Fake PayPal email

James Ryan Jonas

Now that you have a PayPal account, you should be wary of emails you receive supposedly from PayPal. Although an email might carry a header and logo that look like PayPal's, most of these are phishing emails designed to steal your personal information.

More information about phishing, how to check if an email is fake, and ways to protect yourself from phishing can be found in the What is Phishing? article. A sample phishing website is explained in the “Beware of the fake egold website!” article.

Yesterday we received an email purportedly from PayPal asking us to login to the site to update our personal records. Failure to do so, the email says, will result in account suspension. Here’s a screenshot of the email.

At first glance, it looks like an authentic PayPal email. A closer look at the content, however, shows that it is a fake. Let’s go through it in detail.

The Email Header

If you didn’t pay much attention to the header, you would think the email was indeed from PayPal. In the first place, the sender of the mail was “service@paypal.com” — supposedly an official PayPal address.

Date: 30 Oct 2006 16:09:34 -0000
Subject: Warning Notification !
From: service@paypal.com

The From: line, however, proves nothing. SMTP does not verify it; the sender sets it to whatever they like, and a phisher naturally sets it to a PayPal address. Although the mail claims to come from “service@paypal.com,” the actual sender was different. To see who really sent the mail and from where, look at the full headers (most mail clients have an option such as “show original” or “view full headers”). Our email in question has these full headers:

X-Apparently-To: xxxxx@yahoo.com via 66.218.93.230; Mon, 30 Oct 2006 10:38:46 -0800
X-Originating-IP: [69.26.175.108]
Return-Path: <anonymous@vhost.onestop.net>
Authentication-Results: mta241.mail.mud.yahoo.com from=paypal.com; domainkeys=neutral (no sig)
Received: from 69.26.175.108 (HELO vhost.onestop.net) (69.26.175.108) by mta241.mail.mud.yahoo.com with SMTP; Mon, 30 Oct 2006 10:38:46 -0800
Received: (qmail 64089 invoked by uid 65534); 30 Oct 2006 16:09:34 -0000
Date: 30 Oct 2006 16:09:34 -0000
Message-ID: <20061030160934.64088.qmail@vhost.onestop.net>
To: xxxxx@yahoo.com
Subject: Warning Notification !
From:service@paypal.com
Reply-to:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Content-Length: 1827

Note the Message-ID, the DomainKeys result (“neutral (no sig)”: the message carries no signature PayPal could have applied), the sender’s IP address, and the mail server that handed the message to Yahoo (vhost.onestop.net, a web host, not a PayPal server). The line “Received: (qmail 64089 invoked by uid 65534)” is also telling: uid 65534 is conventionally the unprivileged “nobody” account that web server scripts run as, so the message was most likely generated by a script on that web host rather than sent by a person with a mailbox there. Compare all of this with the headers of an authentic PayPal email:

X-Gmail-Received: e3648473ad76129564fb58bfcdf8607df9661f7c
Delivered-To: xxxxx@gmail.com
Received: by 10.82.162.9 with SMTP id k9cs34780bue;
        Tue, 31 Oct 2006 09:59:51 -0800 (PST)
Received: by 10.78.128.11 with SMTP id a11mr7196313hud;
        Tue, 31 Oct 2006 09:59:51 -0800 (PST)
Return-Path: <payment@paypal.com>
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])
        by mx.google.com with ESMTP id 30si7241523hub.2006.10.31.09.59.49;
        Tue, 31 Oct 2006 09:59:51 -0800 (PST)
Received-SPF: pass (google.com: domain of payment@paypal.com designates 66.211.168.231 as permitted sender)
DomainKey-Status: good (test mode)
Received: from phx22web06.phx.paypal.com ([10.190.3.65])
        by mx1.phx.paypal.com (8.13.7/8.13.7) with SMTP id k9VHxmQQ009397
        for <futuregizmo@gmail.com>; Tue, 31 Oct 2006 09:59:48 -0800
X-DomainKeys: Sendmail DomainKeys Filter v0.4.1 mx1.phx.paypal.com k9VHxmQQ009397
DomainKey-Signature: a=rsa-sha1; s=dkim; d=paypal.com; c=simple; q=dns;
        b=djHkqQ3G0SBcInbasEfcnysOosmZs2BFgprBglyhUY06Xxi92G9tBrAWXT61fQK97
        BqzuD678UhG3jSt1KcaVbNqvVTxUC37FAF7p/lxUeq3ceXCGS/uh8nNSIuHjlPJbt9Q
        lGdb++neV/DZ5Uf2wne+WgIXyuQsARLvXpJ9Xlk=
X-DKIM: Sendmail DKIM Filter v0.5.1 mx1.phx.paypal.com k9VHxmQQ009397
DKIM-Signature: a=rsa-sha1; c=simple/simple; d=paypal.com; s=dkim;
        t=1162317588; bh=itgF7PyvQkUyZa4tpiPKD1MSl1E=; h=Received:Date:
        Message-Id:Subject:X-MaxCode-Template:To:From:X-Email-Type-Id:
        X-XPT-XSL-Name:Content-Transfer-Encoding:Content-Type:MIME-Version:
        Sender; b=MMkZrnvaGEjSDxMgDfqirGRzsMaBBCi1dB4DEtzkA/wec6hnewcyHjZ5F
        nAKBdaftKXA9/dFtQGKAeSyAKwVSeTtydSTPOCcEMiIvdsCpkBt5voENlNz+De2j57H
        IPHhrnQcP1Mch4zYzo2pmmjLTOEfgPAclmLvkNxWSKk1SIk=
Received: (qmail 9317 invoked by uid 99); 31 Oct 2006 17:59:48 -0000
Date: Tue, 31 Oct 2006 09:59:48 -0800
Message-Id: <1162317588.9317@paypal.com>
Subject: Receipt for your Money Request
X-MaxCode-Template: email-receipt-individual-money-request
To: <xxxxx@gmail.com>
From: "service@intl.paypal.com" <service@intl.paypal.com>
X-Email-Type-Id: PP117
X-XPT-XSL-Name: /default/en_US/request/ReceiptIndividualMoneyRequest.xsl
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=windows-1252
MIME-Version: 1.0
Sender: <sendmail@paypal.com>

The email in question was handed to Yahoo’s mail server by IP address 69.26.175.108, while the authentic PayPal email reached Gmail from 66.211.168.231, a server that also passed Google’s SPF check and carried a valid DomainKeys signature for paypal.com. Looking up the WHOIS record of the first IP address gives the following, confirming that the mail did not originate from any of PayPal’s servers:

Net Sentry Corp NETSENTRY (NET-69-26-160-0-1)
69.26.160.0 – 69.26.191.255
xeex NETSENTRY-XEEX-01 (NET-69-26-172-0-1)
69.26.172.0 – 69.26.175.255
Your OneStop Network, Inc. YOUR-ONESTOP-NETWORK (NET-69-26-175-0-1)
69.26.175.0 – 69.26.175.255

The second IP address has the following WHOIS record, which shows that the mail did indeed come from a server belonging to eBay, PayPal’s parent company:

OrgName: eBay, Inc
OrgID: EBAY
Address: 2145 Hamilton Ave
City: San Jose
StateProv: CA
PostalCode: 95008
Country: US

NetRange: 66.211.160.0 – 66.211.191.255
CIDR: 66.211.160.0/19
NetName: EBAY-2
NetHandle: NET-66-211-160-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Assignment
NameServer: SJC-DNS1.EBAYDNS.COM
NameServer: SJC-DNS2.EBAYDNS.COM
NameServer: SMF-DNS1.EBAYDNS.COM
NameServer: SMF-DNS2.EBAYDNS.COM
Comment:
RegDate: 2006-01-25
Updated: 2006-01-25
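The header comparison above can be automated. The script below is an added example, not code from the original article or from PayPal: it runs the same checks the article makes by hand (Return-Path versus From, where the Message-ID was generated, which host handed the message to the recipient’s server, and whether the receiving server recorded a passing SPF or DomainKeys result) over the two header blocks quoted on this page, trimmed to the headers the checks use and with continuation lines re-indented. It makes no network lookups, so the WHOIS step stays manual; the “organisational domain” helper is a deliberate simplification that only takes the last two labels.

```python
"""Header triage for a suspected phishing email.

Added example, not code from the original article or from PayPal. It applies
the checks the article makes by hand to the two header blocks quoted on the
page (trimmed to the headers used here, continuation lines re-indented). No
network lookups are made, so the article's WHOIS step stays manual.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the spoof email, as quoted in the article (trimmed).
FAKE = """\
Return-Path: <anonymous@vhost.onestop.net>
Authentication-Results: mta241.mail.mud.yahoo.com from=paypal.com; domainkeys=neutral (no sig)
Received: from 69.26.175.108 (HELO vhost.onestop.net) (69.26.175.108) by mta241.mail.mud.yahoo.com with SMTP; Mon, 30 Oct 2006 10:38:46 -0800
Received: (qmail 64089 invoked by uid 65534); 30 Oct 2006 16:09:34 -0000
Message-ID: <20061030160934.64088.qmail@vhost.onestop.net>
From:service@paypal.com
"""

# Headers of the authentic PayPal receipt, as quoted in the article (trimmed).
REAL = """\
Received: by 10.82.162.9 with SMTP id k9cs34780bue;
        Tue, 31 Oct 2006 09:59:51 -0800 (PST)
Return-Path: <payment@paypal.com>
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])
        by mx.google.com with ESMTP id 30si7241523hub.2006.10.31.09.59.49;
        Tue, 31 Oct 2006 09:59:51 -0800 (PST)
Received-SPF: pass (google.com: domain of payment@paypal.com designates 66.211.168.231 as permitted sender)
DomainKey-Status: good (test mode)
Message-Id: <1162317588.9317@paypal.com>
From: "service@intl.paypal.com" <service@intl.paypal.com>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def org_domain(host):
    """Crude organisational domain (last two labels): paypal.com for
    intl.paypal.com. ccTLD forms such as co.uk would need a suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def addr_org(header_value):
    """Organisational domain of the address in a From:/Return-Path: value."""
    return org_domain(parseaddr(header_value or "")[1].rpartition("@")[2])


def last_external_hop(msg):
    """(host, ip) of the machine that handed the message to the recipient's
    server: the first 'Received: from ...' line, because the recipient's own
    headers sit on top. Internal 'Received: by ...' hops are skipped."""
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold RFC 5322 continuation lines
        m = re.match(r"from\s+(\S+)(?:\s+\(HELO\s+(\S+)\))?", value)
        if not m:
            continue
        host = m.group(2) or m.group(1)  # qmail records the HELO name separately
        ips = IPV4.findall(value.split(" by ")[0])
        return host, (ips[0] if ips else None)
    return None, None


def triage(raw_headers):
    """Return the sender facts worth checking plus a list of red flags."""
    msg = message_from_string(raw_headers)
    from_org = addr_org(msg.get("From"))
    flags = []

    # Envelope sender (where bounces go) should belong to the claimed From domain.
    rp_org = addr_org(msg.get("Return-Path"))
    if rp_org != from_org:
        flags.append(f"Return-Path is at {rp_org}, From claims {from_org}")

    # Message-ID names the host that generated the mail.
    mid_org = org_domain((msg.get("Message-ID") or "").rpartition("@")[2].rstrip(">"))
    if mid_org != from_org:
        flags.append(f"Message-ID was generated at {mid_org}")

    host, ip = last_external_hop(msg)
    if host and org_domain(host) != from_org:
        flags.append(f"handed to our server by {host} ({ip})")

    # Only results written by the receiving server count; a DKIM-Signature
    # header on its own proves nothing until it has been verified.
    spf = [v.lower() for v in msg.get_all("Received-SPF", [])]
    auth = [v.lower() for v in msg.get_all("Authentication-Results", [])]
    dk = [v.lower() for v in msg.get_all("DomainKey-Status", [])]
    spf_pass = any(v.startswith("pass") for v in spf) or any("spf=pass" in v for v in auth)
    sig_pass = any(v.startswith("good") for v in dk) or any(
        tag in v for v in auth for tag in ("domainkeys=pass", "dkim=pass"))
    if not (spf_pass or sig_pass):
        flags.append(f"no passing SPF or DomainKeys/DKIM result for {from_org}")

    return {"from_org": from_org, "connecting_host": host,
            "connecting_ip": ip, "flags": flags}


if __name__ == "__main__":
    for name, raw in (("spoof", FAKE), ("authentic", REAL)):
        result = triage(raw)
        print(name, result["connecting_host"], result["connecting_ip"], result["flags"])
```

Run as-is, the spoof headers produce four flags (Return-Path, Message-ID and connecting host all at onestop.net, and no passing authentication result), while the authentic receipt produces none and reports mx1.phx.paypal.com at 66.211.168.231, the address the article then looks up in WHOIS. The connecting IP is the one fact in the headers the phisher cannot forge, because the receiving server writes it; everything above it in the Received chain was written by the sender and is only as trustworthy as they are.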

The Logo

Don’t be fooled by the logo used in the email. It was simply copied from PayPal’s own site (URL: ) and used to make recipients believe the email was official PayPal correspondence. Anyone can copy an image, so a correct logo is no evidence of authenticity.

The Welcome Greeting

PayPal’s emails address you by the name on your account. The email in question used the generic “Dear sir” greeting, a sign that it was sent in bulk to addresses the sender knows nothing about. The reverse does not hold, though: a personalized greeting alone does not prove an email is genuine, since a phisher who has obtained your name can use it too.

The Login Link

The final giveaway that the email is a fake is the login link. If you hover (rest) your cursor over the “Click here to update your PayPal account information” link, the status bar in the lower-left corner of the browser shows that it actually points to — an address unrelated to PayPal. Hovering only helps if your mail client shows the real destination; the surest check is to view the message source and read the href attribute of the link, since the visible text of a link and its destination are set independently. Visiting the site would lead you to an exact replica of the PayPal login page, but it is a phishing site that captures whatever you type into it.

THE SPOOF PAYPAL EMAIL

Warning Notification

Dear sir,

It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.

However, failure to update your records will result in account suspension. Please update your records before November 06, 2006.

Once you have updated your account records, your PayPal® account activity will not be interrupted and will continue as normal.

Click here to update your PayPal account information

Actual Link (DO NOT VISIT):

What you should do

We advise you not to visit that link and not to enter anything in the login fields on the site. If you already have, log in to PayPal directly (type the address yourself) and change your password at once. Forward the fake email to spoof@paypal.com to notify PayPal about the phishing email and site; forwarding it as an attachment, where your client allows, preserves the full headers discussed above. If you are using Gmail, you can report the mail as phishing by clicking More Options > Report Phishing.

You should never fully trust an email that claims to be from PayPal. Use the checks above (the full headers and the connecting server, the greeting, and where the links really point) to decide whether a mail is authentic or a phishing attempt.

James Ryan Jonas teaches business management, investments, and entrepreneurship at the University of the Philippines (UP). He is also the Executive Director of UP Provident Fund Inc., managing and investing P3.2 Billion ($56.4 Million) worth of retirement funds on behalf of thousands of UP employees.