Hook, Line and Sucker
Personalized Phishing Scams Use Customers' Names to Attract Attention

By Don Oldenburg
Washington Post Staff Writer
Sunday, April 2, 2006

As rife as the Internet is with miscreant creeps trying their best to steal the identity of anyone who'll bite the bait of their e-mail phishing traps, you'd think they'd work harder to create schemes that aren't quite so transparent as the everyday average phishing spam.

And some do.

But there isn't a day my spam filter isn't filthy with pesky e-mails that pretend to come from eBay, PayPal, Chase and other legitimate businesses warning that my account has been compromised, defrauded or whatever. From urgent warnings (verify your information or your account will be suspended within 24 hours!) to look-alike Web sites and logos, most phishing spams are a study in crude social engineering. They're designed to convince the naive, gullible or unthinking to do one thing -- click that link and give up a password or other confidential info.

Never mind that many of them involve companies with which you've never had an account. Most of them take a shotgun approach, scattering bogus e-mails everywhere and to everyone. They're counting on fooling only a few because it costs next to nothing to mass-blast these phony communiqués to millions of people -- and it takes only a handful of suckers to make it worth their while.

Most of us by now know these insipid scams are nothing more than fodder for the delete button. But every once in a while, a real gem of the genre sneaks past the spam filter and talks a good enough game to give even a twitchy trigger finger pause.

I recently received one like that. It was purportedly from PayPal, and that alone raised my suspicions. But this one was different. Instead of pretending to be another ho-hum warning about an account problem, it masqueraded as a receipt for a $410.55 credit card purchase of a "Microsoft Xbox 2360 Premium Edition System" paid through PayPal. The e-mail subject line read: "Receipt of your payment to gamerslair," and inside it showed the seller's e-mail as sales@gamerslair.com (the e-mail of an actual company in Canada).

Despite my doubts, there was just enough of a hint that maybe a crook was using my credit card that I looked it over. Inside, it didn't start with the usual "Dear PayPal User" -- a reliable clue that an e-mail is definitely not from PayPal and should be sent directly to Spam Hell. This one greeted me by name. Under Shipping Information, it even listed some shnook in Concord, N.C., as the guy getting the Xbox 360 I was supposedly paying for.

But just as my blood pressure began to rise, I spotted a flaw. The message at the bottom of the e-mail read as if it came from some parallel consumer universe where -- you'll love this! -- refunds are actually simple matters. "If you haven't authorized this charge," states the e-mail, "click the link below to cancel the payment and get a full refund."

So, first, I logged on to my PayPal account (keying in http://www.paypal.com/ myself and not clicking on a link in the suspicious e-mail) and checked recent transactions. Nothing wrong.

Next, I forwarded the e-mail to spoof@paypal.com -- PayPal's security depository for dangerous junk like this.

Then, I called PayPal's security department, and a nice young man reassured me that this was, in fact, a phishing scheme and that he was looking at my account and it showed no such charge. He added that he received a report like it the day before.

Finally, I called my credit card company's security department and confirmed that nothing resembling trouble appeared on my account.

But with my bases covered, I was still intrigued by this phishing ploy where the bad guys called me by name. Searching online, I found that FraudWatch International, a site in Britain that tracks phishing attacks, issued an alert about this specific e-mail on March 11. And Millersmiles.co.uk, another online British anti-phishing service, warned that this phishing attack's "dispute transaction" link connects to a PayPal-like Web site that asks for name, birth date, mother's maiden name, driver's license number and state, and credit card info -- just about anything your average criminal needs for identity theft.

Using Whois.net, a domain-based online research service, I tracked the origin of the spam to Dolgoprudny, Russia, a satellite city southeast of Moscow. The personalized message channeled through a network in Amsterdam before arriving in my inbox here.

"Fraudsters are getting more sophisticated in the types of e-mails they are sending," says PayPal spokeswoman Sara Bettencourt. "As customers have become more aware of phishing and spoof, phishing e-mails have become more targeted."

Lois Greisman, associate director of Division of Marketing Practices at the Federal Trade Commission's Bureau of Consumer Protection, calls it "the Cadillac of phishing scams" and says it's a relatively new technique. "Is it unique? No. Have they stepped it up? You bet," she says. "Every step they've taken adds greater fidelity and is more expensive to do."

Greisman recalls a couple years ago when phishing was a new phenomenon and the FTC was warning people to beware of e-mails that appear to come from legitimate companies -- but typically contain misspelled words and bad grammar. "Now you're seeing it personalized," she says. "Scammers are good. They like to stay current."

Dave Jevans says such narrowly targeted fraud, called "spearphishing," has previously focused more on employees from particular corporations or on faculty members at universities -- but not on specific individuals. He speculates that the crooks probably "scraped" random names accompanied by e-mail addresses somewhere online or hacked a database, then sent out tens of thousands of the tailored PayPal spams figuring to hit a decent percentage of actual PayPal customers.

"With 100 million people having PayPal accounts, the odds of success are high," says Jevans, chairman of the Anti-Phishing Working Group, a coalition of corporate and law enforcement groups that tracks identity theft and other online crimes. "But I have not seen many 'named' phishing scams. The use of your full name is a troublesome new development."

As one of the top corporate targets of phishing fraud, PayPal invests plenty in spoof education and anti-fraud measures, and its customers are increasingly reporting such attacks, Bettencourt says. "Customers on the Internet are receiving e-mails like this from banks that they don't belong to, or for purchases they haven't made. Customers should keep in mind PayPal (and any legitimate financial service) will not ask you to follow a link to enter personal, financial or account information. You should always open a new Web browser or call the company directly to confirm or dispute a transaction."

Bettencourt has other pointers for dealing with suspicious e-mails:

· If you receive a suspicious PayPal e-mail asking for this type of information, "forward the e-mail to spoof@paypal.com , and our trust and safety team will let you know if it is in fact an e-mail from us."

· Always log in to your online accounts by opening a new Web browser window (such as Internet Explorer or Netscape) and typing in the URL. Do not follow e-mail links to enter personal or financial information.

· Check your accounts frequently to ensure security, says Bettencourt. "Change your online passwords regularly."

· Never download attachments from anyone you don't know, says Bettencourt, who recommends that eBay and PayPal customers use the eBay Toolbar (available at eBay's security pages), which warns when a user is on a potentially fraudulent Web site. It also enables users to report a spoof Web site. "Once a site has been verified by PayPal to be fraudulent, PayPal will work to shut the site down," she says. "Additionally, that information will automatically be distributed to all other eBay toolbar users, warning them about the spoof Web site."

But the FTC's Greisman says the simplest advice about dealing with phishing scams is probably the best: "When in doubt, delete!"

Got questions or comments? A consumer complaint? A helpful tip? E-mail details toconsumer@washpost.comor write to Don Oldenburg, The Washington Post, 1150 15th St. NW, Washington, D.C. 20071. Because of the volume of mail, personal replies are not always possible.

View all comments that have been posted about this article.

© 2006 The Washington Post Company