I had recently received a number of legitimate messages from PayPal, since I had used it to pay for some items I had purchased on eBay for HelpingTulsa. But I knew that Paypal's Security Tips say Don't share personal information via email: We will never ask you to enter your password or financial information in an email or send such information in an email. You should only share information about your account once you have logged in to https://www.paypal.com/.
Therefore I was suspicious. I looked a little harder at the How to Confirm area:
There were two hot links. The link this link would have taken me to http://18.104.22.168/web/verify.html while the link Login would have taken me to https://www.paypal.com/, just like PayPal says.
Visual Route tells me that http://22.214.171.124 is in Taiwan. Interestingly there is something strange in the server there (which is running Apache/1.3.24 (Unix) PHP/4.2.0) that prevents me from getting Visual Route to give me a graphical file of the route to that server,
but I have Print Key and it gave me:
It also gave me a map, showing the server is in Taipei, Taiwan:
The Taiwan server apparently has some security features which try to prevent it from being traced. I indicated above that I had trouble getting VisualRoute to save the route as a graphical file. I also found that I could not get Internet Explorer to save the page at http://126.96.36.199/web/verify.html to my hard disk (I got an error from IE), but I know other ways to capture the HTML code of a reluctant website, and was able to capture it. There are a few things I don't understand. For example the website provides a file called bug.cgi which appears to have come from http://127.0.0.1:1026/bug.cgi 127.0.0.1 is a loopback network connection, i.e. it is my own machine. As ThinkGeek says There's no place like 127.0.0.1 I suspect that things like this "CGI script" are part of the security tricks that try to block you from tracing down the server in Taiwan, but they were not very successful.
In any event, here is the information the people in Taiwan hoped I would be foolish enough to enter into their computer in Step 1, before I took the Step 2 link to the real PayPal site to "confirm the information that I submitted". Needless to say, I was not that foolish, and I hope you won't be either.
|Sign Up | Log Out | Help|
|Personal Account Identity Verification|
About Us | Accounts | Fees | Privacy | Security Center | User Agreement | Developers | Referrals | Help
Copyright © 1999-2003 PayPal. All rights reserved.
Information about FDIC pass-through insurance
I reported this message to PayPal, and here was their response:
Dear Don Singleton,
Thank you for contacting PayPal with your concern.
We appreciate you bringing this suspicious activity to our attention. Please follow the instructions below on how to report any suspicious or unauthorized activity involving your PayPal Account. If your email program does not support embedded hyperlinks listed in this email, you must copy and paste the entire link into the address bar.
To report a suspicious email:
- If you are able to access your PayPal Account, click here: https://www.paypal.com/wf/f=sa_email
- If you cannot access your PayPal Account, click here: https://www.paypal.com/ewf/f=sa_email
If you have the original suspicious email, please forward the entire email to firstname.lastname@example.org and then delete it.
To report a fraudulent website:
- If you are able to access your PayPal Account, click here: https://www.paypal.com/wf/f=sa_fake
- If you cannot access your PayPal Account, click here: https://www.paypal.com/ewf/f=sa_fake
**PLEASE NOTE** If you have surrendered financial or password information to the suspicious website or email, promptly report this to the issuing institution as well as change your passwords and secret answers on your PayPal Account. If any unauthorized changes appear on your account, report this activity immediately!
To file a claim of Unauthorized Use of Your PayPal Account:
- If you are able to access to your PayPal Account, click here: https://www.paypal.com/wf/f=sa_unauth
- If you cannot access your PayPal Account, click here to recover your password: https://www.paypal.com/ewf/f=prob_pswd
- If you still cannot access your PayPal Account after following the password recovery instructions, click here: https://www.paypal.com/ewf/f=sa_unauth
Other Scenarios to report:
If you have sent a payment, but believe the seller to be fraudulent, or have not received product, click here to file a complaint against the seller: https://www.paypal.com/cgi-bin/webscr?cmd=_contact-submit&flow=md_buyer
If this is a PayPal transaction showing up on your Credit Card or Bank Statement that is NOT on your PayPal Account, please call 1-888-221-1161 and request to be transferred to the Stolen Credit Card/Stolen Bank Account Department. Only reports of stolen Credit Cards and stolen Bank Accounts will be handled by phone.
If your problem is not one of the above scenarios, then please contact us at https://www.paypal.com/ewf/f=default
If we require information from you, we will notify you in an email and request that you enter the information only after you have safely and securely logged in to your PayPal Account. To log in to your PayPal Account or access the PayPal website, open a new web browser (e.g., Internet Explorer or Netscape) and type in the following: https://www.paypal.com/ . If anyone claiming to work for PayPal asks for your password under any circumstances, by email or by phone, please refuse and immediately contact us via webform at https://www.paypal.com/wf/f=sa_pass
Please remember these steps to help protect your PayPal Account from Unauthorized Account Access.
Emails - Make sure they are sent from PayPal
- If you receive an email and are unsure whether it is from PayPal, open a new web browser (e.g., Internet Explorer or Netscape) and type in the following: https://www.paypal.com/. Don't click on any link in an email which seems suspicious to you.
- Some spoof websites will send emails that pretend to come from PayPal to entice you to log in at the spoof URL. Be extremely cautious of emails that directs you to a website that asks for sensitive information.
- Stay safe; don't respond to emails asking for any of the following:
- Your password and email address combination
- Credit card numbers
- Bank account numbers
- Social security numbers
- Drivers license number
- First and Last Names
Email Greeting -
- PayPal will never send you an email with the greeting "Dear PayPal User" or "Dear PayPal Member". Real PayPal emails will address you by your first and last name, or the business name associated with your PayPal Account.
Always log into the PayPal site
- PayPal will only ask for information AFTER you have securely logged in.
Website pages - make sure that they are hosted by PayPal
- When using the PayPal service, always ensure that the url address listed at the top of the browser is https://www.paypal.com/ The 's' ensures that the website is secure. Even if the URL contains the word 'PayPal', it may not be a PayPal webpage.
- Look for the 'lock' symbol that appears in the lower right hand corner of the browser. This symbol indicates that it is a secure site
Do not download attachments, software updates, or any application to your computer via a link you received in an email. PayPal will not ask you to download anything for your account to work.
Passwords - keep it on PayPal
- Use a unique password for the PayPal account and change it every 30-60 days
- The password should be one that is not used on any other site, service, or login
If you think you have received a fraudulent email, please forward the original email to email@example.com and then delete the email from your mailbox. Never click any links or attachments in a suspicious email.
If you have any further questions, please feel free to contact us again.
PayPal Customer Service
PayPal, an eBay Company
This was not the only PayPal Scam that I received this month. I received another one, supposedly sent from firstname.lastname@example.org and which seems to have originated in Mexico. It has the subject PayPal official updates, and an attachment which appears to be a GIF file named message.gif, but I suspect it is a virus. I did NOT click on it.
It appears to have a legitimate PayPal URL, but actually the entire email message is a graphic file, embedded in a very small web page, and clicking on the graphic will send you to http://%75%73%65%72%64%6C%6C%2E%69%6E%66%6F which is an encrypted way of saying http://userdll.info/ which is a server in Austin Texas
I also got a message from email@example.com with a subject Congratulations! and a body which said Your bill is attached to this mail and the attachment is the Netsky.P Worm
For more information on the Tulsa Computer Society click here