fulldisclosure logo Full Disclosure mailing list archives

RE: Posible PayPall Scam? FW: Your PayPal ac
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 06 Mar 2003 14:13:25 +1300

These Paypal spam scams are becoming more common.  Here's where to
report them at Paypal:

   https://www.paypal.com/cgi-bin/webscr?cmd=_contact-general-flow

This kind of advice always intrigues me...

What can PayPal (or eBay or Amazon or AOL or any of the other popular 
targets of such scams) do about this?

Precious little.  They can complain to the service providers involved 
in the spamming (if they are sent the full Email headers -- unlikely 
from a substantial proportion of those naive enough to have to ask 
what they should do about such things) and they can complain to the 
service providers of the website hosting the bogus "login" form.

I guess that saves the concerned user the hassle of learning how to 
track such contacts down (and PayPal et al. are bound to have better 
resources for dealing with language translation issues that may seem 
almost inevitable in such cases).

However, it also could significantly delay the processing of the 
complaint _to_ the service providers that most need to act -- those 
hosting the web servers or Email accounts in cases where the 
harvested information is received by Email.

Think about it.

Someone hatches one of these schemes, buys into a spamming operation 
for delivery of the bogus Emails and sets the Email in motion.  Say 
the spamhaus successfully delivers 100,000 of these bogus Emails per 
hour (i.e. 100,000 messages get into real inboxes).  Further, let's 
say that 0.001% of recipients are gullible enough to be taken in by 
the scam (I have no idea if this is a reasonable ball-park figure -- 
anyone??  It would partly depend on the relative popularity of the 
targeted organization and on the relative savvy of that service's 
clientele.)  Ignoring ramp-up issues (we'll assume the spammers 
target addresses are randomly distributed around the globe and that 
delivery-to-read delays have no effect) and assuming the above, the 
scammer gets one PayPal account per hour his web server is running.

Thus, _only_ sending notifications of receiving such scams to PayPal, 
etc gives the scammers a "get out of jail free" (or at least, a 
"delay losing your scam site") card worth at least however many 
hours delay there is between notifying PayPal and its staff actually 
even getting through the message queue to consider it.

Now, back to PayPal and the specific issue at hand...

   https://www.paypal.com/cgi-bin/webscr?cmd=_contact-general-flow

   It appears that you have JavaScript disabled, or your browser is
   incapable of displaying the content below. Please click here for 
   the non-JavaScript version.

"here" is:

   https://www.paypal.com/cgi-bin/webscr?cmd=_contact_no_js

I suspect my views on the _SHEER IDIOCY_ of requiring (or at least 
expecting) those trying to use your "report or investigate a security 
problem" pages to lower their web browser's security options are 
sufficiently well-known that I need not say anything here.  Anyway, 
the process is a tad involved, requiring you to select the right 
"fraud reporting" option from virtually the bottom of a _very_ long 
list of (mainly mundane) reasons people may have for contacting 
PayPal.  It might be better to point them to:

   http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/security-main-outside

which has three links to, presumably, the most commonly reported 
"fraud" related issues -- spam, fake sites and unauthorized 
transactions.

   https://www.paypal.com/ewf/f=sa_email

   https://www.paypal.com/ewf/f=sa_fake

   https://www.paypal.com/ewf/f=sa_unauth

Anyway, whichever of the various mechanisms you use, all of the 
online "send Email to our Customer Service team" pages have a very 
brief introduction ending with:

   We will respond to your email as quickly as possible, typically within
   2-3 business days.

Hopefully that does not reflect the queue length for such reports 
just to be read -- if so, _only_ reporting such issues to PayPal 
means the scammer may get as much as a 48-72 user account 
advantage...


Regards,

Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

