Spam of the Day – Receipt for Your Payment to Uk-AdCommerce-EOM@ebay.com

Hello,

You authorised a payment of 37.81 GPB to eBay International UK (UK-ebay-inc-admin@ebay.co.uk)

Your funds will be transferred when the merchant processes your payment. Any money in your PayPal account balance will be used first. If you have a zero balance or insufficient funds in your account, your backup funding source will be charged for the full or remaining payment. Please note that your bank or card provider may charge a dishonour fee if you have insufficient funds to make the payment.

Thanks for using PayPal. To view the full transaction details, log in to your PayPal account.


Let me tell you how to spot the phishing details:

  • The email does not come from PayPal but from Mail <mail-bounces@pizzariaarturalvim.com.br> on behalf of Paypal <service@paypal.co.uk>. It’s interesting that a pizzaria sends emails!
  • The “To” email address is empty! Should have been my PayPal registered email address.
  • Hello is followed by no name. PayPal knows me! It should have been Dear First Name Last Name.
  • The correct header has the transaction ID underlined, taking you to the PayPal page of the transaction. Here’s a valid header.
  • eBay Europe Sarl not eBay International UK. Email address is not valid.
  • Look at the fonts! The Times New Roman above is a dead giveaway that they did not put enough effort to even use a sans-serif font.
  • Please note that your bank or card provider may charge a dishonour fee if you have insufficient funds to make the payment
  • I am dishonoured! I will commit hara-kiri! Odd language to use in an email.
  • A correct email will not contain such a big blob of text and the font is different.
  • Their emails by comparison are missing a few key elements: the text is different. The merchant is wrong. The font is differently coloured (grey vs black). Email is wrong and in the correct email is not clickable. Description for goods is missing! Pound sign is missing and check out that lovely currency! GPB. Great Pound British.
  • I would love to pay two Pound British for that beer!
  • “Payment sent to” is not underlined in the original PayPal email but it is in this one and the email is wrong. I am missing the Receipt ID too in the spoof.

If you are wondering how they make their money by sending fake PayPal transaction emails, you’ll find the answer if you check the footers of the original vs the fake-out side by side.

Yes, the fake allows you to cancel a transaction directly from your mailbox! The link does not take you to PayPal but to a site so spoofy that even Google Chrome warns you!

The URL is

http://paypal.co.uk.564535496dbb1a0f71d622f10526db1e.bukafa.com/webscr3/488445cfef34f549905b1154120cd1be/login.php?service=mail&passive=true&rm=false&continue=1#information-login

based on the domain bukafa.com, with a dummy sub-domain and paypal.co.uk in front. Looks Turkish, based in Istanbul!

Domain Name: BUKAFA.COM
Registry Domain ID:
Registrar WHOIS Server: whois.isimtescil.net
Registrar URL: http://www.isimtescil.net
Updated Date: 2014-10-16T12:11:29Z
Creation Date: 2014-01-23T09:18:59Z
Registrar Registration Expiration Date: 2016-01-23T09:18:59Z
Registrar: FBS Inc.
Registrar IANA ID: 1110
Registrar Abuse Contact Email: @domaintime.biz
Registrar Abuse Contact Phone: +902163299393
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: whoisprotection.biz
Registrant Street: Bulgurlu Uskudar
Registrant City: Istanbul
Registrant State/Province:
Registrant Postal Code: 34000
Registrant Country: TR
Registrant Phone: +90.2163299393

Notice the HTTP and not HTTPS! No secure lock on the URL, and the home page is a total hack from PayPal 2000. The new PayPal login screens are so much nicer! The links to retrieve your forgotten password point to PayPal Australia and look legit. The sign-up link also points to a legit URL for PayPal Australia. It’s odd that they target UK people with PayPal Australia info. But hey, at least you know where they are from!
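The sender and link checks above can be automated. The following is an added example, not part of the original post: it reads the host from right to left to find the registered domain, flags the brand name sitting in the sub-domain, and compares the displayed sender with the real one. It assumes a tiny hard-coded suffix set in place of the full Public Suffix List, a hypothetical trusted-domain list, and that the "on behalf of" display corresponds to a differing Sender header.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List, enough for the hosts on this page.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au"}
# Assumption: registrable domains accepted as PayPal's own for this demo.
TRUSTED = {"paypal.com", "paypal.co.uk"}
BRAND = "paypal"

# The link and the two addresses quoted in the post.
PHISH_URL = ("http://paypal.co.uk.564535496dbb1a0f71d622f10526db1e.bukafa.com"
             "/webscr3/488445cfef34f549905b1154120cd1be/login.php"
             "?service=mail&passive=true&rm=false&continue=1#information-login")
FROM = "Paypal <service@paypal.co.uk>"
SENDER = "Mail <mail-bounces@pizzariaarturalvim.com.br>"

def registrable_domain(host):
    """Return the part of the host someone actually registered (the rightmost labels)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def check_link(url):
    """Return (registrable domain, findings) for a link found in an email."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if domain not in TRUSTED:
        findings.append("untrusted-domain")
        # Brand name placed to the left of the real domain, as in the post's URL.
        if BRAND in host[:-len(domain)]:
            findings.append("brand-in-subdomain")
    return domain, findings

def sender_mismatch(from_header, sender_header):
    """True when the displayed From domain differs from the actual sending domain."""
    doms = [registrable_domain(parseaddr(h)[1].rpartition("@")[2])
            for h in (from_header, sender_header)]
    return doms[0] != doms[1]

if __name__ == "__main__":
    print(check_link(PHISH_URL))
    print(sender_mismatch(FROM, SENDER))
```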

The funny part is that their page won’t even send any emails!

Thank you spammers! You made my day!

 
