Ironworks Gaming Forum
Old 03-22-2004, 02:13 PM   #11
Thoran
Galvatron
 

Join Date: January 10, 2002
Location: Upstate NY
Age: 56
Posts: 2,109
One little problem here guys...
https://www.paypal.com/accountcleanup/
is a valid paypal site... unless someone has hijacked paypal's domain name and duplicated it exactly (pretty darn unlikely). Either that or they've got a keylogger or something running on your system and they've sent the email to get you to enter your paypal info (also very unlikely).

HOWEVER, I'm as cynical as the rest of you and trust NOTHING I get by email. If I were you I'd call paypal and ask them about the mail... as a way to verify its validity.

My gut feel is that this is valid. As I said above, unless the entire domain has been hijacked there is no way for anyone outside of paypal to profit from you going to the paypal site and logging in. Since it's a secure connection there's no way to intercept the data sent either (except at your machine). Even if the hacker was sophisticated enough to pull this off, it doesn't make much sense to me, he's not going to get a better hit rate than using a run of the mill almost the same dn type attack. (www.paypals.com or something along those lines... changing one letter)

[ 03-22-2004, 02:23 PM: Message edited by: Thoran ]
Thoran is offline  
Old 03-22-2004, 02:26 PM   #12
Firestormalpha
Knight of the Rose
 
Join Date: July 11, 2002
Location: Coral Springs, Fl USA
Age: 40
Posts: 4,454
Here's something direct from the paypal site:

Quote:
Protect Yourself from Fraudulent Emails and Websites

At PayPal, protecting your account's security is our top priority. Recently, PayPal members have reported suspicious-looking emails and fake websites. These emails are not from PayPal and responding to them may put your account at risk. Please protect your PayPal account by paying close attention to the emails you receive and the websites you visit.

Please use the following tips to stay safe with PayPal:
Safe Log In: To log in to your PayPal account or access the PayPal website, open a new web browser (e.g., Internet Explorer or Netscape) and type in the following: https://www.paypal.com/


Greeting: Emails from PayPal will address you by your first and last name or the business name associated with your PayPal account. Fraudulent emails often include the salutation "Dear PayPal User" or "Dear PayPal Member".


Email Attachments: PayPal emails will never ask you to download an attachment or a software program. Attachments contained in fraudulent emails often contain viruses that may harm your computer or compromise your PayPal account.


Request for Personal Information: If we require information from you, we will notify you in an email and request that you enter the information only after you have safely and securely logged in to your PayPal account.

Often, fraudulent emails will request details such as your full name, account password, credit card number, bank account, PIN number, Social Security Number, or mother's maiden name.
If you think that you have received a fraudulent email (or fake website), please forward the email (or URL address) to spoof@paypal.com and then delete the email from your mailbox. Never click any links or attachments in a suspicious email.
End result? The email is a scam.

That is, the legitimate site, the one I got to by typing in the name of the site myself not off of a link.

[ 03-22-2004, 02:30 PM: Message edited by: Firestormalpha ]
__________________
"When you start with a presupposition, it's hard to arrive at any other conclusion."

"We are never to judge a philosophy by its abuse." - Augustine

"If you're wondering if God has a sense of humor, consider the platypus."

http://www.greaterthings.cbglades.com
Firestormalpha is offline  
Old 03-23-2004, 09:04 AM   #13
Larry_OHF
Ironworks Moderator
 

Join Date: March 1, 2001
Location: Midlands, South Carolina
Age: 48
Posts: 14,759
http://www.cnn.com/2004/TECH/interne...eut/index.html

They got him.
__________________
Larry_OHF is offline  
Old 03-23-2004, 09:56 AM   #14
Dundee Slaytern
Ironworks Moderator
 

Join Date: June 10, 2001
Location: Pasir Ris, Singapore
Age: 41
Posts: 11,063
Sorry, Thoran; but the e-mail is a fraud. I didn't reply back here, but I got back a reply from Paypal yesterday and they confirmed my suspicion.

Clicking on a link with a valid URL is NO guarantee that it is genuine, and even if you go to the site and still see the correct URL in your address bar, it is still no guarantee. A URL is no more than a mask for the underlying IP address.
Dundee Slaytern is offline  
Old 03-23-2004, 10:01 AM   #15
Dundee Slaytern
Ironworks Moderator
 

Join Date: June 10, 2001
Location: Pasir Ris, Singapore
Age: 41
Posts: 11,063
Quote:
Originally posted by Larry_OHF:
http://www.cnn.com/2004/TECH/interne...eut/index.html
They got him.
Woot. May he burn in Hell.
Dundee Slaytern is offline  
Old 03-23-2004, 11:34 AM   #16
Thoran
Galvatron
 

Join Date: January 10, 2002
Location: Upstate NY
Age: 56
Posts: 2,109
Quote:
Originally posted by Dundee Slaytern:
Sorry, Thoran; but the e-mail is a fraud. I didn't reply back here, but I got back a reply from Paypal yesterday and they confirmed my suspicion.

