Phishing refers to a form of social engineering done through e-mail and/or web pages. It's an attempt to trick people into revealing sensitive personal information, usually financial, by masquerading as a bank or similar.
Step 1 — Mail Arrives
Mail arrives, and a typical mail tool takes the naive approach that all the header fields can be believed. The message details would appear to be as follows:
What does the message say? If you take the extremely dangerous step of letting your mail tool render the HTML, here is what you would see:
URGENT: PayPal System Problems
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at PayPal's website. If anyone asks for your password, please follow the Security Tips instructions on the PayPal website. Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the “Help” link in the footer of any page.
Look at that! Real PayPal artwork, some very legitimate looking text, a valid PayPal URL, and even appropriate security warnings.
BUT THAT MESSAGE IS ENTIRELY BOGUS, AN ATTEMPT TO STEAL YOUR PERSONAL INFORMATION!
Let's look at the real header and the actual message data, to see what's going on.
Step 2 — Reading the real mail header
Here is the real mail header. Notice the bold line showing the first SMTP hop.
From support
paypal.com Mon Jan 5 11:05:17 2004
Return-Path:
Received: from sccigwc01.asp.att.net (<63.240.76.150>) by sccigwc01.asp.att.net (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id for ; Mon, 5 Jan 2004 16:11:16 +0000
Received: from smerp (unknown<61.80.83.4>) by sccigwc01.asp.att.net (sccigwc01) with SMTP id ; Mon, 5 Jan 2004 16:11:15 +0000
From: "payPal.com"
Subject: PayPal Account Update
To: bobcromwell
paypal.com
Date: Tue, 6 Jan 2004 01:05:17 +0900
X-Priority: 2
X-Library: Indy 8.0.25
Message-Id:
Status: R
X-Status: N
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

The mail was really sent from 61.80.83.4. Anyone with the GNU version of whois can see that this is a member of a block of 128 IP addresses:

kt.co.kr
…. lots more deleted ….

If you don't have the GNU version of whois, then use robtex.org.
Look at the difference in the two date fields in the header — here is the simplified header as shown by a typical mail tool one more time:
As per the Date: field, the sending machine seems to think it's in the UTC+9 time zone, which would be in eastern Asia. And given the offset between the timestamps in the Date: and first From fields, that seems to be the case.
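The header reading in this step can be automated. The following Python is an added example, not code from the original page: it finds the oldest Received hop recorded by the recipient's own provider and compares that hop's timestamp with the Date: field. The sample header is constructed from the values shown above, with placeholders for the ids and addresses the page lacks; treating `.asp.att.net` as the trusted provider suffix is an assumption, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample built from the header values on this page; the ids and
# addresses the page does not show are replaced by placeholders.
RAW = """\
Received: from sccigwc01.asp.att.net (<63.240.76.150>) by sccigwc01.asp.att.net
 (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id <PLACEHOLDER-1>;
 Mon, 5 Jan 2004 16:11:16 +0000
Received: from smerp (unknown<61.80.83.4>) by sccigwc01.asp.att.net (sccigwc01)
 with SMTP id <PLACEHOLDER-2>; Mon, 5 Jan 2004 16:11:15 +0000
From: "payPal.com" <placeholder@example.com>
Date: Tue, 6 Jan 2004 01:05:17 +0900

(body omitted)
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def hops(msg):
    """Received hops, newest first: (from_name, from_ip, by_host, time)."""
    out = []
    for value in msg.get_all("Received", []):
        route, _, stamp = " ".join(value.split()).rpartition(";")  # unfold lines
        m = re.match(r"from (\S+) (.*?) by (\S+)", route)
        if m:
            ip = IPV4.search(m.group(2))
            out.append((m.group(1), ip.group(0) if ip else None, m.group(3),
                        parsedate_to_datetime(stamp.strip())))
    return out

def first_trusted_hop(msg, trusted_suffix):
    """Oldest hop in the unbroken run recorded by our own provider's servers."""
    boundary = None
    for hop in hops(msg):
        if not hop[2].endswith(trusted_suffix):
            break  # anything from here down was supplied by the sender
        boundary = hop
    return boundary

def analyze(raw, trusted_suffix=".asp.att.net"):  # assumed: recipient's provider
    msg = message_from_string(raw)
    hop = first_trusted_hop(msg, trusted_suffix)
    if hop is None:
        return None  # no Received line we can rely on
    sent = parsedate_to_datetime(msg["Date"])
    return {"sender_ip": hop[1], "skew_s": (hop[3] - sent).total_seconds(),
            "claimed_utc_offset_h": sent.utcoffset().total_seconds() / 3600}
```

Calling `analyze(RAW)` reports the connecting address from the trusted hop, the UTC offset the sending machine claimed, and the number of seconds between the Date: value and the time the provider actually received the message.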
Step 3 — Reading the Real Message
Here is the actual HTML code making up the message body. If you are like me, your mail tool does not render any HTML but just displays the real message contents, as shown below. The only HTML-formatted mail I get is from spammers and scammers. If you are curious about how spammers and scammers try to trick you, then you might want to actually look at the HTML code. Otherwise, just throw away all your HTML-formatted mail.
If someone needs fancy fonts and formatting to get their point across, then apparently they don't know how to write meaningful prose. Reading their text would be a waste of your time.
URGENT: PayPal System Problems
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at PayPal's website. If anyone asks for your password, please follow the Security Tips instructions on the PayPal website. Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the “Help” link in the footer of any page.