MX Lab, http://www.mxlab.eu, intercepted a series of Paypal phishing emails with the subject “Your PayPal account has been limited” sent from the spoofed email address “Paypal <firstname.lastname@example.org>”.
The phish looks convincing and is well designed: the spoofed email address, the logo, the layout and even the footer match the real thing. Images are loaded from the web server http://pics.ebaystatic.com/. One small giveaway is that the word “Unsubscribe” in the footer does not actually offer an unsubscribe option, but apart from that this phish scores well.
The URL points to hxxp://www.mittemaedchen.de/twg176/admin/www.paypal.co.uk/details.php?cmd=_login-done&login_access=1193476743. Note that the legitimate hostname www.paypal.co.uk appears only as a directory name inside the path; the host actually serving the page is www.mittemaedchen.de.
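The trick in that URL, a trusted brand's domain buried in the path of an unrelated host, is easy to flag mechanically. The following is an added example written for this page, not code from MX Lab: it reduces the host to its registered domain with a crude suffix heuristic (a real tool would use the Public Suffix List), and then reports any brand domain that shows up in the subdomain labels, the path or the query while the registered domain belongs to someone else. The brand list and the extra sample URLs besides the one from the email are constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Brand domains to watch for; the phish on this page abuses paypal.co.uk.
# The list is an assumption for this example, extend it to taste.
BRAND_DOMAINS = ("paypal.co.uk", "paypal.com")

# Second-level labels under which a two-letter ccTLD registers domains
# (paypal.co.uk). Crude stand-in for the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registered_domain(host: str) -> str:
    """'www.paypal.co.uk' -> 'paypal.co.uk', 'www.mittemaedchen.de' -> 'mittemaedchen.de'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_lure(url: str) -> Optional[str]:
    """Return a short verdict when a watched brand appears somewhere in the URL
    other than the registered domain, or None when nothing looks off.

    Defanged 'hxxp://' / 'hxxps://' schemes, as used in phishing write-ups,
    are accepted as well.
    """
    parts = urlsplit(url.replace("hxxp", "http", 1))
    host = (parts.hostname or "").lower()
    if registered_domain(host) in BRAND_DOMAINS:
        return None  # genuinely the brand's own site

    # Brand name used as a subdomain label: paypal.com.evil.example
    for brand in BRAND_DOMAINS:
        if brand in host:
            return f"brand-in-subdomain:{brand}"

    # Brand name used as a directory or parameter on a foreign host,
    # exactly the pattern seen in this email.
    haystack = (parts.path + "?" + parts.query).lower()
    for brand in BRAND_DOMAINS:
        if brand in haystack:
            return f"brand-in-path:{brand}"
    return None


if __name__ == "__main__":
    # The URL from the email plus two constructed ones for comparison.
    samples = [
        "hxxp://www.mittemaedchen.de/twg176/admin/www.paypal.co.uk/details.php?cmd=_login-done&login_access=1193476743",
        "https://www.paypal.co.uk/cgi-bin/webscr",
        "http://paypal.com.evil.example/login",
    ]
    for sample in samples:
        print(brand_lure(sample) or "ok", "<-", sample)
```

The subdomain check matters because the same lure is just as often built the other way round (the brand as the leftmost label of an attacker-controlled domain); both forms should land in the same triage queue.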
This form captures the details you fill in and then redirects you to a second screen.
The form does warn you when a field is left empty, but it performs no consistency check between the VISA card number and the card verification number, so it never validates the card number.
After this screen you are redirected to the login page of the official PayPal web site.
Note: at the time of writing, Firefox did not issue a warning for this phishing site.