PayPal phishing

I get a whole lot of spam that claims to be from PayPal and says my account has been blocked and I need to go to URL such-and-such and re-enter my personal information so they can unblock me.

At least 99% of that mail presumably consists of "phishing" attacks--some bad person who puts up a fake PayPal-looking website and sends out a fake PayPal-looking URL (disguised using a variety of techniques) in hopes of snaring unwary users. (Many of those phishing attacks consist of saying that some random email address has been added to my account, and that if that wasn't supposed to happen, I should click this link immediately. Pretty clever attack; every time I get one of those, I get the tiniest bit nervous that it could be true.)

I'm always nervous about just deleting such emails as spam, because on several occasions in the past few months, when I've gone to log in to PayPal I've been told that my password has been reset and I need to provide a new one. Which makes me suspect that a few of those emails might be legitimate.

But in the process of corresponding with PayPal support last week, I found out one very important/useful fact:

PayPal will never send you an email with the greeting "Dear PayPal User" or "Dear PayPal Member". Emails initiated by PayPal will address you by your first and last name, or the business name associated with your PayPal account.

That's made me a whole lot more relaxed about all the alleged PayPal spam I get. If it doesn't have my name on the top (and none of the spam does, so far), I can junk it without a second thought.

So I figured it was worth sharing that info in case others of you are in the same boat.

8 Comments

Thanks for the tip. I got a PayPal phish the other day that made me look twice: it very clearly featured boilerplate about how PayPal will never ask you to provide such-and-such information in an e-mail message, etc., disguising itself as a public-service announcement from PayPal about phishing. Then near the bottom, there was a message about a random security check thrown in that included, you guessed it, numerical links pretending in the link text to be paypal.com.


If you're using web mail, and your browser shows destination HTML in the lower margin (or anywhere else), you can always roll over the links that such emails provide. Even if they appear in the email as a PayPal URL, they're usually coded in such a way that the links actually point somewhere else.


Re: Dave's comment, note that at least in some cases even rolling over the link is not sufficient; at least a while ago there was a vulnerability in some browsers whereby a link to "paypal.com" didn't go to the "paypal.com" you thought it did -- because that first "A" wasn't a regular English a but some other Unicode character that looked the same.

They patched that problem:
http://www.boingboing.net/2005/02/08/mozilla_and_firefox_.html

But there can be similar attacks (e.g. registering paypa1.com).

The safest thing is always to type the URL yourself!
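
The link checks raised in the comments above (link text that shows paypal.com while the destination differs, numeric links, look-alike Unicode letters, and near-miss names such as paypa1.com), as an added Python example that is not part of the original post or its comments. The `TRUSTED` constant, the function and flag names, the similarity threshold and the sample HTML are all constructed for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "paypal.com"  # assumption: the single domain the reader expects
# Collects (href, visible text) for every <a> element in an HTML mail body.
class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    host = (urlsplit(href).hostname or "").lower()
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return []                                  # really goes to the trusted domain
    flags = []
    if TRUSTED in text.lower():
        flags.append("text-shows-trusted-domain")  # visible text and destination disagree
    if host.replace(".", "").isdigit():
        flags.append("numeric-host")               # digits and dots instead of a name
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.append("non-ascii-host")             # possible look-alike Unicode letters
    base = ".".join(host.split(".")[-2:])          # naive: last two labels only
    if difflib.SequenceMatcher(None, base, TRUSTED).ratio() >= 0.85:
        flags.append("lookalike-domain")           # near miss such as paypa1.com
    return flags

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}

# Constructed sample mail body (not a real message); \u0430 is Cyrillic "a".
SAMPLE = """
<a href="http://192.0.2.7/paypal.com/login">https://www.paypal.com/</a>
<a href="http://www.p\u0430ypal.com/">PayPal</a>
<a href="http://www.paypa1.com/">Click here</a>
<a href="https://www.paypal.com/us/home">Help</a>
"""
```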


Interesting. I've had the same trouble with PayPal login. I'm pretty sure that my account hasn't been compromised because there are no mysterious transactions, but I am getting tired of having to set up a new password. Anyone else?


Oh my god, yes. EVERY TIME I try to use PayPal, the stupid thing tells me I need to re-set my password.


I'm glad to hear it's not just me who has this problem. I got a further response from PayPal support: they claim that usually when this happens it's because your browser is storing your password.

Their "explanation" is cryptic and confusing. I think that what they're saying is that a lot of people have their browser store their passwords and somehow they store the wrong password. That's silly, and it's not what's happening in my case; I'm pretty sure I don't let my browser store my PayPal password. And their explanatory note consisted mostly of instructions on how to disable the password-memory system in IE, rather than (say) clear explanations of why/how this could possibly cause the problem at hand. And it's ridiculous anyway: I can't believe that they would reset your password if you enter the wrong password one single time.

So I'll write back to them and tell them it's not just me. Susan, you use Safari, right? What browser do you use, Cheryl? I don't know if the browser has anything to do with it, but it might.


Firefox, actually. And I cull my cookies every week, and PayPal cookies get cut with the rest, so I'm not sure that's it. (Unless password-storing doesn't happen in cookies?)


Firefox. And passwords to banking systems are one thing that I make damn sure are not stored in cookies on my hard drive. I do have good spyware protection, but I'm still not taking any chances. I type banking passwords in by hand every time I visit the site. I guess I might typo them once, but when I get the "wrong password" message I always make sure I get them right the second time.

What does occur to me is that PayPal might reset the password every time an incorrect one is entered. That is the sort of daft "security" precaution I can see being implemented.

