PayPal Phishing Email Investigation

Email Details

Sender: security@paypal-support.com (spoofed) Subject: URGENT: Your PayPal Account Has Been Suspended Received: January 12, 2024, 9:15 AM

Phishing Analysis

Email Content

• Professional-looking PayPal branding
• Claimed "suspicious activity detected"
• Urgent call to action: "Verify your account within 24 hours"
• Fake customer service number included

Malicious Elements

1. Link Analysis: Hover showed "paypa1-verification.com" (note digit '1' instead of 'l')
2. Fake Login Page: Perfect replica of PayPal login
3. Data Collection: Requested full credentials + credit card information
4. 2FA Bypass: Fake page also asked for SMS verification codes

Technical Investigation

• Domain Age: Registered 3 days before attack
• SSL Certificate: Self-signed, browser warnings ignored by design
• Hosting: Bulletproof hosting in uncooperative jurisdiction
• Pattern: Similar to 15 other reports this month

Protective Actions Taken

1. Immediate:
   • Did not click any links
   • Forwarded email to PayPal's fraud department
   • Reported to Quiet-Report platform
2. Follow-up:
   • Enabled PayPal's security key feature
   • Set up transaction notifications
   • Educated family and colleagues

Impact

Users Protected: 47 (based on email sharing) Accounts Secured: Verified no unauthorized access Awareness Created: Shared in company security training

Technical Indicators of Compromise

• IP: 185.162.131.104
• ASN: 202425
• Country: Netherlands
• TTPs: Similar to "Silent Librarian" phishing group