[Macaholic]

Phishing scams are a cinch to flag and ignore.. but this one I got this morning is a little tricky. Can it be real? Please find it attached, with my personal info masked.

If it's a scam, it looks to be a good one as far as I can tell. here are a couple of aspects to it that seem legit:

1) The salutation addresses me BY NAME (phishing emails usually have generic greetings like "Dear PayPal customer").

2) It was written in plain text (usually, phishing emails are of the HTML type, loaded with easily obtained graphical elements which are used to make the email appear legit)

3) There is NO hyper-linked text in this email which, while appearing to be legit, are usually masking a redirect to a server either set-up or hacked to provide a "login page" that actually harvests your info for the crooks. This email tells me specifically to open a browser window and manually type PayPal's addresses -- the prudent manner with which to access genuine sites.

The only red flag I can detect is the case ID number, which appears too rudimentary to be genuine. Waaaaay too many zeros to be a case-specific identifier... given the sheer number of cases PayPal has surely dealt with before my account pinged their "radar".

I have included all the header info as well which, despite the redirect from my GoDaddy-registered email domain to my ISP's mail servers and "true" addresses with Rogers, appears to be valid and free of any other intermediary routing.

Thoughts? Opinions?

 

[CanadaRAM]

So what's the problem?
The email is not providing a link to direct you to logon by clicking.
Log onto your Paypal account in the normal way in your browser by manually typing the URL (https : // www . paypal . com) and see what messages there are there.

 

[The Doug]

Look here.

 

[HowEver]

.

 

[Macaholic]

Okay. Logged into paypal. There's nothing there and the Case ID turns up nothing.

So... what's the point of this email then?? There's no redirect. No "payoff" of my personal info. An intended time waster?? If so, it sure works!

 

[Kazak]

Another case solved, Sherlock Hemlock.

 

[eggman]

After the "Sincerely," in the graphic - was there any further Paypal contact info? Apparently some scammers have set up phone #'s and automated systems to capture information.

This could work quite nicely here - the potential victim gets the email, carefully logs into the real site - finds nothing wrong... this is worrisome - so they now call the number which was in the email, and they get a legit sounding voicemail system asking for a credit card #...

I found references to it here:

The no link, no click, phishing scam

Under the heading "The no link, no click, phishing scam".

Of course, if there was no other contact info after the email's closing, I have no idea what they might be attempting. Desensitization? Overwhelming Paypal with questions from clients? Other mischief?

 

[HowEver]

.

 

[Macaholic]

The only additional beyond what I showed in that screenshot was:

----------------------------------------------------------------

----------------------------------------------------------------
Copyright © 1999-2007 PayPal. All rights reserved.

PayPal Email ID PP638

No phone numbers or ANY other method of contact (or deception) presented other than to manually type in the legit, secure PayPal web address and to access the links embedded therein. Weird, eh?

Anyway, an interesting event today.

 

[jaline]

It's fake. Report it to Paypal.

 

[krs]

Two possible things come to mind with this scenario:

1. Opening the email somehow dowloaded a malicious file to your computer. I read not too long ago, that this was now possible with plain emails, but again, that "Windows" file would not be able to run on the Mac, so no harm done.

2. The person who sent the email has a keylogger installed on your computer. Rather than wait until you normally log into Paypal (which could take a while), he/she sent you this email to get you to log in so that they can capture your Paypal account information.

But of course it could be something totally different or nothing at all.

 

[ErnstNL]

I'm with KRS on the keylogger thingy.
I had one installed on my PC and I was lucky to get it off before harm occurred. Stubborn it was.

 

[CanadaRAM]

Folks, the IP address in the headers resolves to PayPal -- there is nothing to indicate scam here - no phone number, no link, no attachment, no phony addresses in the header (presuming as the OP said, that the secureserver servers are their own ISP)

66.211.168.231 = [ mx1.phx.paypal.com ]

(Asked whois.arin.net:43 about +66.211.168.231)

OrgName: eBay Inc
OrgID: EBAY
Address: 2145 Hamilton Ave
City: San Jose
StateProv: CA
PostalCode: 95008
Country: US
NetRange: 66.211.160.0 - 66.211.191.255
CIDR: 66.211.160.0/19
NetName: EBAY-2
NetHandle: NET-66-211-160-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Assignment
NameServer: SJC-DNS1.EBAYDNS.COM
NameServer: SJC-DNS2.EBAYDNS.COM
NameServer: SMF-DNS1.EBAYDNS.COM
NameServer: SMF-DNS2.EBAYDNS.COM
Comment:
RegDate: 2006-01-25
Updated: 2006-01-25
OrgTechHandle: EBAYN-ARIN
OrgTechName: eBay Network
OrgTechPhone: 1-408-376-7400
OrgTechEmail: [email protected]

 

[HowEver]

.

 

[Macaholic]

But if PayPal did not send the message (since the OP did not need to restore account access)...

None that I could find in my account. Like, I chacked all the tabs at the top and found no warning message. And, my transaction history is accurate.

 

[CanadaRAM]

But if PayPal did not send the message (since the OP did not need to restore account access)...

On the other threads linked, there was the suggestion that the PayPal servers were sending out random unnecessary notices.

If the email was addressed by the correct individual's name (not by Dear Paypal Customer), if there were no hyperlinks, no phone number, if WHOIS on the IP addresses in the headers indicate it came from Paypal's servers and there are no other servers in the chain...

Then I think we are chewing over this bone for nothing.

The chance of a scammer having the personal name, successfully spoofing all of the header information, AND by not having a link or phone number, therefore having to rely on a previously installed keylogger on the machine to capture the manual login --- is vanishingly small.

However if you are still concerned, contact PayPal through their Security centre and give them a copy of the mail, ask them what happened.

 

[Macaholic]

Then I think we are chewing over this bone for nothing.

I agree.

The chance of a scammer having the personal name, successfully spoofing all of the header information, AND by not having a link or phone number, therefore having to rely on a previously installed keylogger on the machine to capture the manual login --- is vanishingly small.

INDEED!

 

[RunTheWorldOnMac]

I agree with CanadaRam and KRS. Only thing left to do is call PayPal and report back to us on what it really is.

 

[krs]

Because of this thread, I decided to run MacScan on my Mac just for the heck of it.

No Keyloggers, but it did find 15 tracking cookies whatever that is.

The OP could run MacScan just for peace of mind - takes fairly long, but at least doesn't screw up the Mac like Norton did on OS 9.

 

[Macaholic]

I've reported it to PayPal.

My MacScan demo has expired... but I'm assuming I've no problem with a key logger.