Imagine my surprise when I got a receipt from Paypal telling me I just paid $175.85 for a Nokia phone. Of course I know I didn't just buy a phone and I know Paul didn't just buy a phone; we both have perfectly good phones. Which means one of two things: either a) our Paypal account was fraudulently used or b) it is yet another phishing scam. A quick perusal of the email proved it to be the latter.
Here are the headers of the email in question:
Return-Path:
Received: from 62.193.214.122 (vds-378825.amen-pro.com [62.193.214.122])
    by bugsbunny.castlecops.com (8.13.4/8.13.4) with SMTP id j89IAfnh004347
    for ; Fri, 9 Sep 2005 14:10:42 -0400
Received: from dns12.inbox.ru (dns12.inbox.ru [73.148.198.193]) by with SMTP;
    Fri, 09 Sep 2005 15:10:51 -0400
Date: Fri, 09 Sep 2005 18:02:51 -0100
From: "PayPal"
Reply-To: "PayPal"
Message-ID: <70802275387.409843025699815240819@stopcock>
To: Charmaine
Subject: This email confirms that you paid MICROBAZAR (sales@microbazaar.com) $175.85 USD using PayPal
X-Mailer: jura interdict
Organization: anomaly dilettantes from 8953
X-NOD32Result: clean
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
    bugsbunny.castlecops.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.8 required=5.2 tests=BAYES_50,FULL_REFUND,
    HTML_80_90,HTML_MESSAGE,IP_LINK_PLUS,NORMAL_HTTP_TO_IP,
    RCVD_IN_NJABL_SPAM,RCVD_NUMERIC_HELO autolearn=no version=3.0.4
X-Spam-DCCB: CTc-dcc1
X-Spam-DCCR: bugsbunny.castlecops.com 1030; Body=2 Fuz1=2 Fuz2=2
Status:
X-Antivirus: AVG for E-mail 7.0.344 [267.10.19]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-4321D1057A0F======="
A few things that should trigger bells and whistles right away:
I haven't changed my name to Charmaine (neither has Paul)
I've never heard of Microbazaar.com
Paypal hasn't stopped using their own email servers for inbox.ru servers
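The same checks can be run mechanically over the headers. The following is an added example, not code from the original post: the addresses in angle brackets are constructed placeholders (the real ones are missing from the headers above), and the brand domain `paypal.com` and the set of known recipient names are assumptions passed in by the caller.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from the message above; <...@example.invalid> addresses are
# constructed placeholders because the originals were stripped.
RAW = """\
Return-Path: <sender@example.invalid>
Received: from 62.193.214.122 (vds-378825.amen-pro.com [62.193.214.122])
\tby bugsbunny.castlecops.com (8.13.4/8.13.4) with SMTP id j89IAfnh004347
\tfor <recipient@example.invalid>; Fri, 9 Sep 2005 14:10:42 -0400
Received: from dns12.inbox.ru (dns12.inbox.ru [73.148.198.193]) by with SMTP;
\tFri, 09 Sep 2005 15:10:51 -0400
Date: Fri, 09 Sep 2005 18:02:51 -0100
From: "PayPal" <sender@example.invalid>
To: Charmaine <recipient@example.invalid>
Subject: This email confirms that you paid MICROBAZAR (sales@microbazaar.com) $175.85 USD using PayPal

"""

# "from <HELO name> (<reverse DNS name> [<connecting IP>])"
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")

def relay_hops(raw):
    """Return (helo, rdns, ip) for each Received header, newest hop first."""
    msg = message_from_string(raw)
    found = (HOP.search(v) for v in msg.get_all("Received", []))
    return [m.groups() for m in found if m]

def red_flags(raw, brand_domain, known_names):
    """Flag header mismatches for mail whose From name claims a brand."""
    msg = message_from_string(raw)
    flags = []
    # Only the topmost Received line was written by the receiving server;
    # everything below it is supplied by the sender and can be forged.
    helo, rdns, _ip = relay_hops(raw)[0]
    if re.fullmatch(r"[\d.]+", helo):
        flags.append("numeric_helo")          # sender greeted with a bare IP
    from_name, _ = parseaddr(msg["From"])
    brand = brand_domain.split(".")[0]
    if brand in from_name.lower() and not rdns.lower().endswith("." + brand_domain):
        flags.append("relay_not_brand")       # "PayPal" mail from a non-PayPal host
    to_name, _ = parseaddr(msg["To"])
    if to_name and to_name not in known_names:
        flags.append("unexpected_recipient")  # addressed to someone else
    return flags
```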
The email itself is like most of the current phishing scams, where the images are pulled directly from the originating source. Tables are the same as they would be in a real receipt. Take a look at the email below; there is something wrong with it.