TOKYO (MacHouse) – More than 9 hours ago, an organized cyber criminal group circulated a phishing message impersonating an online payment company. The subject line reads Update Your Billing Records – Urgent Action Required, and the sender’s address is shown as firstname.lastname@example.org. The phishing message reads:
Due to recent fraudulent transactions, we have issued the following security requirements.
It has come to our attention that 98% of all fraudulent transactions are caused by members using stolen credit cards to purchase or sell non existant items. Thus we require our members to add a Debit/Check card to their billing records as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. Your Debit/Check card will only be used to identify you. If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the PayPal® service. However, failure to confirm your records will result in your account suspension.
We are requesting this information to verify and protect your identity. Federal regulations require all financial institutions to obtain, verify, and record identification from all persons opening new accounts or obtaining ongoing payment services. This is in order to prevent the use of the U.S. banking system in terrorist and other illegal activity. For these reasons, PayPal® will utilize services provided by various credit reporting agencies to verify the information you submit to us.
Once you have updated your account records your pending PayPal® account transactions will not be interrupted and will continue as normal.
To update your billing records please proceed to our secure webform by clicking here.
Screenshot 01
Screenshot 02
The URL underlying the hyperlink in the message is http://info.esyu.com.cn/www.paypal.com/EN/paypal-update/index.htm. Note that the brand name appears only in the path of that URL; the host actually contacted is info.esyu.com.cn. Clicking on the link directs the victim to a phishing website hosted in China (the host is connected through Shaoxing Telecom Bureau). (See Screenshot 02.)
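The URL above relies on the reader seeing "www.paypal.com" and not noticing that it sits in the path rather than the host. The following is an added example, not code from the post or from MacHouse, showing how to split such a URL the way a browser does and report where the brand name really sits. It goes a little beyond the post's single case: besides brand-in-path it also checks the user-info trick (brand before an "@") and brand-as-subdomain of an unrelated domain. The legitimate domain list and the extra sample URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed input: the look-alike URL quoted in the post.
PHISH_URL = "http://info.esyu.com.cn/www.paypal.com/EN/paypal-update/index.htm"

# Assumption for this example: the brand's genuine registrable domain(s).
LEGIT_DOMAINS = ("paypal.com",)


def on_legit_domain(host, legit=LEGIT_DOMAINS):
    """True only if host is the brand domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in legit)


def analyse_url(url, legit=LEGIT_DOMAINS):
    """Split the URL as a browser would and report where the brand name sits.

    Only the hostname decides which server is contacted; anything in the
    path, the query string or the user-info part before '@' is decoration
    that an attacker controls freely.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    legit_host = on_legit_domain(host, legit)
    findings = []
    if not legit_host:
        for d in legit:
            brand = d.split(".")[0]  # e.g. "paypal"
            if d in parts.path.lower():
                findings.append(
                    f"'{d}' appears in the path; the server contacted is '{host}'")
            if parts.username and d in parts.username.lower():
                findings.append(
                    f"'{d}' appears before '@' as user-info; "
                    f"the server contacted is '{host}'")
            if brand in host:
                findings.append(
                    f"'{brand}' appears inside the host name '{host}', "
                    f"which is not under '{d}'")
    return {
        "scheme": parts.scheme,
        "host": host,
        "legit_host": legit_host,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample inputs (example.invalid-style names, RFC 5737 IP).
    for u in (PHISH_URL,
              "https://www.paypal.com/signin",
              "http://www.paypal.com@203.0.113.5/login",
              "http://www.paypal.com.account-verify.example/"):
        r = analyse_url(u)
        print(u, "->", r["host"], "legit" if r["legit_host"] else "NOT legit")
        for f in r["findings"]:
            print("   ", f)
```

The check is deliberately narrow: a hostname that is not under the brand's domain is the signal, and the findings only explain which decoration was used to disguise it. It says nothing about a host that is merely unfamiliar, so it belongs in a mail-filter or user-awareness tool alongside reputation and certificate checks rather than on its own.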
Screenshot 03
Screenshot 04
Screenshot 03 shows the HTML source of the phishing message, including its headers. The headers trace the immediate source of the message to the IP address 22.214.171.124, which ARIN lists as assigned to the City of Waupaca, WI, USA. The headers also indicate the true origin of the PayPal phishing message: the terminal with the IP address 126.96.36.199, which may be traced to a Telenet service operated in Belgium.
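The distinction drawn above, between the immediate source recorded in the top-most Received header and the origin recorded near the bottom, is the core of header tracing. The following is an added example, not code from the post, that walks the Received chain of a constructed message to pull out both. The headers and IP addresses (RFC 5737 documentation ranges and an RFC 1918 address) are made up for the example and are not those of the message discussed in the post; the private-network list is an explicit assumption rather than Python's `is_private`, because `ipaddress` also treats the documentation ranges used here as non-global.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message: three hops, newest Received header on top.
# Bottom-most hop is a LAN client submitting through the sender's gateway.
SAMPLE_MESSAGE = """\
Received: from smtp-out.example.org (smtp-out.example.org [198.51.100.44])
    by mx-in.example.net with ESMTP id A1;
    Mon, 1 Jan 2007 10:00:02 +0000
Received: from mailgw.example.org (mailgw.example.org [203.0.113.77])
    by smtp-out.example.org with ESMTP id B2;
    Mon, 1 Jan 2007 10:00:01 +0000
Received: from user-pc (unknown [192.168.1.23])
    by mailgw.example.org with ESMTPA id C3;
    Mon, 1 Jan 2007 10:00:00 +0000
From: "PayPal" <service@example.org>
Subject: Update Your Billing Records - Urgent Action Required

Constructed body.
"""

# Dotted-quad IPv4 not glued to other digits or dots.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Assumption: RFC 1918 plus loopback count as "internal" and are skipped
# when looking for the originating host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_chain(raw_message):
    """IP of the connecting client in each Received header, top (recipient
    side) to bottom (sender side). None where no IP was recorded."""
    msg = message_from_string(raw_message)
    hops = []
    for rcvd in msg.get_all("Received", []):
        line = " ".join(rcvd.split())          # unfold the header
        # The client is in the 'from' clause, i.e. everything before ' by '.
        from_part = re.split(r"\s+by\s+", line, maxsplit=1, flags=re.I)[0]
        m = IPV4.search(from_part)
        hops.append(m.group(1) if m else None)
    return hops


def trace(raw_message):
    """Immediate source = client of the newest Received header (written by
    the recipient's own server, so trustworthy). Origin = first public IP
    walking up from the oldest header. Caveat: the sender controls every
    header below the first one added by a server you trust, so the origin
    is an indication, not proof."""
    chain = received_chain(raw_message)
    immediate = chain[0] if chain else None
    origin = None
    for ip in reversed(chain):
        if ip is not None and not is_internal(ip):
            origin = ip
            break
    return {"chain": chain, "immediate_source": immediate, "origin": origin}


if __name__ == "__main__":
    result = trace(SAMPLE_MESSAGE)
    print("hops (newest first):", result["chain"])
    print("immediate source:", result["immediate_source"])
    print("probable origin:", result["origin"])
```

Once an address has been extracted this way, the WHOIS/RDAP lookup the post describes (ARIN for the immediate source, the relevant regional registry for the origin) is the next step; the script stops at the addresses themselves.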