Full Disclosure mailing list archives

Re: Would you trust these Emails (EBAY & PAYPAL)


From: Tobias Weisserth <tobias () weisserth de>
Date: Sat, 21 Feb 2004 23:09:27 +0100

Hi,

On Sat, 21 Feb 2004 at 13:20, partysan_FFF () gmx net wrote:
> ...
> Hi,
> the site looks exactly like the site at www.paypal.com, however, there
> is no verify.html at the "real" PayPal site.  This smells very much
> like a scam to get people's billing information.  Also, note that
> the "help" (and all other) buttons are linked to www.paypal.com, not
> the site from the email.

To the unsuspecting and technically impaired everyday eBay or PayPal
customer, these recent mails are actually quite dangerous. Dangerous not
only because they look real enough for those people, but because they
contain a clever element of social engineering. By stating in the fake
eBay mail that the "customer" supposedly still owes $15 for a recent
transaction, they raise a *quiet threat* which chews away at the
receiver's determination. Of course most people know whether they have
done transactions on eBay or PayPal, and most can probably remember
exactly what amounts of money were involved.

The "accusation" of still owing $15, however, alarms customers since
a) on second thought, they actually don't know about all their transactions
("Better to check that again! Maybe they'll send something nasty if I
don't follow their instructions.")
b) they suspect someone has stolen their eBay identity and has been
using it ("I'd better correct this immediately. How convenient they
placed a link to the form.") This second motive plays on numerous media
reports that doing business on eBay can be risky.

Psychologically speaking, this may be called a *quiet threat* since it
chews away at the determination quietly, in a very subtle manner. There
are no instant alarm bells ringing "FAKE" as long as the person
generally trusts mails from companies.

You can report this to PayPal (they actually have a "suspicious email"
category) here:
http://www.paypal.com/cgi-bin/webscr?cmd=_contact-general

I strongly advise against filling out those forms; contact the PayPal
people instead.

I have received A LOT of those eBay mails lately, and I bothered to send
them the first one to examine. They answered within several hours,
warning me about the fake origin. In the meantime I have received more
than 15 identical eBay fakes from different mail relays.

As a consequence, I'd suggest to any serious company doing business on
the Internet not to send any messages via email at all ("They normally
don't send mails. So I can't trust this one.") or to send messages only
as non-formatted text, which raises the bar for fooling people (fewer
people will be fooled if the real link isn't hidden behind an image or
a link description).

I hate HTML mails anyway and don't let my mail client load images from
the Internet (thus HTML mails reach me in an ugly, naked form).

kind regards,
Tobias Weisserth

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
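The two tells the thread points at (a visible paypal.com URL or button whose href actually goes to another host, and legitimate "Help" links mixed in with the scam form) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post or from PayPal/eBay; the sample mail body, the trusted-host list and the brand names are constructed assumptions for the demonstration, and the scam host used is a reserved example domain, not the one from the list.

```python
"""Flag phishing-style links in an HTML e-mail body.

Heuristic from the thread: in HTML mail the visible link text (or an image)
can show one destination while the href goes somewhere else.  Plain-text
mail has no such gap.  The mail body below is constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the example: hosts the recipient treats as legitimate,
# and brand words that a scam link text would typically drop.
TRUSTED_HOSTS = {"paypal.com", "www.paypal.com", "ebay.com", "www.ebay.com"}
BRANDS = {"paypal", "ebay"}

# Constructed sample, modelled on the $15-owed lure described in the thread.
SAMPLE_MAIL = """
<html><body>
<p>Dear eBay customer, our records show you still owe $15 for a recent
transaction. Please <a href="http://verify-account.example/verify.html">
<img src="cid:button"></a> to review it, or follow
<a href="http://verify-account.example/verify.html">https://www.paypal.com/verify</a>.</p>
<p><a href="http://www.paypal.com/help">Help</a> |
<a href="mailto:billing@example">Contact</a></p>
</body></html>
"""


def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none (mailto:, relative)."""
    try:
        return (urlparse(url.strip()).hostname or "").lower()
    except ValueError:  # e.g. malformed IPv6 netloc
        return ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text, contains_image) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
        self._img = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text, self._img = a["href"], [], False
        elif tag == "img" and self._href is not None:
            self._img = True  # the link is rendered as a button, text hidden

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._img))
            self._href = None


def suspicious_links(html_body, trusted_hosts=TRUSTED_HOSTS, brands=BRANDS):
    """Return [(href, reason)] for links a recipient should distrust.

    1. Visible text is itself a URL whose host differs from the href host.
    2. href host is untrusted, and either the link is an image (real target
       hidden behind a button) or the text names a trusted brand.
    Links to trusted hosts (the decoy "Help" buttons) produce no finding.
    """
    p = LinkCollector()
    p.feed(html_body)
    findings = []
    for href, text, is_image in p.links:
        target = host_of(href)
        if not target:
            continue
        shown = host_of(text) if "://" in text else ""
        if shown and shown != target:
            findings.append((href, f"text shows {shown}, link goes to {target}"))
        elif target not in trusted_hosts:
            if is_image:
                findings.append((href, f"image link to untrusted host {target}"))
            elif any(b in text.lower() for b in brands):
                findings.append((href, f"text names a trusted brand but goes to {target}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_MAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the constructed sample, both links to the scam host are flagged (one as a hidden image button, one as a displayed paypal.com URL that goes elsewhere) while the genuine Help link and the mailto: link pass. A mail client that receives plain text only never has the first problem at all, which is the point the post makes about non-formatted mail.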