Anatomy of a Scam

[Markll]

Anatomy of a scam

The other day a client of mine called and asked about an email they received from PayPal.

The email stated that PayPal had seen some unusual activity on their account and needed them to verify their information.

A link to a login page was given in the email. (Red Flag One - PayPal will never direct you to their site concerning sensitive information with a link. The will instruct you to manually go to www.paypal.com and login there.)

Upon clicking the email link you are taken to a page that uses javascript to remove the status bar of your browser

window.(Red Flag Two - hides the fact that you are not on a secure page.)

The page also contains code to alter the address bar to display what seems to be the PayPal address.(Red Flag Three - the address for the page begins with http:// instead of https:// as it should for an ssl page.)

Right click is disabled and displays a copyright warning. (Red Flag Four - The are attempting to hide their malicious code)

Many will not notice these discrepancies and enter their emaile address and password to login. They are then taken to a page requesting credit card and checking account information (Red Flage Five- your back button no longer works)

At this point they have your PayPal email address and password and can access your account.

If you go back to the original email and start over you will find that any email/password combination will work to login(Red Flag Six)

Upon further investigation, I was able to find the actual address of the scam and access the site and directory containg the scam. The site is located somewhere in Asia and the home page appears to be an Asian company. The directory also contained a similar Ebay scam all neatly packaged complete with graphics and server side scripts. There was even a zip file which containd all the necessary components to run the scam.

Believe it or not the form action in the initiating script sent the information to a site operated here in the US. The scary part is that it could be your neighbor running this type of scam and you wouldn't even know it.

Hope the has been enlightening for some.

http://mtheoryit.com

[McFox]

Of course, I had just made a payment via Paypal just before I read your post (very informative) and immediately proceeded to crap myself! LOL!

Ok, I didn't do that but I did immediately rush to the PayPal website to verify I had indeed been using PayPal and not a scam site. Whew! It was all above board.

Good post though. Maybe we should have a forum here devoted to Scams and Internet Frauds? Whad'ya think?

McF

[ldyguique]

This particular scam is called a "Phisher" email and the DOJ/FBI is prosecuting.

REPORT PHISHING ATTEMPTS Do not hesitate to telephone a company to ask if an e-mail is legitimate. Let any organization being impersonated know of the scam and alert the Anti-Phishing Working Group at reportphishing@antiphishing.org, the Federal Trade Commission (UCE@FTC.GOV) and the F.B.I.'s Internet Crime Complaint Center (www.ic3.gov).

[Blackicicle]

Good post!

[sovidiu]

To follow the trend, I'll say: "good post!" and let you take a look at my signature (eventually containing a link towards a web site = forum advertising).

Anyway, Paypal asks you to go to their web site and log into your account, if it happens to be anything wrong with it. A SSL gateway is provided by the merchant (e.g., you will see a yellow locker in the right corner of your web page). In addition, all web pages on Paypal relating to any account details are secured. The correct syntax for your account is https://www.paypal... The WWWs are optional.

There is a second method to check the authenticity of the e-mail sender:

1. Look into the message's header and find the IP of the sender.
If you are using a free e-mail provider like Yahoo, Hotmail, Mail.com etc. enable the "show full headers" options in your account). If you are using an e-mail client such as Outlook or Eudora are, click properties on a message.

2. Go to http://www.arin.net/whois and enter the IP in their database search. It will show you the IP owner and from there you'll be able to realize if the message is a fraud or not. More details about IP ownership are displayed on: http://www.iana.org/ipaddress/ip-addresses.htm

Etc. etc. etc. The main idea is that the correct Paypal web address for any private information (such as your account's history, personal info and so on) is https:// and that it is better to go manually to your account's web site, and not just follow an URL from an e-mail message.

[jdiben]

I protect myself by never clicking on an email link from a company. I recieved the same paypal email a couple of days ago. I assumed it was a scam email but instead of tearning the message and headers appart to figure it out I opened internet explorer and typed in paypal.com and checked from there.

My point is always assume that an email from a company requesting any information is a scam and dont click on the links in ANY message. If you need to goto their site type it in the address bar.

joe

[barnkin]

There is also one for Fleet Bank and Citi Bank...Please take notice if you use either one of these.

I have recieved both in my e-mail

Best Regards

[dmje]

I agree with the post. It should be obvious by now that the core piece of advice is don't give information if it is requested by email. Joe's point about not ever clicking on anything from an email is a little over the top, however. I wouldn't be here if I hadn't done so. Just like everything else in life, it takes a little common sense to know what has the hallmarks of a scam and what doesn't.

[reggiewjr1]

I get about 3-4 of these emails per week....I just forward them on to spoof@paypal.com .

I also get a few Ebay ones though not as many...

I personally don't have the time to bother with actually investigating these people...I just send it to the "impersonated" party's REAL Spoof Dept and let them handle it...

Call me lazy...

[hawkwind dave]

Good post!! (has somebody said this before?)

I got one this morning also, and, as usual ignored it. Jdiben, good advice and common practise for me.