Fishing scams

We noticed unusual activity in your PayPal account

Subject: We noticed unusual activity in your PayPal account
From:   your@email.address
Date:   2017-10-23
To:   your@email.address


PayPal Suspicious Activity

Last Update 0:33 PM, 22 Oct 2017

Dear Customer

For your protection, your PayPal ID is automatically disabled.

We detect unauthorized Login Attempts to your PayPal ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the PayPal Community.

What’s going on?
We’re concerned that someone is using your paypal account without your knowledge. Recent activity from your paypal account seems to have occured from a suspicious location or under unusual circumtances.

Your account access has been locked for the following reasons:

  • 22 October 2017, We want to check your account surely not login with other device.
  • 22 October 2017, Your account has been locked until this issued has been resolved we will waiting for 24 hours or your account has been disabled permanently.

What to do next:
Please click loggin button below to your paypal account and provide the information previously requested: 24 hours via account review, if we do not receive information before this deadline, your account access can be further locked permanently.

To verif your PayPal ID,we advise you to press the login button.

Please do not reply to this email. This email was sent to you, To get in touch go to the paypal website click login and unlock your account.
Help & Contact.
Copyright © 1997-2017 PayPal. All rights reserved.

Scammer Alert

Scam alert! The E-mail above is a SCAM. It’s a Phishing scam, tying to get your bank-details by luring you to a fake bank website. The message is all fake. The real PayPal
did NOT send this. Be warned!

If you’ve received this by e-mail than mark it as SPAM (if possible) and/or DELETE it.

Tracing the links in this phishing e-mail

Both the LOGIN-button and “Help & Contact.”-link in this e-mail point to a URL-shortener link. (For your safety these links have been removed above!) You can check the statistics for this link.

This URL-shortener redirects to the following URL:

The webpage on this address redirects the visitor again, this time to the following URL:

This shows a website with a fake PayPal login page:

Fake PayPal Login

All links in this webpage (e.g. Contact Us, Privacy, etc.) don’t work here. They want you to log in so they have your PayPal username and password.

After “logging in” (with random details) we get the following page:

Fake PayPal After Login

It now fakes a (previous) location login verification with a spinning wheel, that spins forever… This is because they now have your login credentials. No need to display more stuff. BUT.. If you click on any of the links (e.g. Contact, Security or Logout) you will see the following page:

Fake PayPal Account Summary

So through this form they try to get even more personal details from you in this identity theft scam…

UPDATE: Within 24 hours their fake PayPal site was taken offline!

As to be expected the domain owner details of has been hidden through a whois privacy service:

Domain ID: 2177759405_DOMAIN_COM-VRSN
Registrar: TUCOWS, INC.
Registrar IANA ID: 69
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.4165350123
Registrar URL:
Creation Date: 2017-10-22T23:06:13Z
Registrar Registration Expiration Date: 2018-10-22T23:06:13Z
Reseller: Hover

Registrant Name: Contact Privacy Inc. Customer 0149522402
Registrant Organization: Contact Privacy Inc. Customer 0149522402
Registrant Street: 96 Mowat Ave
Registrant City: Toronto
Registrant State/Province: ON
Registrant Postal Code: M6K 3M1
Registrant Country: CA
Registrant Phone: +1.4165385457
Registrant Phone Ext: 
Registrant Email:


Both the domain as the used subdomain point to the same ip-address:

GeoIP Country Edition: US, United States
GeoIP City Edition, Rev 1: US, UT, Utah, Provo, 84606, 40.218102, -111.613297, 770, 801
GeoIP ASNum Edition: AS46606 Unified Layer

If you check the website on the domain instead of the subdomain you will see a standard html parking page template where they even didn’t edit the default text.

Now let us examine the forwarding domain:
Here are the whois owner details:

Domain Name: MYBCHC.ORG
Registry Domain ID: D163307889-LROR
Creation Date: 2011-09-13T18:04:47Z
Registry Expiry Date: 2018-09-13T18:04:47Z
Registrar: TierraNet Inc. dba DomainDiscover
Registrar IANA ID: 86
Registrar URL:

Registry Registrant ID: C174829199-LROR
Registrant Name: Alexis Velasquez
Registrant Organization:
Registrant Street: 14318 Ben Brush
Registrant City: San Antonio
Registrant State/Province: TX
Registrant Postal Code: 78248
Registrant Country: US
Registrant Phone: +1.2102641209
Registrant Phone Ext:
Registrant Fax: +1.2102641209
Registrant Fax Ext:
Registrant Email:


Seems legit, probably hacked to serve the page redirecting to the fake PayPal site. On the frontpage of this domain we see the following “charity donation” website:

Charity donation site

I would not trust this “donation website”! The selectors for donation amount only show a $25,- option. No idea if this website is legit or not or that it also has been changed by the hackers to retrieve your PayPal account details. Be warned!

IP-address: mail is handled by 10 mail is handled by 20
GeoIP Country Edition: US, United States
GeoIP City Edition, Rev 1: US, MI, Michigan, Lansing, 48917, 42.725700, -84.636002, 551, 517
GeoIP ASNum Edition: AS53824 Liquid Web, L.L.C

Post Author: Webmaster

Leave a Reply

Your email address will not be published. Required fields are marked *