|Subject:||We noticed unusual activity in your PayPal account|
PayPal Suspicious Activity
Last Update 0:33 PM, 22 Oct 2017
For your protection, your PayPal ID is automatically disabled.
We detect unauthorized Login Attempts to your PayPal ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the PayPal Community.
What’s going on?
We’re concerned that someone is using your paypal account without your knowledge. Recent activity from your paypal account seems to have occured from a suspicious location or under unusual circumtances.
Your account access has been locked for the following reasons:
- 22 October 2017, We want to check your account surely not login with other device.
- 22 October 2017, Your account has been locked until this issued has been resolved we will waiting for 24 hours or your account has been disabled permanently.
What to do next:
Please click loggin button below to your paypal account and provide the information previously requested: 24 hours via account review, if we do not receive information before this deadline, your account access can be further locked permanently.
To verif your PayPal ID,we advise you to press the login button.
Please do not reply to this email. This email was sent to you, To get in touch go to the paypal website click login and unlock your account.
Help & Contact.
Copyright © 1997-2017 PayPal. All rights reserved.
Scam alert! The E-mail above is a SCAM. It’s a Phishing scam, tying to get your bank-details by luring you to a fake bank website. The message is all fake. The real PayPal
did NOT send this. Be warned!
If you’ve received this by e-mail than mark it as SPAM (if possible) and/or DELETE it.
Tracing the links in this phishing e-mail
Both the LOGIN-button and “Help & Contact.”-link in this e-mail point to a bit.ly URL-shortener link. (For your safety these links have been removed above!) You can check the bit.ly statistics for this link.
This URL-shortener redirects to the following URL:
The webpage on this address redirects the visitor again, this time to the following URL:
This shows a website with a fake PayPal login page:
All links in this webpage (e.g. Contact Us, Privacy, etc.) don’t work here. They want you to log in so they have your PayPal username and password.
After “logging in” (with random details) we get the following page:
It now fakes a (previous) location login verification with a spinning wheel, that spins forever… This is because they now have your login credentials. No need to display more stuff. BUT.. If you click on any of the links (e.g. Contact, Security or Logout) you will see the following page:
So through this form they try to get even more personal details from you in this identity theft scam…
UPDATE: Within 24 hours their fake PayPal site was taken offline!
As to be expected the domain owner details of com-verification-account.com has been hidden through a whois privacy service:
Domain Name: COM-VERIFICATION-ACCOUNT.COM Domain ID: 2177759405_DOMAIN_COM-VRSN Registrar: TUCOWS, INC. Registrar IANA ID: 69 Registrar Abuse Contact Email: email@example.com Registrar Abuse Contact Phone: +1.4165350123 Registrar URL: http://tucowsdomains.com Creation Date: 2017-10-22T23:06:13Z Registrar Registration Expiration Date: 2018-10-22T23:06:13Z Reseller: Hover Registrant Name: Contact Privacy Inc. Customer 0149522402 Registrant Organization: Contact Privacy Inc. Customer 0149522402 Registrant Street: 96 Mowat Ave Registrant City: Toronto Registrant State/Province: ON Registrant Postal Code: M6K 3M1 Registrant Country: CA Registrant Phone: +1.4165385457 Registrant Phone Ext: Registrant Email: firstname.lastname@example.org Name Server: NS1.TIMETOBACK.COM Name Server: NS2.TIMETOBACK.COM
Both the domain com-verification-account.com as the used subdomain paypal.com-verification-account.com point to the same ip-address:
IP-address: 18.104.22.168 GeoIP Country Edition: US, United States GeoIP City Edition, Rev 1: US, UT, Utah, Provo, 84606, 40.218102, -111.613297, 770, 801 GeoIP ASNum Edition: AS46606 Unified Layer
If you check the website on the domain com-verification-account.com instead of the subdomain you will see a standard html parking page template where they even didn’t edit the default text.
Now let us examine the forwarding domain: mybchc.org
Here are the whois owner details:
Domain Name: MYBCHC.ORG Registry Domain ID: D163307889-LROR Creation Date: 2011-09-13T18:04:47Z Registry Expiry Date: 2018-09-13T18:04:47Z Registrar: TierraNet Inc. dba DomainDiscover Registrar IANA ID: 86 Registrar URL: http://www.domaindiscover.com Registry Registrant ID: C174829199-LROR Registrant Name: Alexis Velasquez Registrant Organization: Registrant Street: 14318 Ben Brush Registrant City: San Antonio Registrant State/Province: TX Registrant Postal Code: 78248 Registrant Country: US Registrant Phone: +1.2102641209 Registrant Phone Ext: Registrant Fax: +1.2102641209 Registrant Fax Ext: Registrant Email: email@example.com Name Server: DNS2.STABLETRANSIT.COM Name Server: DNS1.STABLETRANSIT.COM
Seems legit, probably hacked to serve the page redirecting to the fake PayPal site. On the frontpage of this domain we see the following “charity donation” website:
I would not trust this “donation website”! The selectors for donation amount only show a $25,- option. No idea if this website is legit or not or that it also has been changed by the hackers to retrieve your PayPal account details. Be warned!
Domain: mybchc.org IP-address: 22.214.171.124 mybchc.org mail is handled by 10 mx1.emailsrvr.com. mybchc.org mail is handled by 20 mx2.emailsrvr.com. GeoIP Country Edition: US, United States GeoIP City Edition, Rev 1: US, MI, Michigan, Lansing, 48917, 42.725700, -84.636002, 551, 517 GeoIP ASNum Edition: AS53824 Liquid Web, L.L.C