A fake PayPal phishing website is using "Let's Encrypt" certificate


#1

I just received a phishing scam email that pretends to be from PayPal. The hyperlink in the email leads to a phishing site that has an SSL certificate, and it seems the certificate is issued by “Let’s Encrypt”.

The URL is: “paypal.com.webapps-mpp-accounts.com”. Adding https will display the SSL certificate.

Of course the site’s login page cannot verify your login credentials. But if you happened to enter your real login credentials, they will keep a record and they’ll have access to your PayPal account later.

I figure I should warn you guys in case you haven’t noticed this. I sent an email to your security@letsencrypt.org, but it bounced back. So I registered and posted here.

best regards,

C6, a random web dev


#2

Let’s Encrypt has a dedicated email address (cert-prob-reports@letsencrypt.org) for these reports. Might get handled faster that way. (Hopefully, that one doesn’t bounce. :smile:)

I went ahead and reported the site to Google’s Safe Browsing as a phishing site, which should eventually prevent them from getting additional certificates for that domain (as well as block access in many browsers).


#3

Hi @cycle6

Thanks for bringing this to our attention. I appreciate it.

Could you share the bounce message and the full raw email headers from when you unsuccessfully tried to email security@letsencrypt.org? I just tested delivery to that address and it seemed to work; perhaps your message was itself flagged as a phishing attempt?

Thanks again!


#4

That’s a hostname. And yes, the certificate will happily certify that you are indeed talking to the right criminal and not some other criminal.

Maybe you are making assumptions about what an SSL cert certifies? It’s not supposed to certify a “safe” website, for whatever values of “safe” may be appropriate.


#5

Oh, thanks for the tip :slight_smile:
Yeah, I sent it to Google as well. But it doesn’t look like Google’s doing anything.

The reason I feel the need to make a post is that the SSL certificate almost fooled me, because I thought if the website has an SSL certificate it should be kind of legit. But that URL does look “phishy”, so I compared the live PayPal URL with the phishing site URL; they look different. Also the SSL certificates are different. Then I entered some fake login credentials into the phishing site, and it accepted them without any problem.

Anyway, the lesson for me is: from now on, when any website sends me an email asking me to log in to do something, with SSL or not I’m gonna try entering some fake credentials to test it first. XD
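
The point made in #4 (a certificate binds a key to a hostname, not to a business) and the manual URL comparison described in #5 can be made mechanical. The following is an added example, not code from this thread or from Let’s Encrypt: it extracts the host from a URL, computes the registrable domain (eTLD+1) against a deliberately tiny, constructed public-suffix list (an assumption for the example; real code should load the full Public Suffix List from publicsuffix.org), and does a simplified RFC 6125 DNS-name match to show that a certificate issued for the phishing hostname is valid for exactly that hostname and says nothing about paypal.com.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (publicsuffix.org). Real code should load the full list; this set is
# an assumption made for the example, not something from the thread.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def hostname_of(url):
    """Return the lowercased host of a URL; a bare host without a scheme is accepted."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower()


def registrable_domain(host):
    """Return the eTLD+1: the label just left of the matching public suffix.

    'paypal.com.webapps-mpp-accounts.com' -> 'webapps-mpp-accounts.com'
    """
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def san_matches(san, host):
    """Simplified RFC 6125 DNS-ID match: exact match, or a wildcard that
    stands for exactly the leftmost label (no partial-label wildcards)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        parent = san[2:]
        # A wildcard directly under a public suffix ('*.com') is never accepted.
        if parent in PUBLIC_SUFFIXES:
            return False
        host_labels = host.split(".")
        # The wildcard replaces one label; the rest must equal the SAN's parent.
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == parent
    return san == host


def assess(url, expected_domain="paypal.com"):
    """Classify a URL relative to the domain the email claims to come from."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    expected = expected_domain.lower()
    return {
        "host": host,
        "registrable_domain": reg,
        "same_site": reg == expected,
        # The trusted name appears inside the host, but the owner is someone else.
        "lookalike": expected in host and reg != expected,
    }


if __name__ == "__main__":
    phish = "https://paypal.com.webapps-mpp-accounts.com/signin"
    print(assess(phish))
    print(assess("https://www.paypal.com/signin"))
    # A certificate for the phishing host is valid for the phishing host...
    print(san_matches("paypal.com.webapps-mpp-accounts.com", hostname_of(phish)))
    # ...while a certificate for PayPal's real names does not match it.
    print(san_matches("*.paypal.com", hostname_of(phish)))
```

The `registrable_domain` result is what a domain-validated certificate actually vouches for: whoever controls `webapps-mpp-accounts.com` can obtain a valid certificate for any label underneath it, including one that starts with `paypal.com.`, so the presence of a certificate is evidence only that the connection goes to that hostname, not that the hostname belongs to PayPal.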


#6

That is a major mistake you must not make.


#7

Yes, I thought that was the case too. Next time maybe I’ll not use the full URL.
Also, if you have a report section for reporting misuse of your certificates, I’ll use that next time. I guess "cert-prob-reports@letsencrypt.org" should be the one?

Thanks a lot, here’s the raw message header from the email I sent:

From: Paul Z CYCLE6@hotmail.com
To: "security@letsencrypt.org" security@letsencrypt.org
Subject: You have issued certificate to a fake PayPal Phishing scams website
Thread-Topic: You have issued certificate to a fake PayPal Phishing scams
website
Thread-Index: AQHSH/VYEcqg4/Crs0+GZaBLFf7u2A==
Date: Thu, 6 Oct 2016 11:28:08 -0600
Message-ID:
YTXPR01MB01431EE41074BD667FB9EC9489C70@YTXPR01MB0143.CANPRD01.PROD.OUTLOOK.COM
Content-Language: en-CA
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative;
boundary="000_YTXPR01MB01431EE41074BD667FB9EC9489C70YTXPR01MB0143CANP"
MIME-Version: 1.0

000_YTXPR01MB01431EE41074BD667FB9EC9489C70YTXPR01MB0143CANP
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


#8

Yup :thumbsup: - thanks!


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.