Message-ID: <3FE0BB11.3030804@fogieonline.com>
From: seth at fogieonline.com (Seth Fogie)
Subject: PayPal issues another blow to user security
If you enter the official https://www.paypal.com site and click on the
Paypal credit card link, you will be directed to www.paypalcreditcard.com...
So, it is most likely a valid link...
Exibar wrote:
>The e-mail response from PayPal sounded more like a "canned" response than
>an actual human response. I would imagine that they simply have a rule set up
>that looks for links within a message and if it doesn't have
>https://www.paypal.com then it spits back that canned message. On the other
>hand, it could simply be a college kid that is working at PayPal to make a
>few extra bucks and just saw that the link didn't point to
>https://www.paypal.com and hit the "send canned response" button.
>
> Either way, PayPal should mention something about it on their site's
>homepage. It is very irresponsible of them not to.
>
> Exibar
>
>----- Original Message -----
>From: "Mary Landesman" <mlande@...lsouth.net>
>To: "Rob Adams" <rob@...ep.org>; "Aaron Horst" <anthrax101@...oo.com>
>Cc: <full-disclosure@...ts.netsys.com>
>Sent: Wednesday, December 17, 2003 1:23 PM
>Subject: Re: [Full-Disclosure] PayPal issues another blow to user security
>
>>I think the response speaks more of the tunnel vision of the person
>>answering the email. PayPal and Providian entered a partnership in Feb
>>2001.
>>At the time, Providian apparently took a huge stake in PayPal equity
>>(estimates placed it at between $100 - $200 million) and the two companies
>>agreed to co-brand the credit cards. See Forbes for details:
>>http://www.forbes.com/2001/02/07/0207eccommerce.html
>>
>>The legal agreement between the two parties, dated March 2002, can be
>>found here:
>>http://techdeals.startup.findlaw.com/agreements/paypal/providian.card.2002.03.01.html
>>
>>The June 2001 press release announcing the site, and sponsored by both
>>parties, can be found here:
>>http://www.findarticles.com/cf_dls/m4PRN/2001_June_18/75602419/p1/article.jhtml
>>
>>Perhaps PayPal might wish to take the opportunity to ensure the folks
>>answering email at spoof@...pal.com are versed in company partnerships and
>>policies.
>>
>>Regards,
>>Mary Landesman
>>Antivirus About.com Guide
>>http://antivirus.about.com
>>
>>----- Original Message -----
>>From: "Rob Adams" <rob@...ep.org>
>>To: "Aaron Horst" <anthrax101@...oo.com>
>>Cc: <full-disclosure@...ts.netsys.com>
>>Sent: Wednesday, December 17, 2003 12:09 PM
>>Subject: Re: [Full-Disclosure] PayPal issues another blow to user security
>>
>>
>>[[Warning -- I do not speak for, nor do I represent, my employer. --Rob]]
>>
>>Aaron Horst reported earlier this week that Paypal violates their own
>>anti-phish policy. He received an official email that included a
>>clickable link to "paypalcreditcard.com." Their stated policy is that
>>they will only ever link to "paypal.com." Paypalcreditcard.com appears
>>to be a legitimate web site operated by Paypal's business partner,
>>Providian Financial Corporation.
>>
>>I received a similar solicitation. I forwarded it to the
>>"spoof@...pal.com." I think you'll enjoy the response:
>>
>>=================
>>
>>Dear Rob Adams,
>>
>>Thank you for contacting PayPal.
>>
>>Thank you for bringing this suspicious email to our attention. We can
>>confirm that the email you received; was not sent to you by PayPal. The
>>website linked to this email is not a registered URL authorized or used
>>by PayPal. We are currently investigating this incident fully. Please
>>do not enter any personal or financial information into this website.
>>
>>If you have surrendered any personal or financial information to this
>>fraudulent website, you should immediately log into your PayPal Account
>>and change your password and secret question and answer information.
>>Any compromised financial information should be reported to the
>>appropriate parties.
>>
>>If you notice any unauthorized activity associated with your PayPal
>>transaction history, please immediately report this to PayPal by
>>following the instructions below:
>>
>>1. Go to https://www.paypal.com/
>>2. Click on the Security Center at the bottom of the page
>>3. Click on "Report a Problem"
>>4. Select the Topic: Report Fraud
>>5: Select the Subtopic: Unauthorized use of my PayPal Account, and
>>click Continue.
>>6. Follow the instructions to access the appropriate form
>>
>>If you have any further questions, please feel free to contact us
>>again.
>>
>>=======================
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html