John Topley’s Weblog

No Pal Of Mine

This morning. 7:15 a.m. Bleary-eyed and reading my e-mails. An e-mail from PayPal asking me to verify my account:

“We recently have determined that different computers have logged onto your PayPal account, and multiple password failures were present before the login. One of our Customer Service employees has already tryed to telephonically reach you. As our employee did not manage to reach you, this email has been sent to your notice. Therefore your account has been temporarily suspended. We need you to confirm your identity in order to regain full privileges of your account. If this is not completed by April 13, 2005, we reserve the right to terminate all privileges of your account indefinitly, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. To confirm your identity please follow the link below:

https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Thank you for your patience in this matter.

PayPal - Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.”

—Different computers have logged into my PayPal account? I think about the fact that I’ve just bought another computer and the complicated steps I had to go through before to verify myself to PayPal, so I click the hyperlink in the e-mail and get taken to the PayPal login screen. And then I pause in my tracks and read the e-mail properly.

“One of our Customer Service employees has already tryed [sic] to telephonically [sic] reach you.” I hover the mouse over the hyperlink in the e-mail and look at the Thunderbird status bar. It tells me that the hyperlink actually goes to:

http://www.paypal.com.login-user43.info/webscr.php?cmd=LogIn

…which when clicked on, takes you to a passable clone of the genuine PayPal login screen.

Another giveaway: I actually received two of these e-mails, one sent to the editor address for my domain and the other to the webmaster address. Neither of these is the e-mail address that I use for PayPal.

Finally, I view the message source. The Return-Path is set to an account at lil.univ-littoral.fr, which turns out to be a French university. If this is the genuine account from which the e-mails were sent, then the sender was extremely naïve, or else some poor student has been set up to appear as the sender. I fire off an e-mail to abuse@lil.univ-littoral.fr and postmaster@lil.univ-littoral.fr so that they can investigate.

I’m horrified that I came quite close to divulging my PayPal credentials, but in the end the worst that happened was that I clicked on a dodgy hyperlink and maybe verified that the e-mail had got through to me. If there’s a moral to this story then it’s that in an Internet age when everybody seems to be out to get you, you have to make sure you’re fully awake when you read your e-mail.

Comments

There are 5 comments on this post. Comments are closed.

  • JD
    06 April 2005 at 21:23

    Hey John, I blogged about this on my post about GMail and Phishing.

  • JD
    06 April 2005 at 21:23

    Oops, you stripped the link. Here it goes: http://jdk.phpkid.org/index.php?p=1196

  • John Topley
    07 April 2005 at 07:17

    Thanks JD. I've commented over on your blog!

  • Vinnie
    11 June 2005 at 17:47

    This is still going around and it's getting harder to differentiate what is real anymore. I wonder how many people have actually given away their details. Thanks for posting. I found this by Googling it to see if mine was real or not.

  • Ben Atkin
    05 February 2006 at 08:39

    In all of the ones I've got so far, the address in the status bar when hovering over the link is different from the address in the link itself. This is a dead giveaway. I've heard about ones that play a trick on the User Interface by adding whitespace, making it hard to tell the difference between them. But I think that's been patched. Even if it hasn't, my skepticism about e-mails asking to update passwords would help prevent myself from being tricked in case of this whitespace trick being used.
