date : July 10 2019
- Transaction amount : $35 USD
- Transaction ID : GG3178523194EF4
If You didn't authorize this transaction please dispute transaction soon.
Please login to your account and provide the requested information to dispute this transaction before July 15 2019.
If we don't receive the requested information soon, We can't refund your money and your account may be closed without any notification.
The actual link takes you to http://hljjmbaby.com/Sign, which is already flagged as dangerous by Google Chrome and Microsoft Edge.
This then forwards you to https://support.manageaacccount.pfpstudios.com/signin, which Google and Microsoft have also marked as deceptive.
Again, this page is served over HTTPS with a three-month Let's Encrypt certificate, which helps fool people into assuming it is legitimate.
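A defender's first step with a mail like this is to pull the indicators out mechanically rather than by eye. The Python script below is an added example, not code from the original post: it parses a message constructed from the email quoted above and reports three things: a display name that claims PayPal while the sending domain is not paypal.com, links whose domain is not PayPal's (here the hljjmbaby.com link from the post), and the pressure language (the account limitation, the July 15 deadline and the closure threat). The sender address and the link's anchor text are placeholders, since the post redacts the real sender.

```python
"""Triage a suspected brand-impersonation email and report why it looks like a phish.

Added example, not code from the original post. The sample message is constructed
from the email quoted in the post: the sender address (redacted in the post) and the
link's anchor text are placeholders, not values from the post.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "paypal"                 # brand named in the display name
LEGIT_DOMAINS = {"paypal.com"}   # registered domains the brand really uses

# Pressure tactics typical of this kind of mail (matched on whitespace-normalised text).
URGENCY = {
    "account_limited": r"\blimited your account\b",
    "closure_threat": r"\bmay be closed\b",
    "hard_deadline": r"\bbefore [A-Z][a-z]+ \d{1,2},? \d{4}\b",   # e.g. "before July 15 2019"
}

# Constructed sample: body text and link target are from the post, sender is a placeholder.
SAMPLE_EMAIL = """\
From: PayPal Service <service@sender-placeholder.invalid>
Subject: [ Alert ] : Your account just make supicious transaction
Content-Type: text/html; charset=utf-8

<p>Your account just make supicious transaction, We've temprary limited your
account due o this supicious activity until this issue is resolved.</p>
<p>Transaction ID : GG3178523194EF4</p>
<p>Please <a href="http://hljjmbaby.com/Sign">login to your account</a> and provide
the requested information to dispute this transaction before July 15 2019.</p>
<p>If we don't receive the requested information soon, We can't refund your money
and your account may be closed without any notification.</p>
"""


class _LinksAndText(HTMLParser):
    """Collect every href and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_data(self, data):
        self.text.append(data)


def registered_domain(host: str) -> str:
    """Naive registrable domain (last two labels); real tooling uses the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw: str) -> dict:
    """Return the indicators found in one raw RFC 822 message plus a simple verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinksAndText()
    parser.feed(body.get_content() if body is not None else "")
    text = " ".join("".join(parser.text).split())   # collapse newlines and runs of spaces

    # 1. Display name claims the brand, but the sending domain is not the brand's.
    brand_spoof = BRAND in display_name.lower() and registered_domain(sender_domain) not in LEGIT_DOMAINS
    # 2. Links that lead somewhere other than the brand's own domains.
    suspicious_links = [
        u for u in parser.links
        if urlparse(u).hostname and registered_domain(urlparse(u).hostname) not in LEGIT_DOMAINS
    ]
    # 3. Urgency / threat language.
    urgency_hits = [name for name, pat in URGENCY.items() if re.search(pat, text)]

    score = int(brand_spoof) + int(bool(suspicious_links)) + int(bool(urgency_hits))
    verdict = "phishing" if score >= 2 else "review" if score == 1 else "clean"
    return {
        "sender_domain": sender_domain,
        "brand_spoof": brand_spoof,
        "suspicious_links": suspicious_links,
        "urgency_hits": urgency_hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The domain comparison is deliberately naive (last two labels); a production filter should use the public suffix list, and should also compare the anchor text with the href, since phishing mails frequently show a paypal.com link text over a different target.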
The site is very convincing - obviously made by someone with a close grasp of how to con people. The dialogue goes on to tell you that, as this is an unrecognised device, you will need to supply credentials to authenticate yourself:
It goes on - these are determined people...
You can see that it validates the formatting and performs basic card number validation, as well as checking the dates, etc.
Now the Visa validation page - which validates the numbers again against likely ranges.
Now it goes on to capture your PayPal login - it is important to note that the page asked us for this earlier; they do not check one against the other, though.
Now this I am really surprised at - asking for photo ID???
Whether there is a check here that we could not pass with our monkey photo, I do not know, but we had to click 'Not now' to proceed.
Our monkey photo did not cut it...
But you can see that the page does allow an upload - these people have spent a lot of time on this.
Well, my account is fully restored - and they have my PayPal login, my bank account details, my debit/credit card details and my photo ID. This site is run by professionals who have spent weeks on it, possibly employing ex-bank or ex-PayPal people. The IP address from which the certificate was obtained is unlikely to give any clue, as they are probably too wise for that, but this website will reappear over and over as they hack various WordPress sites to upload it to. They have invested too much not to get the most from their fraudulent code.
Traffic monitoring may give some clue as to where this information is being sent; either way, we will report this code and see if we can get the FBI involved.
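Before waiting on traffic monitoring, a saved copy of the page already says a good deal about where the data goes: every form's action URL, the fields each form collects, and every script loaded from elsewhere. The script below is an added example, not code from the post or from the phishing kit; it inventories a constructed page modelled on the sign-in page described above. The page URL is the one from the post, but the form actions and the script host are placeholders.

```python
"""Static inventory of a saved phishing page: forms, the fields they collect, where they submit.

Added example, not code from the original post. The HTML below is constructed to
resemble the sign-in page described in the post; the form actions and the script
host are placeholders, not destinations the post reports. Only PAGE_URL is from the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://support.manageaacccount.pfpstudios.com/signin"   # from the post

# Constructed sample page with placeholder endpoints.
SAMPLE_HTML = """\
<html><body>
<form id="login" method="post" action="/signin/verify.php">
  <input type="email" name="login_email">
  <input type="password" name="login_password">
  <input type="submit" value="Log In">
</form>
<form id="card" method="post" action="https://collector-placeholder.invalid/submit">
  <input type="text" name="card_number">
  <input type="text" name="exp_date">
  <input type="text" name="cvv">
</form>
<script src="https://cdn-placeholder.invalid/validate.js"></script>
</body></html>
"""

# Field names that indicate credential or payment-card harvesting.
SENSITIVE_FIELD = re.compile(r"pass|pwd|card|cvv|cvc|ssn|dob|pin", re.I)


def registered_domain(host):
    """Naive registrable domain (last two labels); real tooling uses the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _PageInventory(HTMLParser):
    """Record each <form> (resolved action, method, input names) and each <script src>."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.forms, self.scripts = [], []
        self._form = None   # the form currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {
                "id": a.get("id"),
                "method": (a.get("method") or "get").lower(),
                "action": urljoin(self.base, a.get("action") or ""),   # relative actions resolve against the page
                "fields": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"].append(a["name"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.base, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def inventory(html, page_url):
    """Return forms (flagged 'external' when they submit off the page's domain) and external scripts."""
    site = registered_domain(urlparse(page_url).hostname)
    p = _PageInventory(page_url)
    p.feed(html)
    for form in p.forms:
        host = urlparse(form["action"]).hostname or ""
        form["external"] = registered_domain(host) != site
        form["sensitive"] = [f for f in form["fields"] if SENSITIVE_FIELD.search(f)]
    return {
        "forms": p.forms,
        "external_scripts": [s for s in p.scripts if registered_domain(urlparse(s).hostname or "") != site],
    }


if __name__ == "__main__":
    result = inventory(SAMPLE_HTML, PAGE_URL)
    for form in result["forms"]:
        print(form["id"], form["method"].upper(), form["action"], "external" if form["external"] else "same-site", form["sensitive"])
    print("external scripts:", result["external_scripts"])
```

This only catches what the HTML declares. A kit that submits the fields with JavaScript (fetch or XMLHttpRequest) shows no form action at all, and that is exactly the case where watching the browser's outbound requests, as the post suggests, is the way to find the collection endpoint.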