Another phishing scam that spoofs the entire IE address bar to fool PayPal users into giving up their account information...

This spoofed PayPal email (see image below) is in HTML format, although it is made to look like a text-only email in order to add a sense of authenticity to the link text. The link in the email has been disguised using HTML code to look like a genuine link to PayPal, but it will open a forged PayPal 'Member Log In' page in the following manner...

The link will open a browser window which is scripted to close and reopen with the address bar removed and at full screen. The really clever part of this bogus page is that it uses script and code to display a replacement address bar with text, and that text is a genuine URL of a secure PayPal page (https://www.paypal.com/cgi-bin/webscr?cmd=_login-run).

The fake address bar is constructed with images and text (for the URL), as mentioned. The only drawback to this approach for the perpetrators is that some of the images used to build the fake toolbar have a light grey background which only matches the Windows™ Classic desktop scheme. They have even constructed a dummy 'Go' button which appears to be functional.

Since this forged PayPal page is really targeting Internet Explorer users, we recommend that you use a desktop appearance setting other than 'classic'. To change your desktop appearance setting, right click on a blank area of your desktop, select Properties and click the Appearance tab, and you will be able to choose a new setting from the Theme drop down box.

The true URL of the bogus page was found to be http://211.114.61.195/.verification/paypal/log1.htm in the initial report on 22nd March, and another URL - http://211.114.61.195/css/.verification/log1.htm - was found on the 25th March. Both addresses resolve to Myongshin Girls High School in Korea. The nature of the bogus page and the genuine appearance of the email earns this phishing scam a HIGH risk level.

If you have received this email, please remember that it is very common for these email scams to be redistributed at a later date with only slightly different content, or the same content but with the fake page(s) hosted by a different provider. Also, once you have received one of these hoaxes, it is commonplace to receive at least another one, usually a day or two after the first, although not necessarily from the same apparent sender.

The Spoof Email ...
Dear <your email address is put here>,

We recently reviewed your account, and suspect that your PayPal account may
have been accessed by an unauthorized third party. Protecting the security
of your account and of the PayPal network is our primary concern.
Therefore, as a preventative measure, we have temporarily limited access to
sensitive PayPal account features.

Click below in order to regain access to your account:

https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

For more information about how to protect your account, please visit
PayPal's Security Center, accessible via the "Security Center" link located
at the bottom of each page of the PayPal website.

We apologize for any inconvenience this may cause, and appreciate your
assistance in helping us maintain the integrity of the entire PayPal
system. Thank you for your prompt attention to this matter.

Sincerely,
The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
"Help" link in the header of any page.

PayPal Email ID PP198
PayPal Email ID PP316
The bogus web page ...