Paypal Phishing email: Verify Account Preparing Service
I've been getting a lot of Paypal spam emails recently, and I finally got curious enough to take a look at one of them. I'll give you the TL:DR upfront; this email ends with nothing of substance but it does have an interesting double redirect I found interesting.
On Friday I got this email with a "receipt pdf" attached. (MD5: deb2cb3021416d2650667735e2289cc5)
The email claimed to have come from int.paypal.com but in reality, it comes from:
Unfortunately, Centralops doesn't have an IP address for that mail server
But as we can see the email clearly isn't from PayPal, but let's take a look at the actual attachment. Taking a look at the header shows that this is infact a PDF and doesn't contain an embedded executable.
Know that we know this is safe to open (I'm in an isolated VM) let's take a look at it.
Opening the PDF and hovering over the "verify now" open shows a Tumblr redirect link. If you're familiar with URL encoding, you'll notice the second redirect link in there, but just to make it easy to see I used CyberChef to decode the URL.
I had to look up what parg.co is but when I did, I found out that it's yet another URL shortener.
Following the link didn't bring me anywhere exciting. I got brought to cantstopsneezing.com (ip: 22.214.171.124). Which seems to have been created the day I received the email.
I can only really speculate what the website was used for since it was offline by the time I tried to navigate to it. I tried several different browsers and user agent strings to try and get the website to serve me a file but it didn't, so I'm assessing that the creators shut it down after a few hours or a day.
I'm assessing that this was likely one of two things; either it was to serve malware or it was to harvest credentials. The truth, we'll probably never know.