lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: exibar at thelair.com (Exibar)
Subject: PayPal issues another blow to user security

yes, it is a valid link, but the whole thing started because PayPal, in
their own security advisory message, states never to click on any link that
claims to be from PayPal unless it is https://www.paypal.com   And they
usually state that any other link is bogus, even if it states that it is an
"official PayPal site".

  Exibar

----- Original Message ----- 
From: "Seth Fogie" <seth@...ieonline.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, December 17, 2003 3:22 PM
Subject: Re: [Full-Disclosure] PayPal issues another blow to user security


> If you enter the official https://www.paypal.com site and click on the
> Paypal credit card link, you will be directed to
www.paypalcreditcard.com...
>
> So, it is most likely a valid link...
>
>
>
> Exibar wrote:
>
> >The e-mail response from PayPal sounded more like a "canned" response
than
> >an actual human response.  I would image that they simply have a rule
setup
> >that looks for links within a message and if it doesn't have
> >https://www.paypal.com then it spits back that canned message.  On the
other
> >hand, it could simply be a college kid that is working at PayPal to make
a
> >few extra bucks and just saw that the link didn't point to
> >https://www.paypal.com and hit the "send canned response" button.
> >
> >  Either way, PayPal should mention something about it on their site's
> >homepage.  It is very irresponsible of them not to.
> >
> >  Exibar
> >
> >----- Original Message ----- 
> >From: "Mary Landesman" <mlande@...lsouth.net>
> >To: "Rob Adams" <rob@...ep.org>; "Aaron Horst" <anthrax101@...oo.com>
> >Cc: <full-disclosure@...ts.netsys.com>
> >Sent: Wednesday, December 17, 2003 1:23 PM
> >Subject: Re: [Full-Disclosure] PayPal issues another blow to user
security
> >
> >
> >
> >
> >>I think the response speaks more of the tunnel vision of the person
> >>answering the email. PayPal and Providian entered a partnership in Feb
> >>
> >>
> >2001.
> >
> >
> >>At the time, Providian apparently took a huge stake in PayPal equity
> >>(estimates placed it at between $100 - $200 million) and the two
companies
> >>agreed to co-brand the credit cards. See Forbes for details:
> >>http://www.forbes.com/2001/02/07/0207eccommerce.html
> >>
> >>The legal agreement between the two parties, dated March 2002, can be
> >>
> >>
> >found
> >
> >
> >>here:
> >>
> >>
> >>
>
>http://techdeals.startup.findlaw.com/agreements/paypal/providian.card.2002.
03.01.html
> >
> >
> >>The June 2001 press release announcing the site, and sponsored by both
> >>parties, can be found here:
> >>
> >>
> >>
>
>http://www.findarticles.com/cf_dls/m4PRN/2001_June_18/75602419/p1/article.j
html
> >
> >
> >>Perhaps PayPal might wish to take the opportunity to ensure the folks
> >>answering email at spoof@...pal.com are versed in company partnerships
and
> >>policies.
> >>
> >>Regards,
> >>Mary Landesman
> >>Antivirus About.com Guide
> >>http://antivirus.about.com
> >>
> >>----- Original Message ----- 
> >>From: "Rob Adams" <rob@...ep.org>
> >>To: "Aaron Horst" <anthrax101@...oo.com>
> >>Cc: <full-disclosure@...ts.netsys.com>
> >>Sent: Wednesday, December 17, 2003 12:09 PM
> >>Subject: Re: [Full-Disclosure] PayPal issues another blow to user
security
> >>
> >>
> >>[[Warning -- I do not speak for, nor do I represnt, my employer. --Rob]]
> >>
> >>Aaron Horst reported earlier this week that Paypal violates their own
> >>anti-phish policy. He received an official email that included a
> >>clickable link to "paypalcreditcard.com." Their stated policy is that
> >>they will only ever link to "paypal.com." Paypalcreditcard.com appears
> >>to be a legitimate web site operated by Paypal's business partner,
> >>Providian Financial Corporation.
> >>
> >>I received a similar solicitation. I forwarded it to the
> >>"spoof@...pal.com." I think you'll enjoy the response:
> >>
> >>=================
> >>
> >>Dear Rob Adams,
> >>
> >>Thank you for contacting PayPal.
> >>
> >>Thank you for bringing this suspicious email to our attention. We can
> >>confirm that the email you received; was not sent to you by PayPal. The
> >>website linked to this email is not a registered URL authorized or used
> >>by PayPal. We are currently investigating this incident fully. Please
> >>do not enter any personal or financial information into this website.
> >>
> >>If you have surrendered any personal or financial information to this
> >>fraudulent website, you should immediately log into your PayPal Account
> >>and change your password and secret question and answer information.
> >>Any compromised financial information should be reported to the
> >>appropriate parties.
> >>
> >>If you notice any unauthorized activity associated with your PayPal
> >>transaction history, please immediately report this to PayPal by
> >>following the instructions below:
> >>
> >>1.  Go to https://www.paypal.com/
> >>2.  Click on the Security Center at the bottom of the page
> >>3.  Click on "Report a Problem"
> >>4.  Select the Topic: Report Fraud
> >>5:  Select the Subtopic: Unauthorized use of my PayPal Account, and
> >>click Continue.
> >>6.  Follow the instructions to access the appropriate form
> >>
> >>If you have any further questions, please feel free to contact us
> >>again.
> >>
> >>=======================
> >>
> >>_______________________________________________
> >>Full-Disclosure - We believe in it.
> >>Charter: http://lists.netsys.com/full-disclosure-charter.html
> >>
> >>
> >>
> >>
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