TOKYO (MacHouse) – The existence of a PayPal phishing website surprises nobody these days. For example, we reported a couple of them at the end of last month alone. Perhaps PayPal itself no longer takes it seriously, even when it finds out that a phishing website is pretending to be its service.
Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: aplus.net
Screenshot 03 – Source: aplus.net
About 23 hours ago, an organized cyber scum group circulated a spam e-mail message that again misrepresents itself as coming from PayPal. The subject line of the spam message is:
!ClamAV:VIRUS found:Phishing.Heuristics.Email.SpoofedDomain! Update Your PayPal Account Personal Information
What is ClamAV? It's an open-source anti-virus software package for UNIX. Reading the message, it sounds like the recipient's PayPal account was once suspended, because it says:
Our review is complete and we have restored your account.
Then the spam message urges the recipient to update his or her PayPal account by clicking on the URL in the message. The underlying URL is not that of PayPal; it is http://www.imp-igg.com. Anyone who clicks on the given link is actually redirected to an active PayPal phishing website hosted at the domain of aplus.net.
Our preliminary analysis shows that the phishing website is currently hosted in San Diego. The redirection point and the phishing website are both harbored by a suspicious web hosting company called Aplus.net Internet Services (aplus.net). And the spam message appears to originate from Hungary.