ALERT - Phishing Attack On PayPal Users

Tuesday, November 15, 2005

I just received a phishing attack I almost fell for. Luckily I noticed that the email directed me to an insecure (http and not https) login site before I entered my log-in data. The email stated as sender and contained the following text:
Notification of Limited Account Access
Why is my account access limited?
Your account access has been limited for the following reason(s):
Nov. 15, 2005:
1. We would like to ensure that your account was not accessed by an unauthorized third party.
Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features.
2. Unusual account activity has made it necessary to limit account access until additional verification information can be collected.
3. If your account was hijacked, the bank account attached is vulnerable too. Please respond as soon as possible!
How can I restore my account access?
Please visit the Resolution Center and complete the "Steps to Remove Limitations."
NOTE: Resolution Center links to an insecure website with some cgi.bin stuff in the link. At that site they require your login data.
Once you complete all of the checklist items, your case will be reviewed by one of our Account Specialists.
We will send you an email with the outcome of the review.
If, after reviewing your account information, you seek further clarification regarding your account access,
please contact PayPal by visiting the Help Center and clicking "Contact Us".
PayPal Account Review Department
PayPal Email ID PP522
I have informed PayPal about this event. It is the first time I have received such an attack. Please pass on this information to whom it may concern.

The header of the email contains this:
Subject: PayPal Account Compromised.Unconfirmed change of email address.
Date: 15. November 2005 16:59:27 GMT+01:00
X-Apparently-To: via; Tue, 15 Nov 2005 10:12:59 -0800
X-Originating-Ip: []
Authentication-Results:; domainkeys=neutral (no sig)
Received: from (EHLO ( by with SMTP; Tue, 15 Nov 2005 10:12:58 -0800
Received: (from root@localhost) by (8.11.6/8.11.6) id jAFFxRT06410 for; Wed, 16 Nov 2005 00:59:27 +0900
Message-Id: <>
Content-Type: text/html

The mail originated in Korea, a DNS lookup shows me.
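The checks described in this post (the unsigned Authentication-Results line, the oldest Received hop, and the http login link) can be automated. The script below is an added example and not part of the original post; the sample message, its example.net/example.org hostnames and 192.0.2.10 address are constructed, and the names triage and LinkCollector are this example's own. A UTC offset only reflects the sending host's clock setting, so treat it as a hint rather than a location.

```python
import email
import re
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the headers quoted in the post (hosts are placeholders).
SAMPLE = """\
Received: from mx.example.net (EHLO mx.example.net) (192.0.2.10) by mta.example.org with SMTP; Tue, 15 Nov 2005 10:12:58 -0800
Received: (from root@localhost) by host.example.net (8.11.6/8.11.6) id jAFFxRT06410 for <user@example.org>; Wed, 16 Nov 2005 00:59:27 +0900
Authentication-Results: mta.example.org; domainkeys=neutral (no sig)
Subject: PayPal Account Compromised.Unconfirmed change of email address.
Content-Type: text/html

<html><body>Please visit the <a href="http://login.example.net/cgi-bin/webscr">Resolution Center</a>
and the <a href="https://www.example.com/help">Help Center</a>.</body></html>
"""

class LinkCollector(HTMLParser):  # gathers every href found in <a> tags
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def triage(raw):
    """Return a list of findings for one raw message (headers plus HTML body)."""
    msg = email.message_from_string(raw)
    findings = []
    # 1. Sender authentication: missing, neutral, none or fail all mean "not verified".
    auth = msg.get("Authentication-Results", "")
    if not auth or re.search(r"=\s*(neutral|none|fail)", auth):
        findings.append("auth: no passing signature")
    # 2. Origin hop: each relay prepends its Received line, so the last one is the oldest.
    hops = msg.get_all("Received", [])
    if hops:
        if "root@localhost" in hops[-1]:
            findings.append("origin: submitted locally as root")
        stamp = parsedate_to_datetime(hops[-1].rsplit(";", 1)[-1].strip())
        if stamp.utcoffset() is not None:
            findings.append(f"origin-utc-offset: {stamp.utcoffset().total_seconds() / 3600:+.0f}")
    # 3. Links: any target that is not https would receive credentials in clear text.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        if urlsplit(href).scheme.lower() != "https":
            findings.append(f"insecure-link: {href}")
    return findings
```

Calling triage(SAMPLE) returns one finding per check; an https link alone is not proof of legitimacy, so the link check only catches the case the post describes.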

