One domain name that should be illegal

I realize that nearly everyone in this world wants to make money. I also know that most people are willing to cheat and lie and scam for money, which is their right… usually. But when something comes across my email in order to phish or attempt to scam, things get annoying. So, now I’m annoyed.

Because some of my email addresses have been around for many years, I get to sift through pounds and pounds of email. Within the last couple weeks, I’ve received the same message on multiple email accounts, questions about it from friends, and today a question about it from family. Time to me to warn people about the phishing site “paypal-secure-login.com” before anyone gets scammed.

I went to the site and noticed that it took a long time to load. I pinged the domain name in order to find out what IP address the server responds with, which is 212.199.95.108. I went to Arin and put in the IP address. The result made sense for the website being slow to load, it’s hosted in Amsterdam. The website connection seems slow because chances are the servers are all high.

Looking at the website, it doesn’t look too dissimilar from the real Paypal login site.

Let’s take a quick look at the site and compare it to the real Paypal site though, only we won’t just look at it quickly, we’ll compare it more closely.

The main horizontal link structure looks the same. It even has the same links. Of course, this is pretty smart that most phishing sites don’t take the time to replicate (or steal), because the don’t want you to leave their site. This site takes the chance of you leaving, but gives you a realistic opportunity while you are on the page. We’ll get to the different color address bars in a minutes.

There is definitely something not matching when you look at the bottom status bar, that would be the JavaScript error. Since not all browsers show the status bar (in IE 7 it needs to be enabled for viewing) this is something that might go undetected. Something you can see more obviously in a side-by-side comparison is the lock picture next to the “Account login” words. Though this detail is so minute that it might be missed by even daily Paypal visitors.

The URL looks pretty legit, it has the word “paypal” in it. Notice that it’s not a secure login though. SSL is something that phishing sites don’t attempting to fake (though it is easy to generate SSL certificates). The reason is that phishing sites aren’t trying to get you or me, they are trying to get people not paying attention or just ignorant. The links on both sites are almost entirely the same… including the “Log In” link.

One click on the SSL certificate shows that there the real Paypal site has a certificate from one of the trusted certificate issuers on the Internet.

Small differences continue, this time with the arrow icon next to the language drop down. Both drop down menus have the same options. Without that SSL cert, this looks really realistic.

Sloppiness apparently occurred when the new bottom horizontal links menu was created. Those bottom window links don’t exist on the real Paypal site.
Actually, the only non-Paypal link on the fake-Paypal site was for the “Developers” link. The link doesn’t go anywhere, it just errors out on the fake site, but it’s still one of very few errors on this copy-site.

This is a really good fake phishing site, and should be taken down immediately. Chances are the Amsterdamians are too high to react to requests for the site to be taken down.

If you have any questions about potential phishing sites, please let us know.