News Centre

What Exactly Does A Phishing Campaign Look Like?

Article by
May 21, 2019


Email Spam TECH PATROL - Cyber Security

Please note: For privacy reasons the identity of the hacked account in the example used for this blog has been changed.

In our previous email security education blog we reviewed trending email security threats. In this blog we’d like to show you what a phishing campaign looks like, and its scary consequences. 

Bad actors (hackers, spammers, scammers, etc.) care about the numbers—the more data they have the better the chances of success and financial gain.

They use a variety of methods to get your email address, from using “publicly available” cheap lists and exploiting websites to obtain data dumps to using scraping software to harvest email addresses from thousands of web pages.

Essentially, they can EASILY get a million email addresses to use their phishing campaigns.

So how do you spot this is a phishing email? 

In the “From” field notice that the sender is not a standard PayPal address, but: “servicems@xxx”. Clicking on the link takes you to the following site: 

While this may look like a PayPal page, notice the URL: “mk/ShadowZ118/public/myaccount/signin/?country.x=FR&locate.x=en_FR”. If this had been PayPal, you would have seen a legitimate PayPal URL. 

Looking at the email headers (view email headers) in the image on the right will also show telltale signs that this is not a legitimate PayPal website. For example, below: 

  • X-PHP script of “senddd.php” is not something that PayPal would ever use
  • X-PHP Filename would indicate that it’s a different PHP script that sent the actual email
  • X-Message ID does not show the typical “” part 
  • Received headers do not show the legitimate PayPal servers

Here is an example of what the “senddd.php” looks like. As you can see this is a standard PHP custom mailing script that comes in all shapes and sizes, where the bad actors are able to set the subject, from, and content fields to anything they desire. In the “Maillist” field the hacker will add an entire list of email addresses found using one of the methods mentioned above (e.g. scraping). Normally the email server does not belong to them, and hence they don’t care if it gets blacklisted.  

When users log in to the fake “PayPal site” and continue to complete all their account and personal information (see below screenshots) the bad actors get access to all their information, which is auto saved on the site the bad actors use. This is an example of an advanced phishing kit, where not only basic information is requested but also passwords, credit card information, and screenshots of passports.

As users complete their credit card information the bad actors save all the information in the back end with the help of a little PHP script. Looking closely at the script in the image below, we can see the scammers are saving all the vital information they need to commit fraud then simply sending all the information to their own email address.  

Finally, users receive a confirmation that their account has been successfully “verified,” and are automatically redirected to the PayPal official site. Meanwhile, the bad actors have saved their personal information, including credit card numbers, passport photos, and relevant passwords—all that is needed for the bad actors to inflict damage.

As seen in this blog, acting on phishing emails could have severe consequences. With that in mind, here are four steps you can take to help protect yourself: 

  • Always check the URL
    When in doubt, DO NOT click. Hover your mouse over the link to see where the link directs to. If the address showing in the hovered link is not the same as the address it says it is, DO NOT click on it. If you accidentally click on the link, don’t enter any information on the website; simply close the browser window.
  • Lookout for malicious email attachments
    Be careful when receiving email attachments. It is important to remember not to blindly open attachments; check the file first by saving it to your downloads folder. Next, make sure if you are using Windows to set your folder options to “show known file types” so you can view the file extension (e.g. the three letters at the end of the file name). Unzip the .zip file from your downloads and view the file extension. If it contains any of the following: .JS, .EXE, .COM, .PIF, .SCR, .HTA, .vbs, .wsf, .jse, or .jar at the end of the file name it is malicious and you should not click on it or try to open it. 
  • Add powerful email security 
    Solutions like SolarWinds® Mail Assure can help you safeguard your email from phishing attacks. Leveraging collective intelligence for inbound and outbound email security, Mail Assure uses data gleaned from monitoring more than 2 million domains under management. This data feeds into our intelligent protection engine to combine with near real-time, pattern-based threat recognition and a variety of filtering technologies to help protect against spam, viruses, ransomware, malware, phishing attacks, and other email-borne threats. 
  • Set-up SPF, DKIM, and DMARC
    As part of an email security solution, you can take additional steps and set up SPF, DKIM, and DMARC. SPF (Sender Policy Framework) is used to restrict which mail servers can send email for a specific domain name. This framework is designed to detect and block email spoofing by providing a mechanism to allow receiving mail exchangers to verify that incoming mail from a domain comes from an IP address authorized by that domain’s administrators. DKIM is a method used to sign your outgoing emails to allow the recipient to verify that the messages originated from the specified sender, and that the message content has not been altered. Finally, DMARC (Domain-Based Message Authentication, Reporting and Conformance) is an email protocol designed to help prevent email spoofing when used in conjunction with SPF and/or DKIM.  
<script async src=""></script>
<ins class="adsbygoogle"
     style="display:block; text-align:center;"
     (adsbygoogle = window.adsbygoogle || []).push({});

If you are looking to protect email against phishing attacks, including other email-borne threats, start a trial with SolarWinds Mail Assure today by contacting Tech Patrol and see how we can help keep your inboxes clean.

Would you like to know more?, DM us:


Other Articles You May Enjoy:

Via: SolarWinds by Mia Thompson.

Share your thoughts in the Comments section:

Subscribe For The Latest In Technology

Other Posts You May Like


Please enter your name.
Please enter a valid email address.
Something went wrong. Please check your entries and try again.


Microsoft Azure

Introduction to Azure – A Core Cloud Service

Microsoft Responds to COVID-19

Microsoft Responds To COVID-19 By Offering E1 Licenses Free For The Next 6-Months


Microsoft Teams vs Zoom. What is right for your business?

Microsoft Azure

Azure Firewall Manager now supports virtual networks.

White Paper

Enjoy this free eBook

Tech Patrol - Microsoft Office 365

White Paper (Why businesses Are Migrating to Cloud)

  • This field is for validation purposes and should be left unchanged.
Scroll to Top