RE: Possible PayPal security problem

["Ric Messier" <kilroy () WasHere COM>]

$ host www.paypal.com
www.paypal.com has address 66.211.168.65
www.paypal.com has address 66.211.168.97
www.paypal.com has address 66.211.168.193
www.paypal.com has address 66.211.168.209



> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of Bob Dienhart
> Sent: Wednesday, December 19, 2007 11:21 AM
> To: 'Albert R. Campa'; 'Harry Henry Gebel'
> Cc: security-basics () securityfocus com
> Subject: RE: Possible PayPal security problem
>
> Flush your DNS cache and any browser history.  Then try connecting via
> IP
> rather than url.  I just ping'd "www/paypal.com" and that url resolved
> to
> 66.211.168.209 from where I sit, which is in snowy Milwaukee.  Can
> anybody
> collaborate that address as a valid one for PayPal?
>
> Bob Dienhart
>
> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On
> Behalf Of Albert R. Campa
> Sent: Wednesday, December 19, 2007 9:44 AM
> To: Harry Henry Gebel
> Cc: security-basics () securityfocus com
> Subject: Re: Possible paypal security problem
>
> I just logged into my paypal and didnt get that form.
> You may want to verify from paypal that this form is new practice on
> their part. Worst case, they dont know what it is.
>
> Saludos
>
> Albert
>
> On Dec 18, 2007 5:31 PM, Harry Henry Gebel <hgebel () fusemail com> wrote:
> > I tried to log in to paypal about half an hour ago. I manually typed
> > www.paypal.com to login. I got the normal paypal login page, and
> after
> > entering my password I got the following message:
> >
> > ---------------------
> > Security Measures
> >
> > Help with this page ?
> >
> > We are currently performing regular maintenance of our security
> > measures. Your account has been randomly selected for this
> maintenance,
> > and you will now be taken through a series of identity verification
> pages.
> > Protecting the security of your PayPal account is our primary
> concern,
> > and we apologize for any inconvenience this may cause.
> > ---------------------
> >
> > It then had a dropdown box listing the last two digits of the cards I
> > had registered with paypal and asking me to pick one and type in the
> > full number associated with that card. This looked extremely phishy
> to
> > me, so the first thing I did was look at the url to make sure I was
> > actually at paypal, then I checked the security certificate and it
> says
> > it is verified to be associated with www.paypal.com by verisign (The
> > certificate's serial number is
> > 6E:6B:9C:A3:F7:52:35:B4:95:37:86:D4:E5:13:54:A9 if anyone knows
> paypal's
> > actual serial number.) I checked what ip address my computer thinks
> > www.paypal.com is and used several web dns reverse lookups to verify
> > that it really belongs to www.paypal.com. Then I closed Firefox and
> > tried to log in with Internet Explorer and it brought me to the same
> > page (I also verified the certificate with IE). Then I rebooted the
> > computer in Linux and tried to log in again and it brought me to the
> > same page and I was able to verify the security certificate.. I
> searched
> > on the internet to see if this message was associated with phishing,
> and
> > found several phishing emails with the same or similar text but no
> > reference to any man-in-the-middle type attacks using this text.
> During
> > all this I also shut down my router's wireless capabilities in case
> > someone was doing anything strange with the wireless network.
> >
> > I looked at the page source and it was a straightforward web page
> > without frames or anything that might disguise where parts of the
> page
> > were coming from. It pulled some stylesheet information and images
> from
> > paypalobjects.com, but they are registered with paypal, and in any
> case
> > the form was sending it's results going to paypal.com.
> >
> > I was still afraid that someone could be between me and paypal, but I
> > picked a card with a very small dollar amount available and tried to
> see
> > what would happen. If they were in the middle they already had my
> > password and I figured I could cancel that card if this turned out to
> be
> > fake. When I submitted the information I just got a screen asking to
> > retry. Now I was really nervous. I picked a card from a company I no
> > longer have an account with and tried that, I got the retry screen
> > again. Finally, I tried the first card again and got the retry screen
> a
> > third time.
> >
> > I then looked at my e-mail and every time I had tried to log in I had
> > gotten an e-mail from paypal warning that someone had tried to log
> into
> > my account from a foriegn IP address and urging me to change my
> password
> > if it wasn't me.
> >
> > EMAIL BEGINS:
> >
> > Dear Harry Henry Gebel,
> >
> > We recently noticed one or more attempts to log in to your PayPal
> account
> from a foreign IP address.
> > If you recently accessed your account while traveling, the unusual
> log in
> attempts may have been initiated by you. However, if you did not
> initiate
> the log ins, please visit PayPal as soon as possible to change your
> password:
> > https://www.paypal.com/us/cgi-bin/?cmd=_login-run
> >
> > Changing your password is a security measure that will ensure that
> you are
> the only person with access to the account.
> > Thanks for your patience as we work together to protect your account.
> >
> > Sincerely,
> > PayPal
> >
> >
> > ----------------------------------------------------------------
> > PROTECT YOUR PASSWORD
> >
> > NEVER give your password to anyone, including PayPal employees.
> Protect
> yourself against fraudulent websites by opening a new web browser (e.g.
> Internet Explorer or Netscape) and typing in the PayPal URL every time
> you
> log in to your account.
> > ----------------------------------------------------------------
> >
> >
> > Please do not reply to this email. This mailbox is not monitored and
> you
> will not receive a response. For assistance, log in to your PayPal
> account
> and click the Help link located in the top right corner of any PayPal
> page.
> > ----------------------------------------------------------------
> >
> > :EMAIL ENDS
> >
> > The email had was pure text with no links or images so I'm fairly
> sure
> > it's genuine. This makes me even more nervous that there is a
> > man-in-the-middle attack going on. I can't change my password since
> > there is no way for me to finish logging in (it just keeps saying
> > retry). Can anyone figure out what is going on here, and what I
> should
> > do to fix it? It is also occurring to me that maybe paypal thinks
> that
> > my IP address (68.205.xxx.xxx, Brighthouse Cable in Orange County,
> > Florida) is foreign for some reason and that that misconception is
> > causing all of these problems. If anyone can help or at least explain
> to
> > me what's going on I would appreciate it.
> >
> > -Harry