Tag: paypal

Paypal Phishing Spam with a twist…

This post was inspired by some work on one of my other sites but made me laugh so much it was worthy of being discussed here to.

We all get them, Paypal phishing emails that look like a mail from Paypal. When you click on them, they then take you to a site that looks like Paypal and when you enter your Paypal information, it gives you an error and redirects you back to the real Paypal site with you hopefully none the wiser… Except that you’ve now given the Phisher’s your Paypal details…

So before I go any further, never ever click on a link in an email that subsequently is going to ask you to log in.

1. You get en email from "Company ABC".
2. Open your browser of choice.
3. Navigate to "Company ABC’s" website.
4. Log in.
And you’re done.

If you get into the habit of doing this, you can never ever fall prey to a phishing email.   
I’ll say it once more just for effect, Never ever log in to a site that you have arrived from after clicking a link in an email.

Ok, warning out of the way, back to the main point for this post.
Earlier on today, I got a new format of Paypal phishing email.
The contents of which are quoted below:

Due to our recent database update we require that you confirm your PayPal account. The confirmation process takes 3-5 days.

So far, nothing new I thought…Here we go again and I look down for the usual phishing link, except I couldn’t see one, so I read on.

We have taken this measure to reduce the number of the unused PayPal accounts in our database.

To confirm your PayPal account you must make a deposit in the bank account of our PayPal agent in charge with account management. The deposit amount of  $ 50.00 USD will be uploaded into your PayPal account.

So hold up…They want me to deposit $50.00 USD into their account and then they will pay it back to me.
hmmm, I’m starting to see a slight flaw in their plan already…

The details needed for the deposit are:

Amount to deposit: $50.00 USD
PayPal agent name: <details deleted>
Bank name: <details deleted>
Bank address: <details deleted>
IBAN: <details deleted>
SWIFT/BIO: <details deleted>

For security reasons, I’ve deleted various details from above, but in this case, they were all valid and did point to an existing foreign bank account with a valid name.

So just how exactly do the phishers collect their money?
Either someone else has been scammed and the bank account details belong to someone who has had them stolen or, the details actually belong to the phisher.

Now I know these people can be stupid, but I can’t believe they would openly send out their own bank account details. Or are they that stupid? I’d like to think so, because that means by the time you read this, they are already hopefully locked up in some Gulag camp (now there is a clue as to where the bank account details were based which shouldn’t surprise most of you).

But even if they weren’t that stupid and the bank account belonged to some other poor soul who was totally unaware, surely there aren’t enough people in the world dumb enough to fall for this for them to get enough money before the account was shut down.
The account is also in a country where I don’t know what sort of relations the authorities in the west has.

Unfortunately, a great number of people do fall for these types of scams.It just beggars belief at the number of different methods that spammers and phishers will try in order to extort money from people.  What is more disheartening is that real people will fall for tricks like this.
So never ever click on a link from an email that subsequently wants you to log in.

For the techies out there: The email was sent using a compromised computer based in the US and the phishing website was being hosted on a Spanish server in Madrid. (They were probably distracted watching Spain at Euro 2008 or Nedal at Wimbledon).

Victim of an eBay Scam

BBC NEWS | UK | eBay urged to tackle fraud better

Internet auction site eBay should do more to tackle fraudsters targeting the site, a consumer magazine has said.
Computing Which? called on the site to be more active in identifying its fraudulent users.

Have you Been a Victim of eBay Fraud?

A few weeks ago I was caught out in an eBay/Paypal Scam and lost just under £150. Not much you say, but it was part of a scam collecting just over £7500.

And it was not so much the money that wound me up, it was the attitude of eBay and Paypal. (Both are really the same company, even though they deny it, and legally I suppose they are not, but one owns the other, and they each do an awful lot of business between themselves. But there is more on that below).

The BBC article above talks about how Which! (the consumer group/online magazine) are suggesting to eBay that they need to do a lot more to protect its users, or at least make them aware of the possibilities of fraud.
If you knew the values of fraud going on right now, it would probably deter most people from going near the site, but then eBay and Paypal won’t disclose it.

My Story

I had obtained a spare Pentium processor and placed it online for sale at a price of just under £150 if you used the ‘Purchase Now’ button and also allowed bidding on the items.
There were several enquiries on the item, but no bids in the first few days and I was helping one guy work out if it would work in a server that he had when I someone actually bought it at the higher price using the buy now feature. My first reaction was why would anyone want to pay what I had asked for, since there were already cheaper ones on sale at the same time. I expected a low bid to win the sale, but wasn’t going to turn down someone paying full price. But that was the first time I became skeptic about the purchaser so I made sure that I authenticated the buyer.

I won’t name the buyer because at the moment I am discussing legal action. The buyer contacted me via eBay and Paypal, there was a few exchanges of emails via this and then I sent an email to her Yahoo account which is totally separate from her eBay and Paypal account.

