This morning. 7:15 a.m. Bleary-eyed and reading my e-mails. An e-mail from PayPal asking me to verify my account:
“We recently have determined that different computers have logged onto your PayPal account, and multiple password failures were present before the login. One of our Customer Service employees has already tryed to telephonically reach you. As our employee did not manage to reach you, this email has been sent to your notice. Therefore your account has been temporarily suspended. We need you to confirm your identity in order to regain full privileges of your account. If this is not completed by April 13, 2005, we reserve the right to terminate all privileges of your account indefinitly, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. To confirm your identity please follow the link below:
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
Thank you for your patience in this matter.
PayPal - Customer Service
Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.”
—Different computers have logged into my PayPal account? I think about the fact that I’ve just bought another computer and the complicated steps I had to go through before to verify myself to PayPal, so I click the hyperlink in the e-mail and get taken to the PayPal login screen. And then I pause in my tracks and read the e-mail properly.
“One of our Customer Service employees has already tryed [sic] to telephonically [sic] reach you.” I hover the mouse over the hyperlink in the e-mail and look at the Thunderbird status bar. It tells me that the hyperlink actually goes to:
http://www.paypal.com.login-user43.info/webscr.php?cmd=LogIn
…which when clicked on, takes you to a passable clone of the genuine PayPal login screen.
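The status-bar check above can be automated. The following is an added example, not code from the original post: it parses an HTML mail body, pairs each anchor's visible text with its real `href`, and flags the three tells in this message (the shown and real domains differ, `https` is displayed but the target is plain `http`, and the brand name appears as a leading label of some other registrable domain). The sample HTML is constructed from the two URLs quoted in the post, and the two-label "registrable domain" rule is a deliberate simplification (no public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: visible text is the genuine PayPal URL, href is the look-alike host.
SAMPLE_HTML = (
    '<p>To confirm your identity please follow the link below:</p>'
    '<a href="http://www.paypal.com.login-user43.info/webscr.php?cmd=LogIn">'
    'https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>'
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification: last two labels, adequate for .com/.info as in this mail.
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html):
    """Return [(href, [reasons])] for anchors whose text and target disagree."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        target = urlparse(href)
        shown = urlparse(text) if text.startswith(("http://", "https://")) else None
        reasons = []
        if shown and registrable_domain(shown.netloc) != registrable_domain(target.netloc):
            reasons.append("text/href domain mismatch")
        if shown and shown.scheme == "https" and target.scheme != "https":
            reasons.append("https shown but target is http")
        if "paypal" in target.netloc.lower().split(".") and registrable_domain(target.netloc) != "paypal.com":
            reasons.append("brand name embedded in look-alike host")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running it on `SAMPLE_HTML` reports the single anchor with all three reasons; a link whose text and `href` both point at `paypal.com` over `https` produces no finding.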
Another giveaway: I actually received two of these e-mails, one sent to the editor address for my domain and the other to the webmaster address. Neither of which is the e-mail address that I use for PayPal.
Finally, I view the message source. The Return-Path is set to an account at lil.univ-littoral.fr, which turns out to be a French university. If this is the genuine account from which the e-mails were sent, then the sender was extremely naïve, or else some poor student has been set up to appear as the sender. I fire off an e-mail to abuse@lil.univ-littoral.fr and postmaster@lil.univ-littoral.fr so that they can investigate.
I’m horrified that I came quite close to divulging my PayPal credentials, but in the end the worst that happened was that I clicked on a dodgy hyperlink and maybe verified that the e-mail had got through to me. If there’s a moral to this story then it’s that in an Internet age when everybody seems to be out to get you, you have to make sure you’re fully awake when you read your e-mail.
Comments
There are 5 comments on this post. Comments are closed.
Hey John, I blogged about this on my post about GMail and Phishing.
Oops, you stripped the link. Here it goes: http://jdk.phpkid.org/index.php?p=1196
Thanks JD. I've commented over on your blog!
This is still going around and it's getting harder to differentiate what is real anymore. I wonder how many people have actually given away their details. Thanks for posting. I found this by Googling it to see if mine was real or not.
In all of the ones I've got so far, the address in the status bar when hovering over the link is different from the address in the link itself. This is a dead giveaway. I've heard about ones that play a trick on the User Interface by adding whitespace, making it hard to tell the difference between them. But I think that's been patched. Even if it hasn't, my skepticism about e-mails asking to update passwords would help prevent me from being tricked in case of this whitespace trick being used.