Spoofed Paypal email


ibe98765

So I received this email today that was a spoofed Paypal email trying to get me to fill in account information. Looking at the HTML, the form gets processed by this line:

<form action="http://www.paypal.com@ronaldhomepage.port5.com/post.php" method="get">

Just curious. Can anyone detail how this statement works? How does the information get to the right place? What is the logic?


Guest ThunderRiver

The logic is simple. Everything you put before @ is normally user name and password.. and thus web server (normally not like secure web server) will take in the whole address, but ignore the part before @

Now in your example.. whatever you put before @ will be ignored.. and the only part that actually loads is ronaldhomepage.port5.com/post.php

Well, you can have things like http://www.cnn.com@www-personal.umich.edu/~cperpich and end up crashing Internet Explorer... because it is not CNN.com

Typical secure servers have addresses like ftp or http://johndoe:password@www.johndoe.com:81 where johndoe is the user name, and password.. is password.. www.johndoe.com is the server url, and 81 is the port number

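The point made in the answer above, as an added example that is not part of the original thread: Python's standard urllib.parse separates the userinfo before `@` from the host that is actually contacted, applied here to the form line quoted in the first post. The `trusted_domain` parameter, the helper names and the sample HTML (which goes beyond the thread's case by adding a constructed lookalike link and a genuine link) are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the form line quoted in the thread, plus a lookalike
# link (capital "I" in place of lowercase "l") and a genuine link.
SAMPLE_EMAIL_HTML = """
<p>Please confirm your account.</p>
<form action="http://www.paypal.com@ronaldhomepage.port5.com/post.php" method="get">
<input name="password"></form>
<a href="http://www.paypaI.com/login">Log in</a>
<a href="https://www.paypal.com/">PayPal</a>
"""

class LinkCollector(HTMLParser):
    """Collect URLs from <form action=...> and <a href=...>."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = {"form": "action", "a": "href"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)

def check_url(url, trusted_domain):
    """Return (real_host, findings) for one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # lowercased; excludes userinfo and port
    findings = []
    if parts.username is not None:
        # Text before '@' is credentials (userinfo), never the destination.
        findings.append(f"userinfo '{parts.username}' precedes '@'")
    if host != trusted_domain and not host.endswith("." + trusted_domain):
        findings.append(f"real host '{host}' is not under {trusted_domain}")
    return host, findings

def scan_email(html, trusted_domain="paypal.com"):
    """Map every form/link URL in the HTML to its real host and findings."""
    collector = LinkCollector()
    collector.feed(html)
    return {url: check_url(url, trusted_domain) for url in collector.urls}

if __name__ == "__main__":
    for url, (host, findings) in scan_email(SAMPLE_EMAIL_HTML).items():
        print(url, "->", host, findings or "ok")
```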

The logic is simple. Everything you put before @ is normally user name and password.. and thus web server (normally not like secure web server) will take in the whole address, but ignore the part before @ Now in your example.. whatever you put before @ will be ignored.. and the only part that actually loads is ronaldhomepage.port5.com/post.php Well, you can have things like http://www.cnn.com@www-personal.umich.edu/~cperpich and end up crashing Internet Explorer... because it is not CNN.com Typical secure servers have addresses like ftp or http://johndoe:password@www.johndoe.com:81 where johndoe is the user name, and password.. is password.. www.johndoe.com is the server url, and 81 is the port number
So the PHP program at ronaldhomepage.port5.com grabs the information. I assume that the PHP program stores the data somewhere. Is it possible to grab this program and see where the data is being stored at (and who the person might be)?

Guest ThunderRiver

No you can't. PHP is server side code.. you can't see anything unless you are on that server reading the PHP code. Besides, when you run the url address ronaldhomepage.port5.com/post.php, it actually leads you to paypal.com

So perhaps, it is just another address that PayPal registered to themselves.. Nonetheless, PayPal will never ask you to enter your personal info via email.. thus, you should ignore these emails at all cost


Yes, they should! And if they don't and use an uncommon port number and you don't see the secured lock icon in your browser, be very suspicious. :o


Got this from PayPal in response to my feed to them of the email:

---------------------------------------------

Thank you for contacting PayPal.

Thank you for bringing this suspicious email to our attention. We can confirm that the email you received was not sent to you by PayPal. The website linked to this email is not a registered URL authorized or used by PayPal. We are currently investigating this incident fully. Please do not enter any personal or financial information into this website.

If you have surrendered any personal or financial information to this fraudulent website, you should immediately log into your PayPal Account and change your password and secret question and answer information. Any compromised financial information should be reported to the appropriate parties.

If you notice any unauthorized activity associated with your PayPal transaction history, please immediately report this to PayPal by following the instructions below:

1. Go to https://www.paypal.com/
2. Click on the Security Center at the bottom of the page
3. Click on "Report a Problem"
4. Select the Topic: Report Fraud
5: Select the Subtopic: Unauthorized use of my PayPal Account, and click Continue.
6. Follow the instructions to access the appropriate form

If you have any further questions, please feel free to contact us again.

Sincerely,
PayPal Account Review Department


Fwiw, I got a very similar email related to eBay about six months ago, and then I got a very similar form email when I reported it to eBay the way you did, IBE. It doesn't sound to me like eBay or PayPal (same company) are really trying to do anything about these messages. I got another one recently related to eBay asking me to click this link to update my eBay information. I fell for this one, stupidly. It was just a spammer trying to validate my email address. I hate this stuff.

-- Scot


Guest LilBambi

On each transaction message from PayPal they add the following to the bottom of the messages:

----------------------------------------------------------------
PROTECT YOUR PASSWORD

NEVER give your password to anyone and ONLY log in at https://www.paypal.com/. Protect yourself against fraudulent websites by checking the URL/Address bar every time you log in.
----------------------------------------------------------------

When you click on http://www.paypal.com it actually takes you to: https://www.paypal.com/

They kinda make it hard (to know if there is a wrong address because their main link doesn't have https) and easy (because www.paypal.com is easy to remember) at the same time...LOL!

There was something going around that changed the address at www.paypal.com to paipal.com but they capitalized the i so it looked like paypaI.com and was hardly noticed.

Any way you cut it, it is shady.

Chris


Ragnar Paulson

Shady perhaps, but a certain amount of common sense (or extrapolation from known behaviour) should be expected. If someone phoned you at home and said "This is your bank calling, we need to verify your account information, please give me your credit card number and expiry date" ... you'd be suspicious, right?

But the exact same scam in e-mail about PayPal is suddenly sophisticated and tricky? Is it just the fact a computer is involved?

Ragnar


Cluttermagnet
There was something going around that changed the address at www.paypal.com to paipal.com but they capitalized the i so it looked like paypaI.com and was hardly noticed. Any way you cut it, it is shady. Chris
I must say, "paypaI.com" (pai with the i capitalized = paI) is a really tricky trick. What will they think of next? PayPal was getting considerable bad press right around the time Ebay bought them. I hope that, for the sake of their users, they get better quickly under Ebay. I always resisted using such services, and have never regretted it. Some sellers, through no fault of their own, have had their funds frozen for lengthy periods of time. There were some bitter recriminations. It is likely that some of those who got fooled by the phoney emails and gave up their passwords and account names to imposter websites will have their accounts frozen until PayPal can get it all sorted out. This can cause major hardships for larger volume sellers who are counting on online auction proceeds for a living! I have always seen these 'billpayer' services as unnecessary middlemen, sort of like the 'AOL method' of payment collection for Ebay buyers and sellers. BTW a while back, I too received one of those bogus emails that try to hijack Ebay accounts. I didn't find it very convincing, but I could see how it might fool some newbies, and indeed, a reading of the Ebay forums at that time turned up a number of panicky posts by unfortunates who had taken the bait. Some had already been locked out of their own accounts and were frantically trying to set things right again as the crooks ran major ripoffs in their names. Regarding Scot's comments:
It doesn't sound to me like eBay or PayPal (same company) are really trying to do anything about these messages. I got another one recently related to eBay asking me to click this link to update my eBay information. I fell for this one, stupidly. It was just a spammer trying to validate my email address. I hate this stuff.
Some of these ripoff artists have gotten pretty clever and are doing these ripoffs from offshore, often 'twice removed' in the sense that they are also working with stolen email IDs to perform their other ripoffs. I read an article recently in one of my industry magazines entitled "Cyber Sleaze" where an editor who really should know better got suckered and failed to verify an offshore seller's identity independently before sending funds. His money disappeared down one of many such ratholes in Europe. He had allowed himself to become overly invested in 'not letting a really good deal get away'. I felt really sorry for him, and I believe he is no dummy, either. The sad truth is that just about any of us are susceptible to these sorts of things if we let our guard down. Pretty much anyone can be had eventually by someone skillful enough and patient enough to run just the right confidence game. I know I am no exception to this risk, and I always try to keep my guard up. FWIW, Ebay tells its users as often as they can about these risks and what to watch out for, but there are nevertheless always some gullible souls who are easily tricked by anyone posing as an authority figure. Don't let it be you! ;) Many may disagree with Ebay's approach "...we are a venue, not an auctioneer..." but it actually makes good business sense. They do offer some limited protections to buyers and sellers in certain circumstances, but otherwise have disavowed responsibility for all the ripoffs. I don't think they would have lasted even one year if they had not indemnified themselves in that way. As it is, they are at some risk if their own servers get hacked and info gets stolen directly from them.

Cluttermagnet
Has anyone seen these Sites regarding Paypal? http://www.paypalsucks.com/ http://www.paypalsuit.com/ Sound like they have some disgruntled payees.
Yes, this is what I was alluding to in my previous post. I guess I figured I would try to cut Ebay some slack. I'm waiting to see if they can do anything positive about cleaning up the PayPal mess. It was a bad situation when they took over- perhaps in time they can improve it. I have always been skeptical about the business model of the 'billpayer' companies. Seems to put way too much power in their hands. Personally, I would never use them. I guess they do a good job of putting buyers more at ease, but they seem a bit unnecessarily rough on sellers at times. When viewing feedback such as this, it might be helpful to know the date of the takeover and to keep it in mind when reading complaints. I would not be surprised if the complaints were worse and more frequent prior to the takeover date.

Guest ThunderRiver

It is unfortunate that PayPal or Ebay won't do much about these issues, but people need to start developing some common sense regarding the cyber world. Read this article http://www.eweek.com/article2/0,3959,1115152,00.asp

It is a funny article, but you should see a different aspect of view that people often overlook.

News media always say "More online scum stealing money in the name of PayPal!.." but they never say.. "More idiots are giving out credit cards number and SSN online without thinking!"

need more to say? ..my two cents


I got one of these today too in hotmail. Looked completely legitimate. I wasn't able to figure out where it actually came from - looked like service@paypal.com or something like that. I went through the paypal complaint form, pasted the body of the letter & filed a complaint. Have only received the automated response back from Paypal so far. It looked very legitimate, but I've been very conscious of these scams by reading forums (like this), newsletters & tech news. It came only after I'd made some paypal purchases - it was the only choice on the websites that I used. I think that it would be very easy for folks to fall for these. B)


Guest ThunderRiver

Alright, let's face it, it is not hard to spoof an email address and fake the identity in email. However, if it is something like service@paypal.com, would it just defeat the original purpose to steal user's info?


I assume that the FROM address was either a fake address that sounded like a legitimate paypal address or if you click on SEND your information, then it goes to an address other than paypal - the person who is trying to get your username, password and credit card information.


To be a verified payer you have to let PayPal draw the funds directly out of your checking account. BAD, that's worse than a debit card. I still use PayPal but only on a credit card which I monitor the transactions on-line with my bank.

I use PayPal for eBay and to donate for some programs and websites that I use a lot. Using PayPal for these transactions makes good sense to me.

Ken


Guest ThunderRiver

Up to this date, PayPal has never taken any money out of my checking account. Rather, it does transaction through my debit card, which is basically the same thing, but not quite.

For verification process, PayPal gave me up to 25 cents for it B) Not bad after all heh


My transactions did not go directly to my checking account, but through a credit (not debit) card that is guaranteed against fraud.

edited by Sieb: Actually, I rechecked & 1 site went through my credit card, and another only gave me the option of withdrawing from my checking account.


While some of us recognize this as attempted theft, it is MUCH more convincing than most of the spam out there. There are only 2 ways to tell it is a scam:

1 - Understand how to edit the email to tell that it doesn't end up at paypal. Since the from and replyto fields are at paypal, and they stole the paypal email format, some people don't think of this, and to be fair 98% of the population doesn't have the technical skills.

2 - (The preferred method) If anyone asks for any information whatsoever - don't give it. Easy as pie, but how many people do you know who can't make pastry :rolleyes:

The best way for them to track this is for the credit card companies to get involved. Answer the email with a planted number or 1000 and set an alarm on those numbers. If someone tries the card, have the police (or a private force) alerted and on the way immediately without alerting the user. Until they are involved, nothing can be solved.

Thanx,
Littlun.
