I received this bit of phishing email today:
Please Update Your Billing Records!
Dear Member,
It has come to our attention that your PayPal Billing Information records are out of date. That requires you to update the Billing Information.
Click here to update your account
Thank you for using PayPal!
Terms of Suspended
Please update your records in maximum 12 hours otherwise your account will be suspended.
Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.
"Terms of Suspended"?
Bad grammar is a dead giveaway. Phishing refers to an attempt to acquire userids and passwords fraudulently. The classic form is the email message informing you that your account is about to be terminated unless you sign in right away. A link is provided to a webpage mocked up to look legitimate. You log in, and a message tells you your account is now OK. What really has happened is that the criminals have recorded your userid and password.
Nothing new here, really, but on a whim, I checked on the address given for the fake login page: http://darbypta.com/financials/cgi-bin/
Clearly not PayPal.
But interestingly, it is a legitimate domain, that is, it is not a porn site or a warez site. It is the domain for the Darby Elementary School Parent-Teacher Association in Northbridge, California. As for the "PayPal" link at financials/cgi-bin? No page exists at this URL, so it doesn't seem like a well-executed phishing scam.
So I checked the domain of the sender of the email: email1.pay-pal.com.
Registrant:
paypalsucks.com
dk ruff
Suite 500
1 N. Wacker Dr.
Chicago, IL 60606
US
Email: buythem@keepstime.com

Administrative Contact:
pay-pal.com
dk ruff
17013 steeplechase pkwy
orland park, IL 60467
US
Phone: 708478-7834
Email: keepstime@hotmail.com
PayPalSucks.com is a gripe site, dedicated to spreading the word about what a lousy service PayPal provides:
PayPal Sucks, aka No PayPal, is an anti paypal site to expose the nightmare of doing business "the paypal way." Post your complaints, troubles, fraud stories, lawsuits, and other dissatisfaction in the forums.
Here is the registration information for PayPalSucks.com:
Registrant Contact:
PayPalSucks.com
Marshall Golub (admin@paypalsucks.com)
+1.9548069308
Fax:
3850 E Coquina Way
Weston, FL 33332
US
Not "dk ruff". Marshall Golub is also the name of the National Sales Director for Charge.com, a PayPal competitor, but that might be a coincidence. The address given for the pay-pal.com registration, Wacker Drive in Chicago, is actually the address for the office of The Options Clearing Corporation:
The Options Clearing Corporation
One North Wacker Drive, Suite 500
Chicago IL 60606
The Options Clearing Corporation (OCC), founded in 1973, is the world's largest equity derivatives clearing organization. We are dedicated to promoting stability and financial integrity in the marketplaces that we serve by focusing on sound risk management principles. By acting as guarantor, we ensure that the obligations of the contracts we clear are fulfilled.
Basically, OCC issues and clears all US exchange-listed securities. Interesting.
So is PayPalSucks.com behind the phishing email that seemed incapable of collecting any information? Perhaps, and you could imagine the goal for PayPalSucks.com was to irritate potential PayPal users by reminding them of the phishing efforts directed at PayPal.
But then why make it so easy to trace it back to PayPalSucks.com? Why give a fake address to the OCC but still provide the name PayPalSucks.com? And why the address for the OCC, of all places to pick from?
My theory is that this is an attempt to make PayPalSucks.com look bad. Again, we have a phishing email that is not actually capable of phishing. And then we have a registration record that names PayPalSucks.com. Now it looks like PayPalSucks.com is trying to smear PayPal by sending spam, and crappy spam at that. As a result, I'm upset at PayPalSucks.com for playing these games instead of sticking to running a gripe site.
I can't explain why the address of the OCC shows up in this. That's a headscratcher. I can only assume that the people behind this email are familiar with the address.
The real question, though, is who benefits from making PayPalSucks.com look bad. I leave that as an exercise for the reader.
There are other theories that fit the facts. None of it really matters. I just found it to be an interesting diversion for a half-hour, and learned about the OCC and PayPalSucks.com along the way.
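The two checks made by hand earlier in this post (where the "Click here" link really points, and which domain the mail was sent from) can be scripted for triage. The Python below is an added example, not part of the original post: the message is constructed from the quoted email, the `service@` local part and the helper names are made up, and it assumes `paypal.com` is the only domain the brand legitimately uses.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAIN = "paypal.com"  # assumption: the only legitimate brand domain
# Constructed sample: link and sender domain come from the post, the rest is made up.
SAMPLE = """\
From: PayPal <service@email1.pay-pal.com>
Subject: Please Update Your Billing Records!
Content-Type: text/html

<p>Dear Member,</p>
<p><a href="http://darbypta.com/financials/cgi-bin/">Click here to update your account</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects the real destination host of every <a href>, ignoring the link text."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host)

def belongs_to(host, domain):
    # Exact match or a true subdomain; "paypal.com.evil.example" does not qualify.
    return host == domain or host.endswith("." + domain)

def is_lookalike(host, domain):
    # Not under the brand domain, yet a parent of it equals the brand once hyphens are dropped.
    if belongs_to(host, domain):
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]).replace("-", "") == domain
               for i in range(len(labels) - 1))

def triage(raw, brand=BRAND_DOMAIN):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if is_lookalike(sender, brand):
        findings.append(("sender-lookalike", sender))
    elif not belongs_to(sender, brand):
        findings.append(("sender-offbrand", sender))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    findings += [("link-offbrand", h) for h in collector.hosts if not belongs_to(h, brand)]
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running it on the constructed message flags both the hyphenated sender domain and the off-brand link host.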