Hard Work for a Bad Cause

It is becoming easy for me to identify phishing emails these days. Kudos to some of these guys, they give their best to get these mails delivered to inbox despite the mail clients constantly updating their spam filtering methods. Now these guys have to be really smart and surpass these filters and also convince the reader to take an action out of the mail. Even though I was able to identify one of the mails that got into my inbox today, as a phishing email, I was quite impressed by the quality of the mail content. It was a typical mail that my paypal account has been restricted and that I have to complete a checklist by clicking a link to activate it again. The highlight of this mail beyond its actual intent is the right side section of the mail that gives tips on protecting my account - probably something copy pasted but a job well done. The only thing that gave away the authenticity of the mail is the from mail id which wasn’t from paypal.com. Below is the image snapshot (Click to view original).

Phishing Mail

I didn’t leave at that and I wanted to see how well the imitation continues in the rest of the steps. So I clicked on the link in the mail and it took me to an almost similar Paypal site. Look at the below snapshot and compare it with Paypal US website. In the phishing site the only way you can identify it is fraudulent is by looking at two things - one the URL and the second you click on any link like the “About”, “Privacy” etc., it always lands you back to the login page. But just by comparing these two screens you will be surprised at the amount of imitation in terms of fonts, styles, images etc.

Phishing Login Screen

Here is the fun part. The phishers can’t really validate if someone is genuinely using their paypal login and password. But their best bet is if someone really gets convinced that it is from paypal they would input their credentials. But what matters to these people are not the credentials, but the details in the subsequent page. So enter any invalid email address and password, you would be taken to the next page. In the next page comes the details that these guys want - the whole credit card section.  Look at the screenshot (click to view original).

Phishing Detail Screen

Again here the highlight is, to convince the user, they have links like “Help finding your Card Verification Number” and “why is ATM Pin required?”. Clicking on “Why is ATM Pin required?” link shows a popup with the below message.

“By adding VeriSign Payment Services industry-leading tools such as Payflow Link and Payflow Pro to PayPal’s suite of payment solutions, we’re now able to offer online merchants even more choices for their businesses.
Requiring PIN Signatures is the latest security measure against: identity theft, credit card fraud and unauthorized account access. PayPal will verify it with your bank records for your own protection.
If you provide a wrong PIN your account will be suspended for unauthorized account access.

LOL for the last line there :-) .

But Firefox was quick to mark this as a forgery website, when I tried second time clicking on the link to take screenshot for posting here. What surprises me most is, this is not a mere copy paste job, it involves lot of work to imitate the original site, including some testing. For example the login page does a valid email test. So there should be a team with good knowledge on web application programming (this one was done using php, just looking at the URL gave away that), HTML, CSS etc. If only these guys could use their skills to get into a decent job, not only will they be in for a bad cause but the software industry would have got few more good developers. Do these guys realize that by writing software for someone to steal money from those that succumb to this deceit is as good as being thieves themselves?