Clicking on a link with a valid URL is NO guarantee that it is genuine, and even if you go to the site and still see the correct URL in your address bar, it is still no guarantee. A URL is no more than a mask for the underlying IP address.
Ahh... I think I know what happened... you didn't copy the email directly so the link created in your post is based on the text of the email not the underlying html.

Basically, the only possibility for faking would be at the source or at the dns server. I'm sure paypal's site wasn't hijacked so the dns lookup ain't the problem, the other possibility is that the "link" had "www.paypal.com" as the html tag text and a different url as the target of the link... this is the likely scenario and if you look at the REAL text of the email (which I'll bet was an html email or had html embedded) then I bet you'll find an embedded url that's different. I always have all emails displayed as text not html... so that sort of stuff is pretty obvious. You (wisely) didn't duplicate the email's html in the post above, which is why the above link is valid while the link in the email wasn't.

There is no way to intercept and redirect a dns request unless you've compromised the user's computer. The underlying IP returned by a dns lookup is safe (as I said... unless the hacker already has control of the user's system or the entire paypal site has been hijacked). There is no magic hacker tool that can hijack the entire internet name resolution architecture and change ip resolution... that means the ONLY possibilities are to hijack the destination web site (either by replacing their domain's ip with yours or by hacking into their web servers and adding your own code) or fake the user into going to a different url.

I always recommend users view emails ONLY as plain text, never allow people to send you html encoded emails that are displayed as html. It's pretty easy to hide things in html, even if your email program doesn't automatically execute scripts (I don't think any of them do that anymore).

[ 03-23-2004, 11:35 AM: Message edited by: Thoran ]
Thoran is offline  
Old 03-23-2004, 11:44 AM   #17
dplax
Jack Burton
 

Join Date: July 19, 2003
Location: an expat living in France
Age: 38
Posts: 5,577
Quote:
Originally posted by dplax:
Two mistakes jump out for me. The first is that the link they want to send you to starts with https and not http the second is that they say that all paypal members have to do this. Well I am a member, but I did not get the message.
I'd like to excuse myself for my mistake here. Obviously paypal is https as several of you have pointed out and it was my uninformedness which made me make the mistake. The second point is still valid though.
__________________

dplax is offline  
Old 03-23-2004, 11:47 AM   #18
Timber Loftis
40th Level Warrior
 

Join Date: July 11, 2002
Location: Chicago, IL
Posts: 11,916
I'm a PayPal member and didn't get the email.
Timber Loftis is offline  
Old 03-23-2004, 04:25 PM   #19
Sir Kenyth
Fzoul Chembryl
 

Join Date: August 30, 2001
Location: somewhere
Age: 54
Posts: 1,785
I get a feeling part of that link was lost in the cut and paste to this board. You can make the text of a link anything you want. The actual web link associated with the text can be completely different. The fact that the email wants you to read the text of the link specifically and not check the address bar or hyperlink preview at the bottom of the page leads me to believe this is the case. At any rate, you can prevent being taken by "phishing" bait such as this by logging into sensitive sites using only your own shortcuts or typing the site in the addy bar yourself. Another method I like is to put a false password in the page. Spoof pages will let you in regardless of what password you use.
__________________
Master Barbsman and wielder of the razor wit!

There are dark angels among us. They present themselves in shining raiment but there is, in their hearts, the blackness of the abyss.
Sir Kenyth is offline  
Old 03-23-2004, 04:39 PM   #20
Night Stalker
Lord Ao
 

Join Date: June 24, 2002
Location: Nevernever Land
Age: 49
Posts: 2,002
The email is a fraud. It takes advantage of a known security bug in IE where formatting a hyperlink in a particular way will spoof the user into thinking they are on one site (address bar and status bar report the expected URL) but they are actually on another.

So, while https ://paypal.com/whatever may look like a real paypal page, you are nowhere near the paypal domain.

An example link is here:

Ironworks Homepage

Mileage of this link may vary .... but the status and address bars should report the URL as http://www.ironworksforum.com but the link takes you to a Google query with news articles about this flaw ..... I mean - feature!

[ 03-23-2004, 04:49 PM: Message edited by: Night Stalker ]
__________________
AYPWIP? (http://www.duryea.org/pinky/gurkin.wav) ....
"I think so Brain, but isn't a cucumber that small called a gherkin?"

Shut UP! Pinky!
Night Stalker is offline  