xxxxx

Cantoris
Contributor

I've had two pieces of email containing links to the above domain that look legitimate - both addressed to me by full name.


The spoof service says they are "likely" fraudulent, which is completely unhelpful!!

A moderator on this forum has already said the domain does not belong to PayPal.

PayPal's phishing awareness educational information always says to check links go to paypal.com or paypal.co.uk.


BUT have a look at the SSL certificate for the site - i.e. xxxxxxxxxx

It is an Extended Validation certificate issued by DigiCert to "PayPal, Inc. [US]".

[Screenshot attached to bottom of message]


That leaves two possible conclusions:


1. The advice coming from ALL sources is incorrect and this domain genuinely is related to PayPal!

2. DigiCert have issued a certificate in PayPal's name to a malicious third party by mistake.  Given that this is an Extended Validation certificate, it would be catastrophic for their business!


Somehow, I feel number one is more likely!


Using PayPal's own message centre, so far I have had two pointless standard response emails...


Please can someone with some connection to PayPal look into this?  Thanks!


Cantoris
Contributor

A WHOIS says the domain is registered to the same registrant as paypal.com!


https://whois.domaintools.com/paypal-communication.com


Shurreg
Contributor

I second that.


The same situation: an email asking me to agree to some changes in the user policy. The email has a greeting with my name as registered on PayPal. All links lead to epl.paypal-communications.com. The message has a "From: PayPal <paypal-at-mail.paypal.com>" header AND has a DKIM match for the domain "mail.paypal.com"!


And I got the reply "We analyzed your report and determined that the suspicious email was likely fraudulent" from PayPal's spoof service, too. My question, nevertheless, remains: if the message is a fraud, how could it have a matching DKIM signature? I am not asking "How could it contain my real name?", because the answer would clearly be "Watch your security!", but is it indeed me who needs to watch his security now?


Ah, yes, I forgot to mention: the message was in Russian, which is the correct language for PayPal to address me in. And I have already seen similar reports about very similar messages using correct Indonesian.

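The two checks the posters are doing by hand, whether the DKIM signing domain lines up with the From address and whether every link stays on paypal.com / paypal.co.uk as PayPal's own advice says, can be scripted. The block below is an added example written for this thread, not code from PayPal or from the posters; the email it parses is a constructed sample modelled on what the thread describes, and the "registrable domain" helper is a deliberate simplification (a real tool would consult the Public Suffix List). It inspects the DKIM d= tag for alignment only; it does not cryptographically verify the signature, which needs a DNS lookup of the selector record.

```python
"""Check From/DKIM alignment and link domains of an email.

Added example for the thread above; not PayPal's or the posters' code.
SAMPLE_EMAIL is constructed to resemble the messages described.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains PayPal's phishing advice tells users to expect in links (from the
# thread). Subdomains of these pass; look-alike registrable domains do not.
EXPECTED_LINK_DOMAINS = ("paypal.com", "paypal.co.uk")

# Constructed sample: DKIM-aligned sender, one link on a third-party domain.
SAMPLE_EMAIL = """\
From: PayPal <paypal@mail.paypal.com>
To: Jane Example <jane@example.net>
Subject: Your March account update
DKIM-Signature: v=1; a=rsa-sha256; d=mail.paypal.com; s=example; c=relaxed/relaxed; bh=AAAA; b=BBBB
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Jane Example, please review the updated user agreement.</p>
<a href="https://epl.paypal-communication.com/click?id=1">Log In Now</a>
<a href="https://www.paypal.com/gp/webapps/mpp/ua/third-parties-list">Third parties</a>
</body></html>
"""


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three when the second-level label is a
    common public suffix part such as 'co' in co.uk. Assumption for this
    example only; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "net", "gov", "ac"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def dkim_domains(msg):
    """Return the d= (signing domain) tag of every DKIM-Signature header."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found


def from_domain(msg):
    """Domain part of the RFC 5322 From address (what the user sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def link_hosts(msg):
    """Hostnames of every href in a single-part HTML body."""
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset)
    return [urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', body)]


def analyse(raw):
    """Report DMARC-style relaxed DKIM alignment and off-domain links."""
    msg = message_from_string(raw)
    sender = from_domain(msg)
    sigs = dkim_domains(msg)
    # Relaxed alignment: signing domain shares the registrable domain with From.
    aligned = any(registrable_domain(d) == registrable_domain(sender) for d in sigs)
    off_domain = [h for h in link_hosts(msg)
                  if registrable_domain(h) not in EXPECTED_LINK_DOMAINS]
    if aligned and off_domain:
        verdict = "sender aligned, but links leave the expected domains"
    elif aligned:
        verdict = "sender aligned, links on expected domains"
    else:
        verdict = "sender not DKIM-aligned"
    return {
        "from_domain": sender,
        "dkim_domains": sigs,
        "dkim_aligned": aligned,
        "off_domain_links": off_domain,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows exactly the situation the posters describe: the From and DKIM domains agree (so a mail filter sees a legitimately signed message), yet the "Log In Now" link resolves to a registrable domain that is not on PayPal's published list, which is the part a user following the anti-phishing advice is told to reject. Both signals are needed; a matching DKIM signature says who sent the mail, not where its links go.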

Cantoris
Contributor

Another email today addressed to me by full name suggesting I apply for credit again with a link to this domain.


Please can PayPal comment on this.  It is clearly them but it is encouraging us to go against their own anti-phishing advice - to the extent that even their spoof-detection service thinks it's dodgy!!


Cantoris
Contributor

Eventually chatted with three people at eBay who sounded vaguely interested and thought that it needed looking at, but who passed me from one person to the next.  I was told it would be escalated.


I've had another message from PayPal since saying "...I can confirm you that the email: paypal AT mail.paypal.co.uk and the link h t t p s ://epl.paypal-communication.com do not belong to PayPal."


Needless to say, mail.paypal.co.uk does have a DNS MX record, so it can receive email, and being a child domain of paypal.co.uk it must by definition be their responsibility!!


epl.paypal-communication.com still has an SSL certificate issued to "PayPal, Inc. [US]".


 ...


Cantoris
Contributor

The MX record for the mail.paypal.co.uk domain points to "pmx1.epsl1.com".


The following link

www.paypal.com/gp/webapps/mpp/ua/third-parties-list

mentions the company:


"Alliance Data FHC, Inc., trading as Epsilon International and/or Epsilon Communication Solutions, S.L" are involved with PayPal to "execute outbound communication campaigns including, but not limited to, email and push notifications."


If you do a SmartWHOIS on the domain that is the subject of this thread, you will see that its IP is on a range owned by ... "Epsilon Data Management"!


This all backs up the emails being officially sent on behalf of PayPal, despite their repeated attempts to deny them!

romelec
Contributor

I've also just got the same email in French with a similar link.


Thanks for your investigations; so if we consider it an official email, it is the first time they have used another email address and domain name.


Can it be from a subcontractor (not sure if that is the correct term) (Epsilon?) that wanted to use new methods without PayPal customer support knowing about it?


The email address is a thing, but they really should not use another domain.


Cantoris
Contributor

Once again, PayPal have sent me an email (entitled "Your March account update") that carries a "Log In Now" button that goes via this domain...


Are they trying to encourage users to be at risk of falling for phishing scams?!


I'm sending all of the emails related to this domain to their Spoof service on principle.  I got no response to the last one I sent...


Cantoris
Contributor

The spoof service declared the latest email "likely fraudulent" too.


I've blogged this whole story now:

https://cantoriscomputing.wordpress.com/2017/03/04/paypals-emails-encourage-dangerous-habits/


Enjoy...


Shurreg
Contributor

@Cantoris

Thank you for the investigation. Unfortunately, we deal with robots.
