Can VE help me to prevent giving out infos to fake paypal pages?

Discontinued Products Verification Engine - CVE
#1

This is not the first time i met with fake PayPal page, here’s the letter i just got:

-[ START OF SOURCE ]-
X-Message-Status: s3:0
X-SID-PRA: PayPal paypal-account@paypal.com
X-SID-Result: SoftFail
X-Message-Info: txF49lGdW43nC1NXcRqIm5P58J7eJTyosfg34G30957gmEoKhdnj90oxy1yD0edd
Received: from smtp.ilimburg.nl ([195.35.190.136]) by bay0-mc7-f5.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Tue, 17 Apr 2007 09:31:43 -0700
Received: from technomed.nl (client213.169.ilimburgdsl.nl [212.26.213.169])
by smtp.ilimburg.nl (8.11.6/8.11.6) with ESMTP id l3HGVl302601;
Tue, 17 Apr 2007 18:31:47 +0200
Received: from User ([189.130.226.133]) by technomed.nl with Microsoft SMTPSVC(6.0.3790.211);
Tue, 17 Apr 2007 18:27:45 +0200
From: "PayPal"paypal-account@paypal.com
Subject: Dispute Transaction
Date: Tue, 17 Apr 2007 10:26:45 -0600
MIME-Version: 1.0
Content-Type: text/html;
charset=“Windows-1251”
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: TMEXCHANGE01iMCIqtQ00000591@technomed.nl
X-OriginalArrivalTime: 17 Apr 2007 16:27:45.0500 (UTC) FILETIME=[547721C0:01C7810D]
Return-Path: paypal-account@paypal.com

  
Dear PayPal Member,

This email confirms that you have sent an eBay payment of $47.85 USD to

harris2727@aol.com for an eBay item.





Payment Details


Amount: $47.85 USD


Transaction ID: 2LC956793J776333Y


Subject: Digimax 130


Note:

If you haven’t authorized this charge ,click the link below to dispute transaction

and get full refund


Dispute transaction (Encrypted Link )



*SSL connection:

PayPal automatically encrypts your confidential information

in transit from your computer to ours using the Secure

Sockets Layer protocol (SSL) with an encryption key length

of 128-bits (the highest level commercially available)






Item Information


eBay User ID: scratchandgnaw2





Edward Harrell’s UNCONFIRMED Address


Edward Harrell

211 David St.

Springtown, TX 76082

United States


Important Note: Edward Harrell has provided an Unconfirmed Address. If

you are planning on shipping items to Edward Harrell, please check the

Transaction Details page of this payment to find out whether you will

be covered by the PayPal Seller Protection Policy.




This payment was sent using your bank account.


By using your bank account to send money, you just:

  • Paid easily and securely

  • Sent money faster than writing and mailing paper checks

  • Paid instantly – your purchase won’t show up on bills at the end of
    the month.

Thanks for using your bank account!

Thank you for using PayPal!
The PayPal Team
PayPal Email ID PP118

-[ END OF SOURCE ]-

#2

Yes. Just hold your mouse over the logo - if it doesn’t go green, it isn’t Paypal.

#3

Thanks :■■■■!

#4

It’s also fairly easy to read the header info and see right away that this is NOT Paypal
technomed.nl (client213.169.ilimburgdsl.nl [212.26.213.169]) - is not paypal

A better understanding of how to (first) get the entire header information to show (usually called "blah-blah), and then of how to find where the REAL sender info is, will go a long way in helping you figure out what’s legit and what isn’t.

Dave

#5

Why on earth would spammers send emails containing links to the real Paypal website?

The message:

Dear PayPal Customer,

This email is to inform you, that we had to block your PayPal Account
access because we had to upgrade our servers in order to remove online
fraud.

Our terms and conditions you agreed to state that your account must
always
be under your control or those you designate at all times. We have
noticed
some unusual activity related to our servers that indicates that other
parties may have access and, or control of your informations in your
account.

Please follow this link to confirm your account access information :

https://www.paypal.com/us/cgi-bin/webscr?_cmd=login-run

Please be aware that until we can verify your identity no further access
to
your account will be allowed and we will have no other liability for
your
account or any transactions that may have occurred as a result of your
failure to upgrade your account as instructed above.

Thank you for your time and consideration in this matter .


    Sincerely,
PayPal Account Departement.

It was clearly not the real thing, which was confirmed by Paypal after I forwarded the message to them:
“Thank you for taking the time to contact spoof@paypal.com. The email you
reported was not sent by PayPal and is a phishing (fraudulent) email.”

Isn’t it odd that the link in this spam points to the genuine Paypal website (confirmed by VEngine)?

#6

One of three things I can think of, user4 ~

  1. The phishers are idiots and don’t understand what it is they’re actually hoping to accomplish
  2. The phishers have/had hijacked the legit site in some way to capture login information
  3. The phishers are so darn good that they recreated a fake version of paypal’s site down to authentication factors

Given the stereotypical email message, I’d have to think that #3 is out of the running, thus leaving us with #1 or 2.

Maybe there’s a #4. The phishers are so cunning and devious that what they’re trying to accomplish is something that is beyond comprehension… ;D

LM

#7

I don’t think it is option 1.
These guys may be crazy, but they are not stupid. :smiley:

In case option 2 applies, VEngine should have detected that… at least I hope so.
In general, would\could VEngine detect a hacked or perfectly imitated\copied website?

It must be option 4. (:LGH)

#8

In my limited knowledge, I don’t see how a false paypal website could be so well duplicated that the authentication (ie, the Certificate) could get past VE. Since VE looks at site’s Certificate and verifies that; it’s not based on who the website say it is, but the actual SSL Cert. Maybe it’s possible; I don’t know how, though.

If it was option 2, I don’t think there’s a way for VE to tell. I know there have been a number of security stories recently about the number of legit sites that are compromised daily, and running false content. So the site’s still legit, but the content is not. Could be illegitimate scripts running, etc. I know I’ve read that this has happened to a number of big-name sites, so I guess it’s possible with paypal as well. From major companies, I would expect them to catch and resolve it quickly; maybe in the meantime the scammers are hoping to catch a few suckers…

LM

#9

Is that the message source or what you’ve copied from the user interface?
Usually, if users make the mistake of reading email in html, the actual destination url is “hidden” by the html code.
For instance, from one I caught today, you’d have to be watching the url display at the bottom on mouse over to see the real url:
“h**p://securelogin-77570268.moneymanagergps.com.skm64.com/Online_Form.htm”.

[attachment deleted by admin]