PayPal phishers bite via hacked dog training website

Graham Cluley
Graham Cluley
@[email protected]

If you’re not careful, you might be fooled into believing that it’s a real email from PayPal.

PayPal phishing

Dear customer,

You sent a mobile payment for £47.00 GBP to JD Sports Ltd. A message has been sent to the recipient asking them to accept or refuse the payment.

Sign up to our free newsletter.
Security news, advice, and tips.

Please note that it may take a while for this payment to appear in your Recent Activity list on your Account Overview.

View the details of this transaction online.

But the spammed-out message, which claims you have just made a mobile payment to JD Sports of £47, shouldn’t spur you into clicking on the link to refute the claim.

Because if you do see red at the unauthorised payment, and follow the link you will be taken to what appears – at first glance – to be the real PayPal website.

Fake PayPal website

But be sure to check out that URL. It’s really a website in Hungary that has been hacked.

URL of fake PayPal website

Entering your details on this bogus PayPal page will hand over your credentials to online criminals.

What’s happened here is that a website has been hacked, and criminals have planted a bogus PayPal home page onto the hacked website’s servers. The owners of the website probably aren’t aware of what is happened, and clearly aren’t taking enough care over their website security. Chances are that they have software running on their web server that is vulnerable to exploitation – and allowed the phishers to plant their trap.

I was curious to find out what the Hungarian website was, and wasn’t disappointed when I found out.

It’s an online store selling dog bite training suits. You know, the kind of thing which makes people look like the Michelin man in order to protect you from being bitten by a dog.

Not the normal kind of thing you would buy, of course, unless you were in the business of training dogs to bite people.

Hungarian woof

Everyone should be on the lookout for PayPal phishing emails, and ensure that their own websites are not vulnerable to hackers who might embed malicious code and webpages.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “PayPal phishers bite via hacked dog training website”

  1. NoelB

    and yet that site does not appear, at present, in three
    largish malware domain lists (2200 UTC 30/9)

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.