03-22-2004, 02:13 PM | #11 |
Galvatron
Join Date: January 10, 2002
Location: Upstate NY
Age: 56
Posts: 2,109
|
One little problem here guys...
https://www.paypal.com/accountcleanup/ is a valid paypal site... unless someone has hijacked paypal's domain name and duplicated it exactly (pretty darn unlikely). Either that or they've got a keylogger or something running on your system and they've sent the email to get you to enter your paypal info (also very unlikely). HOWEVER, I'm as cynical as the rest of you and trust NOTHING I get by email. If I were you I'd call paypal and ask them about the mail... as a way to verify its validity. My gut feel is that this is valid. As I said above, unless the entire domain has been hijacked there is no way for anyone outside of paypal to profit from you going to the paypal site and logging in. Since it's a secure connection there's no way to intercept the data sent either (except at your machine). Even if the hacker was sophisticated enough to pull this off, it doesn't make much sense to me, he's not going to get a better hit rate than using a run of the mill almost the same dn type attack. (www.paypals.com or something along those lines... changing one letter) [ 03-22-2004, 02:23 PM: Message edited by: Thoran ] |
03-22-2004, 02:26 PM | #12 | |
Knight of the Rose
|
Here's something direct from the paypal site:
Quote:
That is, the legitimate site, the one I got to by typing in the name of the site myself not off of a link. [ 03-22-2004, 02:30 PM: Message edited by: Firestormalpha ]
__________________
"When you start with a presupposition, it's hard to arrive at any other conclusion." "We are never to judge a philosophy by its abuse." - Augustine "If you're wondering if God has a sense of humor, consider the platypus." http://www.greaterthings.cbglades.com |
|
03-23-2004, 09:04 AM | #13 |
Ironworks Moderator
Join Date: March 1, 2001
Location: Midlands, South Carolina
Age: 48
Posts: 14,759
|
__________________
|
03-23-2004, 09:56 AM | #14 |
Ironworks Moderator
Join Date: June 10, 2001
Location: Pasir Ris, Singapore
Age: 41
Posts: 11,063
|
Sorry, Thoran; but the e-mail is a fraud. I didn't reply back here, but I got back a reply from Paypal yesterday and they confirmed my suspicion.
Clicking on a link with a valid URL is NO guarantee that it is genuine, and even if you go to the site and still see the correct URL in your address bar, it is still no guarantee. A URL is no more than a mask for the underlying IP address. |
03-23-2004, 10:01 AM | #15 | |
Ironworks Moderator
Join Date: June 10, 2001
Location: Pasir Ris, Singapore
Age: 41
Posts: 11,063
|
Quote:
|
|
03-23-2004, 11:34 AM | #16 | |
Galvatron
Join Date: January 10, 2002
Location: Upstate NY
Age: 56
Posts: 2,109
|
Quote:
Basically, the only possibility for faking would be at the source or at the dns server. I'm sure paypal's site wasn't hijacked so the dns lookup ain't the problem, the other possibility is that the "link" had "www.paypal.com" as the html tag text and a different url as the target of the link... this is the likely scenario and if you look at the REAL text of the email (which I'll bet was an html email or had html embedded) then I bet you'll find an embedded url that's different. I always have all emails displayed as text not html... so that sort of stuff is pretty obvious. You (wisely) didn't duplicate the email's html in the post above, which is why the above link is valid while the link in the email wasn't. There is no way to intercept and redirect a dns request unless you've compromised the user's computer. The underlying IP returned by a dns lookup is safe (as I said... unless the hacker already has control of the user's system or the entire paypal site has been hijacked). There is no magic hacker tool that can hijack the entire internet name resolution architecture and change ip resolution... that means the ONLY possibilities are to hijack the destination web site (either by replacing their domain's ip with yours or by hacking into their web servers and adding your own code) or fake the user into going to a different url. I always recommend users view emails ONLY as plain text, never allow people to send you html encoded emails that are displayed as html. It's pretty easy to hide things in html, even if your email program doesn't automatically execute scripts (I don't think any of them do that anymore). [ 03-23-2004, 11:35 AM: Message edited by: Thoran ] |
|
03-23-2004, 11:44 AM | #17 | |
Jack Burton
Join Date: July 19, 2003
Location: an expat living in France
Age: 39
Posts: 5,577
|
Quote:
__________________
|
|
03-23-2004, 11:47 AM | #18 |
40th Level Warrior
Join Date: July 11, 2002
Location: Chicago, IL
Posts: 11,916
|
I'm a PayPal member and didn't get the email.
|
03-23-2004, 04:25 PM | #19 |
Fzoul Chembryl
Join Date: August 30, 2001
Location: somewhere
Age: 54
Posts: 1,785
|
I get a feeling part of that link was lost in the cut and paste to this board. You can make the text of a link anything you want. The actual web link associated with the text can be completely different. The fact that the email wants you to read the text of the link specifically and not check the address bar or hyperlink preview at the bottom of the page leads me to believe this is the case. At any rate, you can prevent being taken by "phishing" bait such as this by logging into sensitive sites using only your own shortcuts or typing the site in the addy bar yourself. Another method I like is to put a false password in the page. Spoof pages will let you in regardless of what password you use.
__________________
Master Barbsman and wielder of the razor wit!
There are dark angels among us. They present themselves in shining raiment but there is, in their hearts, the blackness of the abyss. |
03-23-2004, 04:39 PM | #20 |
Lord Ao
Join Date: June 24, 2002
Location: Nevernever Land
Age: 50
Posts: 2,002
|
The email is a fraud. It takes advantage of a known security bug in IE where formatting a hyperlink in a particular way will spoof the user into thinking they are on one site (address bar and status bar report the expected URL) but they are actually on another.
So, while https ://paypal.com/whatever may look like a real paypal page, you are nowhere near the paypal domain. An example link is here: Ironworks Homepage Mileage of this link may vary .... but the status and address bars should report the URL as http://www.ironworksforum.com but the link takes you to a Google query with news articles about this flaw ..... I mean - feature! [ 03-23-2004, 04:49 PM: Message edited by: Night Stalker ]
__________________
AYPWIP? (http://www.duryea.org/pinky/gurkin.wav) ....
"I think so Brain, but isn't a cucumber that small called a gherkin?"
Shut UP! Pinky! |