If you’re not careful, you might be fooled into believing that it’s a real email from PayPal.
You sent a mobile payment for £47.00 GBP to JD Sports Ltd. A message has been sent to the recipient asking them to accept or refuse the payment.
Please note that it may take a while for this payment to appear in your Recent Activity list on your Account Overview.
View the details of this transaction online.
But the spammed-out message, which claims you have just made a mobile payment to JD Sports of £47, shouldn’t spur you into clicking on the link to refute the claim.
Because if you do see red at the unauthorised payment, and follow the link, you will be taken to what appears – at first glance – to be the real PayPal website.
But be sure to check out that URL. It’s really a website in Hungary that has been hacked.
Entering your details on this bogus PayPal page will hand over your credentials to online criminals.
What’s happened here is that a website has been hacked, and criminals have planted a bogus PayPal home page onto the hacked website’s servers. The owners of the website probably aren’t aware of what has happened, and clearly aren’t taking enough care over their website security. Chances are that they have software running on their web server that is vulnerable to exploitation – and that allowed the phishers to plant their trap.
I was curious to find out what the Hungarian website was, and wasn’t disappointed when I found out.
It’s an online store selling dog bite training suits. You know, the kind of thing which makes people look like the Michelin man in order to protect them from being bitten by a dog.
Not the normal kind of thing you would buy, of course, unless you were in the business of training dogs to bite people.
Everyone should be on the lookout for PayPal phishing emails, and ensure that their own websites are not vulnerable to hackers who might embed malicious code and webpages.
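The URL check recommended above can be automated. The following is an added example, not code from the original article: it judges a link by its parsed hostname rather than by how the page looks. The trusted-domain list and the sample links (which use the reserved .example TLD) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain treated as genuinely PayPal's.
TRUSTED_DOMAINS = {"paypal.com"}

def check_link(url):
    """Return (is_paypal, reason) for a link in an email claiming to be from PayPal."""
    try:
        parts = urlsplit(url.strip())
        # Lower-case and drop a trailing dot so "PayPal.com." compares equal.
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return (False, "URL does not parse")
    if parts.scheme != "https":
        return (False, "not an https link")
    if not host:
        return (False, "no host in URL")
    if parts.username is not None:
        # https://paypal.com@other.host/ really goes to other.host
        return (False, "text before '@' is not the host; real host is " + host)
    for domain in TRUSTED_DOMAINS:
        # Exact match or a true subdomain; a bare suffix match would pass notpaypal.com
        if host == domain or host.endswith("." + domain):
            return (True, "host is " + host)
    return (False, "host is " + host + ", not a PayPal domain")

# Constructed sample links (reserved .example TLD), not taken from the real campaign.
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypal.com.hacked-shop.example/webscr",   # brand used as a subdomain label
    "https://paypal.com@hacked-shop.example/",         # brand placed before '@'
    "https://hacked-shop.example/paypal.com/login",    # brand only in the path
    "http://www.paypal.com/",                          # right host, no TLS
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print(("OK     " if ok else "REJECT ") + link + "  (" + reason + ")")
```

Only the first sample is accepted; the others are rejected because the host the browser would actually contact is not a PayPal domain, or the link is not https.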
One comment on “PayPal phishers bite via hacked dog training website”
and yet that site does not appear, at present, in three largish malware domain lists (2200 UTC 30/9)