As it turns out, the buyer had allowed their PC to be hacked, and the thieves had retrieved full control and access to the buyers PC, stealing ALL of her passwords to ALL of the accounts that she had access to. Or that is what she told Paypal investigation.

There had been 4 or 5 purchases made by the ‘buyer’ of the same types as she had previously made, so nothing stood out there. I waited a day before shipping the item and sent it off. Later that evening I received an email from eBay telling me that the ‘buyers’ account was suspended and was being investigated for potential fraudulent activity. They also advised me NOT to ship the item, (great timing).
I replied to their email with the tracking details of the item, the destination address, and other details. I’ve never heard anything back on that part. The only confirmation I received from them amounted to a "Sorry, you’ve been done and lost out" email and confirmation that the ‘buyers’ account had been hacked. (It wasn’t just their account, the user had given away every password she owned).

Paypal immediately took the money that was paid to me by ‘the user’, (albeit by the fraudsters) and put it in a holding account. Two weeks later they confirmed that the users account had been hacked and told me that they were returning the money back to the ‘purchaser’.

So hold up, the owner of the computer gives away the passwords to all of her accounts, someone makes fraudulent use of the machine and her accounts, and it is the seller that gets penalised.
When I asked eBay and Paypal about the insurance for items under £500, they replied it wasn’t covered as it was not the ‘type of sale’ they covered.

When I have tried to contact both fraud departments of eBay and Paypal, they gave me a list of FBI/Interpol and told me to contact the Internet Fraud Group to take any further action.

eBay & Paypal Helping the Fraudsters

For a long time now I have been receiving ‘Phishing’ emails reportedly sent from eBay and Paypal, asking me to log into my account and sort something out.
Well, I am not not that of a numpty that I would fall for such a scam (via this method, when it comes to shipping goods to someone who isn’t who they are, now that’s a different matter, 10 out of 10 on the numpty scale).
You might have seen a few of the emails, they look very convincing. They even have all the eBay and Paypal graphics. You see that is because those images are hosted on eBay and Paypal Servers, and all the "phishers’ do, is Hotlink those images in their mass emails. Well that for one could be sorted out in the time it takes to make a config change to their servers. You can stop other servers from using images and then the emails would not look the same. Usually, the only difference in the ‘Phishing’ email is that the login part of the email is based on a scammers server and all it does it record your details and then forwards you to some other part of eBay’s site. Well they could stop that too, but they don’t (well they shut down the site, but they could also detect referrals from non-eBay/Paypal sites and display a message to say you have just been scammed, you need to do this or that. But they don’t.

Why don’t they do this? Because it will cost money and time. That eats in to profits and in the end, that is all they are concerned about.

How do they Protect Sellers/Buyers ?

Basically nothing. You have about as much protection as the Iraqi National Guard did in the Gulf War (1 or 2, take your pick).

Take this scenario: I place an advert in a newsgroup that my eBay and Paypal Username is for sale. Someone contacts me, pays me a few thousand pounds and then they go use my account and buy lots of goods and have them shipped to various places. Chances are, most of the goods will get through.
I then log in a few days later and "Oh, shock and horror", and off I run to eBay and Paypal. They have no way of proving that I ‘sold’ my passwords, you see I also installed a ‘Keylogger’ trojan application on my PC just to make it look convincing. It even connected to a real server someone in Pakistan that can’t be traced now because its down. The group who bought my password told me about that when I set up the selling of my passwords.
So all the people selling stuff have now shipped their goods and had the money they were paid taken back.
Paypal have now refunded all the money to my account, and I have the couple of thousand from the ‘thieves’ in my other account.

The main threat to buyers is people shipping goods and not receiving payment. They always advise using Paypal, as you are ‘covered’ by insurance. Complete trash. You are lucky if you are covered. The best protection is to use VISA or MASTERCARD which has some level of coverage automatically for online fraud.

NEVER pay through a 3rd party Escrow fund as they are fraught with danger in themselves.

Have you been caught out?

I want to hear from you if you have been caught out by an eBay scam. My email is on this page somewhere, if not leave me a comment and I will get back to you.

Legal Action

At the moment myself and a number of the other people caught out in this scam are taking legal action against the owner of the account for failing to keep her PC safe and secure from hackers whilst using it for online purchasing/selling. It’s an angle that has not been tried before, and is quite complicated and taking some time to sort out, since we are based in 4 different countries. The good thing is that the owner of the PC is in the states and they will sue the arse off anything that moves out there and they are keen to proceed (more money grabbing probably).
The basic premise of the argument is that she failed to maintain her computer and is therefore liable for the fraudulent activity. We already have the records we need to prove the incompetence, and because of the laws in the state where she lives, obtaining the records from the ISP will be easy enough to sort out.


Continue reading