http://www.mjsite.com saves this page so readers can view old news that may not still be available elsewhere.
This is a saved page of PayPal Security Flaw Allows Identity Theft (Slashdot)
This is a copy we made of the page on 22-Jun-2006.
The original page may or may not still be available and pictures and text may have changed since then.


Slashdot | PayPal Security Flaw Allows Identity Theft

PayPal Security Flaw Allows Identity Theft

Posted by Zonk on Friday June 16, @11:02AM
from the watch-your-back dept.
miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."

Related Stories

[+] Slashback: Sidekick Justice, Free WebTV, Office Patent 83 comments
Slashback tonight brings some clarifications, and updates to previous Slashdot stories including, justice for a stolen sidekick victim, free WebTV test a hit, SUSE 10.1 release postponed, Microsoft loses Office patent appeal, and PayPal fixes their phishing hole -- Read on for details.
  • What most people don't realize is this, if your card number is stolen and someone uses it.. you aren't liable for the charge.

    Unless a merchant has proof that you made the transaction on your credit card, you can always refute any charge on your credit card statement and you wont have to pay it.
  • Credit cards stolen?

    (Score:2, Funny)
    by GonzoTech (613147) on Friday June 16, @11:09AM (#15548894)
    ... Oh my God! How will the masses be able to buy gold for World of Warcraft? Something has to be done... GonzoTech
  • Trickery and Buggery

    (Score:5, Insightful)
    by Billosaur (927319) * on Friday June 16, @11:09AM (#15548895)
    (Last Journal: Thursday June 15, @09:09AM)

    When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?

    What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.

  • how??

    (Score:3, Interesting)
    by zimsters (978940) on Friday June 16, @11:09AM (#15548896)
    (http://a11.mine.nu/)
    "by tricking users into accessing a URL hosted on the genuine PayPal web site" How are hackers injecting this code into a legitimate paypal website?? Don't you have to modify the source code on the paypal servers themselves?
    • Re:how??

      (Score:5, Informative)
      by shawn443 (882648) on Friday June 16, @11:25AM (#15549029)
    • Re:how?? by vertinox (Score:2) Friday June 16, @12:30PM
    • Re:how?? by zimsters (Score:1) Friday June 16, @11:17AM
      • Re:how?? by baadger (Score:2) Friday June 16, @12:24PM
    • Re:how?? by MankyD (Score:3) Friday June 16, @11:19AM
      • Re:how?? by serial_crusher (Score:2) Friday June 16, @11:24AM
        • Re:how?? by ifoxtrot (Score:2) Friday June 16, @11:45AM
      • Re:how??

        (Score:5, Informative)
        by ifoxtrot (529292) on Friday June 16, @11:39AM (#15549142)
        To answer your question, in short the attack doesn't work if you visit http://paypal.com/ [paypal.com] manually.

        What an attacker can do is craft a URL that *is* to paypal.com but contains the injected material (i.e. script) inside the URL. In short the paypal.com servers suffer from a vulnerability which allows the execution of this material (passed as an argument in the URL) -- and thus executes the script on the victim's browser. Because of this, the SSL connection is correct, but it appears that paypal is telling you that you need to go to another website to change your credentials.

        You still have to get someone to click on the crafted URL for this to work though (hence why phishers are doing this, they're sending emails, or whatever.) so it's not going to work for people who don't click on the URL in phishing emails.

        What I'm wondering is why someone would click on a link in a scam and then worry that the SSL certificate is genuine! Someone who knows enough to check the certificate is probably clever enough to ignore phishing scams...
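The mechanism ifoxtrot describes is reflected cross-site scripting: a query parameter is copied into the genuine site's HTML without output encoding, so markup carried in a crafted link becomes part of the real page. The following is an added illustration, not code from the Slashdot thread, Netcraft or PayPal; the host, path and the "msg" parameter name are assumed, and the injected value is a constructed placeholder in the spirit of the "Your account is currently disabled" message quoted above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed example link (assumed host, path and parameter name). The value
# carries an HTML message followed by a script that would send the browser elsewhere.
CRAFTED_URL = (
    "https://www.example-payments.test/notice?msg="
    "Your+account+is+currently+disabled."
    "%3Cscript%3Elocation%3D%22https%3A%2F%2Fattacker.test%2Flogin%22%3C%2Fscript%3E"
)


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if it is absent."""
    values = parse_qs(urlsplit(url).query).get(name, [])
    return values[0] if values else ""


def render_vulnerable(url: str) -> str:
    """The defect the thread describes: the parameter is concatenated into the
    HTML verbatim, so any tag inside it is served from the genuine origin."""
    msg = query_param(url, "msg")
    return '<html><body><div class="notice">' + msg + "</div></body></html>"


def render_hardened(url: str) -> str:
    """Same page with output encoding at the point of insertion: html.escape
    turns <, >, &, " and ' into entities, so the value can only render as text.
    A Content-Security-Policy header would be defence in depth on top of this."""
    msg = html.escape(query_param(url, "msg"), quote=True)
    return '<html><body><div class="notice">' + msg + "</div></body></html>"


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(page: str) -> list[str]:
    """Regression check for a reviewer or test suite: list the tags actually
    present in the rendered output. Anything beyond the template's own tags
    means untrusted input reached the page as markup."""
    collector = _TagCollector()
    collector.feed(page)
    return collector.tags


if __name__ == "__main__":
    print("vulnerable:", tags_in(render_vulnerable(CRAFTED_URL)))
    print("hardened:  ", tags_in(render_hardened(CRAFTED_URL)))
```

Running it shows the vulnerable template emitting an extra script tag while the hardened one keeps the injected text inert; the same tag-allowlist check can be turned into a unit test for any page that reflects request data.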
      • Re:how?? by phasm42 (Score:2) Friday June 16, @12:49PM
        • Re:how?? by phasm42 (Score:2) Friday June 16, @12:52PM
    • Re:how?? by SirTalon42 (Score:2) Friday June 16, @11:31AM
  • Stupidity still necessary

    (Score:4, Insightful)
    by Draconnery (897781) on Friday June 16, @11:18AM (#15548975)
    This extremely detailed and thorough (~3 paragraphs long) article does sound like PayPal has a problem to take care of, but the flaw described doesn't remove the burden of stupidity from the phishing equation.

    Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is. ... sorry, I just live in a college town where the newspapers report bank fraud once a month because some stupid student fell for the 23 emails they received about suspicious activity concerning their bank account. Annoying.
  • Which Korea?

    (Score:5, Funny)
    by ch-chuck (9622) on Friday June 16, @11:18AM (#15548980)
    (http://slashdot.org/)
    The server currently running the scam is hosted in Korea

    North? South?

    As I post this, 6 out of 8 top level posts have a '?' in the subject,
    now 7 out of 9.

  • Surprise?

    (Score:3, Insightful)
    by theaddkid.com (983011) on Friday June 16, @11:23AM (#15549017)
    (http://theaddkid.com/)
    I don't know how this is a surprise to anyone. "Cross-site scripting techniques" are so common now they're writing magazine articles about them; go look at the last 2600 and you will find out how to do it and that you can start with myspace.com.
    • Re:Surprise? by DragonWriter (Score:2) Friday June 16, @11:44AM
  • I've got a fix

    (Score:5, Informative)
    Never follow a link in an email.

    It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.
  • Paypal is insecure

    (Score:2, Insightful)
    by Nightspirit (846159) on Friday June 16, @11:31AM (#15549092)
    I rarely use paypal, checked my bank statement one day, and realized 2k was missing from my bank courtesy of paypal. I have never clicked on a paypal email, and so the only explanation I could think of is either gross incompetence at paypal, or a keylogger was on my system (which was doubtful). Of course, I run all the major spyware/adware/virus/rootkit detectors and nothing (and yes, I do have a firewall, do not use wireless on this computer, and have a good password).

    So, no more paypal for me. Of course I eventually got my money back, but it was a major hassle. From now on I am creating accounts using temp credit card numbers.
  • Shouldn't be a problem

    (Score:5, Insightful)
    by Todd Knarr (15451) on Friday June 16, @11:32AM (#15549098)
    (http://www.silverglass.org/)

    This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.

    First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.

  • A few things about PayPal

    (Score:5, Informative)
    by XxtraLarGe (551297) on Friday June 16, @11:33AM (#15549104)
    I don't know how people fall for these scams. PayPal tells you exactly how to avoid them:
    • PayPal will always include your full name in any e-mail correspondence, not "Dear PayPal Member/User/etc."
    • PayPal tells never to click on a link to log in to their site. They say always type the url: https://www.paypal.com/ [paypal.com]
    Additionally, you should report all spoof e-mails to spoof@paypal.com. Hopefully PayPal will be able to track these online criminals down with the help of users.
  • HUH

    (Score:1)
    by theaddkid.com (983011) on Friday June 16, @11:41AM (#15549163)
    (http://theaddkid.com/)
    Um where in the article did it say it was another email scam? Oh wait it didn't It has nothing to do with email it has to do with "They are presented with a message that has been 'injected' onto the genuine PayPal site" "via a cross-site scripting technique." It has nothing to do with email. RTFA
    • Re:HUH by Anonymous Coward (Score:1) Friday June 16, @12:49PM
  • by rbanzai (596355) on Friday June 16, @11:44AM (#15549181)
    (Last Journal: Tuesday August 06, @06:52PM)
    I hardly ever use it and PayPal is too big a target with too poor security, and almost nonexistent procedures for recovery after fraud.
  • That's fine

    (Score:1, Interesting)

    Paypal's main site (http://www.paypal.com) does *NOT* do a permanent redirect to https://www.paypal.com, so if you hit www.paypal.com you give your paypal login and password in the clear. I've emailed them several times on this and have finally given up, as they don't bother to respond.

    So if you can get in between Paypal and your target, you don't even need to fool anybody.

    • Re:That's fine by Anonymous Coward (Score:1) Friday June 16, @12:03PM
    • It doesn't need to be

      (Score:5, Informative)
      by a16 (783096) on Friday June 16, @12:38PM (#15549561)
      (http://www.yoxio.com/)
      There is no reason for them to make the home page https - they probably serve millions of visits to this page daily, why serve all the people who just want to read about Paypal or check the help section using SSL and waste processing power?

      The login form submits using POST over SSL - the action of the form is using an https target. Your browser therefore sends all your details securely:

      <form method="post" name="login_form" action="https://www.paypal.com/

      In other words, it's no wonder they haven't fixed it - nothing is broken.
    • Re:That's fine by scharkalvin (Score:2) Friday June 16, @01:04PM
    • Re:That's fine by rudedog (Score:2) Friday June 16, @02:32PM
    • Re:That's fine by ampmouse (Score:1) Friday June 16, @03:12PM
    • WF and Yahoo by NuShrike (Score:2) Friday June 16, @04:17PM
  • Never. If it's important, you can go to PayPal's website manually, through a different tab or browser window, and check for yourself.
  • by Temujin_12 (832986) on Friday June 16, @12:19PM (#15549420)
    If the email doesn't give you instructions on how to NAVIGATE to a section of their webpage then don't follow the link. No matter how smart we all think we are, we can be tricked. The best thing to do is always start from the company's main page, then browse from there. That way if anything happens, you can blame it on their site.

    That's what I tell my wife, who gets lots of phishing emails, and it seems to work. It doesn't matter if your bank says they're going to shutdown your account, if they can't take the time to call you personally, have you call them personally, have you visit personally, or tell you how to navigate to a portion of their site then it isn't that important.

    I tell people the same thing with scam emails that purport to be from the police/FBI/etc. I figure if the authorities really need to get a hold of me they can to do it in person.

  • by inject_hotmail.com (843637) on Friday June 16, @12:27PM (#15549488)
    it's a feature.

    Seriously, it is. Look it up. It's unfortunate that the programmers down at PayPal don't have enough wisdom, foresight, and intuition to see that it could be used in such a way.

    inject.
  • by WillAffleckUW (858324) on Friday June 16, @12:33PM (#15549523)
    (Last Journal: Monday June 19, @12:57PM)
    by sending the full headers and links to spoof@paypal.com
  • It's important to educate oneself about basic security. Don't click a link in any email that refers to PayPal. As a matter of fact, there are few reasons to click links in any emails.

    Just as important, seriously, educate others. Don't mumble "Darwin" or "figure it out yourself" when you can help someone else protect themselves or educate themselves about security threats.

    Always report PayPal phish attempts to spam@paypal.com.

    There's an excellent set of resources about phishing in general - and you can report phishing attempts at: antiphishing.org [antiphishing.org].

    Not to be repetitive, but the best way to make a difference (in this case) is to help others and help yourself with education.
  • Good news for Google

    (Score:3, Interesting)
    by blueZ3 (744446) on Friday June 16, @12:56PM (#15549704)
    (http://mame.danzbb.com/)
    in their attempt to break into the on-line payments business?

    I recently (re)opened an account to buy a pinball machine on eBay (Stern Stars, a cool old machine), but it is only tied to my credit card. I'm very familiar (through personal experience) with PayPal's inability to handle fraud (the reason I closed my original, bank-linked account) and their lose-lose-win schemes (on a contested purchase, the buyer loses their money, the seller loses the item, and PayPal gets the big win by keeping any contested funds). I would probably have closed the account again, but my wife wanted to purchase some baby paraphernalia from a home-based business that only accepts checks or PayPal. I'm thinking this article is a reminder to close my PayPal account.

    Frankly, I will be very, very happy once Google's tool is available and I have a viable on-line payments alternative to PayPal.
  • by s31523 (926314) on Friday June 16, @01:37PM (#15549986)
    OK, I am stupid. If the "hackers" can present a legit SSL certificate, what good is it? The whole point (at least my dumb ass thought) of an SSL certificate was to provide assurance that you are dealing with a legit vendor. I thought the exact domain name was encoded with the URL so that an SSL certificate could not be used with a bogus URL? Is it just that these hackers used a valid sub-page off PayPal's website?

    Bottom line, what does one do to prevent this as a web host and what does one look for (aside from the obvious be wary of the website asking you about your personal info) to know it's a scam?
  • by XchristX (839963) on Friday June 16, @01:39PM (#15550005)
    The Netcraft anti-phishing Toolbar already protects PayPal users by blocking access to this site. IE and firefox users can download the toolbar as an extension to the browser and install it.

    http://toolbar.netcraft.com/ [netcraft.com]
  • I guess Netcraft has confirmed then, that PayPal is dying.

    Next expect scammers to use Skype to phone you for your password, PayPal to empty your bank account, and eBay to sell the goods they steal from you. eBay is offering crooks one stop shopping to rip you off.
  • I'd like to know...

    (Score:4, Interesting)
    by pongo000 (97357) on Friday June 16, @02:11PM (#15550214)
    ...why it is that whenever I log into PayPal, the number of PayPal-phishing e-mails suddenly increases over the next few minutes? It's as if something is monitoring traffic destined for PayPal (a compromised router, perhaps?) and is automatically triggering phishing e-mails to the originating IP.

    Has anyone else seen this?
  • by autophile (640621) on Friday June 16, @02:48PM (#15550480)
    Apparently Netcraft confirmed it.

    --Rob

  • If I see anything notifying me of an account issue, if it looks like it could be legit, I go directly to the site by typing in the URL.

    If there is a real account issue, and it's a company worth doing business with, I'll be able to find out how to resolve it without clicking on any external links to get there.

    Now, if they have a way to crack into PayPal's website and insert the dangerous link... that's a problem
  • Prey Pal

    (Score:1)
    by bdwoolman (561635) on Friday June 16, @03:43PM (#15550913)
    (http://www.bdwoolman.net/)
    Or Pray Pal

    Maybe both.

  • by AriaStar (964558) on Friday June 16, @06:09PM (#15552136)
    This is not new. Legitimate sites are hacked more often than anyone cares to admit, and end up hosting fraudulent pages that indeed link to an outside page, often with the domain in the web bar masked. Everyone should know by now to go directly to a page, and those who chose to ignore this should either be banned from the internet as their falling for these scams encourages crooks, or else they deserve what they get.

    Something else not new is domain masking, which I am sure you all know about.

    *sigh* When your ID is stolen, as mine was the "good old-fashioned way" when I was 18 (25 now), it sets you up for years of frustration, thousands you can't recoup, and makes you wonder why the hell people aren't more vigilant about protecting their identity. Once it's lost, you've got no hope, and dozens of police reports are no longer enough to get a new social to get your life back on track. Finding another ding on your report, another credit card in your name, a speeding ticket in a state you've never been to...it all becomes just something you accept, though no less frustrating. And there is no end in sight, not until people wise up and guard themselves to discourage people from even trying. And even that won't be enough.
  • Why can't people understand this!?!?!

    There is NO identity theft. It is all identity FRAUD. F-R-A-U-D!

    It's the same copyright theft vs copyright infringement argument.

    Geeze people are retarded.
  • Oh no!

    (Score:1)
    by ydra2 (821713) on Friday June 16, @11:24PM (#15553383)
    Please don't tell me I have to reset my password and re-enter all my credit card information for the fourth time this month!
  • They got me

    (Score:2, Interesting)
    by sodomchaka (983174) on Saturday June 17, @12:47AM (#15553596)
    Well, a first for me... they got me. I opened a new paypal account on Monday, and by Wednesday, my credit card was being fleeced. Worst of all, there is no way these guys get caught based on the following actions by the involved entities: Paypal: Classic, I contacted Paypal on Wednesday, "we have had no security problems.... Don't reply to phishing scams." (no shit sherlock, i just figured I was safe entering information directly into your website using SSL). When elevated up the customer support retard chain, I was then lectured on phishing scams (damn these people are bright), and told to contact my local authorities. Unreal... my local authorities... I wonder how many local reports are taken nationally due to these wankers. Follow up today (Friday), "you should contact our security" [by filling out our webform that warns you incessantly about phishing scams and that tells you after you fill out the form that they will get back to you in about 10 days... nice]. Mastercard: I contacted my credit card company, they cancelled the card but will not investigate until I fill out an affidavit, "which will take about 14 days to arrive." Kmart: I contacted Kmart, being one of the companies that put through charges to my credit card. "We cannot give you any information without your purchase number" (unreal, my credit card is used for illicit purchases, and I cannot find out where they are shipping the goods). They were nice though, and suggested I fax information to them if I wanted to speak to a security person, and they also suggested I have my local police contact them. Frederick's of Hollywood: Another company that put charges on my card- "We don't have a security department, call your credit card company." Will someone please shoot that g-string wearing cow. Local Police - I filled out an online complaint on Wednesday with the financial fraud division of my local police department. Still haven't heard a thing.
I went the extra mile and filed a complaint with the FBI's Internet Crime Complaint Center: Classic moment in law enforcement... after filling out the extensive affidavit, I received a generated email that read in part, "The IC3 receives thousands of complaints each month and does not have the resources to respond to inquiries regarding the status of complaints. It is the IC3's intention to review all complaints and refer them to law enforcement and regulatory agencies having jurisdiction. Ultimately, investigation and prosecution are at the discretion of the receiving agencies." [in other words, we really don't do anything, best of luck old chap]. I wish the crew working this scam the best, they are truly disgusting, but ingenious. As for the entities above, the next time I hear a news report where they are whining about credit card fraud costing consumers and businesses millions, I'll just chuckle at how pathetic the reaction was to my inquiries. They really don't care. Finally, some have posted that it won't cost me anything.... they are wrong. Some credit cards require the user to pay the first $50 of such fraud. And what about the people who just don't catch the credit card fraudulent uses. If you do not challenge the charge within 90 days, in most cases, you own the debt. Finally, by having my credit card cancelled for fraudulent purposes, I am the lucky recipient of a fraud alert on my credit statements with the credit reporting agencies for at least the next thirty days (I think 60). This means that I am barred from gaining any instant credit during this time period. Several years ago I had fraud on another credit card (authorities believed that the info was lifted from the card while I was on vacation when I paid for something at a restaurant). I cancelled the card, but a couple weeks later there I was buying $2,000 worth of lumber at home depot for a home project. 
The clerk says to me, hey if you open up a home depot card, I can discount your purchase by 10%. Hey, I don't need a home depot card, but 200 bucks is nothing to sneeze at. After filling out the form, I was reject
  • by sodomchaka (983174) on Saturday June 17, @12:41PM (#15555109)
    I got a reply from Paypal's security today, basically a form note telling me the horrors of phishing and noting that "the email was not sent by paypal." I sort of wonder if they realize they have this security problem. These people kill me.
  • by wilec (606904) on Saturday June 17, @03:16PM (#15555628)
    From the article:

    "... are subsequently presented with another page which requests them to enter further details to remove limits on the access of their account. Information requested includes social security number, credit card number, expiration date, card verification number and ATM PIN."

    Now who in their right mind would ever enter their SSN or especially ATM PIN into such a web based form? The only place I have ever been asked to use my ATM PIN online is my bank's login, and I whined and cried to the bank about that. The bank now has a password feature that does not use the ATM PIN which I feel much better with. My main problems with using the ATM PIN as an IP transmitted login password were A: It made my account less secure if my PIN was stolen via a store spycam or similar non IP "over the shoulder" type exploit. B: The PIN length the bank used (4 char) was too short for a decently secure transmitted password. C: Simple separation of risk. D: The only way I could change my PIN and thus IP login was via a bank visit and physical note to a cashier. My bank now allows for an 8-16 character login password that I can change over IP.

    Other notes on these issues. I recently backed out of a credit report service signup form because I was uncomfortable with the information they wanted. These credit reporting agencies and the information they want make me nervous. I have used one of the big three a couple of times before and guess I will probably just stick with the expensive services they offer. I ALWAYS do my banking with a single session of Firefox or Mozilla, clear the cache and kill the session when I am done, then start a new instance BEFORE I browse anything else. Of course this is pretty much not possible with Paypal and eBay. However I typically only use the eBay provided "Pay Now" button in "My eBay" instead of one provided by a vendor, even if I have to use their checkout service to process my shipping address and such.

    It is unfortunate that it does seem to require more than just "a little common sense" to use such online services safely. To be any kind of safe, it seems one needs to be almost pathologically paranoid. The silver lining is at least I guess that part of my sometimes warped psyche finally might work for my benefit.

    Matthew

  • My bank has switched to using website messages due to the spamming emails. I love the ones I get for Chase when I have never had an account with Chase.
  • by eightheadsofdoom (25561) on Friday June 16, @11:12AM (#15548923)
    Interesting points... I don't think "Identity Infringement" has that same scary ring to it though.
  • What the hell?

    (Score:3, Insightful)
    by Grendel Drago (41496) on Friday June 16, @11:13AM (#15548931)
    (http://grendel.dyndns.org/)
    You're right; it's not identity theft, it's identity fraud. Which, guess what, has its victims [privacyrights.org].

    Is this some sort of natural outgrowth of MP3 downloading and software piracy? What are we going to pretend is "victimless" next?
    • Re:What the hell? by goldspider (Score:1) Friday June 16, @11:17AM
    • Nothing new by Moraelin (Score:3) Friday June 16, @11:25AM
      • Re:Nothing new by Jimmy King (Score:1) Friday June 16, @11:39AM
      • Who? by Grendel Drago (Score:2) Saturday June 17, @12:33AM
    • Re:What the hell? by iminplaya (Score:1) Friday June 16, @11:33AM
  • Re:Identity "Theft"?

    (Score:3, Insightful)
    by NineNine (235196) on Friday June 16, @11:14AM (#15548938)
    (http://ninenine.com/ | Last Journal: Tuesday July 19, @01:54PM)
    You have to understand.... in this society, in this day and age, people DO define (identify) themselves by the things they own, the money they have in their bank account, and their credit rating. Sad, really.
  • Re:Certificate??

    (Score:2)
    by ruiner13 (527499) on Friday June 16, @11:14AM (#15548939)
    (http://www.exacttarget.com/)
    Not only did you not RTFM, you didn't even read the fucking summary... it was a valid PayPal site with elements from a different site that recorded what you did on the legit site.
  • Re:Identity "Theft"?

    (Score:5, Insightful)
    by kenthorvath (225950) on Friday June 16, @11:16AM (#15548958)

    It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

    It's a semantic point and one not even worth making. If you think that there are no victims when people's identities are assumed by others for nefarious purposes, then it has clearly never happened to you. I'd be curious to see how you felt when you had to spend countless hours of your life in aggravation trying (perhaps futilely) to restore your credit and repair the possible damage to your reputation when some asshat overseas assumes your identity to purchase $100,000 worth of electronics and registers a kiddie-porn site in your name. These things do happen and are not at all uncommon.

    In short, using the word 'theft' to describe copyright infringement is misleading, but using the word 'theft' to describe those things that are deprived to the victims of identity theft is perfectly acceptable. In the latter case there are often very real victims with very real things that are deprived them.

  • by SirTalon42 (751509) on Friday June 16, @11:17AM (#15548963)
    It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

    'Identify Theft' is not a victimless crime (you've obviously never had your identity stolen).
  • How in the heck did they forge a 256 bit SSL certificate?!

    Can't this just be revoked or traced back to the owner?

    They didn't forge it. They used cross-site scripting to inject malicious code into the real Paypal page - in other words there is a vulnerability in the scripting used that takes information probably encoded in the URL and displays it on the page as the Netcraft write-up shows. This is then used to redirect the unsuspecting user to the fake page.

  • by krunk7 (748055) on Friday June 16, @11:18AM (#15548981)
    It really grinds my gears when industry lobbyists and shills use inflammatory rhetoric to exaggerate the impact of mundane, victimless crimes.

    First a little definition for you:
    victim |ˈviktəm| noun a person harmed, injured, or killed as a result of a crime, accident, or other event or action.
    a person who is tricked or duped : the victim of a hoax. a living creature killed as a religious sacrifice.

    It would seem these folks are most definitely victims even if you don't consider having to clean your credit record up, dispute charges, and the general headache of canceling cards and waiting for new ones a "harm".

    Just because something is stolen doesn't require that the person no longer has access to it. A number isn't some physical thing to be stolen and never returned to the world. . . "I'm sorry but all mathematics have halted, '2' was stolen years ago and no one ever caught the perpetrator". But don't be an idiot by somehow making a direct correlation between physical theft and the theft of a unique sequence of numbers allowing access to certain private information. Identity theft is the same concept, someone has stolen the necessary information to pretend to be someone they are not.

  • Re:Identity "Theft"?

    (Score:4, Informative)
    by llamalicious (448215) on Friday June 16, @11:19AM (#15548990)
    (Last Journal: Thursday June 08, @04:30PM)
    I agree the terminology uses terms popularized by media and designed to frighten the general public; but these crimes are hardly mundane or victimless.

    I almost lost the house my wife and I were buying due to so-called "identity theft". How? One part stupidity on my part (using a linked check-card/bank account to make online purchases), one part large MasterCard database hack.

    Thousands and thousands of dollars of Google AdWords purchased on my card; draining my bank account completely, and into the negative even with overdraught protection. When that money goes missing days before you have to cut a certified check to the bank for your final closing costs the results are anything but mundane.

    That's just a stolen credit card; you c