Home page logo
/

basics logo Security Basics mailing list archives

Possible paypal security problem
From: Harry Henry Gebel <hgebel () fusemail com>
Date: Tue, 18 Dec 2007 18:31:02 -0500

I tried to log in to paypal about half an hour ago. I manually typed www.paypal.com to login. I got the normal paypal login page, and after entering my password I got the following message:

---------------------
Security Measures
Help with this page ?

We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you will now be taken through a series of identity verification pages.

Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.
---------------------

It then had a dropdown box listing the last two digits of the cards I had registered with paypal and asking me to pick one and type in the full number associated with that card. This looked extremely phishy to me, so the first thing I did was look at the url to make sure I was actually at paypal, then I checked the security certificate and it says it is verified to be associated with www.paypal.com by verisign (The certificate's serial number is 6E:6B:9C:A3:F7:52:35:B4:95:37:86:D4:E5:13:54:A9 if anyone knows paypal's actual serial number.) I checked what ip address my computer thinks www.paypal.com is and used several web dns reverse lookups to verify that it really belongs to www.paypal.com. Then I closed Firefox and tried to log in with Internet Explorer and it brought me to the same page (I also verified the certificate with IE). Then I rebooted the computer in Linux and tried to log in again and it brought me to the same page and I was able to verify the security certificate.. I searched on the internet to see if this message was associated with phishing, and found several phishing emails with the same or similar text but no reference to any man-in-the-middle type attacks using this text. During all this I also shut down my router's wireless capabilities in case someone was doing anything strange with the wireless network.

I looked at the page source and it was a straightforward web page without frames or anything that might disguise where parts of the page were coming from. It pulled some stylesheet information and images from paypalobjects.com, but they are registered with paypal, and in any case the form was sending it's results going to paypal.com.

I was still afraid that someone could be between me and paypal, but I picked a card with a very small dollar amount available and tried to see what would happen. If they were in the middle they already had my password and I figured I could cancel that card if this turned out to be fake. When I submitted the information I just got a screen asking to retry. Now I was really nervous. I picked a card from a company I no longer have an account with and tried that, I got the retry screen again. Finally, I tried the first card again and got the retry screen a third time.

I then looked at my e-mail and every time I had tried to log in I had gotten an e-mail from paypal warning that someone had tried to log into my account from a foriegn IP address and urging me to change my password if it wasn't me.

EMAIL BEGINS:

Dear Harry Henry Gebel,

We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address.

If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you. 
However, if you did not initiate the log ins, please visit PayPal as soon as possible to change your password:

https://www.paypal.com/us/cgi-bin/?cmd=_login-run

Changing your password is a security measure that will ensure that you are the only person with access to the account.

Thanks for your patience as we work together to protect your account.

Sincerely,
PayPal

----------------------------------------------------------------
PROTECT YOUR PASSWORD

NEVER give your password to anyone, including PayPal employees. Protect yourself against fraudulent websites by opening 
a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your 
account.


----------------------------------------------------------------


Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, 
log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.

----------------------------------------------------------------

:EMAIL ENDS

The email had was pure text with no links or images so I'm fairly sure it's genuine. This makes me even more nervous that there is a man-in-the-middle attack going on. I can't change my password since there is no way for me to finish logging in (it just keeps saying retry). Can anyone figure out what is going on here, and what I should do to fix it? It is also occurring to me that maybe paypal thinks that my IP address (68.205.xxx.xxx, Brighthouse Cable in Orange County, Florida) is foreign for some reason and that that misconception is causing all of these problems. If anyone can help or at least explain to me what's going on I would appreciate it.

-Harry




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]