PayPal sdll.us Phishing Attempt

I received three messages today purportedly from support@paypal.com advising me that my PayPal information needed to be updated. I do have a PayPal account, but since phishing for userids and passwords to banking and other financial institutions' websites is quite common today, I was suspicious of the message. One of the messages was addressed to a personal account and one to a mailing list of which I'm a member. The third was to a "webmaster" address for a website I administer, which leads me to believe that the addresses used by the phisher were gleaned by a spam spider scouring the web for email addresses.

The text of the message was as follows:

Date: Mon, 4 Apr 2005 18:37:36 +0200
From: support@paypal.com
Subject: Warning ,update your account

Dear PayPal . valued member,

Due to concerns we have for the safety and integrity of the PayPal community we have issued this message.

It has come to our attention that your PayPal account information needs to be updated. If you could please take 5-10 minutes out of your online experience and update your records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records by 8 April 2005.

Once you have updated your account records your PayPal will not be interrupted and will continue as normal. Please follow the link below and update your account information. https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

PayPal
PayPal Accounts Department

One suspicious sign is that the email message, though showing a "from" address of support@paypal.com, had an originating IP address associated with the amen-pro.com domain name.

Received: from mail.com (vds-345642.amen-pro.com [62.193.214.18])

And looking at the HTML code for the message showed the link that appeared to point to www.paypal.com actually pointed to http://www.paypal.com.sdll.us/webscr/index.html, which is not a PayPal website.
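As an added example (not code from the original post), the following Python script automates the two checks made above: the reverse-DNS name in the Received header against the From domain, and the visible link text against the host the href really points to. The sample message is constructed from the details quoted in the post, and the "last two labels" rule for the registrable domain is a simplifying assumption.

```python
import email, re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the message in the post (headers trimmed);
# the relay host, IP and link targets are the ones the post quotes.
RAW_MESSAGE = """\
Received: from mail.com (vds-345642.amen-pro.com [62.193.214.18])
From: support@paypal.com
Subject: Warning ,update your account
Content-Type: text/html

<p>Please follow the link below and update your account information.</p>
<a href="http://www.paypal.com.sdll.us/webscr/index.html">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
"""

def shown_host(text):
    # Host named by link text that looks like a URL or bare domain, else "".
    if " " in text or "." not in text:
        return ""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def registered_domain(host):
    # Last two labels; assumes no multi-label public suffix (e.g. co.uk).
    return ".".join(host.lower().split(".")[-2:])

def analyse(raw):
    """Return human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = registered_domain(str(msg.get("From", "")).rsplit("@", 1)[-1])
    # The last Received header is the hop nearest the sender; compare its
    # reverse-DNS name with the From domain, as the post does by hand.
    received = msg.get_all("Received") or [""]
    m = re.search(r"\(([\w.-]+)\s+\[", received[-1])
    if m and registered_domain(m.group(1)) != from_domain:
        findings.append(f"Received from {m.group(1)}, not a {from_domain} host")
    # Anchors whose visible text names one site but whose href goes to another
    # (a regex is enough for this demo; use an HTML parser on real mail).
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.S):
        shown = shown_host(re.sub(r"<[^>]+>", "", text).strip())
        real = urlparse(href).hostname or ""
        if shown and registered_domain(shown) != registered_domain(real):
            findings.append(f"link shows {shown} but goes to {real}")
    return findings
```

Running analyse(RAW_MESSAGE) reports both the amen-pro.com relay and the paypal.com.sdll.us link target; a message that passes both checks can still be phishing, so treat an empty result as "nothing obvious", not as clean.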

So this message is a phishing attempt. If anyone is unfamiliar with phishing, there is an explanation of the term at http://csharpcomputing.com/Security/phishing.htm. It is basically an attempt to dupe unsuspecting users into revealing sensitive information, such as userids, passwords, and bank account numbers.

But, without looking at the HTML coding in the message, it wouldn't be apparent that you would be taken to a non-PayPal website. And the phisher used JavaScript code on the actual website to cover Internet Explorer's address bar so that it appeared the address bar was pointing to https://www.paypal.com/cgi-bin/webscr?cmd=_login-run, i.e. that you were actually visiting PayPal's website (see Image 1). However, if I moved another window up over the address bar, suspiciously the spoofed PayPal website address appeared over that window (see Image 2). If I right-clicked on the webpage and chose "Properties", I could see that the actual address was http://www.paypal.com.sdll.us/webscr/index.html (see Image 3).

Looking at the code in the index.html file at the spoofed website, I see JavaScript code that refers to variables for window positioning, i.e. vuln_x, vuln_y, vuln_w, and vuln_h. I also see references to vuln_calc, vuln_show, vuln_win, etc., which suggests the writer of the code was developing the code specifically to exploit a vulnerability. Except for a minor variation for window positioning, the code on this site appears to duplicate what is listed at the http://csharpcomputing.com/Security/phishing.htm webpage. There is also a reference to this code being used almost a year ago in IE URL Issue Being Used In Phishing In the Wild [USBank], so this is not the first instance of this code being used for phishing.

I reported the spoofed site to PayPal over 5 hours ago, but the site is still up at the moment. I understand that PayPal likely has to deal with a great many reports of spoofed sites, though, since it is one of the most popular Internet payment methods, especially for the eBay auction site. And it is also likely difficult for PayPal to locate an entity with authority to shut down the site and get such an entity to take immediate action.

There is an anti-phishing site, the Anti-Phishing Working Group where you can submit phishing email and pharming sites used for phishing schemes.

Some antivirus programs will catch some phishing attempts, e.g. Norton AntiVirus reports this one as JS.Trojan.Blinder, which it reports was discovered by Symantec on March 4, 2005, but not all such phishing attempts will be caught by antivirus software.

Sometimes such email scams are sent through mail servers configured as open relays, meaning anyone can send email through them. But when I checked the originating email server for the messages, vds-345642.amen-pro.com [62.193.214.18], with rlytest, it did not appear to be an open relay.

References:

  1. What is phishing?
    Aleksey Nudelman
  2. IE URL Issue Being Used In Phishing In the Wild [USBank]
    May 13, 2004
    Virus.Org Mailing List
  3. JS.Trojan.Blinder
    Symantec
