Open Source and information security mailing list archives
Message-ID: <1077401367.21958.14.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Would you trust these Emails (EBAY & PAYPAL)

Hi,

On Sat, 21.02.2004 at 13:20, partysan_FFF@....net wrote:
...
> Hi,
> the site looks exactly like the site at www.paypal.com, however, there
> is no verify.html at the "real" paypal site.  This smells very much
> like a scam to get people's billing information.  Also, note that
> the "help" (and all other) buttons are linked to www.paypal.com,not
> the site from the email.

To the non-suspicious and technically impaired everyday Ebay or PayPal
customer these recent mails actually are quite dangerous. Dangerous not
only because they look real enough for those people but because they
contain a clever element of social engineering. By stating in the fake
Ebay mail that the "customer" is supposed to owe $15 for a recent
transaction, they raise a *quiet threat* which chews away at the
receiver's determination. Of course most people know whether they have
done transactions on Ebay or PayPal and most can probably remember
exactly what amounts of money are involved.

The "accusation" of still owing $15 however alerts customers since
a) they actually don't know about all transactions on second thought
("Better to check that again! Maybe they'll send something nasty if I
don't follow their instructions.")
b) they suspect someone has stolen their Ebay identity and has been
using it ("I'd better correct this immediately. How convenient that they
placed a link to the form.") This second motive plays on numerous media
reports that doing business on Ebay can be risky.

Psychologically speaking this may be named a *quiet threat* since it
chews away at the determination quietly in a very subtle manner. There
are no instant alarm bells ringing "FAKE" as long as the person is
generally trusting mails from companies.

> You can report this to paypal (They actually have a "suspicious email"
> Category) here:
> http://www.paypal.com/cgi-bin/webscr?cmd=_contact-general.
> 
> I strongly advise against filling out those forms, and to contact the
> paypal people.

I received A LOT of those Ebay mails lately and I bothered to send them
the first one to examine. They answered within several hours, warning me
about the fake origin. In the meantime I have received more than 15
identical Ebay fakes from different mail relays.

As a consequence I'd suggest to any serious company doing business on
the Internet not to send any messages via email ("They normally don't
send mails at all. So I can't trust this one.") or to only send messages as
non-formatted text, which raises the bar for fooling people (fewer people
will be fooled if the real link isn't hidden behind an image or a link
description).

I hate HTML mails anyway and don't let my mail client load images from the
Internet (thus HTML mails reach me in an ugly, naked form).

kind regards,
Tobias Weisserth
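The point made above, that HTML mail lets the real link hide behind an image or a misleading link description, can be turned into a mechanical check. The following is an added example, not code from the thread or from any of its participants: it parses the HTML body of a message with the standard-library `html.parser`, collects every anchor, and flags those whose target host is off-brand while the visible text names another host (or the anchor is only an image). The sample message is constructed to mimic the fake described in the thread; the IP address and `paypal-billing.example` host are hypothetical, and `www.paypal.com` is the only real host, taken from the thread.

```python
"""Flag anchors in an HTML e-mail whose visible text or image hides a link
to a host other than the one the reader is led to expect.

Added example, not part of the original post. SAMPLE_HTML is constructed:
203.0.113.10 and paypal-billing.example are hypothetical; www.paypal.com is
the real host named in the thread.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mimicking the fake mail: the "Help" button points to
# the real site, the form link and the logo link do not.
SAMPLE_HTML = """
<html><body>
<p>Dear customer, you still owe $15 for a recent transaction.</p>
<p>Please <a href="http://203.0.113.10/verify.html">verify your account at
www.paypal.com</a> within 24 hours.</p>
<p><a href="http://www.paypal.com/cgi-bin/webscr?cmd=_help">Help</a></p>
<p><a href="http://paypal-billing.example/login"><img src="cid:logo"></a></p>
</body></html>
"""

# Matches a DNS-style host name inside visible link text (not IP addresses).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible_text, has_image) for every <a href=...>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text_parts, has_image] while inside <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._current = [attrs["href"], [], False]
        elif tag == "img" and self._current is not None:
            self._current[2] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, parts, has_img = self._current
            text = " ".join(" ".join(parts).split())  # normalise whitespace
            self.links.append((href, text, has_img))
            self._current = None


def find_deceptive_links(html, expected_host):
    """Return [(href, reason), ...] for links that mislead the reader.

    expected_host is the brand domain the mail claims to come from. Links
    to that domain or its subdomains are accepted; any other link is
    reported, with the reason noting whether the visible text names a
    different host or the target is hidden behind an image.
    """
    parser = LinkCollector()
    parser.feed(html)
    expected_host = expected_host.lower()
    findings = []
    for href, text, has_img in parser.links:
        host = (urlparse(href).hostname or "").lower()
        on_brand = host == expected_host or host.endswith("." + expected_host)
        if on_brand:
            continue
        shown = [h.lower() for h in HOST_RE.findall(text)]
        if shown and host not in shown:
            reason = f"text shows {shown[0]} but link goes to {host}"
        elif has_img and not text:
            reason = f"image link to off-brand host {host}"
        else:
            reason = f"link to off-brand host {host}"
        findings.append((href, reason))
    return findings


if __name__ == "__main__":
    for href, reason in find_deceptive_links(SAMPLE_HTML, "paypal.com"):
        print(f"{href}: {reason}")
```

Run it on the raw HTML part of a suspicious message with the brand domain the mail claims to represent; a plain-text mail, as the post recommends, has no anchors to hide anything behind, so the checker returns nothing for it.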

