Quote:
Originally posted by Dundee Slaytern:
Sorry, Thoran; but the e-mail is a fraud. I didn't reply back here, but I got back a reply from Paypal yesterday and they confirmed my suspicion.
Clicking on a link with a valid URL is NO guarantee that it is genuine, and even if you go to the site and still see the correct URL in your address bar, it is still no guarantee. A URL is no more than a mask for the underlying IP address.
Ahh... I think I know what happened... you didn't copy the email directly so the link created in your post is based on the text of the email not the underlying html.
Basically, the only possibility for faking would be at the source or at the dns server. I'm sure paypal's site wasn't hijacked so the dns lookup ain't the problem, the other possibility is that the "link" had "www.paypal.com" as the html tag text and a different url as the target of the link... this is the likely scenario and if you look at the REAL text of the email (which I'll bet was an html email or had html embedded) then I bet you'll find an embedded url that's different. I always have all emails displayed as text not html... so that sort of stuff is pretty obvious. You (wisely) didn't duplicate the email's html in the post above, which is why the above link is valid while the link in the email wasn't.
There is no way to intercept and redirect a dns request unless you've compromised the user's computer. The underlying IP returned by a dns lookup is safe (as I said... unless the hacker already has control of the user's system or the entire paypal site has been hijacked). There is no magic hacker tool that can hijack the entire internet name resolution architecture and change ip resolution... that means the ONLY possibilities are to hijack the destination web site (either by replacing their domain's ip with yours or by hacking into their web servers and adding your own code) or fake the user into going to a different url.
I always recommend users view emails ONLY as plain text, never allow people to send you html encoded emails that are displayed as html. It's pretty easy to hide things in html, even if your email program doesn't automatically execute scripts (I don't think any of them do that anymore).
[ 03-23-2004, 11:35 AM: Message edited by: Thoran ]