Welcome to the Second Life Forums Archive

Serious Paypal flaw found

Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
06-16-2006 10:35
I am posting this here since so many SL users rely on Paypal.

http://www.betanews.com/article/Serious_PayPal_Flaw_Disclosed/1150476019

Highlight from the article:

A security flaw within the PayPal Web site is posing a serious threat to its users, security firm Netcraft said Friday. The credit card numbers and personal information of those duped by attackers is at risk through a cross-site scripting attack.

A fraudster tricks the user into divulging information by asking them to visit an actual PayPal URL. Since this is hosted by the company, it would appear as if information is encrypted through the company's own SSL certificates. However, through cross-site scripting, some of the information on the accessed page has been modified.
_____________________
Cristiano


ANOmations - huge selection of high quality, low priced animations all $100L or less.

~SLUniverse.com~ SL's oldest and largest community site, featuring Snapzilla image sharing, forums, and much more.
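The quoted article describes the flaw only in general terms: cross-site scripting let content on a page served from the genuine PayPal host be modified. As an added illustration that is not taken from the article, from PayPal, or from anyone in this thread, the following Python shows the generic pattern behind that class of bug, a request parameter reflected into HTML verbatim, beside the hardened version that HTML-escapes the parameter so the same input is rendered as inert text. The page template, the parameter name `q` and the sample query string are constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed page fragment: a search/lookup parameter echoed back to the user.
TEMPLATE = "<p>Could not find account: {q}</p>"

# Constructed request: the percent-encoded form of "<b>Your account is locked</b>".
SAMPLE_QUERY = "q=%3Cb%3EYour+account+is+locked%3C%2Fb%3E"


def reflected_param(query_string: str) -> str:
    """Pull the untrusted 'q' parameter out of the query string (percent-decoded)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unescaped(query_string: str) -> str:
    """The reflected-XSS pattern: untrusted text inserted into HTML unchanged,
    so any markup the sender chose becomes part of the real site's page."""
    return TEMPLATE.format(q=reflected_param(query_string))


def render_escaped(query_string: str) -> str:
    """Hardened form: escape <, >, &, and quotes before insertion so the
    browser displays the input as text instead of interpreting it."""
    return TEMPLATE.format(q=html.escape(reflected_param(query_string), quote=True))


def reflects_markup(rendered: str, untrusted: str) -> bool:
    """Defensive check a test suite can run: does the untrusted input
    survive into the output as live markup (unescaped angle brackets)?"""
    return "<" in untrusted and untrusted in rendered


if __name__ == "__main__":
    payload = reflected_param(SAMPLE_QUERY)
    print("unescaped:", render_unescaped(SAMPLE_QUERY))
    print("escaped:  ", render_escaped(SAMPLE_QUERY))
    print("markup reflected (unescaped)?", reflects_markup(render_unescaped(SAMPLE_QUERY), payload))
    print("markup reflected (escaped)?  ", reflects_markup(render_escaped(SAMPLE_QUERY), payload))
```

The point for a defender is that the address bar, the padlock and the certificate are all telling the truth in this scenario: the page really comes from the legitimate host. Only the escaping step decides whether attacker-chosen text is shown or executed, which is why output encoding at every injection point (and not user vigilance about the URL) is the fix.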

Melonie Giles
Lala Land Lover
Join date: 7 Dec 2005
Posts: 101
06-16-2006 10:39
Good thing to always remember is PayPal emails will always address you by name and generally they won't email you. I have had so many problems with receiving phishing emails it's pathetic. So I won't ever click a link on any PayPal email. If it looks suspect always forward it to spoof@paypal.com. I have received many many many of these emails.
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
06-16-2006 10:48
From: Melonie Giles
Good thing to always remember is PayPal emails will always address you by name and generally they won't email you. I have had so many problems with receiving phishing emails it's pathetic. So I won't ever click a link on any PayPal email. If it looks suspect always forward it to spoof@paypal.com. I have received many many many of these emails.


Yeah I get them all the time too (most often at email addresses not even associated with my Paypal account). The thing that is concerning about this is that it does involve the actual Paypal.com site.

Selador Cellardoor
Registered User
Join date: 16 Nov 2003
Posts: 3,082
06-16-2006 11:28
Yes, I received one of these, and out of curiosity followed the link, which seemed to take me to a genuine Paypal URL.

Of course, users should follow PayPal's advice of never following a link to their site, and then they will be OK.
_____________________
JamesMichael Clifton
Registered User
Join date: 14 Jun 2006
Posts: 1
06-16-2006 14:08
As with the rest of you I've gotten tons of emails that are spoofs. The first time I got one, out of curiosity I compared the two sites, one from the link and one from manually typing out paypal.com. They looked very similar but you could tell by the little things that the spoof was in fact... a spoof.
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
06-16-2006 14:13
From: Cristiano Midnight
Yeah I get them all the time too (most often at email addresses not even associated with my Paypal account). The thing that is concerning about this is that it does involve the actual Paypal.com site.


When it comes to things like protecting my PayPal account that's linked to my bank and credit cards, I take PayPal's own advice to heart: Don't ever click links in your email, ever, even if it is from them. Open a new browser tab and type in paypal.com.

And yeah, the amount of PayPal related phishing attempts I get is crazy too.
_____________________


New products, updates, rants, randomness.
Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
Vares Solvang
It's all Relative
Join date: 26 Jan 2005
Posts: 2,235
06-16-2006 16:05
I received a phishing email trying to get my PayPal account info. It was easy to spot for many reasons, the biggest being that I didn't have a PayPal account under that particular email address. I forwarded it to the PayPal fraud dept and they verified that it was a scam and not from them. So be careful and always send any suspicious emails to their fraud dept so they can put a warning out.
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
06-16-2006 17:34
It seems that Paypal has moved quickly to close up this flaw:

http://news.com.com/PayPal+fixes+phishing+hole/2100-7349_3-6084974.html?tag=nefd.top

Androclese Torgeson
I've got nothin'
Join date: 11 May 2004
Posts: 144
06-16-2006 17:46
(This is the UNIX Admin / Tech Support guy in me speaking, pardon the geekiness)


1) If anybody is silly enough to click on *any* links they receive via email about a financial matter or account issue from *anybody*, they are only digging their own grave.

2) Go to Mozilla.org and download the Thunderbird email client. All those phishing and spam emails will go away in short order.
_____________________
Androclese Torgeson

Real Life, also known as "that big room with the ceiling that is sometimes blue and sometimes black with little lights"

Astrid Ophelia
Registered User
Join date: 2 Mar 2006
Posts: 42
06-16-2006 17:47
I run a subscription based service in RL and the majority of our payments come through Paypal. The best advice I can give people is:

1) Legitimate PayPal emails will address you by your first and last name. If you are a business they will address you by the business name you have registered. If it says "Dear PayPal Member" or anything of that ilk it is a spoof.

2) PayPal will rarely (if ever nowadays) send an email that contains a link to their site no matter what the subject matter is. If you need to log in to your account, answer a dispute, etc., a legitimate email from PayPal will provide directions on what you need to do to proceed. It will not contain a link to any page on PayPal.

3) Message headers are worthless; it is far too easy to spoof headers to make them look legitimate. So even if you have your email set up to view full headers don't take what you see as gospel.

4) If you get an email purportedly from PayPal that has you concerned, log in to PayPal directly to check your account. If something is wrong you generally should have a message, highlighted in pink, at the top of the main PayPal page.

5) When going directly to PayPal make sure to use HTTPS://www.paypal.com so you know for sure you are on their secure server.
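The five points above are checks a reader applies by eye. As an added example, written for this archive and not taken from the thread or from PayPal, the following Python applies the same heuristics to a raw message: point 1 becomes a greeting check against the registered name, point 2 flags any link into the site at all, point 5 flags links that are not HTTPS, and point 3 is honoured by never consulting the From: header. The host comparison also rejects the subdomain trick (a hostname that merely begins with the real domain but registers somewhere else). The account name, the legitimate domain, and both sample messages are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed values for the example: the name registered on the account and
# the domain a user would type directly into the browser.
ACCOUNT_NAME = "Jane Example"
LEGIT_DOMAIN = "paypal.com"

GENERIC_GREETINGS = ("dear paypal member", "dear paypal user", "dear member",
                     "dear valued customer", "dear customer", "dear user")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_host_matches(host: str, domain: str) -> bool:
    """True only if host IS the domain or a real subdomain of it (www.paypal.com);
    a lookalike such as www.paypal.com.something.example does not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def greeting_line(body: str) -> str:
    """First non-blank line of the body, which is where the salutation lives."""
    for line in body.splitlines():
        if line.strip():
            return line.strip()
    return ""


def assess_email(raw: str, account_name: str = ACCOUNT_NAME,
                 legit_domain: str = LEGIT_DOMAIN) -> list:
    """Return a list of human-readable findings; an empty list means no heuristic
    fired. Header fields are parsed but never trusted (they are trivially forged)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []

    greeting = greeting_line(body)
    if greeting.lower().rstrip(",:!") in GENERIC_GREETINGS:
        findings.append(f"generic greeting: {greeting!r}")
    elif account_name.lower() not in greeting.lower():
        findings.append(f"greeting does not use registered name: {greeting!r}")

    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = parts.hostname or ""
        if registrable_host_matches(host, legit_domain):
            findings.append(f"link into {legit_domain} (legitimate mail gives directions, not links): {url}")
        elif legit_domain.split(".")[0] in host:
            findings.append(f"lookalike host {host!r} is not {legit_domain}")
        else:
            findings.append(f"link to unrelated host {host!r}")
        if parts.scheme.lower() != "https":
            findings.append(f"link is not HTTPS: {url}")
    return findings


# Constructed phishing-style sample (not a real message).
SAMPLE_PHISH = """\
From: service@paypal.com
Subject: Your account has been limited

Dear PayPal Member,

We noticed unusual activity. Please confirm your details at
http://www.paypal.com.account-verify.example/login within 24 hours.
"""

# Constructed legitimate-style sample: named greeting, directions, no links.
SAMPLE_LEGIT = """\
From: service@paypal.com
Subject: A dispute has been opened

Dear Jane Example,

A buyer has opened a dispute. To respond, log in to your account and open
the Resolution Center from the main page.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess_email(sample) or ["no findings"])
```

Note that both samples carry an identical From: header, which is exactly why the code ignores it: the decision rests on the body, the greeting and where the links actually resolve, which the sender cannot fake without also changing what the recipient sees.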
Newfie Pendragon
Crusty and proud of it
Join date: 19 Dec 2003
Posts: 1,025
06-16-2006 20:10
I follow a very simple rule whenever I get an email from PayPal - or actually any company I deal with that I have a financial relationship with. If I get an email that asks me to do something, I:

1) Open a browser window.
2) Type the address in directly, skipping the link in the email.

That's it. I go with the assumption that all links I get via email are suspect, unless it's from a source I trust completely.


- Newfie
_____________________
Bizzy Weeks
Registered User
Join date: 23 May 2006
Posts: 46
06-16-2006 23:47
I still get tons of 'BECOME A GOLD STAR MEMBER' eBay spams. Almost filled one out way back, and would have if my brother hadn't pointed out that the URL was like ef24y9http.298317213ebay.com. Scammers will try anything... It's always French sites too, when I track 'em.