Security Basics mailing list archives
RE: Possible PayPal security problem
From: "Ric Messier" <kilroy () WasHere COM>
Date: Wed, 19 Dec 2007 14:41:00 -0700
$ host www.paypal.com
www.paypal.com has address 66.211.168.65
www.paypal.com has address 66.211.168.97
www.paypal.com has address 66.211.168.193
www.paypal.com has address 66.211.168.209
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Bob Dienhart
Sent: Wednesday, December 19, 2007 11:21 AM
To: 'Albert R. Campa'; 'Harry Henry Gebel'
Cc: security-basics () securityfocus com
Subject: RE: Possible PayPal security problem

Flush your DNS cache and any browser history. Then try connecting via IP rather than url. I just ping'd "www.paypal.com" and that url resolved to 66.211.168.209 from where I sit, which is in snowy Milwaukee. Can anybody corroborate that address as a valid one for PayPal?

Bob Dienhart

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Albert R. Campa
Sent: Wednesday, December 19, 2007 9:44 AM
To: Harry Henry Gebel
Cc: security-basics () securityfocus com
Subject: Re: Possible paypal security problem

I just logged into my paypal and didn't get that form. You may want to verify from paypal that this form is new practice on their part. Worst case, they don't know what it is.

Saludos
Albert

On Dec 18, 2007 5:31 PM, Harry Henry Gebel <hgebel () fusemail com> wrote:

I tried to log in to paypal about half an hour ago. I manually typed www.paypal.com to log in. I got the normal paypal login page, and after entering my password I got the following message:

---------------------
Security Measures
Help with this page ?

We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you will now be taken through a series of identity verification pages. Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.
---------------------

It then had a dropdown box listing the last two digits of the cards I had registered with paypal and asking me to pick one and type in the full number associated with that card.

This looked extremely phishy to me, so the first thing I did was look at the url to make sure I was actually at paypal, then I checked the security certificate and it says it is verified to be associated with www.paypal.com by verisign (The certificate's serial number is 6E:6B:9C:A3:F7:52:35:B4:95:37:86:D4:E5:13:54:A9 if anyone knows paypal's actual serial number.) I checked what ip address my computer thinks www.paypal.com is and used several web dns reverse lookups to verify that it really belongs to www.paypal.com. Then I closed Firefox and tried to log in with Internet Explorer and it brought me to the same page (I also verified the certificate with IE). Then I rebooted the computer into Linux and tried to log in again and it brought me to the same page and I was able to verify the security certificate. I searched on the internet to see if this message was associated with phishing, and found several phishing emails with the same or similar text but no reference to any man-in-the-middle type attacks using this text. During all this I also shut down my router's wireless capabilities in case someone was doing anything strange with the wireless network.

I looked at the page source and it was a straightforward web page without frames or anything that might disguise where parts of the page were coming from. It pulled some stylesheet information and images from paypalobjects.com, but they are registered with paypal, and in any case the form was sending its results to paypal.com.

I was still afraid that someone could be between me and paypal, but I picked a card with a very small dollar amount available and tried to see what would happen. If they were in the middle they already had my password and I figured I could cancel that card if this turned out to be fake. When I submitted the information I just got a screen asking to retry. Now I was really nervous. I picked a card from a company I no longer have an account with and tried that, I got the retry screen again. Finally, I tried the first card again and got the retry screen a third time.

I then looked at my e-mail and every time I had tried to log in I had gotten an e-mail from paypal warning that someone had tried to log in to my account from a foreign IP address and urging me to change my password if it wasn't me.

EMAIL BEGINS:
Dear Harry Henry Gebel,

We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address.

If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you. However, if you did not initiate the log ins, please visit PayPal as soon as possible to change your password:
https://www.paypal.com/us/cgi-bin/?cmd=_login-run

Changing your password is a security measure that will ensure that you are the only person with access to the account.

Thanks for your patience as we work together to protect your account.

Sincerely,
PayPal
----------------------------------------------------------------
PROTECT YOUR PASSWORD

NEVER give your password to anyone, including PayPal employees. Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your account.
----------------------------------------------------------------
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.
----------------------------------------------------------------
:EMAIL ENDS

The email was pure text with no links or images so I'm fairly sure it's genuine. This makes me even more nervous that there is a man-in-the-middle attack going on. I can't change my password since there is no way for me to finish logging in (it just keeps saying retry). Can anyone figure out what is going on here, and what I should do to fix it?

It is also occurring to me that maybe paypal thinks that my IP address (68.205.xxx.xxx, Brighthouse Cable in Orange County, Florida) is foreign for some reason and that that misconception is causing all of these problems. If anyone can help or at least explain to me what's going on I would appreciate it.

-Harry
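A small checking script in the spirit of the verification Harry describes (certificate serial, hostname on the certificate, resolved addresses), added here as an example and not part of any post in the thread. The known-good values are the ones quoted in the thread (Ric's `host` output and Harry's serial, both 2007 data), the sample certificate dictionary is constructed to mirror what `ssl.getpeercert()` returns, and `fetch_live` is an assumed helper name for the network path.

```python
import socket
import ssl

# Values quoted in the thread: the addresses Ric's `host` lookup returned and the
# leaf-certificate serial Harry reported (2007 data; the live site will differ today).
KNOWN_ADDRS = {"66.211.168.65", "66.211.168.97", "66.211.168.193", "66.211.168.209"}
REPORTED_SERIAL = "6E:6B:9C:A3:F7:52:35:B4:95:37:86:D4:E5:13:54:A9"

def colon_hex(serial: str) -> str:
    """Render a getpeercert() serialNumber (bare hex) the way browsers display it."""
    s = serial.upper()
    if len(s) % 2:
        s = "0" + s
    return ":".join(s[i:i + 2] for i in range(0, len(s), 2))

def san_matches(cert: dict, hostname: str) -> bool:
    """Exact match of hostname against the certificate's DNS SANs (simple matcher, no wildcards)."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return hostname.lower() in names

def audit(cert: dict, resolved: set, hostname: str) -> list:
    """Compare what we were served with the known-good values; an empty list means all matched."""
    findings = []
    if not san_matches(cert, hostname):
        findings.append("certificate was not issued for " + hostname)
    if colon_hex(cert.get("serialNumber", "")) != REPORTED_SERIAL:
        findings.append("serial differs from the one reported in the thread")
    strangers = sorted(resolved - KNOWN_ADDRS)
    if strangers:
        findings.append("resolver returned unexpected address(es): " + ", ".join(strangers))
    return findings

def fetch_live(hostname: str, port: int = 443) -> tuple:
    """Network path (assumed helper): fetch the peer certificate and A records; not used offline."""
    ctx = ssl.create_default_context()  # verifies chain and hostname before handing back the cert
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    addrs = {info[4][0] for info in socket.getaddrinfo(hostname, port, socket.AF_INET)}
    return cert, addrs

# Constructed sample mirroring what Harry saw, so the checks run with no network access.
SAMPLE_CERT = {"subjectAltName": (("DNS", "www.paypal.com"),),
               "serialNumber": "6E6B9CA3F75235B4953786D4E51354A9"}

if __name__ == "__main__":
    for line in audit(SAMPLE_CERT, {"66.211.168.209"}, "www.paypal.com") or ["all checks passed"]:
        print(line)
```

Replace the constructed sample with `fetch_live("www.paypal.com")` to run the same three comparisons against a live connection; a finding from `audit` is a reason to stop and investigate, not proof of an attack by itself.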