PayPal is teaching fraudsters how to create the perfect phishing email

PayPal is sending a lot of emails these days, one of these got me confused.

I am sure now it is a valid email, but the multitude of different links in it and the confusing information is making this email very suspicious.

 

Here is a summary of the email:

 

Ihre Meinung ist uns wichtig. Daher möchten wir Sie einladen, ein paar Fragen zu Ihrer Erfahrung mit PayPal zu beantworten. Sie helfen uns damit, unseren Service für Sie noch besser zu machen. Alle Antworten sind selbstverständlich anonym und vertraulich.
Um an dieser 10- bis 15-minütigen Umfrage teilzunehmen, klicken Sie einfach auf den Button. Sie haben bis zum 27/01/2023
Als Dankeschön für Ihr Feedback erhalten Sie automatisch eine Gewinnchance für einen Mastercard-Geschenkgutschein im Wert von 1.000 €.* Für weitere Einzelheiten zu Gewinn und Teilnahmeregeln, klicken Sie bitte hier.
Jetzt mitmachen

 

 

How do I know the email is not a phishing?

Because all of these together (not separated):

  • It addresses me via name
  • It writes my email address below
  • All domains belong to PayPal
  • No confidential information is requested

 

Why is this email suspicious:

  • The subject promises the chance to get a large amount of money if the user participates to the survey
  • The subject creates a lot of pressure by setting a short deadline to the participation  (<7 days)
  • The “hier” link to paypal-survey.com redirects to paypal.com.

I have checked the Whois info for https://whois.domaintools.com/paypal-survey.com and it looks like it is belonging to PayPal, but it is so badly redacted (damn GDPR!) that I can’t be sure.

  • The button  “Jetzt mitmachen” is a link to paypal.com that gets immediately redirected to paypal-survey.com: https://www.paypal-survey.com/survey/selfserve/229b/ppp22011?source=xxx
  • Immediately after click on Next in that page, I get redirected to

https://us.surveyme.online/F8034_Screener_DE/cgi-bin/ciwweb.pl?studyname=F8034_Screener_DE&username=1&path=https%3A%2F%2Fwww.paypal-survey.com%2Fsurvey%2Fselfserve%2F229b%2Fppp22011%3Fstate%3Dxxxxxxxxxxxxxxx&source=xxx&hid_pagenum=1&hid_link=1&hid_javascript=1&hid_screenwidth=1924

  • There is a 3rd party collecting data

 

PayPal ARE YOU SERIOUS ?!

It is very easy to create a phishing email in the very same way this email is created, .

Stop messing up with your users.

The vast majority of your users is not able to differentiate between a phishing email and your email.

 

I informed phishing@paypal.com about this email.

No, I did not participate to the survey.

 

Conclusions:

  • Never fill in surveys, no matter what they promise
  • Never provide PayPal account information, bank account information
  • Never provide any kind of personal identifiable information

© Copyright 2023 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch

Related Posts

Targeted phishing on customers of Strato.de

My domain mustaca.com is hosted at Strato.de. I received several such emails, showing that somebody really scrapes the next for finding targets of various ISPs. Lieber Kunde, Wir informieren Sie, dass die Domain mustaca.com ausläuft. Wie kann man sich erneuern ? Der Erneuerungs Vorgang ist schnell und einfach: bestellen Sie einfach online und bezahlen Sie […]

Targeted Phishing: Your auth password for [ user@host.com ] expires today !

It’s been a while since I received a targeted phishing. This time it is on one of my email accounts hosted on Google, and strangely, their phishing filter did not catch this one.     ITNotification <ITNotices@mail.com>  sorin@mustaca.com Expiration Your Password for sorin@mustaca.com has expired today. You can change your Password or continue using current Access   KEEP PASSWORD  ->erased domain on geocities.com   sorin@mustaca.com Admin. 2023 […]

Aggressive phishing against Strato.de customers

Strato.de (now belonging to 1&1) is one of the biggests hosters in Germany. Since a few weeks we see a lot of emails containing various texts that try to convince the user to login to his strato.de account and perform some actions. Strato published on their blog also a post about these fake emails: https://strato.de/blog/achtung-aktuell-wieder-phishing-mails-im-namen-von-strato-im-umlauf/ […]