Topic: Can VE help me to prevent giving out infos to fake paypal pages?
Arkangyal
« on: April 17, 2007, 12:35:18 PM »

This is not the first time I have met with a fake PayPal page; here's the letter I just got:

-[ START OF SOURCE ]-
X-Message-Status: s3:0
X-SID-PRA: PayPal <paypal-account@paypal.com>
X-SID-Result: SoftFail
X-Message-Info: txF49lGdW43nC1NXcRqIm5P58J7eJTyosfg34G30957gmEoKhdnj90oxy1yD0edd
Received: from smtp.ilimburg.nl ([195.35.190.136]) by bay0-mc7-f5.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
    Tue, 17 Apr 2007 09:31:43 -0700
Received: from technomed.nl (client213.169.ilimburgdsl.nl [212.26.213.169])
   by smtp.ilimburg.nl (8.11.6/8.11.6) with ESMTP id l3HGVl302601;
   Tue, 17 Apr 2007 18:31:47 +0200
Received: from User ([189.130.226.133]) by technomed.nl with Microsoft SMTPSVC(6.0.3790.211);
    Tue, 17 Apr 2007 18:27:45 +0200
From: "PayPal"<paypal-account@paypal.com>
Subject: Dispute Transaction
Date: Tue, 17 Apr 2007 10:26:45 -0600
MIME-Version: 1.0
Content-Type: text/html;
   charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <TMEXCHANGE01iMCIqtQ00000591@technomed.nl>
X-OriginalArrivalTime: 17 Apr 2007 16:27:45.0500 (UTC) FILETIME=[547721C0:01C7810D]
Return-Path: paypal-account@paypal.com

<html>
</font>
&nbsp;</div>
         <div id="message5">
            
<tt>Dear PayPal Member</font>[/url],


This email confirms that you have sent an eBay payment of $47.85 USD to
[email]harris2727@aol.com[/email] for an eBay item.



-----------------------------------
Payment Details
-----------------------------------


Amount: $47.85 USD

Transaction ID: 2LC956793J776333Y

Subject: Digimax 130





Note:
<span class="style5">If you haven't authorized this charge ,click the link below to dispute transaction
and get full refund
</span>

<a target="_blank" href="http://www.teamyukon.ca/login/">Dispute transaction[/url] (Encrypted Link )

<span class="style5">*SSL connection:
PayPal automatically encrypts your confidential information
in transit from your computer to ours using the Secure
Sockets Layer protocol (SSL) with an encryption key length
of 128-bits (the highest level commercially available)
</span>
-----------------------------------
Item Information
-----------------------------------


eBay User ID: scratchandgnaw2
   

----------------------------------------------------------------
Edward Harrell's UNCONFIRMED Address
----------------------------------------------------------------

Edward Harrell
211 David St.
Springtown, TX 76082
United States

Important Note: Edward Harrell has provided an Unconfirmed Address. If
you are planning on shipping items to Edward Harrell, please check the
Transaction Details page of this payment to find out whether you will
be covered by the PayPal Seller Protection Policy.




----------------------------------------------------------------
This payment was sent using your bank account.

By using your bank account to send money, you just:

- Paid easily and securely

- Sent money faster than writing and mailing paper checks
- Paid instantly -- your purchase won't show up on bills at the end of
the month.

Thanks for using your bank account!



----------------------------------------------------------------

Thank you for using PayPal!
The PayPal Team
PayPal Email ID PP118
<html>

-[ END OF SOURCE ]-
Quwen
« Reply #1 on: April 17, 2007, 12:40:05 PM »

Yes. Just hold your mouse over the logo - if it doesn't go green, it isn't Paypal.
Arkangyal
« Reply #2 on: April 17, 2007, 01:31:03 PM »

Thanks!
Chappy
« Reply #3 on: July 17, 2007, 02:52:19 PM »

It's also fairly easy to read the header info and see right away that this is NOT Paypal:
technomed.nl (client213.169.ilimburgdsl.nl [212.26.213.169]) - is not paypal

A better understanding of how to (first) get the entire header information to show (usually called "blah-blah"), and then of how to find where the REAL sender info is, will go a long way in helping you figure out what's legit and what isn't.

Dave
Toxteth O'Grady
« Reply #4 on: July 19, 2007, 08:32:35 AM »

Why on earth would spammers send emails containing links to the real Paypal website?


The message:
-------------------------------------------------------------
Dear PayPal Customer,

This email is to inform you, that we had to block your PayPal Account access because we had to upgrade our servers in order to remove online fraud.

Our terms and conditions you agreed to state that your account must always be under your control or those you designate at all times. We have noticed some unusual activity related to our servers that indicates that other parties may have access and, or control of your informations in your account.

Please follow this link to confirm your account access information :

https://www.paypal.com/us/cgi-bin/webscr?_cmd=login-run

Please be aware that until we can verify your identity no further access to your account will be allowed and we will have no other liability for your account or any transactions that may have occurred as a result of your failure to upgrade your account as instructed above.

    Thank you for your time and consideration in this matter .

        Sincerely,
    PayPal Account Departement.
-------------------------------------------------------------


It was clearly not the real thing, which was confirmed by Paypal after I forwarded the message to them:
"Thank you for taking the time to contact spoof@paypal.com. The email you
reported was not sent by PayPal and is a phishing (fraudulent) email."

Isn't it odd that the link in this spam points to the genuine Paypal website (confirmed by VEngine)?
Little Mac
« Reply #5 on: July 19, 2007, 10:18:59 AM »

One of three things I can think of, user4 ~

1.  The phishers are idiots and don't understand what it is they're actually hoping to accomplish
2.  The phishers have/had hijacked the legit site in some way to capture login information
3.  The phishers are so darn good that they recreated a fake version of paypal's site down to authentication factors

Given the stereotypical email message, I'd have to think that #3 is out of the running, thus leaving us with #1 or 2.

Maybe there's a #4.  The phishers are so cunning and devious that what they're trying to accomplish is something that is beyond comprehension...

LM
Toxteth O'Grady
« Reply #6 on: July 19, 2007, 10:33:45 AM »

I don't think it is option 1.
These guys may be crazy, but they are not stupid.

In case option 2 applies, VEngine should have detected that... at least I hope so.
In general, would/could VEngine detect a hacked or perfectly imitated/copied website?


It must be option 4.
Little Mac
« Reply #7 on: July 19, 2007, 12:39:16 PM »

In my limited knowledge, I don't see how a false paypal website could be so well duplicated that the authentication (i.e., the certificate) could get past VE.  Since VE looks at the site's certificate and verifies that, it's not based on who the website says it is, but on the actual SSL cert.  Maybe it's possible; I don't know how, though.

If it was option 2, I don't think there's a way for VE to tell.  I know there have been a number of security stories recently about the number of legit sites that are compromised daily, and running false content.  So the site's still legit, but the content is not.  Could be illegitimate scripts running, etc.  I know I've read that this has happened to a number of big-name sites, so I guess it's possible with paypal as well.  From major companies, I would expect them to catch and resolve it quickly; maybe in the meantime the scammers are hoping to catch a few suckers...

LM
~cat~
« Reply #8 on: September 29, 2007, 09:16:26 PM »

Why on earth would spammers send emails containing links to the real Paypal website?
Is that the message source or what you've copied from the user interface?
Usually, if users make the mistake of reading email in html, the actual destination url is "hidden" by the html code.
For instance, from one I caught today, you'd have to be watching the url display at the bottom on mouse over to see the real url:
"h**p://securelogin-77570268.moneymanagergps.com.skm64.com/Online_Form.htm".

« Last Edit: September 29, 2007, 09:18:07 PM by ~cat~ »

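The two manual checks Dave and ~cat~ describe above, as an added example (not code from this thread or from Comodo's VE): walk the Received chain from the bottom to find where the mail actually entered the relay path, then compare each link's real href host, and the host its visible text shows, against the domain the From header claims. The sample headers are the ones quoted in the first post, unfolded and trimmed; the second anchor (example.net) is made up to show the visible-text mismatch ~cat~ mentions.

```python
import email, re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the Received chain, From line and dispute link of the message quoted
# above, unfolded and trimmed; the second anchor (example.net) is made up for the text/href case.
SAMPLE = """\
Received: from technomed.nl (client213.169.ilimburgdsl.nl [212.26.213.169]) by smtp.ilimburg.nl with ESMTP; Tue, 17 Apr 2007 18:31:47 +0200
Received: from User ([189.130.226.133]) by technomed.nl with Microsoft SMTPSVC(6.0.3790.211); Tue, 17 Apr 2007 18:27:45 +0200
From: "PayPal"<paypal-account@paypal.com>

<html><a target="_blank" href="http://www.teamyukon.ca/login/">Dispute transaction</a>
<a href="http://securelogin.example.net/form.htm">https://www.paypal.com/us/cgi-bin/webscr</a></html>
"""
def in_domain(host, domain):  # exact match or real subdomain; paypal.com.example.net must fail
    return host.lower() == domain.lower() or host.lower().endswith("." + domain.lower())

def origin_hop(msg):
    """Bottom-most Received header is the hop where the mail entered the relay chain."""
    first = msg.get_all("Received")[-1]
    host = re.search(r"from\s+(\S+)", first).group(1)
    ip = re.search(r"\[([\d.]+)\]", first)
    return host, ip.group(1) if ip else None

class Links(HTMLParser):  # collect (href, visible text) for every <a> in an HTML body
    def __init__(self):
        super().__init__(); self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a": self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None: self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip())); self._href = None

def check(raw):
    """Return the reasons this mail does not match the domain its From header claims."""
    msg = email.message_from_string(raw)
    claimed = parseaddr(msg["From"])[1].split("@")[-1]
    host, ip = origin_hop(msg)
    findings = [] if in_domain(host, claimed) else [f"origin hop {host} [{ip}] is not under {claimed}"]
    links = Links(); links.feed(msg.get_payload())
    for href, text in links.links:
        target = urlparse(href).hostname or ""
        if not in_domain(target, claimed):
            findings.append(f"link '{text}' goes to {target}, not {claimed}")
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown != target:
            findings.append(f"link text shows {shown} but href goes to {target}")
    return findings
```

On the sample this reports the User [189.130.226.133] origin hop, the teamyukon.ca dispute link, and the anchor whose text shows www.paypal.com while its href goes elsewhere.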