PayPal Phishing Scam - Access from a Foreign IP address

VERY IMPORTANT INFORMATION, READ THIS FIRST: The example and associated information published on this page are subject to the SHPAMEE Terms Of Use. Please familiarise yourself with these terms before viewing or using any information on this page.

Header:

From - Sat Jul 12 12:17:27 2008
X-Account-Key: account8
X-UIDL: x
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: x
X-YahooFilteredBulk: 222.72.85.4
X-Originating-IP: [222.72.85.4]
Authentication-Results: mta160.mail.ukl.yahoo.com from=paypall.com; domainkeys=neutral (no sig)
Received: from 222.72.85.4 (EHLO tmserver.tmsgm.com) (222.72.85.4)
by mta160.mail.ukl.yahoo.com with SMTP; Fri, 11 Jul 2008 23:10:44 +0000
Received: from User ([74.202.4.42]) by tmserver.tmsgm.com with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 12 Jul 2008 07:04:29 +0800
Reply-To: <no-replay@paypall.com>
From: "service@paypall.com"<service@paypall.com>
Subject: Notification of Limited Account Access.
Date: Fri, 11 Jul 2008 16:16:13 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <x@tmserver.tmsgm.com>
X-OriginalArrivalTime: 11 Jul 2008 23:04:29.0343 (UTC) FILETIME=[78F692F0:01C8E3AA]

Body:

Dear PayPal valued account holder,

We recently noticed one or more attempts to log in your PayPal account from a foreign IP address and we havereasons to believe that your account was hijacked by a third party withoutyour authorization.
If you recently accessed your account while traveling, the log in attempts may have initiated by you.

However if you are the rightful holder of the account, click on the link below and submit, as we try to verify your account.

Please click here to login into your PayPal account and then fill in the required informations. This is required for us to continue to offer you a safe and risk free environment.

The log in attempt was made from:

IP address: 89.28.4.49
ISP host: www.foto.md

If you choose to ignore our request, you leave us nochoice but to temporally suspend your account.
We ask that you allow at least 48hrs for the case to beinvestigated and we strongly recommend not making any changes to youraccount in that time.

* Please do not respond to thisemail as your reply will not be received.

Thank you for your patience as we work together to protectyour account.

Comments:

Refer to the 2nd example on the following page, sent on 16 September 2007: Chase Online Phishing scams

You will notice that the same template was used in the Chase phishing example, the only difference is the Chase logo and the references to JPMorgan Chase & Co., the anchor text of the phishing link and the alleged IP address and ISP host.

We ask that you allow at least 48hrs for the case to be investigated and we strongly recommend not making any changes to your account in that time.

But you want your victims to log into the account and "fill in the required informations"?

Please do not respond to this email as your reply will not be received

A phishing scammer telling the truth, so there is hope after all. A reply to service@paypall.com (pay attention the double 'l') is obviously not the same as a reply to service@paypal.com. The sender's e-mail address can easily be spoofed, so even an e-mail that appears to be from service@paypal.com, is absolutely no guarantee that it really came from PayPal.com. PayPal will anyway never send e-mails like this.

[Previous Example] [Back To The Main SHPAMEE Index] [Next Example]