PayPal phishing scams are nothing new, but this one is rather interesting as it uses 3 different hosts for a single phish. One for the e-mail, the second loaded both via an iFrame AND via the LINK tag normally used for the shortcut icon;
0xa68e24 is a hex-encoded IP and decodes to 18.104.22.168, which resolves to infosec.hanyang.ac.kr. When you click the link in the e-mail, it redirects to;
Finally, it uses a Form Mail script at abiedanter.co.uk (22.214.171.124 - orion.wyehosts.net) to send the victim's details to the phisher (in this case firstname.lastname@example.org);
So what of the e-mail itself? Well, since I don't use HTML e-mail (and neither should you!), I can only show it in plain text form. The following is an export of the entire e-mail, including headers.
abiedanter.co.uk is a legit website. The only thing they're guilty of here is being silly enough not to lock down their form mail scripts to prevent third-party use. The owner information for the other two hosts involved is;
As always, don't blindly click on links in e-mails. The only reason these phishing scams are successful is that people don't actually look at where the link is going to take them, nor do they look at the URL in the address bar! You need to start taking notice and actually type the website's address into the browser's address bar (irrespective of where the link is going to take you, or claims it is going to take you).
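A link whose host is a hex-encoded IP, as in this phish, can be caught by a mail filter or proxy that normalises numeric hosts before checking them. The following is an added example, not code from the original post: it decodes hex, octal and single-number hosts using the classic `inet_aton` rules and flags any link whose host is not written as a plain dotted quad. The function names are hypothetical and the sample links are constructed, using the 192.0.2.0/24 documentation range.

```python
import re
from urllib.parse import urlsplit

def _parse_part(part):
    """One host component, inet_aton style: 0x.. hex, leading 0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    return None  # not numeric, so this is an ordinary host name

def decode_numeric_host(host):
    """Return the dotted-quad IPv4 address a numeric host maps to, or None."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    # Leading components are single bytes; the last one fills the remaining bytes.
    if any(n > 0xFF for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def flag_link(url):
    """Describe a link whose host is an IP address; None for ordinary host names."""
    host = urlsplit(url).hostname or ""
    ip = decode_numeric_host(host)
    if ip is None:
        return None
    return {"host": host, "ip": ip, "obfuscated": host != ip}

# Constructed sample links (documentation address 192.0.2.1 in several encodings).
SAMPLE_LINKS = [
    "http://0xC0000201/webscr/",   # hex, as a single number
    "http://3221225985/webscr/",   # decimal, as a single number
    "http://0300.0.02.01/webscr/", # octal components
    "http://192.0.2.1/webscr/",    # plain dotted quad
    "https://www.example.com/",    # ordinary host name
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", flag_link(link))
```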