Credit Card Up For Renewal? Then Beware This Phish...
Today I received an interesting phish that only caught my eye purely because of a chance circumstance involving my credit card. What I ended up with was three websites (at least one of which has likely been hacked), two phishes and a collection of screenshots for you to look at after the jump...
Normally I ignore emails from Paypal, but because my credit card is due to expire, this one caught my eye:
"Your credit card information has been changed!
On Apr. 28, 2008, your credit card was removed from your PayPal account.
You are receiving this email notification because this email address is listed as the administrative contact email for your PayPal account. If you belive this is an error, for assistance click the link below, log in to your PayPal account and follow the instructions.
https://www.paypal.com/us/cgi-bin/helpweb?cmd=_help
Please do not reply to this email. This mailbox is not monitored and you will not receive a response.
Sincerely,
PayPal"
If I wasn't aware of phishing attacks, I might have thought Paypal had a feature where credit cards that have just expired are automatically removed from their system, and logged into the fake site thinking I was about to update my details. I wonder how many people have been caught out by this? Of course, hovering over the supposed Paypal URL reveals a somewhat different final destination:
A main site (in the URL above) redirects you to a fake Paypal website at a second domain, which would be this:
The site hosting the Paypal phish has possibly been hacked, and all content has been removed save for the Paypal page:

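The hover-over check described above (visible link text says paypal.com, the real href goes somewhere else, which then redirects to the phish) is something a mail filter or analyst script can do automatically. The following is an added example, not code from the original post: it parses an HTML e-mail body and flags every anchor whose displayed text names one site while its href points at a different registrable domain. The sample message and the hostnames in it (`compromised-site.example`, `secure-login.example`) are constructed for the demonstration and are not the hosts from the post.

```python
"""Flag e-mail links whose visible text claims one site but whose href points elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the phish quoted above. The displayed text says
# paypal.com; the real href goes to a hypothetical third-party host (as in the post,
# where the link led to a redirect page on an unrelated company's site).
SAMPLE_EMAIL_HTML = """
<p>Your credit card information has been changed!</p>
<p>If you believe this is an error, click the link below:</p>
<a href="http://compromised-site.example/paypal/Redir1.html">https://www.paypal.com/us/cgi-bin/helpweb?cmd=_help</a>
<p><a href="https://www.paypal.com/">www.paypal.com</a></p>
<p><a href="http://www.paypal.com.secure-login.example/">https://www.paypal.com/</a></p>
"""


def registrable_domain(host):
    """Crude two-label approximation of the registrable domain.

    Production code should use the Public Suffix List instead (co.uk etc.);
    two labels are enough to show the idea here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the host named in anchor text (a URL or bare hostname), else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    # Plain words like "click here" yield no dotted host and are ignored
    return host if host and "." in host else None


def find_mismatched_links(html):
    """Return anchors whose displayed host and real href host differ in registrable domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_of(text)
        actual = urlparse(href).hostname
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {f['shown']} but links to {f['actual']} ({f['href']})")
```

Comparing registrable domains rather than full hostnames is deliberate: it lets `www.paypal.com` displayed against `paypal.com` pass, while still catching a lookalike such as `www.paypal.com.secure-login.example`, whose registrable domain is not paypal.com at all. Checking the first hop only is also deliberate; as the post shows, the href may land on a harmless-looking compromised site that only then redirects to the phish, so the mismatch is visible before any redirect is followed.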
Shall we check out what lies on the first domain performing the redirects?
That doesn't look like a scammer's website. In fact, it's an Indian company that (according to one of their other websites) "is India's leading manufacturer of oleochemicals and makes more than a hundred chemicals for use in over two dozen industries."
Whoops.
Checking out the directory we're looking for gives us this:

Now, we've already seen that Redir1.html takes us to the above Paypal phish. Where does "Redir.html" take us?
Well, would you look at that: another phish page. Like the other site hosting the Paypal phish, this one seems to have been gutted too and no other content remains. The slow process of getting all these sites cleaned up now begins...
