PayPal Scam/Hacked
|
Stroker Serpentine
Unadultercated
Join date: 8 Nov 2003
Posts: 202
|
07-25-2009 09:42
So I wake up this morning and go through my normal routine of checking email, Facebook, Blogs and PayPal.
I notice in my emails that I had a charge for $10.17 for "Domain Names/ Hosting Services". It had been set up as a Recurring Charge. What tipped me off was the fact that it wasn't my ISP, which regularly sends me notices prior to billing my PayPal.
The email I got from PayPal that the payment was going to be deducted was legitimate. It was not a spoofed page requiring me to log in.
I did a bit of investigating and noticed that there was a phone number on the Recurring Charge page, so I called it. They wanted my Transaction ID, which I gave them. Then they asked for my first and last name to which I was hesitant to give. I explained why I was calling and they seemed professional. I didn't give my name in any case.
They were hesitant to give me their corporate name, but did however surrender that they were a payment processing center for GoDaddy. I asked exactly what services I was being billed for and they told me it was for the domain registration of "Biosim.org".
I immediately did a Whois on them and found some company from Mississippi. I will call their IT Dept on monday to see if they are aware of this issue. They are most likely unwitting victims IMO.
Here's the thing...
Someone hacked my PayPal password and set up a recurring charge for this, not once, but TWO recurring charge accounts. They did it at 5:30 a.m. PDT on Saturday, which was 8:30 a.m. my time. I rarely get up at 8:30 on Saturday. Now that takes some guts to go in... set up the account... not once... but twice and NOT wipe out the account. I had more than the $10.17 in there. I was fortunate that I had transferred the majority of the balance to my bank the night before.
Obviously, this scammer/thief was hoping I wouldn't recognize the charge. I called PayPal immediately and they walked me through changing all my passwords/security questions and cancelling both recurrings. They didn't seem surprised and weren't very forthcoming as to how this could happen. They were very professional and empathetic however. I filed a fraud report as well.
Who knows, I may have had the thieves on the phone and they just picked a random IP addy to blame. Although, I doubt they would have put their phone number in the transaction ID.
Anyways, I am posting this to SL forums because I know many of us use PayPal as an exchange. My advice is to change your PayPal password regularly. Actually..do it NOW! Also, check your recurring charges for any suspicious "Domain / Hosting Services" entries.
FWIW Dept
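An added illustration, not part of the thread or of PayPal's tooling: a small Python script that applies the advice above (check your recurring charges for suspicious "Domain / Hosting Services" entries) to a constructed activity export. It scores each recurring agreement on the signals this thread describes: a payee you never paid before, a generic domain/hosting description, a small amount, creation while you were asleep, and a duplicate agreement. The column names, sample rows, sleep window and amount threshold are all assumptions made for the example.

```python
"""Flag recurring-payment agreements worth a second look.

Constructed example: the CSV layout, the rows, and the thresholds below are
assumptions for illustration, not a real PayPal export format.
"""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed activity export. The two 10.17 rows mirror the pattern in the
# thread: a brand-new payee, a vague description, small amount, set up twice
# within minutes, early on a Saturday morning.
SAMPLE_CSV = """timestamp,type,payee,description,amount
2009-06-01 14:02,Payment,My ISP Inc,Monthly internet,45.00
2009-07-01 14:05,Payment,My ISP Inc,Monthly internet,45.00
2009-07-20 14:00,Recurring Agreement,My ISP Inc,Monthly internet,45.00
2009-07-24 21:10,Transfer,Bank,Withdraw to bank,-500.00
2009-07-25 08:31,Recurring Agreement,Payment Processing Ctr,Domain Names/ Hosting Services,10.17
2009-07-25 08:34,Recurring Agreement,Payment Processing Ctr,Domain Names/ Hosting Services,10.17
"""

VAGUE_WORDS = ("domain", "hosting")          # generic descriptions seen in the thread
SLEEP_WINDOW = (time(0, 0), time(9, 0))      # assumption: owner is not at the keyboard
SMALL_AMOUNT = 25.00                         # assumption: fraud here deliberately stays small
MIN_REASONS = 2                              # flag only when several signals line up


def parse_export(text):
    """Parse the constructed CSV into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M"),
            "type": r["type"],
            "payee": r["payee"],
            "desc": r["description"],
            "amount": float(r["amount"]),
        })
    return rows


def flag_recurring(rows):
    """Return [(row, reasons)] for recurring agreements that trip >= MIN_REASONS signals."""
    agreements = [r for r in rows if r["type"] == "Recurring Agreement"]
    if not agreements:
        return []
    # Payees you already paid by ordinary payment before any agreement existed count as known.
    first_ts = min(r["ts"] for r in agreements)
    known = {r["payee"] for r in rows if r["type"] == "Payment" and r["ts"] < first_ts}
    # Same payee + same amount appearing more than once = duplicate agreement.
    dup = Counter((r["payee"], r["amount"]) for r in agreements)

    flagged = []
    for r in agreements:
        reasons = []
        if r["payee"] not in known:
            reasons.append("payee never paid before")
        if any(w in r["desc"].lower() for w in VAGUE_WORDS):
            reasons.append("generic domain/hosting description")
        if 0 < r["amount"] <= SMALL_AMOUNT:
            reasons.append("small amount")
        if SLEEP_WINDOW[0] <= r["ts"].time() <= SLEEP_WINDOW[1]:
            reasons.append("created during sleep hours")
        if dup[(r["payee"], r["amount"])] > 1:
            reasons.append("duplicate agreement")
        if len(reasons) >= MIN_REASONS:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    for row, why in flag_recurring(parse_export(SAMPLE_CSV)):
        print(f"{row['ts']:%Y-%m-%d %H:%M} {row['payee']!r} {row['amount']:.2f}: {', '.join(why)}")
```

The legitimate ISP agreement trips none of the signals, while both constructed domain/hosting rows trip all five; the point is to surface new recurring agreements for a human to cancel, not to block anything automatically.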
|
Becka Andrew
Registered User
Join date: 19 May 2008
Posts: 95
|
07-25-2009 10:17
biosim.org redirects to digiload.net. Digiload has a private domain hosted out of Amsterdam. digiload.net seems to be selling snake oil type products and seems pretty shady.
This sounds like one of the domain creation spam site setups from botnets. Once their domains are closed they get new ones and redirect the site to their snake oil site, keeping them out of the spotlight. This payment center for Godaddy may be their partner in crime. They may get some good kickbacks. Maybe worth contacting Godaddy also with the phone number you have and all the other information.
All conspiracy theory here but something is fishy about all that.
EDIT: On the digiload.net site it has contact information of "If your question was not covered, please contact support@unexplainable.net
Our Physical Address is:
Unexplainable.Net 178 Glade Dr. Long Pond, PA 18334"
Unexplainable.net whois info:
Registrant: none, 178 Glade Dr. Long Pond, PA 18334 US, 484-560-0817
Domain Name: UNEXPLAINABLE.NET
Administrative Contact: Mcelwee, James, 178 Glade Dr. Long Pond, PA 18334 US, 484-560-0817
Technical Contact: Mcelwee, James, 178 Glade Dr. Long Pond, PA 18334 US, 484-560-0817
All these sites are tied together somehow.
|
Stroker Serpentine
Unadultercated
Join date: 8 Nov 2003
Posts: 202
|
07-25-2009 10:41
Great work Becka!
I did call back to the payment processor and filed a fraud report. They did give me their company name this time. They seem to be a legitimate hosting company.
I also talked to my local FBI Cyber Crimes Division. We have one here in Tampa. They took all the info but admitted that they only use the information to cross reference.
What was so scary about all of this is that it was done at 5:30 a.m. PDT while I was asleep. Someone obviously acquired my PP password to set up the "Recurring Account".
I have since done a deep bot/keylogger/malware scan of my PC.
CHANGE YOUR PASSWORDS PEOPLE!
(Why did they have to be hosted out of Amsterdam? *sigh*)
|
Deira Llanfair
Deira to rhyme with Myra
Join date: 16 Oct 2006
Posts: 2,315
|
07-25-2009 10:57
Thanks for the "heads-up" Stroker.
_____________________
Deira - Must create animations for head-desk and palm-face!
|
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
|
07-25-2009 11:04
Just a bit of extra advice...
unless your password was insanely easy to crack, it is likely that they got it from some other method, including phishing (you got tricked into going to what you thought was a Paypal page, and entered your username/password unaware of what was going on), trojan infection on your computer (keyloggers, XSS attack on some webpage you visited that exploited a browser vulnerability, etc), or through some other method, like someone attacking your router/firewall/network.
I would IMMEDIATELY do a scan for any malware, clear your cookies and browser cache, and make sure your browser (and any add-ons) and mail program are up-to-date. In addition, make sure you have all the latest security patches for your OS, and also update any program which works with the browser to display/play content from the web; that includes Adobe Acrobat, Flash, Shockwave, any/all multimedia plugins, WinAmp, Windows Media Player (should be updated through OS updates above), and any others.
If you use a broadband router or firewall, or firewall software on your PC, make sure it is up-to-date and properly set up. Also, if you use a wireless router, make sure you lock it down to only the wireless devices you use (MAC address filter), and set up the best encryption it has for the wireless connection. You'd be surprised how many folks get cracked from wardriving attacks.
|
Dakota Tebaldi
Voodoo Child
Join date: 6 Feb 2008
Posts: 1,873
|
07-25-2009 11:04
Our friend Google Maps can't find 178 Glade Drive; however, it does show that there's nothing but houses along the entire length of Glade Drive (i.e., no business or commercial buildings). It's blatant fraud. I strongly encourage you to get some authorities involved.
_____________________
"...Dakota will grow up to be very scary... but in a HOT and desirable kind of way." - 3Ring Binder "I really do think it's a pity he didn't "age" himself to 18." - Jig Chippewa
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
07-25-2009 11:35
Probably unrelated, but worth noting: http://blogs.channelinsider.com/secure_channel/content/network_security/network_solutions_suffers_large_data_breach.html
If you use Network Solutions for your registrar, keep a close look on your credit card statements.
|
Lord Sullivan
DTC at all times :)
Join date: 15 Dec 2005
Posts: 2,870
|
07-25-2009 11:56
From: Stroker Serpentine
Great work Becka!
I did call back to the payment processor and filed a fraud report. They did give me their company name this time. They seem to be a legitimate hosting company.
I also talked to my local FBI Cyber Crimes Division. We have one here in Tampa. They took all the info but admitted that they only use the information to cross reference.
What was so scary about all of this is that it was done at 5:30 a.m. PDT while I was asleep. Someone obviously acquired my PP password to set up the "Recurring Account".
I have since done a deep bot/keylogger/malware scan of my PC.
CHANGE YOUR PASSWORDS PEOPLE!
(Why did they have to be hosted out of Amsterdam? *sigh*)

I can go pay them a visit if you need more info. IM Consie as I am not in game atm.
_____________________
Independent Shopping for Second Life residents from established and new merchants. http://slapt.me  slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26
|
Kokoro Fasching
Pixie Dust and Sugar
Join date: 23 Dec 2005
Posts: 949
|
07-25-2009 12:00
I'd get PayPal's SecureID fob also - nothing better than two factor authentication.
|
Desmond Shang
Guvnah of Caledon
Join date: 14 Mar 2005
Posts: 5,250
|
07-25-2009 12:17
Stroker, I happen to be a credit card processing business with my 'real life' corporation, from waaaay back before Paypal bought out stuffy, somewhat reliable Verisign and turned it into this carnival-like financial environment. It's never been worse. Over the years I've seen it all, having had small time fraud committed against my real business in similar manner, though nobody has yet managed to get a password. There's plenty of other ways, and a few calls always clear it up. Also, I have made a simple arrangement with Linden Research, which would make it quite difficult for anyone to cash out of my SL account even if they had my password. If you want to talk about either, email me at desmondshang 'at' gmail 'dot' com; I'm not foolish enough to discuss either in detail on a nearly public forum.
Having successfully fought this, I learned a few things. First, the reason they didn't empty you out is that over certain dollar amounts they risk deeply serious charges of grand theft and interstate wire fraud. Felonies that can get you locked up a looooong time. The amount that makes the difference is a few hundred dollars; I forget precisely how much. Instead, they hit a dozen people for the same amount, and risk far smaller charges if caught for a few of them. They get a wrist slap, and go right back to doing it. All the major transaction processors are deeply, deeply aware of how all this goes down, if you pester them enough. Most people do precisely what you and I did: fight it, get the charges recovered, report it and subsequently forget about it. There aren't enough funds allocated to the Feds (relatively speaking) to chase down *all* these crooks. Like a roach infestation, only the slowest and stupidest criminals are effectively dealt with and the rest scuttle off. It's the "everybody's doing it" thing for small time internet criminals. They have little reason to stop.
The cost of the fraud is casually passed on to consumers in the form of higher fees, which people pay like blind sheep. Think of it as permissions system enforcement failure on that ultimate virtual item: your money.
* * * * *
As cheesy as this site looks, and in spite of the extraneous spurious nonsense a lot of people post to it like 'bad customer service', I've found this site actually pretty good with regard to identifying and aggregating perpetrators of fraud: http://www.ripoffreport.com/
Every smalltime fraud I've ever fought with my real life business was listed in there; many of them are 'at large' to this day. Simply not enough enforcement. Of course, there are many who figure this is just the cost of doing business, and Stroker, you and I will garner *very* little sympathy from certain quarters. Which is fine, but I never want to hear one squeak out of such folks about consumer prices. To the rest: obviously people like Stroker and I are doing all we can to deal with such situations, and will continue to do so to the very best of our ability. While people wait for the economic recovery, some of us are fighting to *be* that recovery every single day.
~ Des out.
_____________________
 Steampunk Victorian, Well-Mannered Caledon!
|
Kidd Krasner
Registered User
Join date: 1 Jan 2007
Posts: 1,938
|
07-25-2009 12:50
From: Dakota Tebaldi
Our friend Google Maps can't find 178 Glade Drive; however, it does show that there's nothing but houses along the entire length of Glade Drive (i.e., no business or commercial buildings). It's blatant fraud. I strongly encourage you to get some authorities involved.

It's irrelevant that it's a home. Many people operate internet service businesses out of their home.
|
LittleMe Jewell
...........
Join date: 8 Oct 2007
Posts: 11,319
|
07-25-2009 13:21
From: Kokoro Fasching
I'd get PayPal's SecureID fob also - nothing better than two factor authentication.

Definitely this -- I have used it since it first became available.
_____________________
♥♥♥ -Lil
Why do you sit there looking like an envelope without any address on it? ~Mark Twain~ Optimism is denial, so face the facts and move on. ♥♥♥ Lil's Yard Sale / Inventory Cleanout: http://slurl.com/secondlife/Triggerfish/52/27/22 . http://www.flickr.com/photos/littleme_jewell
|
Kidd Krasner
Registered User
Join date: 1 Jan 2007
Posts: 1,938
|
07-25-2009 13:55
Since at least one personal name has been posted, let me give the results of a bit more digging. Most of the domain names involved have been around since 2000, with the exception of digiload.net. Furthermore, a search on Switchboard.com for the name and town given in the earlier note turns up a hit at that street address, though with an unlisted phone number. Taken together, this also suggests that person is innocent. (Whether or not you agree with his new age paranormal business is a separate issue.)
The digiload.net site looks as though it's trying to be an affiliate of the unexplained.net site. It's been partially copied over, with the person info removed, but other links still going back to unexplained.net. One possibility is that the owner of digiload.net was just recently able to acquire the biosim.org domain, and the DNS servers have been updated before the WhoIs.
The biosim.org site is shown as being owned by the same company that owns biosim.com, but with different technical contacts. So another possibility is that the owner, Biological Simulators, Inc. started out with both domains, but essentially abandoned the biosim.org domain, and someone else has hacked into it. It does seem unlikely, though possible, that Biological Simulators, Inc. is responsible for the fraudulent charge, even though they're currently listed as the owner of the domain for which the charge was made.
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
07-25-2009 14:10
From: Talarus Luan
Just a bit of extra advice...
unless your password was insanely easy to crack, it is likely that they got it from some other method, including phishing (you got tricked into going to what you thought was a Paypal page, and entered your username/password unaware of what was going on), trojan infection on your computer (keyloggers, XSS attack on some webpage you visited that exploited a browser vulnerability, etc), or through some other method, like someone attacking your router/firewall/network.
I would IMMEDIATELY do a scan for any malware, clear your cookies and browser cache, make sure your browser (and any add-ons) and mail program is up-to-date. In addition, make sure you have all the latest security patches for your OS, and also update any program which works with the browser to display/play content from the web; that includes Adobe Acrobat, Flash, Shockwave, any/all multimedia plugins, WinAmp, Windows Media Player (should be updated through OS updates above), and any others.
If you use a broadband router or firewall, or firewall software on your PC, make sure it is up-to-date and properly set up. Also, if you use a wireless router, make sure you lock it down to only the wireless devices you use (MAC address filter), and set up the best encryption it has for the wireless connection. You'd be surprised how many folks get cracked from wardriving attacks.

And while we are on the subject. Stroker, you are a business, and businesses, unlike consumers, are not protected in the event that someone hacks your computer and initiates wire transfers from your bank account. Doing online banking is a necessary fact of life but if you do that you need to take even more precautions: as in a dedicated computer which is not connected to your network, no browser plugins installed outside of what is necessary to connect to your bank. No unnecessary software on that computer, no email accounts, no one else has any access to it. Regular scans and religiously updating Windows. No browsing at all except to go straight to the bank sites. And finally only connecting to the internet for updates or banking and disconnecting when you are done.
EDIT TO ADD: And this computer is set up only after an fdisk and complete reinstall of the OS to ensure there are already no nasties hiding in it. It may seem excessive but when you have several hundred thousand dollars at stake then it is a small price to pay. http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html
_____________________
I (who is a she not a he) reserve the right to exercise selective comprehension of the OP's question at anytime. From: someone I am still around, just no longer here. See you across the aisle. Hope LL burns in hell for archiving this forum
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
07-25-2009 14:28
From: Jesse Barnett As in a dedicated computer which is not connected to your network, no browser plugins installed outside of what is necessary to connect to your bank. No unnecessary software on that computer, no email accounts, no one else has any access to it. Regular scans and religiously updating Windows.
Wouldn't it make more sense not to use Windows at all for this system?
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
07-25-2009 14:34
From: Argent Stonecutter
Wouldn't it make more sense not to use Windows at all for this system?

I've never had any problems using those suggestions with XP Pro. Certainly might not hurt using an alternative, as long as that alternative came from a known, certified site or sealed install discs. Throw some suggestions out on the table as I am only familiar with Linux at the hobbyist level and not at all familiar with Macs.
_____________________
I (who is a she not a he) reserve the right to exercise selective comprehension of the OP's question at anytime. From: someone I am still around, just no longer here. See you across the aisle. Hope LL burns in hell for archiving this forum
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
07-25-2009 14:45
Well, I was thinking of something like a Mac mini, it's relatively cheap, compatible with Windows hardware, and while it's not as popular as Windows there's more support for idiot websites that think everyone's using Internet Explorer 5.5. Just don't think that just because it's not Windows, it's immune to attack. Keep your system updated, use as unsophisticated a browser as you can (I like Camino myself), and don't use it for anything but the job... in particular don't use it for visiting porn sites that need you to "install special codecs". When I need to run Windows stuff other than games, I run it in a VMware partition on my Mac, then roll back to the previous snapshot when I'm done, so even if Bank of America or whatever has been compromised the exploit code will vanish like the morning dew. That might sound paranoid, but... There was an article recently, I can't find it now, about a security researcher who does EVERYTHING in virtual machines, with a different OS for the host and the VM, and multiple levels of VMs that are each only EVER used for one purpose, so if her Google VM is compromised it won't affect her banking VM. Serious overkill, I think. Well, I hope.
|
Clarissa Lowell
Gone. G'bye.
Join date: 10 Apr 2006
Posts: 3,020
|
re the op
07-25-2009 15:39
Which is why I refuse to link a bank account, any bank account, with paypal.
|
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
|
07-25-2009 15:54
|
Stroker Serpentine
Unadultercated
Join date: 8 Nov 2003
Posts: 202
|
07-25-2009 17:36
WOW!! Some great ideas! I believe I will set up a "sterile" PC as suggested. Thanks =D
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
07-25-2009 18:53
From: Argent Stonecutter
Well, I was thinking of something like a Mac mini, it's relatively cheap, compatible with Windows hardware, and while it's not as popular as Windows there's more support for idiot websites that think everyone's using Internet Explorer 5.5. Just don't think that just because it's not Windows, it's immune to attack. Keep your system updated, use as unsophisticated a browser as you can (I like Camino myself), and don't use it for anything but the job... in particular don't use it for visiting porn sites that need you to "install special codecs". When I need to run Windows stuff other than games, I run it in a VMware partition on my Mac, then roll back to the previous snapshot when I'm done, so even if Bank of America or whatever has been compromised the exploit code will vanish like the morning dew. That might sound paranoid, but... There was an article recently, I can't find it now, about a security researcher who does EVERYTHING in virtual machines, with a different OS for the host and the VM, and multiple levels of VMs that are each only EVER used for one purpose, so if her Google VM is compromised it won't affect her banking VM. Serious overkill, I think. Well, I hope.

If you are familiar with Linux then a little $300 netbook that has been stripped down would probably do the job. And that overly paranoid security analyst? Hey, I can sympathize, although I set up our company's system the old school way. On top of the aforementioned stripped computer for the online banking, our bookkeeper/accountant also has one other computer set up with nothing but the accounting software and the network card has been removed. Whenever we get ready to upgrade then I will probably virtualize the banking computer. Have been playing with VM instances here on my computer for the last year or so. Talarus, I would normally thank you for posting her name but I will probably have nightmares for a long time after reading her blog. Stroker, hope it helps.
The part about a company not being covered in case their computer was hacked and their funds drained from a bank account never really has been broadcast for some reason. I found out a year or so ago and that was when I changed our setup at work. It just so happens that the Washington Post ran an article mentioning it last week. That was the link in my post.
_____________________
I (who is a she not a he) reserve the right to exercise selective comprehension of the OP's question at anytime. From: someone I am still around, just no longer here. See you across the aisle. Hope LL burns in hell for archiving this forum
|
Xugu Madison
Registered User
Join date: 20 Jun 2004
Posts: 20
|
07-25-2009 19:32
From: Argent Stonecutter
Wouldn't it make more sense not to use Windows at all for this system?

It's definitely a thought. As much as OpenBSD is normally massive security overkill, for a high security system used just for browsing it might make sense. Other suggestions include getting a Linux live CD (Ubuntu does a perfectly good live CD as part of its installer) and booting off that. Really hard to infect write-once media.
|
Xugu Madison
Registered User
Join date: 20 Jun 2004
Posts: 20
|
07-25-2009 19:34
From: Argent Stonecutter
There was an article recently, I can't find it now, about a security researcher who does EVERYTHING in virtual machines, with a different OS for the host and the VM, and multiple levels of VMs that are each only EVER used for one purpose, so if her Google VM is compromised it won't affect her banking VM. Serious overkill, I think. Well, I hope.

I'd be inclined to suggest paranoid, although if they're working with dangerous code it may also be primarily done as an effective manner to ensure projects don't cross-contaminate...
|
Katheryne Helendale
(loading...)
Join date: 5 Jun 2008
Posts: 2,187
|
07-25-2009 19:55
From: Jesse Barnett
Regular scans and religiously updating Windows.

I would even go so far as to NOT run Windows at all on that machine. This is not a knock on Windows; but, as a general-purpose operating system, there are far too many processes running that have nothing to do with a browser session but which are still inextricably tied to Windows' functionality in such a way that you can't just remove them or shut them off. The more processes you have running, the greater the chance of someone finding a flaw to exploit. Your best bet, albeit a tad paranoid, is to run a small Linux distribution (Damn Small Linux would be a good candidate), add in a simple windowing system such as Xfce, and just enough functionality to initiate and maintain a secure connection via Firefox. I suggest Linux because, even though there's still a lot of unnecessary stuff going on in the background in most distros, you can easily turn them all off or remove them completely, without breaking the OS.
|