Re: PayPal issues another blow to user security

["Exibar" <exibar () thelair com>]

Heck, I wonder how many people actually clicked on www.paypalcreditcard.com
after PayPal stating never, ever to click on a site other than
https://www.paypal.com .....   I'm sure a few did, but what a really foolish
marketing decision they made to use www.paypalcreditcard.com ...


  Exibar

----- Original Message ----- 
From: "Dom Gallagher" <dgallagher () starnetusa net>
To: "Rob Adams" <rob () ebeep org>
Cc: "Aaron Horst" <anthrax101 () yahoo com>; <full-disclosure () lists netsys com>
Sent: Wednesday, December 17, 2003 2:22 PM
Subject: Re: [Full-disclosure] PayPal issues another blow to user security


> At 11:09 AM 12/17/2003, Rob Adams wrote:
> > [[Warning -- I do not speak for, nor do I represnt, my employer. --Rob]]
> >
> > Aaron Horst reported earlier this week that Paypal violates their own
> > anti-phish policy. He received an official email that included a
clickable
> > link to "paypalcreditcard.com." Their stated policy is that they will
only
> > ever link to "paypal.com." Paypalcreditcard.com appears to be a
legitimate
> > web site operated by Paypal's business partner, Providian Financial
> > Corporation.
> >
> > I received a similar solicitation. I forwarded it to the
> > "spoof () paypal com." I think you'll enjoy the response:
> >
> > =================
> >
> > Dear Rob Adams,
> >
> > Thank you for contacting PayPal.
> >
> > Thank you for bringing this suspicious email to our attention. We can
> > confirm that the email you received; was not sent to you by PayPal. The
> > website linked to this email is not a registered URL authorized or used
by
> > PayPal. We are currently investigating this incident fully. Please do not
> > enter any personal or financial information into this website.
> > If you have surrendered any personal or financial information to this
> > fraudulent website, you should immediately log into your PayPal Account
> > and change your password and secret question and answer information. Any
> > compromised financial information should be reported to the appropriate
> > parties.
> > If you notice any unauthorized activity associated with your PayPal
> > transaction history, please immediately report this to PayPal by
following
> > the instructions below:
> > 1.  Go to https://www.paypal.com/ 2.  Click on the Security Center at the
> > bottom of the page
> > 3.  Click on "Report a Problem"
> > 4.  Select the Topic: Report Fraud
> > 5:  Select the Subtopic: Unauthorized use of my PayPal Account, and click
> > Continue.
> > 6.  Follow the instructions to access the appropriate form
> >
> > If you have any further questions, please feel free to contact us again.
>
> Form letter.  eBay loves 'em, and now Paypal seem to have jumped on the
> bandwagon.
>
> If you check the original report, Paypal itself links to the so-called
> phishing site:
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&leafid=1782
> Assuming the URLs were not spoofed with any of the usual fun tricks to
> catch the point-and-droolers, Paypal are either totally ignoring the
actual
> content of abuse complaints or deliberately trying to blame the phishers
> for a poorly thought out marketing effort.
>
> D.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html