From: dgallagher at starnetusa.net (Dom Gallagher)
Subject: PayPal issues another blow to user security

At 11:09 AM 12/17/2003, Rob Adams wrote:
>[[Warning -- I do not speak for, nor do I represent, my employer. --Rob]]
>
>Aaron Horst reported earlier this week that Paypal violates their own 
>anti-phish policy. He received an official email that included a clickable 
>link to "paypalcreditcard.com." Their stated policy is that they will only 
>ever link to "paypal.com." Paypalcreditcard.com appears to be a legitimate 
>web site operated by Paypal's business partner, Providian Financial 
>Corporation.
>
>I received a similar solicitation. I forwarded it to the 
>"spoof@...pal.com." I think you'll enjoy the response:
>
>=================
>
>Dear Rob Adams,
>
>Thank you for contacting PayPal.
>
>Thank you for bringing this suspicious email to our attention. We can 
>confirm that the email you received was not sent to you by PayPal. The 
>website linked to this email is not a registered URL authorized or used by 
>PayPal. We are currently investigating this incident fully. Please do not 
>enter any personal or financial information into this website.
>If you have surrendered any personal or financial information to this 
>fraudulent website, you should immediately log into your PayPal Account 
>and change your password and secret question and answer information. Any 
>compromised financial information should be reported to the appropriate 
>parties.
>If you notice any unauthorized activity associated with your PayPal 
>transaction history, please immediately report this to PayPal by following 
>the instructions below:
>1.  Go to https://www.paypal.com/
>2.  Click on the Security Center at the bottom of the page
>3.  Click on "Report a Problem"
>4.  Select the Topic: Report Fraud
>5.  Select the Subtopic: Unauthorized use of my PayPal Account, and click 
>Continue.
>6.  Follow the instructions to access the appropriate form
>
>If you have any further questions, please feel free to contact us again.

Form letter.  eBay loves 'em, and now Paypal seem to have jumped on the 
bandwagon.

If you check the original report, Paypal itself links to the so-called 
phishing site: https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&leafid=1782

Assuming the URLs were not spoofed with any of the usual fun tricks to 
catch the point-and-droolers, Paypal are either totally ignoring the actual 
content of abuse complaints or deliberately trying to blame the phishers 
for a poorly thought out marketing effort.

D. 


