Showing posts with label Security. Show all posts

Saturday, July 12, 2008

There’s a new phishing approach in town!


Impressive how phishers have been constantly evolving their tools and approaches to scam people.

Usually, they resort to replicating a page of a bank, PayPal, or whatever, and put it on a different URL. People are led to believe that they're actually logging in to the target website, and the phishers capture their authentication information.

This can be easily overcome with a little bit of precaution — make sure you're buying the milk from the milkman, i.e., make sure you're logging on to the right website.

The newest approach, which I've just witnessed by way of an email inbox assault, goes a little bit further in order to overcome the caution one might use to unveil the scam: it exploits the original website to the attacker's benefit.

In this case, I received an email proclaiming to be from PayPal that said my account had limited access and I had to log in. I wondered about it being a scam attempt but, nonetheless, checked the URL. Guess what? It started with https://www.paypal.com. It was even on an SSL-encrypted HTTP channel. What could it be?

Now, if you've used PayPal before, you'll have noticed that many redirects occur between the sign-in and landing pages, and also from external websites. They could have taken two approaches to pass the landing page around: by means of a cookie, or by passing it directly on the URI. They took the second option. What happened was that the attacker simply replaced the redirect parameter (return, in the URL below) with his own target website, misleading people into believing that everything should be fine.

The URL looks like this (if you haven't read the whole post, please realize that this URL is a phishing attempt! Be careful).

https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssr&return=http%3A%2F%2Fpaypal-us.6s.pl/?cgi-bin.webscrcmd=_login-run.webscrcmd=_account-run.CaseIDNumberPP-046-631-789

As one can see, PayPal will freely redirect to the attacker's website.
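As an added illustration (not code from the original post, nor PayPal's own), here is the kind of server-side check that closes this hole: the `return` parameter is only honoured if it is a relative path on the site itself or an HTTPS URL on an allow-list of the site's own hosts (the host list is an assumption), so the post's phishing URL is refused.

```python
# Added example: validating a "return" redirect parameter before following it.
# The trusted host list is an assumption for illustration, not PayPal's real config.
from urllib.parse import urlsplit, parse_qs

TRUSTED_HOSTS = {"www.paypal.com", "paypal.com"}  # assumed allow-list of own hosts


def redirect_target(url):
    """Return the decoded 'return' query parameter of url, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("return")  # parse_qs already decodes
    return values[0] if values else None


def is_safe_redirect(target, trusted_hosts=TRUSTED_HOSTS):
    """Accept only same-site relative paths or HTTPS URLs on trusted hosts.

    Rejects other schemes (http, javascript, ...), other hosts, user@host
    tricks (hostname is taken after any '@'), protocol-relative '//host'
    targets and backslash variants that browsers normalise to '//'.
    """
    if not target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: require https and an allow-listed host
        return parts.scheme == "https" and parts.hostname in trusted_hosts
    # Relative target: a single leading '/' and no backslashes anywhere
    return target.startswith("/") and not target.startswith("//") and "\\" not in target


def classify(url):
    """'safe' if the redirect in url may be followed, otherwise 'blocked'."""
    return "safe" if is_safe_redirect(redirect_target(url)) else "blocked"


# The phishing URL quoted in the post above, used here only as test input.
PHISHING_URL = ("https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssr"
                "&return=http%3A%2F%2Fpaypal-us.6s.pl/?cgi-bin.webscrcmd=_login-run"
                ".webscrcmd=_account-run.CaseIDNumberPP-046-631-789")

if __name__ == "__main__":
    print(redirect_target(PHISHING_URL))   # the decoded off-site target
    print(classify(PHISHING_URL))          # blocked
```

A stricter design avoids free-form URLs entirely and passes a short key (for example, an account page name) that the server maps to a destination it controls.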

Be careful.
