[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] PayPal issues another blow to user security
- To: "Rob Adams" <rob@ebeep.org>, "Dom Gallagher" <dgallagher@starnetusa.net>
- Subject: Re: [Full-Disclosure] PayPal issues another blow to user security
- From: "Exibar" <exibar@thelair.com>
- Date: Wed, 17 Dec 2003 15:00:01 -0500
Heck, I wonder how many people actually clicked on www.paypalcreditcard.com
after PayPal stating never, ever to click on a site other than
https://www.paypal.com ..... I'm sure a few did, but what a really foolish
marketing decision they made to use www.paypalcreditcard.com ...
Exibar
----- Original Message -----
From: "Dom Gallagher" <dgallagher@starnetusa.net>
To: "Rob Adams" <rob@ebeep.org>
Cc: "Aaron Horst" <anthrax101@yahoo.com>; <full-disclosure@lists.netsys.com>
Sent: Wednesday, December 17, 2003 2:22 PM
Subject: Re: [Full-Disclosure] PayPal issues another blow to user security
> At 11:09 AM 12/17/2003, Rob Adams wrote:
> >[[Warning -- I do not speak for, nor do I represnt, my employer. --Rob]]
> >
> >Aaron Horst reported earlier this week that Paypal violates their own
> >anti-phish policy. He received an official email that included a
clickable
> >link to "paypalcreditcard.com." Their stated policy is that they will
only
> >ever link to "paypal.com." Paypalcreditcard.com appears to be a
legitimate
> >web site operated by Paypal's business partner, Providian Financial
> >Corporation.
> >
> >I received a similar solicitation. I forwarded it to the
> >"spoof@paypal.com." I think you'll enjoy the response:
> >
> >=================
> >
> >Dear Rob Adams,
> >
> >Thank you for contacting PayPal.
> >
> >Thank you for bringing this suspicious email to our attention. We can
> >confirm that the email you received; was not sent to you by PayPal. The
> >website linked to this email is not a registered URL authorized or used
by
> >PayPal. We are currently investigating this incident fully. Please do not
> >enter any personal or financial information into this website.
> >If you have surrendered any personal or financial information to this
> >fraudulent website, you should immediately log into your PayPal Account
> >and change your password and secret question and answer information. Any
> >compromised financial information should be reported to the appropriate
> >parties.
> >If you notice any unauthorized activity associated with your PayPal
> >transaction history, please immediately report this to PayPal by
following
> >the instructions below:
> >1. Go to https://www.paypal.com/ 2. Click on the Security Center at the
> >bottom of the page
> >3. Click on "Report a Problem"
> >4. Select the Topic: Report Fraud
> >5: Select the Subtopic: Unauthorized use of my PayPal Account, and click
> >Continue.
> >6. Follow the instructions to access the appropriate form
> >
> >If you have any further questions, please feel free to contact us again.
>
> Form letter. eBay loves 'em, and now Paypal seem to have jumped on the
> bandwagon.
>
> If you check the original report, Paypal itself links to the so-called
> phishing site:
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&leafid=1782
>
> Assuming the URLs were not spoofed with any of the usual fun tricks to
> catch the point-and-droolers, Paypal are either totally ignoring the
actual
> content of abuse complaints or deliberately trying to blame the phishers
> for a poorly thought out marketing effort.
>
> D.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html