Confirm Your Information

by Don Singleton
Tulsa Computer Society
From the April 2004 issue of the I/O Port Newsletter

I received an email, supposedly from service@paypal.com, asking me to confirm my information with them.

I had recently received a number of legitimate messages from PayPal, since I had used it to pay for some items I had purchased on eBay for HelpingTulsa. But I knew that PayPal's Security Tips say: "Don't share personal information via email: We will never ask you to enter your password or financial information in an email or send such information in an email. You should only share information about your account once you have logged in to https://www.paypal.com/."

Therefore I was suspicious. I looked a little harder at the How to Confirm area:

There were two hot links. The link "this link" would have taken me to http://202.133.229.231/web/verify.html, while the link "Login" would have taken me to https://www.paypal.com/, just like PayPal says.

Visual Route tells me that http://202.133.229.231 is in Taiwan. Interestingly, there is something strange about the server there (which is running Apache/1.3.24 (Unix) PHP/4.2.0) that prevents Visual Route from saving a graphical file of the route to that server, but I have Print Key and it captured the route for me. It also gave me a map showing the server is in Taipei, Taiwan.

The Taiwan server apparently has some security features which try to prevent it from being traced. I indicated above that I had trouble getting VisualRoute to save the route as a graphical file. I also found that I could not get Internet Explorer to save the page at http://202.133.229.231/web/verify.html to my hard disk (I got an error from IE), but I know other ways to capture the HTML code of a reluctant website, and was able to capture it. There are a few things I don't understand. For example, the website provides a file called bug.cgi which appears to have come from http://127.0.0.1:1026/bug.cgi. 127.0.0.1 is a loopback network connection, i.e. it is my own machine; as ThinkGeek says, "There's no place like 127.0.0.1". I suspect that things like this "CGI script" are part of the security tricks that try to block you from tracing down the server in Taiwan, but they were not very successful.

In any event, here is the information the people in Taiwan hoped I would be foolish enough to enter into their computer in Step 1, before I took the Step 2 link to the real PayPal site to "confirm the information that I submitted". Needless to say, I was not that foolish, and I hope you won't be either.

  Sign Up | Log Out | Help
  Welcome | Send Money | Request Money | Merchant Tools | Auction Tools

Personal Account Identity Verification

Your Profile Information - Enter your name as it appears on your credit card or bank account.
  (5 digits)
  Country:

Enter Your Bank Account Information.
  Debit Card Number:
  Expiration Date:  Month:    Year:

Enter Your Personal Information.
  Social Security Number:
  Card PIN Number:  (4 or 6 digit code used in ATMs)
  (mm/dd/yyyy)

Your Email Address and Password - Your email address will be used as your PayPal login. Your password must be at least 8 characters and is case sensitive.
  Email Address:
  Re-enter Email Address:

Security Questions - If you forget your password, you will be asked for the answers to your 2 Security Questions. You must select 2 different questions.

- This test prevents automated registrations. Enter the characters in the yellow grid into the empty box. Do not enter any spaces between the characters.   Help

User Agreement and Privacy Policy - Please read and agree to the information below. The User Agreement and Privacy Policy are designed to protect and inform you of your rights within the PayPal service.
  User Agreement / Printer Friendly User Agreement
  Privacy Policy / Printer Friendly Privacy Policy

  About Us | Accounts | Fees | Privacy | Security Center | User Agreement | Developers | Referrals | Help

Copyright © 1999-2003 PayPal. All rights reserved.
Information about FDIC pass-through insurance

I reported this message to PayPal, and here was their response:

Dear Don Singleton,

Thank you for contacting PayPal with your concern.

We appreciate you bringing this suspicious activity to our attention. Please follow the instructions below on how to report any suspicious or unauthorized activity involving your PayPal Account. If your email program does not support embedded hyperlinks listed in this email, you must copy and paste the entire link into the address bar.

To report a suspicious email:

If you have the original suspicious email, please forward the entire email to spoof@paypal.com and then delete it.

To report a fraudulent website:

**PLEASE NOTE** If you have surrendered financial or password information to the suspicious website or email, promptly report this to the issuing institution as well as change your passwords and secret answers on your PayPal Account. If any unauthorized changes appear on your account, report this activity immediately!

To file a claim of Unauthorized Use of Your PayPal Account:

Other Scenarios to report:

If you have sent a payment, but believe the seller to be fraudulent, or have not received product, click here to file a complaint against the seller: https://www.paypal.com/cgi-bin/webscr?cmd=_contact-submit&flow=md_buyer

If this is a PayPal transaction showing up on your Credit Card or Bank Statement that is NOT on your PayPal Account, please call 1-888-221-1161 and request to be transferred to the Stolen Credit Card/Stolen Bank Account Department. Only reports of stolen Credit Cards and stolen Bank Accounts will be handled by phone.

If your problem is not one of the above scenarios, then please contact us at https://www.paypal.com/ewf/f=default

If we require information from you, we will notify you in an email and request that you enter the information only after you have safely and securely logged in to your PayPal Account. To log in to your PayPal Account or access the PayPal website, open a new web browser (e.g., Internet Explorer or Netscape) and type in the following: https://www.paypal.com/. If anyone claiming to work for PayPal asks for your password under any circumstances, by email or by phone, please refuse and immediately contact us via webform at https://www.paypal.com/wf/f=sa_pass

Please remember these steps to help protect your PayPal Account from Unauthorized Account Access.

Emails - Make sure they are sent from PayPal

  1. If you receive an email and are unsure whether it is from PayPal, open a new web browser (e.g., Internet Explorer or Netscape) and type in the following: https://www.paypal.com/. Don't click on any link in an email which seems suspicious to you.

  2. Some spoof websites will send emails that pretend to come from PayPal to entice you to log in at the spoof URL. Be extremely cautious of emails that direct you to a website that asks for sensitive information.

  3. Stay safe; don't respond to emails asking for any of the following:
    • Your password and email address combination
    • Credit card numbers
    • Bank account numbers
    • Social security numbers
    • Drivers license number
    • First and Last Names

Email Greeting -

Always log into the PayPal site

Website pages - make sure that they are hosted by PayPal

  1. When using the PayPal service, always ensure that the URL listed at the top of the browser is https://www.paypal.com/. The 's' ensures that the website is secure. Even if the URL contains the word 'PayPal', it may not be a PayPal webpage.

  2. Look for the 'lock' symbol that appears in the lower right hand corner of the browser. This symbol indicates that it is a secure site.

Do not download attachments, software updates, or any application to your computer via a link you received in an email. PayPal will not ask you to download anything for your account to work.

Passwords - keep it on PayPal

  1. Use a unique password for the PayPal account and change it every 30-60 days
  2. The password should be one that is not used on any other site, service, or login

If you think you have received a fraudulent email, please forward the original email to spoof@paypal.com and then delete the email from your mailbox. Never click any links or attachments in a suspicious email.

If you have any further questions, please feel free to contact us again.

Sincerely,
LuShawn
PayPal Customer Service
PayPal, an eBay Company

This was not the only PayPal scam that I received this month. I received another one, supposedly sent from user-billing03@paypal.com, which seems to have originated in Mexico. It has the subject "PayPal official updates" and an attachment which appears to be a GIF file named message.gif, but I suspect it is a virus. I did NOT click on it.

Also, it appears to have a legitimate PayPal URL, but actually the entire email message is a graphic file embedded in a very small web page, and clicking on the graphic will send you to http://%75%73%65%72%64%6C%6C%2E%69%6E%66%6F, which is a percent-encoded (URL-escaped) way of writing http://userdll.info/, a server in Austin, Texas (which strangely has both name servers on the same machine as the website). According to Whois the domain is owned by an unnamed person in Watertown, Wisconsin, but is paid for by someone in Paris, France. It appears to be a server run by someone with a cable modem provided by Road Runner.
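As an added example (not from the newsletter), here is a small Python checker that applies the two tells described in this article, a link whose host is a bare IP address and a host written with %xx escapes, to a constructed email body modelled on these two messages; the sample HTML and the expected domain www.paypal.com are assumptions.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

# Constructed sample body modelled on the two messages above (not the real emails).
SAMPLE_HTML = """<p>Please <a href="http://202.133.229.231/web/verify.html">this link</a>
to confirm, then <a href="https://www.paypal.com/">Login</a>.</p>
<a href="http://%75%73%65%72%64%6C%6C%2E%69%6E%66%6F/"><img src="message.gif"></a>"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def decode_host(href):
    """Hostname with %xx escapes undone, e.g. %75%73... -> userdll.info."""
    return unquote(urlsplit(href).hostname or "")

def check_link(href, expected="www.paypal.com"):
    """Reasons a link looks spoofed; an empty list means it passed every check."""
    parts, host, reasons = urlsplit(href), decode_host(href), []
    if "%" in (parts.hostname or ""):
        reasons.append(f"percent-encoded host decodes to {host}")
    try:
        ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass  # not an IP literal, which is what a real site should look like
    if host != expected and not host.endswith("." + expected):
        reasons.append(f"host {host!r} is not {expected}")
    if parts.scheme != "https":
        reasons.append("not https")
    return reasons

def audit(html, expected="www.paypal.com"):
    # Key each anchor by its visible text, or by href when the anchor is an image.
    p = AnchorCollector()
    p.feed(html)
    return {text or href: check_link(href, expected) for href, text in p.links}
```

Running audit(SAMPLE_HTML) flags the raw-IP "this link" and the percent-encoded image link while the genuine "Login" link comes back clean.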

I also got a message from noreply@paypal.com with the subject "Congratulations!" and a body which said "Your bill is attached to this mail", and the attachment is the Netsky.P worm.

Tulsa Computer Society 4/01/2004
Don Singleton, President