There is more going on here than you might suspect.
On the left is an email that filtered through Microsoft’s Live Mail/Outlook junk mail filtering settings. In their attempt not to “read anyone’s emails” they don’t flag senders as “junk” until someone (or a number of people) proactively does so.
I make this assumption because it is easy for anyone who can see the content of this email to identify the one on the left as junk mail…
It is also easier to assume that the email I received is not junk mail!
I recently used my PayPal account to make a couple of orders on Amazon. After making the orders, Amazon requested that I double-check my financial information as the orders didn’t get processed… No big deal, it happens.
However, the next day I received this email from “PayPal”, and it seemed as if it applied to my recent transaction. So I clicked on it and got the website on the right.
A wonderful reproduction of PayPal’s US website. (Canada’s version has a different cover photo).
NEVER LOG INTO ANY WEBSITE GIVEN TO YOU FROM AN EMAIL!
Fortunately I am well versed in never logging into anything after receiving an email, and rather than logging in I just habitually browsed the website. All the links worked fairly well, so much so that I even considered logging in… but what didn’t seem right was the long domain name up above. I almost didn’t even notice the second “dot”, and that set me to double-check the well-crafted email I was given.
The first thing I noticed is that when I hovered over the link, it didn’t point to www.paypal.com but to http://menbahsite.com/cgi (I disabled the link, but if you type that second one into your browser you can see the fake PayPal for yourself… just don’t log in).
After hitting “Log in to view now”, the domain name is “changed”, either through manipulation or redirection, to present as “paypal.com.cgi-bin-websc5.whaterverrandomletters12345”, which is definitely not PayPal, just a well-crafted criminal website made to steal your password. Hostnames are read from the right: the part that is actually registered is the last labels, so “paypal.com” at the front is nothing more than a subdomain the criminals created under their own domain. That second dot is the whole trick.
Curious, I wanted to see who these losers were who were sending such email, so I checked the source to see who the “real senders” were:
The domain name associated with sending the email is srv-1.sore.nl, which by itself tells you little: enter that domain in your browser, for instance, and you get redirected to a blank page (by design).
However, the associated IP address is often a webserver somewhere hosting a website.
That web server/host is either one that doesn’t mind hosting criminal activity or one that has been hacked unknowingly. If it’s the latter, I tend to try to contact the web admin to “save” their server from being permanently flagged as an “evil doer”, since being flagged is the worst-case scenario for any website host.
So I pump that IP address into my browser:
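The checks above (does the link text agree with where the link really goes, is “paypal.com” merely the front label of somebody else’s hostname, and which server do the Received headers name) can be done with a few lines of code instead of a hover and a squint. The script below is an added example written for this post; it is not code from the original article or from any mail provider. The message it parses is a constructed sample that reuses the hostnames mentioned above (menbahsite.com, srv-1.sore.nl), a made-up `.example` domain in place of the real random-letter domain, and the documentation address 192.0.2.10.

```python
# Added example (not from the original post). Parses a constructed phishing
# email and surfaces the tells discussed above: links whose visible text or
# leading "paypal.com" label disagrees with the domain that actually owns the
# hostname, and the server named in the Received headers.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a captured message. Hostnames reuse the ones named
# in the post; the ".example" domain and 192.0.2.10 are placeholders.
SAMPLE_EML = b"""\
Received: from srv-1.sore.nl (srv-1.sore.nl [192.0.2.10])
\tby mx.example.net with ESMTP id abc123; Tue, 1 Jan 2013 10:00:00 +0000
From: "PayPal" <service@paypal.com>
To: victim@example.net
Subject: Your recent transaction could not be processed
Content-Type: text/html; charset=utf-8

<html><body>
<p>We were unable to process your recent payment.</p>
<p><a href="http://menbahsite.com/cgi">Log in to view now</a></p>
<p><a href="http://paypal.com.cgi-bin-websc5.example/login">www.paypal.com</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""

LEGIT_DOMAIN = "paypal.com"


def registrable_domain(host):
    """Rightmost two labels of a hostname. DNS reads right to left, so this is
    who actually owns the name. A real tool would consult the Public Suffix
    List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, legit=LEGIT_DOMAIN):
    """Return (href, reason) for every link that does not land on `legit`."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname or ""
        owner = registrable_domain(host)
        if owner == legit:
            continue  # genuinely on the brand's own domain
        if host.startswith(legit + "."):
            # The "second dot" tell: paypal.com is just a subdomain label here.
            findings.append((href, f"{legit} used as subdomain of {owner}"))
        elif legit in text.lower():
            findings.append((href, f"text says {legit}, link goes to {owner}"))
        else:
            findings.append((href, f"link goes to {owner}, not {legit}"))
    return findings


def received_hosts(msg):
    """Hostnames from the 'from' clause of each Received header, latest hop
    first. Relays write these; the From: line is whatever the sender typed."""
    hosts = []
    for received in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(received))
        if m:
            hosts.append(m.group(1))
    return hosts


def analyse(raw):
    """Parse raw message bytes and return the indicators a reader would check."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = registrable_domain(msg["From"].addresses[0].domain)
    hops = received_hosts(msg)
    body = msg.get_body(preferencelist=("html",)).get_content()
    return {
        "from_domain": from_domain,
        "received_from": hops,
        # Only a hint: legitimate bulk mail is often relayed by a third party.
        "header_mismatch": bool(hops) and registrable_domain(hops[0]) != from_domain,
        "suspicious_links": suspicious_links(body),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it as a script to see the findings for the sample. Two caveats a practitioner should keep in mind: the Received-host versus From-domain mismatch is a hint, not proof, because plenty of legitimate mail is relayed through a third party’s servers; the authoritative answer is the SPF/DKIM/DMARC verdict your own mail server records in the Authentication-Results header. And the two-label “registrable domain” shortcut is wrong for suffixes like .co.uk, which is why real tooling uses the Public Suffix List.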
I’m going to pass at warning the web admin…
I’m just going to assume they are fine with the illegal activity happening on their server, I mean, anyone who misspells “Porno” is up to no good.