PayPal phishers bite via hacked dog training website

If you’re not careful, you might be fooled into believing that it’s a real email from PayPal.

Dear customer,

You sent a mobile payment for £47.00 GBP to JD Sports Ltd. A message has been sent to the recipient asking them to accept or refuse the payment.

Sign up to our newsletter
Security news, advice, and tips.

Please note that it may take a while for this payment to appear in your Recent Activity list on your Account Overview.

View the details of this transaction online.

But the spammed-out message, which claims you have just made a mobile payment to JD Sports of £47, shouldn’t spur you into clicking on the link to refute the claim.

Because if you do see red at the unauthorised payment, and follow the link you will be taken to what appears – at first glance – to be the real PayPal website.

But be sure to check out that URL. It’s really a website in Hungary that has been hacked.

Entering your details on this bogus PayPal page will hand over your credentials to online criminals.

What’s happened here is that a website has been hacked, and criminals have planted a bogus PayPal home page onto the hacked website’s servers. The owners of the website probably aren’t aware of what is happened, and clearly aren’t taking enough care over their website security. Chances are that they have software running on their web server that is vulnerable to exploitation – and allowed the phishers to plant their trap.

I was curious to find out what the Hungarian website was, and wasn’t disappointed when I found out.

It’s an online store selling dog bite training suits. You know, the kind of thing which makes people look like the Michelin man in order to protect you from being bitten by a dog.

Not the normal kind of thing you would buy, of course, unless you were in the business of training dogs to bite people.

Everyone should be on the lookout for PayPal phishing emails, and ensure that their own websites are not vulnerable to hackers who might embed malicious code and webpages.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.