Old tricks, new language: “Paypai” in German

It has been a while since I last saw this old trick using the resemblance between capital letter “i” and small letter “l”. This time, however, the web page is no longer active as in the past, being only used as the FROM domain in the email. The mail text looks translated by a machine again, but I have to admit that the translation is somehow better than others we’ve seen.

Looking at the source code of the email, we find another old trick, similar to the one described in the Spammer’s Compendium: Hypertextus Interruptus (BWO!Interruptus!HTML).

The trick used is that each letter is separated by a HTML comment. This makes this trick work with any email client, not only with those of Microsoft – the only ones which are able to understand the <comment> tag.

Fortunately, most spam filters these days are able to remove the comments and analyze the text. Avira users are protected as usual because this type of emails is detected as Phishing and the URL is blocked.

Sorin Mustaca
Data Security Expert