WARNING: Paypal fraud! - Grin with cat attached
WARNING: Paypal fraud! Jul. 7th, 2003 10:29 am
I've just received the following fraudulent email claiming to be from PayPal. The URL included DOES NOT POINT TO THEIR SERVERS. Do not under any circumstances give your password at the site behind the URL!

This is a very clever forgery and neatly sidesteps PayPal's security advice. Please be aware!

Subject: PAYPAL - VERIFY AND UPDATE YOUR ACCOUNT

Dear PayPal Member,

This email was sent by the PayPal server to re-verify your e-mail address
and to update your profile information on PayPal. You must complete
this process by clicking on the link below and entering the information
from your profile. This is done for your protection --- becaurse some of our
members no longer have access to their email addresses and we must verify it.

To update your profile information and access your account,
click on the link below. If nothing happens when you click on the
link (or if you use AOL), copy and paste the link into the address bar of
your web browser.

htt ps://www.paypal.com:ac=AwWI5HUK5eOcxVMEFYT5SSGH984XvzwHSTKMe2C9@oRaNgE.SRv2.cOm/~l45sd7o/aC.cGi?richard@cyclists.org.uk
(URL broken, highlighted by wechsler)

The link will take you to our Verify Your Identity page. Fill in the
appropriate fields to update your profile information and Security
Questions, and click Submit. You will then be able to access your account.


Thanks for using PayPal!


Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
"Help" link in the footer of any page.

----------------------------------------------------------------
PROTECT YOUR PASSWORD

NEVER give your password to anyone and ONLY log in at
https://www.paypal.com. Protect yourself against fraudulent
websites by checking the URL/Address bar every time you log in.
----------------------------------------------------------------

From: ciphergoth
Date: July 7th, 2003 - 05:55 am (Link)
From: wechsler
Date: July 7th, 2003 - 06:01 am (Link)
I know - I first saw it on a fake news article years back, and wasn't claiming the attack to be new, just this particular use of it. I doubt all that many PayPal users read Counterpane ;) , and many will not be aware of the possibility of the attack (since PayPal reassure people "It's fine if it starts with https://www.paypal.com").

This attack is quite neatly crafted (if not spell-checked) and is bound to catch a few people less paranoid than I.
From: nevla
Date: July 7th, 2003 - 07:23 am (Link)
I thought things are fine if they start with https://www.paypal..etc.
What does all that extra gumf do then?
*intrigued by the mystical properties of the URL*
From: wechsler
Date: July 7th, 2003 - 07:58 am (Link)
Note to pedants: the below is approximated for simplicity.

Full form of the URL:

? = previous item optional
'x' = literal 'x'

[PROTOCOL]([USERNAME](':'[PASSWORD])?'@')?[HOSTNAME]('/'[PATH])?

eg: https://www.paypal.com

PROTOCOL: 'https://'
USERNAME: n/a
PASSWORD: n/a
HOSTNAME: 'www.paypal.com'
PATH: n/a, defaults to '/'

eg: ftp://user:password@ftp.somedomain.com/pub/uploads

PROTOCOL: 'ftp://'
USERNAME: 'user'
PASSWORD: 'password'
HOSTNAME: 'ftp.somedomain.com'
PATH: '/pub/uploads'

eg: https://www.paypal.com:reallylongthingyouassumeisanauthtoken@X.y.CoM/scripts/passwordthief.pl

PROTOCOL: 'https://'
USERNAME: 'www.paypal.com'
PASSWORD: 'reallylongthingyouassumeisanauthtoken'
HOSTNAME: 'X.y.CoM'
PATH: '/scripts/passwordthief.pl'

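An added example (not from the original post or any of the commenters) that turns the grammar above into a parser and a check. It assumes the simplified grammar as written, with an optional port added, and cross-checks the hostname against Python's urllib, which applies the same "everything before the last @ is credentials" rule a browser does.

```python
import re
from urllib.parse import urlsplit

# The comment's simplified grammar as a regex (optional ':port' added here):
# [PROTOCOL]([USERNAME](':'[PASSWORD])?'@')?[HOSTNAME]('/'[PATH])?
URL_RE = re.compile(
    r"^(?P<protocol>[a-zA-Z][a-zA-Z0-9+.-]*://)"
    r"(?:(?P<username>[^:@/]*)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<hostname>[^:/]*)(?::(?P<port>\d+))?"
    r"(?P<path>/.*)?$"
)


def parse_url(url):
    """Split a URL into the fields named in the comment above."""
    m = URL_RE.match(url)
    if m is None:
        raise ValueError("not in [PROTOCOL]...[PATH] form: %r" % url)
    parts = m.groupdict()
    parts["path"] = parts["path"] or "/"  # PATH n/a defaults to '/'
    return parts


def real_hostname(url):
    """The host a browser will actually connect to, lower-cased.
    Cross-checked against the standard library, which uses the same rule:
    everything before the last '@' in the authority is credentials."""
    ours = parse_url(url)["hostname"].lower()
    theirs = (urlsplit(url).hostname or "").lower()
    assert ours == theirs, (ours, theirs)
    return ours


def host_matches(url, expected_host):
    """True when the real host is EXPECTED_HOST or a subdomain of it."""
    host = real_hostname(url)
    return host == expected_host or host.endswith("." + expected_host)


def userinfo_spoof(url, expected_host):
    """True when EXPECTED_HOST appears only as the USERNAME field while
    the real host is something else: the trick used in this post."""
    p = parse_url(url)
    username = (p["username"] or "").lower()
    return p["hostname"].lower() != expected_host and username == expected_host
```

The three URLs from the comment above give hostnames 'www.paypal.com', 'ftp.somedomain.com' and 'X.y.CoM' respectively; only the last one trips userinfo_spoof().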
From: nevla
Date: July 7th, 2003 - 08:01 am (Link)
*mental note*
Thanks - I understand now.
From: wechsler
Date: July 7th, 2003 - 08:02 am (Link)
Oh, and just for fun, HOSTNAME can be any of:

unqualified host name, eg 'intranet'
fully qualified host name, eg 'www.romeburns.co.uk'
IP address as 4x8 bits, eg: 127.0.0.1
IP address as 32 bits, eg: 11287882

Would you recognise this last as a hostname?
From: nevla
Date: July 7th, 2003 - 08:05 am (Link)
Would you recognise this last as a hostname?
No sir.
How does one go from 4x8 bits to 32 bits?

I suddenly feel both vulnerable, and so amateurish.
From: wechsler
Date: July 7th, 2003 - 08:13 am (Link)
Very few people online actually know how URLs are really composed, so you're neither particularly amateurish, nor alone.

I'm no expert on this lot myself, and the next bit may well be corrected:

AFAIK, 8x4 to 32 is simply done by upshifting.

Eg, w.x.y.z (4x8) = (w<<24 + x<<16 + y<<8 +z) (32)

ie 127.0.0.1 ('cos I hate that bloke) => 127<<24 +1 = 2130706433

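An added example, not from the original thread, that carries out the shift formula above in both directions and shows what the 32-bit hostname from the earlier comment ('11287882') actually is. The DNS-name examples passed through are the ones from that comment; the result is cross-checked against Python's ipaddress module.

```python
import ipaddress
import re

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def quad_to_int(quad):
    """w.x.y.z (4x8 bits) -> (w<<24) + (x<<16) + (y<<8) + z (32 bits)."""
    m = DOTTED_QUAD.match(quad)
    if m is None:
        raise ValueError("not a dotted quad: %r" % quad)
    w, x, y, z = (int(g) for g in m.groups())
    if max(w, x, y, z) > 255:
        raise ValueError("octet out of range: %r" % quad)
    return (w << 24) + (x << 16) + (y << 8) + z


def int_to_quad(n):
    """Inverse: shift right and mask off 8 bits at a time, top octet first."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %r" % n)
    return "%d.%d.%d.%d" % (
        (n >> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)


def normalize_host(hostname):
    """Show a hostname the way a person expects to read it: a bare decimal
    integer is an IP address in 32-bit form and is rendered as a dotted
    quad; dotted quads and DNS names pass through unchanged."""
    if hostname.isdigit():
        quad = int_to_quad(int(hostname))
        # stdlib cross-check: ipaddress accepts the 32-bit form directly
        assert str(ipaddress.IPv4Address(int(hostname))) == quad
        return quad
    return hostname
```

So 127.0.0.1 is 2130706433, and the '11287882' from the comment above is 0.172.61.74.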
From: nevla
Date: July 7th, 2003 - 08:46 am (Link)
I've figured it out, but in your notation what is "<<"?
From: wechsler
Date: July 7th, 2003 - 08:48 am (Link)
'left shift by'
From: nevla
Date: July 7th, 2003 - 08:58 am (Link)
Ah - now I see. It's binary.
The fourth part is on ones. The third part is left-shifted 8 places, giving a binary 100000000, or 256.
The second part is left-shifted 16 places to give 10000000000000000, or 65536, or 256^2.
Never could get my head around other bases very well.

From: nevla
Date: July 7th, 2003 - 08:09 am (Link)
Ignore my last question - I've been reading on the web about IPs, and frankly it's above me ATM.
One day I will learn all this weird IT stuff, but not today... :)