Spoof PayPal email
Now this is one of the worst spoofs I’ve ever seen (and I’ve seen many):
Why does this particular email spoof suck so badly? Let me count the ways:
- The “From” name starts with a copyright symbol.
- The “From” email address is “info@accounts.it”, which has nothing to do with PayPal.
- AOL has nothing to do with PayPal. PayPal was bought out by eBay.
- “screening the accounts is our system” should be “screening the accounts in our system”.
- There is no period at the end of the second sentence.
- The sentence following this is bold, the word “Update” is capitalized, and there is a space before the question mark.
- In the link box, “complete the nexte step ro ‘Update Account.’”? Is that supposed to be English?
- This sentence should set off warning bells and red flags: “You will be redirected to a secure, pricate Aol server on a random port due security issues.” First off, “pricate” isn’t a word, should be “private” (the C is right next to the V on a QWERTY keyboard). Second, AOL still has nothing to do with PayPal! Third, random port? There is one port for secure web-based transactions: 443. That’s where the ‘https’ comes in (as opposed to ‘http’).
- In the footer, the text “Aol, company”. Wait a sec, is AOL a company? Never mind that, and who cares? AOL has nothing to do with PayPal.
- The footer has something about “FDCI pass-through insurance”, which doesn’t make any sense at all. Maybe these idiots meant FDIC? As in the Feds who insure all U.S. bank accounts up to, what is it now, $100,000? PayPal is not a bank. And what the hell is “pass-through insurance”?
But all of that is nothing, absolutely nothing, compared to the link. Yes, finally, the link. I’m not going to post the actual link that was in the email as someone may, somewhere, click on it. But it did look something like this:
http://128.0.0.1/images/www.paypal.com/management/financial/login.html
All of those points above are completely meaningless compared to the link. Why? Because all of those points up there can be corrected, but not the link. All of the above points could be corrected, and the email could be made to look exactly like an actual email from PayPal… except for the link. The link points to a server which has nothing to do with PayPal at all.
Here’s a quick lesson in internet linkage: The part after “http://” and before the next slash (“/”) is the domain name, and the domain name is the important part. In this case, there is no domain name at all, just an IP address. This should never happen. Mind you, I didn’t use the actual IP address from the spoof email; I removed it to protect some people from clicking on the link anyway (even though those people probably deserve it).
The domain name is the important part. The part after “/images” which says “/www.paypal.com” is a directory on that server, not paypal.com. Here is what an actual link to PayPal would look like. Well, not exactly, but the important part is the domain name, “www.paypal.com”:
https://www.paypal.com/blah/whatever/yaddayadda
The part after the domain name is actually not important from the standpoint of, “Is this a good link?” From your perspective, it doesn’t matter what follows the domain name in the link. That’s for PayPal’s Webmaster to decide. But if the domain name is an IP address, you have no idea what server you’re going to and it could look like anything. It would probably be a page which looked like PayPal (using the PayPal logo as in the spoof email) and had fields to fill out such as, “PayPal Login Email”, “PayPal Password”, “Your Social Security Number”, “Your Bank Account Number”, etc. If you click one of these hokey links and fill out those fields, you might as well drop your pants and bend over.
There is another important part here, the “https” as opposed to “http”, but that’s less important in the link as your browser can be redirected to the secure site once you reach the (correct) website. For example, if you go to http://www.paypal.com, the site will redirect you to https://www.paypal.com, because every page on PayPal is secure and encrypted. So it’s not so important whether the link is secure or not. What is important is the domain name. Here’s an example of an incorrect link:
http://www.paypal.com.screwu.ru/secure/login.html
The sub-domains make it look like it’s a paypal site, but the domain name is actually “screwu.ru”, in Russia.
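As an added example (not part of the original post), here is a short Python check that applies the rule above: look only at the host, flag a bare IP address, and compare the registrable domain while ignoring whatever appears in the path. The LINKS list mirrors the three example links from this post, and the two-label domain rule is a deliberate simplification (no Public Suffix List).

```python
import ipaddress
from urllib.parse import urlsplit

# Sample links, constructed for this example; they follow the three
# patterns discussed in the post (the IP address is a placeholder).
LINKS = [
    "http://128.0.0.1/images/www.paypal.com/management/financial/login.html",
    "https://www.paypal.com/blah/whatever/yaddayadda",
    "http://www.paypal.com.screwu.ru/secure/login.html",
]


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'paypal.com'.

    Simplification: production code should consult the Public Suffix List,
    because a two-label rule is wrong for suffixes such as 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str = "paypal.com") -> str:
    """Classify a link by its host only.

    The path is ignored on purpose: '/www.paypal.com' inside a path is just
    a directory name on someone else's server.
    """
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "bad: host is a bare IP address, not a domain name"
    except ValueError:
        pass  # not an IP literal, so treat it as a hostname
    domain = registrable_domain(host)
    if domain == expected_domain:
        return f"ok: domain is {domain}"
    return f"bad: domain is {domain}, not {expected_domain}"


def check_all(urls=LINKS) -> dict:
    """Run check_link over every sample and return url -> verdict."""
    return {u: check_link(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in check_all().items():
        print(f"{verdict:55} {url}")
```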