Full Disclosure mailing list archives
Re: PayPal issues another blow to user security
From: "Exibar" <exibar () thelair com>
Date: Wed, 17 Dec 2003 15:00:01 -0500
Heck, I wonder how many people actually clicked on www.paypalcreditcard.com after PayPal stating never, ever to click on a site other than https://www.paypal.com ..... I'm sure a few did, but what a really foolish marketing decision they made to use www.paypalcreditcard.com ... Exibar ----- Original Message ----- From: "Dom Gallagher" <dgallagher () starnetusa net> To: "Rob Adams" <rob () ebeep org> Cc: "Aaron Horst" <anthrax101 () yahoo com>; <full-disclosure () lists netsys com> Sent: Wednesday, December 17, 2003 2:22 PM Subject: Re: [Full-disclosure] PayPal issues another blow to user security
At 11:09 AM 12/17/2003, Rob Adams wrote:[[Warning -- I do not speak for, nor do I represnt, my employer. --Rob]] Aaron Horst reported earlier this week that Paypal violates their own anti-phish policy. He received an official email that included a
clickable
link to "paypalcreditcard.com." Their stated policy is that they will
only
ever link to "paypal.com." Paypalcreditcard.com appears to be a
legitimate
web site operated by Paypal's business partner, Providian Financial Corporation. I received a similar solicitation. I forwarded it to the "spoof () paypal com." I think you'll enjoy the response: ================= Dear Rob Adams, Thank you for contacting PayPal. Thank you for bringing this suspicious email to our attention. We can confirm that the email you received; was not sent to you by PayPal. The website linked to this email is not a registered URL authorized or used
by
PayPal. We are currently investigating this incident fully. Please do not enter any personal or financial information into this website. If you have surrendered any personal or financial information to this fraudulent website, you should immediately log into your PayPal Account and change your password and secret question and answer information. Any compromised financial information should be reported to the appropriate parties. If you notice any unauthorized activity associated with your PayPal transaction history, please immediately report this to PayPal by
following
the instructions below: 1. Go to https://www.paypal.com/ 2. Click on the Security Center at the bottom of the page 3. Click on "Report a Problem" 4. Select the Topic: Report Fraud 5: Select the Subtopic: Unauthorized use of my PayPal Account, and click Continue. 6. Follow the instructions to access the appropriate form If you have any further questions, please feel free to contact us again.Form letter. eBay loves 'em, and now Paypal seem to have jumped on the bandwagon. If you check the original report, Paypal itself links to the so-called phishing site:
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&leafid=1782
Assuming the URLs were not spoofed with any of the usual fun tricks to catch the point-and-droolers, Paypal are either totally ignoring the
actual
content of abuse complaints or deliberately trying to blame the phishers for a poorly thought out marketing effort. D. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- PayPal issues another blow to user security Aaron Horst (Dec 15)
- Re: PayPal issues another blow to user security Exibar (Dec 16)
- Re: PayPal issues another blow to user security Rob Adams (Dec 17)
- Re: PayPal issues another blow to user security Mary Landesman (Dec 17)
- Re: PayPal issues another blow to user security Exibar (Dec 17)
- Re: PayPal issues another blow to user security Seth Fogie (Dec 17)
- Re: PayPal issues another blow to user security Exibar (Dec 17)
- Re: PayPal issues another blow to user security Mary Landesman (Dec 17)
- Re: PayPal issues another blow to user security Dom Gallagher (Dec 17)
- Re: PayPal issues another blow to user security Exibar (Dec 17)