
Security Basics mailing list archives

Re: Possible PayPal security problem
From: "Fabio Fagundes" <fabio.fagundes () gmail com>
Date: Wed, 19 Dec 2007 19:49:44 -0200

Hi all,

nslookup paypal.com :

Reverse resolution seems to be fine too... 1st & 2nd resolve to
www.paypal.com and the 3rd & 4th to

Malware/spyware may be accessing your encrypted traffic just after
decryption and before encryption. Your network may be tapped and a
man-in-the-middle attack is in place.

Check this recent research on different attacks on hash functions,
like "Colliding X.509 Certificates based on SHA1-collisions" and
"Impact of Recent Attacks on Hash Functions".

Fabio Fagundes

On Dec 19, 2007 4:21 PM, Bob Dienhart <rdienhart () alt-tab cc> wrote:
Flush your DNS cache and any browser history.  Then try connecting via IP
rather than URL.  I just ping'd "www/paypal.com" and that URL resolved to from where I sit, which is in snowy Milwaukee.  Can anybody
corroborate that address as a valid one for PayPal?

Bob Dienhart

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Albert R. Campa
Sent: Wednesday, December 19, 2007 9:44 AM
To: Harry Henry Gebel
Cc: security-basics () securityfocus com
Subject: Re: Possible paypal security problem

I just logged into my paypal and didn't get that form.
You may want to verify from paypal that this form is new practice on
their part. Worst case, they don't know what it is.



On Dec 18, 2007 5:31 PM, Harry Henry Gebel <hgebel () fusemail com> wrote:
I tried to log in to paypal about half an hour ago. I manually typed
www.paypal.com to login. I got the normal paypal login page, and after
entering my password I got the following message:

Security Measures

Help with this page ?

We are currently performing regular maintenance of our security
measures. Your account has been randomly selected for this maintenance,
and you will now be taken through a series of identity verification pages.

Protecting the security of your PayPal account is our primary concern,
and we apologize for any inconvenience this may cause.

It then had a dropdown box listing the last two digits of the cards I
had registered with paypal and asking me to pick one and type in the
full number associated with that card. This looked extremely phishy to
me, so the first thing I did was look at the url to make sure I was
actually at paypal, then I checked the security certificate and it says
it is verified to be associated with www.paypal.com by verisign (The
certificate's serial number is
6E:6B:9C:A3:F7:52:35:B4:95:37:86:D4:E5:13:54:A9 if anyone knows paypal's
actual serial number.) I checked what ip address my computer thinks
www.paypal.com is and used several web dns reverse lookups to verify
that it really belongs to www.paypal.com. Then I closed Firefox and
tried to log in with Internet Explorer and it brought me to the same
page (I also verified the certificate with IE). Then I rebooted the
computer in Linux and tried to log in again and it brought me to the
same page and I was able to verify the security certificate. I searched
on the internet to see if this message was associated with phishing, and
found several phishing emails with the same or similar text but no
reference to any man-in-the-middle type attacks using this text. During
all this I also shut down my router's wireless capabilities in case
someone was doing anything strange with the wireless network.

I looked at the page source and it was a straightforward web page
without frames or anything that might disguise where parts of the page
were coming from. It pulled some stylesheet information and images from
paypalobjects.com, but they are registered with paypal, and in any case
the form was sending its results to paypal.com.

I was still afraid that someone could be between me and paypal, but I
picked a card with a very small dollar amount available and tried to see
what would happen. If they were in the middle they already had my
password and I figured I could cancel that card if this turned out to be
fake. When I submitted the information I just got a screen asking to
retry. Now I was really nervous. I picked a card from a company I no
longer have an account with and tried that, I got the retry screen
again. Finally, I tried the first card again and got the retry screen a
third time.

I then looked at my e-mail and every time I had tried to log in I had
gotten an e-mail from paypal warning that someone had tried to log into
my account from a foreign IP address and urging me to change my password
if it wasn't me.


Dear Harry Henry Gebel,

We recently noticed one or more attempts to log in to your PayPal account
from a foreign IP address.

If you recently accessed your account while traveling, the unusual log in
attempts may have been initiated by you. However, if you did not initiate
the log ins, please visit PayPal as soon as possible to change your


Changing your password is a security measure that will ensure that you are
the only person with access to the account.

Thanks for your patience as we work together to protect your account.



NEVER give your password to anyone, including PayPal employees. Protect
yourself against fraudulent websites by opening a new web browser (e.g.
Internet Explorer or Netscape) and typing in the PayPal URL every time you
log in to your account.


Please do not reply to this email. This mailbox is not monitored and you
will not receive a response. For assistance, log in to your PayPal account
and click the Help link located in the top right corner of any PayPal page.



The email was pure text with no links or images so I'm fairly sure
it's genuine. This makes me even more nervous that there is a
man-in-the-middle attack going on. I can't change my password since
there is no way for me to finish logging in (it just keeps saying
retry). Can anyone figure out what is going on here, and what I should
do to fix it? It is also occurring to me that maybe paypal thinks that
my IP address (68.205.xxx.xxx, Brighthouse Cable in Orange County,
Florida) is foreign for some reason and that that misconception is
causing all of these problems. If anyone can help or at least explain to
me what's going on I would appreciate it.
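Harry's post compares the certificate's serial number by eye. As an added example (not code from this thread), the following Python reads the serial out of a DER-encoded certificate in the colon-hex form browsers display and computes the fingerprints one would record and compare across sessions or machines; the DER blob is hand-built from the serial quoted in the post and is not a real certificate.

```python
import hashlib

# Added example (not the thread's own code): parse a DER X.509 certificate far
# enough to read its serial number, and compute the fingerprints one should
# actually record. The sample blob is hand-built and is NOT a real certificate.

def _read_tlv(data: bytes, pos: int):
    """Parse one DER TLV at data[pos]; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_serial_number(cert_der: bytes) -> str:
    """Serial as colon-separated upper-case hex, the format browsers display."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)          # Certificate SEQUENCE
    tag, tbs, _ = _read_tlv(cert_body, 0)               # tbsCertificate SEQUENCE
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                     # optional [0] version
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    serial = value.lstrip(b"\x00") or b"\x00"           # drop DER sign padding
    return ":".join(f"{b:02X}" for b in serial)

def fingerprints(cert_der: bytes) -> dict:
    """SHA-1 and SHA-256 over the whole DER blob. Record the SHA-256 one: the
    serial is chosen by whoever issued the certificate, so it alone proves
    little; a hash of the full certificate compared against a previously seen
    value is the stronger check, and SHA-1 was already under attack in 2007."""
    return {name: hashlib.new(name, cert_der).hexdigest().upper()
            for name in ("sha1", "sha256")}

def build_sample_cert(serial: bytes) -> bytes:
    """Hand-built stand-in: SEQUENCE { SEQUENCE { [0] v3, INTEGER serial } }.
    Real certificates carry issuer, validity, key and signature after this."""
    if serial[0] & 0x80:                    # DER INTEGER is signed: pad positives
        serial = b"\x00" + serial
    version = b"\xa0\x03\x02\x01\x02"
    tbs_content = version + b"\x02" + bytes([len(serial)]) + serial
    tbs = b"\x30" + bytes([len(tbs_content)]) + tbs_content
    return b"\x30" + bytes([len(tbs)]) + tbs

# The serial quoted in the original post, used as constructed sample input.
SAMPLE_CERT_DER = build_sample_cert(bytes.fromhex("6E6B9CA3F75235B4953786D4E51354A9"))
```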

