Sneaky sneaky

I’ve heard of these shenanigans before, but never been so lucky as to be personally involved. I just received an official looking email with return address [email protected] asking people to verify their account information to cut down on fraud:

Your As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts. You are requested to visit our site by following the link given below :
https://www.paypal.com/cgi-bin/webscr?cmd=verification

Please fill in the required information.
This is required for us to continue to offer you a safe and risk free
environment to send and receive money, and maintain the PayPal Experience.

Of course the barely-trained eye notices that the link points to the site exme.us, and not the assumed paypal.com. The horror! Who is responsible for this preposterous event? The WHOIS database points the finger at some guy named Tim Carey from Wisconsin:
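
The tell described above, a link whose visible text reads paypal.com while its `href` actually goes to exme.us, is mechanical to detect once the message is parsed rather than eyeballed. The following is an added example and not code from the original post: it pulls every anchor out of an HTML message, pairs the visible text with the real `href`, and flags anchors whose displayed host differs from the host the browser would connect to. The sample message is constructed for the example; only the exme.us host and the displayed PayPal URL come from the post, and the path on exme.us is a placeholder.

```python
"""Flag HTML e-mail links whose visible text names one host but whose href goes elsewhere."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or a bare hostname, e.g.
# "https://www.paypal.com/cgi-bin/webscr?cmd=verification" or "www.paypal.com".
URL_LIKE = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#].*)?",
    re.IGNORECASE | re.DOTALL,
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host named by the visible link text, or None if the text is not URL-like."""
    m = URL_LIKE.fullmatch(text.strip())
    return m.group(1).lower() if m else None


def actual_host(href):
    """Host the browser would really connect to when the link is followed."""
    host = urlparse(href.strip()).hostname
    return host.lower() if host else None


def mismatched_links(html):
    """Return one finding per anchor whose shown host differs from its real host."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        shown = displayed_host(text)
        if shown is None:
            continue  # "Click here"-style text: there is no shown host to compare
        real = actual_host(href)
        if real != shown:
            findings.append({"shown": shown, "actual": real, "href": href})
    return findings


# Constructed sample modelled on the message quoted in the post: the visible text
# names paypal.com, the href does not (the path on exme.us is a placeholder).
SAMPLE_EMAIL = """
<p>You are requested to visit our site by following the link given below :</p>
<p><a href="http://exme.us/PLACEHOLDER-PATH">https://www.paypal.com/cgi-bin/webscr?cmd=verification</a></p>
<p>Security tips: <a href="https://www.paypal.com/securitytips">https://www.paypal.com/securitytips</a></p>
<p><a href="http://exme.us/">Click here</a> to complete verification.</p>
"""

if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_EMAIL):
        print(f"shown {f['shown']!r} but link goes to {f['actual']!r} ({f['href']})")
```

Only anchors whose visible text looks like a URL are compared, so a "Click here" link is not reported here; a mail filter would normally pair this check with a reputation lookup on the real host. Hosts are compared exactly, so `www.paypal.com` shown over a `paypal.com` link is also reported, which is the conservative choice for a defender.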

Registrant:
tim (EXME-ORG-DOM)
carey
n9170 jordan st
appleton, US 54915
US
920 733-8254
[email protected]

Of course it’s suspicious that a person whose homepage links to friends in Lithuania (.lt = Lithuania) would also have a Lithuanian email address and live in Appleton, WI. Googling this email address returns one webpage (I’m feeling lucky), which is a user account on an IRC scripts website. Oh my lord, what a surprise! Our friend isn’t actually from Appleton, WI, but in fact from Lithuania, and a ripe 17 years old he is. Doing a reverse DNS lookup on his IRC server of choice (212.122.68.56) gives the hostname exme.skynet.lt, some sort of media network as far as I can tell; my Lithuanian is a bit shaky. Likely story: our friend here works for skynet.lt, or has friends who do.

Our friend’s guestbook shows that other people are doing their own sleuthing. What’s the point of this whole exercise? I’m interested in how long it will take PayPal to recognize this idiot and silence him. I’m putting my money on less than 5 days. But how many PayPal accounts must die in the process?

Update: Less than 12 hours later, the site is down and PayPal has responded to my inquiries. Read the comments for the details.

19 thoughts on “Sneaky sneaky”

  1. I’ve gotten a few of these over the past year and report them immediately to PayPal, even if they are already aware of it. I’ve found that PayPal often has the fake site shut down within a matter of hours.

    They really need to do a better job of educating their consumers, though. A good education campaign about online fraud would likely reduce the number of people who fall for it. But instead, we get the same silence we’ve been getting for years from Visa and Mastercard and the banks whenever fraud is discussed.

  2. I did report this incident to the PayPal fraudulent behavior people, which will inevitably affect the outcome of my experiment. I guess this just puts all the cards on the side of PayPal; they have no excuse not to have him down immediately.

    On a side note, I did date a Lithuanian girl a few years back, and this animosity is in no way directed towards her, her brother, or her family. It’s just a coincidence!

  3. Wow. I’ve received three of these e-mails, going back as far as a month ago (as best I can recall, I deleted them). They were directed to an e-mail address by which I set up a PayPal account a long time ago. I don’t think I ever used it.

    I have another account that is active, so I assumed the e-mail was valid (I did look at the full headers long enough to think it was legit … didn’t see the URL switcheroo), and since it made sense to have that account shut down, I simply ignored it.

    Nice catch. I was only saved by inaction.

  4. I just received this email from the PayPal support staff, also noticing that the website is now down. Good job PayPal!

    Dear Cameron Marlow,

    Thank you for contacting PayPal.

    Thank you for bringing this suspicious email to our attention. We can confirm that the email you received was not sent to you by PayPal. The website linked to this email is not a registered URL authorized or used by PayPal. We are currently investigating this incident fully. Please do not enter any personal or financial information into this website.

    If you have surrendered any personal or financial information to this fraudulent website, you should immediately log into your PayPal Account and change your password and secret question and answer information. Any compromised financial information should be reported to the appropriate parties.

  5. Followed by a more personal mail:

    Subject: Re: ReportFraud/Spam:FakeSite:61:753 (KMM31595082V63338L0KM)

    Dear Cameron Marlow,

    Thank you for contacting PayPal.

    The email that you received is not from PayPal. It is a malicious attempt to gain your financial information or to gain entry to your PayPal account. The particular email that you refer to has already been reported by others as well. As a precautionary measure I would request that you take a moment to change your password and security questions if you have not already done so.

    In regards to your questions on how unauthorized access occurs, members of every type of email, internet, and financial services are randomly bombarded with emails attempting to compromise their user ID and password information.

    Some people fall prey to these emails and unknowingly surrender passwords, credit card numbers, and a wide array of personal information that is locked so well inside the secure servers of internet companies, that fraudulent parties and would-be hackers have to resort to email and website scams to deceive people into thinking they’re dealing with the trusted site.

    PayPal is just one company whose users sometimes see these types of emails and websites.

    PayPal is dedicated to maintaining safe and secure online transactions, and is always attempting to increase user awareness of how to avoid online fraud. Despite the fact that this problem exists between a fraudulent party and a victimized user in external communication from PayPal, we are constantly seeking more ways to increase this awareness and create a safer, more secure online experience for everyone.

    We at PayPal work hard to protect our customers, and have many security measures to help ensure your protection. For this reason, we provide our customers with ‘Security Tips’, which allow us to work together to protect against fraud.

    To view PayPal’s ‘Security Tips’, click https://www.paypal.com/securitytips or copy and paste the entire link into the address bar.

    If you have any further questions, please feel free to contact us again.

    Sincerely,
    Charlene
    PayPal Account Review Department

  6. Oh man, I got something very similar — an HTML form via e-mail, also PayPal-branded (to perfection), asking the recipient (me) to please complete this verification form by providing my credit-card number, ATM card number, and (amazingly) ATM PIN. Then, please click the nice, fat submit button below.

    When I called PayPal to make sure they were aware of this, the representative seemed quite blasé about the whole thing. I asked whether they’d inform their users (at least with a link somewhere on the PayPal site) of this message and of others like it; his response was dismissive at best. “We have 22 million users,” he said. “If we did that, we’d cause more panic than anything.”

    Scary, though, how many actual PayPal customers filled out that form.

  7. Do we know how many PayPal customers actually were duped into completing the form?

    Also – does anybody have a screenprint of the fake PayPal site? I’m curious how good the copy was.

  8. I’ve gotten a couple more since the day you posted this. I’m wondering why they don’t ban outside linking to their tab images? That would at least make the email look broken, which might arouse suspicions.

  9. Or MAYBE the heads at PayPal are behind this entire thing, and commit as much fraud as possible before people ask them to shut down the sites, and apologize for losing their money.

  10. Turning off HTML is a great idea not only for avoiding scams, but also to prevent those in control of our junk mail the ability to track us. Since I’ve been away from Cambridge, I’ve started using pine for all of my email, and more than once I’ve caught an aptly placed bug. They didn’t get me this time!

    Of course, for those stuck in the gears of the Microsoft Hegemony, it’s a little bit harder to make that decision. Turning off HTML viewing is impossible as far as I can tell.

  11. I have had two such emails that appear to be from Barclays bank, and the URL directs you to ibank.barcIays.co.uk rather than ibank.barclays.co.uk. The content of the website is replicated.

    It was just as easy as your paypal person to track down the responsible individual.

    Barclays are useless and would have probably ignored my email to inform them of the scam.
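
The barcIays/barclays trick in the comment above (a capital I standing in for a lowercase l) is a homoglyph domain, and a defender can catch it by comparing a "skeleton" of the hostname, with confusable characters folded to a canonical form, against a list of trusted hosts. The code below is an added example and not part of the original post or its comments; the trusted list and the confusable table are assumptions chosen for the illustration, and the table is deliberately small.

```python
"""Classify a hostname as trusted, a lookalike of a trusted host, or unknown."""

# A small table of characters that look like others in common fonts. It is an
# illustration and deliberately incomplete; a production checker would use
# Unicode's confusables data and a maintained list of trusted hosts.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",  # capital i, digit one, pipe vs lowercase L
    "0": "o",                      # digit zero vs letter o
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                 # Cyrillic с у х
}

# Assumed allowlist for the illustration; these two hosts are the ones the post
# and the comment above treat as legitimate.
TRUSTED_HOSTS = ["ibank.barclays.co.uk", "www.paypal.com"]


def decode_idna(host):
    """Turn xn-- punycode labels back into the Unicode a user would see."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed: leave it as-is


def skeleton(host):
    """Fold confusables to a canonical form *before* lowercasing, because
    lowercasing 'I' to 'i' first would hide the capital-I-for-l substitution."""
    host = decode_idna(host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in host).lower()


def classify_host(host, trusted=TRUSTED_HOSTS):
    """Return 'trusted', 'lookalike of <trusted host>', or 'unknown'."""
    if host.lower() in trusted:
        return "trusted"
    sk = skeleton(host)
    for t in trusted:
        if skeleton(t) == sk:
            return f"lookalike of {t}"
    return "unknown"


if __name__ == "__main__":
    # The first host is the one named in the comment; the others are constructed.
    for h in ["ibank.barcIays.co.uk", "ibank.barclays.co.uk", "www.paypa1.com", "exme.us"]:
        print(f"{h:24} -> {classify_host(h)}")
```

An "unknown" result is not a clean bill of health, only the absence of a visual match against the allowlist, so this check belongs in front of, not instead of, the href-versus-text comparison and a reputation lookup.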
