PayPal phishers bite via hacked dog training website

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

If you’re not careful, you might be fooled into believing that it’s a real email from PayPal.

PayPal phishing

Dear customer,

You sent a mobile payment for £47.00 GBP to JD Sports Ltd. A message has been sent to the recipient asking them to accept or refuse the payment.

Sign up to our free newsletter.
Security news, advice, and tips.

Please note that it may take a while for this payment to appear in your Recent Activity list on your Account Overview.

View the details of this transaction online.

But the spammed-out message, which claims you have just made a mobile payment to JD Sports of £47, shouldn’t spur you into clicking on the link to refute the claim.

Because if you do see red at the unauthorised payment, and follow the link you will be taken to what appears – at first glance – to be the real PayPal website.

Fake PayPal website

But be sure to check out that URL. It’s really a website in Hungary that has been hacked.

URL of fake PayPal website

Entering your details on this bogus PayPal page will hand over your credentials to online criminals.

What’s happened here is that a website has been hacked, and criminals have planted a bogus PayPal home page onto the hacked website’s servers. The owners of the website probably aren’t aware of what is happened, and clearly aren’t taking enough care over their website security. Chances are that they have software running on their web server that is vulnerable to exploitation – and allowed the phishers to plant their trap.

I was curious to find out what the Hungarian website was, and wasn’t disappointed when I found out.

It’s an online store selling dog bite training suits. You know, the kind of thing which makes people look like the Michelin man in order to protect you from being bitten by a dog.

Not the normal kind of thing you would buy, of course, unless you were in the business of training dogs to bite people.

Hungarian woof

Everyone should be on the lookout for PayPal phishing emails, and ensure that their own websites are not vulnerable to hackers who might embed malicious code and webpages.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.

One comment on “PayPal phishers bite via hacked dog training website”

  1. NoelB

    and yet that site does not appear, at present, in three
    largish malware domain lists (2200 UTC 30/9)

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.