[Crime] FW: Your access to a false PayPal site on 8-9 Sep 05.

From: Michael Breamer (michael.breamer@private)
Date: Tue Oct 11 2005 - 07:34:11 PDT


Hi all,

A friend of mine forwarded this to me and I thought the group might find
it of interest...

-Michael

-----Original Message-----
From: Stephanie Schoenborn [mailto:sgschoenborn@private] 
Sent: Monday, October 10, 2005 10:05 PM
To: Me
Subject: Fwd: Your access to a false PayPal site on 8-9 Sep 05.

This is just about the funniest thing I've ever seen, so I just *had* to
share it. My friend Matt is an Internet security professional in DC.
As a hobby (because he is a total geek), he also runs a bunch of servers
out of his home. One of them was hacked and used to perpetrate a
phishing scheme attempting to get PayPal account info, which Matt
caught. 

He contacted PayPal, and they didn't care. So he personally e-mailed the
people who responded to the scheme using logs, who (apparently) also
didn't care. He's still getting daily hits to the fake site, so he put
up this content on the page today:
http://www.forensiclab.net/~ftpuser/Online.Access.Paypal.com/

Go read it. It'll make your day. (The "Kitty Poster" bit is the best
part.)


> ---------- Forwarded message ----------
> From: Matt Pepe <mtpepe@private>
> Date: Sep 9, 2005 5:17 PM
> Subject: Your access to a false PayPal site on 8-9 Sep 05.
> To: mtpepe@private
> Cc: spoof@private
> (A copy of this e-mail has been sent to the PayPal security e-mail, 
> spoof@private in addition to the individuals affected.)
> 
> Good Afternoon,
> 
>   This e-mail is to inform you that your PayPal account information
> may have been compromised. On 8 September 2005, an attacker
> compromised a user account on a server under my control by correctly
> guessing a login password. Analysis of the security auditing records
> suggests that the attackers had been scanning my server intermittently
> over the past 4 days. At one point, they guessed a correct password and
> uploaded a false web site that was designed to look like PayPal. Once
> the pages were accessible, they sent an unknown number of e-mail
> messages, known as a 'phishing scam' - one of which you received,
> clicked on, and filled out.
> 
> The contents of this e-mail are unknown to me at this time; however, I
> assume that it referred to an account or password validation request.
> Luckily, my server logged the transactions made to the false web site
> during the past 24 hours. These logs allowed me to identify the e-mail
> addresses entered on the web form and send you this warning. You are
> one of the 14 users that submitted information on the false web site.
> 
> PayPal has been notified of the 14 user accounts that are affected by 
> this event. By law, they are not under obligation to inform you at 
> this point, as they may not be aware of fraudulent access to your 
> account. This is why I chose to e-mail each of you personally. Sadly, 
> it has been my experience that it is unlikely that they will contact 
> you.
> 
> PayPal is legally bound to protect your information from disclosure, 
> as it is classified as a 'financial institution' under the 
> Gramm-Leach-Bliley Act of 1999 (ref:
> http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.htm). In 
> particular they are charged with protecting the following information,
> known as Nonpublic Personal Information (NPI). (quoted from the
> FTC.gov Web site)
> 
>         - any information an individual gives you to get a financial 
> product or service (for example, name, address, income, Social 
> Security number, or other information on an application);
>         - any information you get about an individual from a 
> transaction involving your financial product(s) or service(s) (for 
> example, the fact that an individual is your consumer or customer, 
> account numbers, payment history, loan or deposit balances, and credit
> or debit card purchases); or
>         - any information you get about an individual in connection 
> with providing a financial product or service (for example, 
> information from court records or from a consumer report).
> 
> A number of states have begun codifying laws that mandate notification
> of a consumer in the event of a breach of the GLBA Safeguards Rule;
> however, many companies have yet to issue policies that comply. I am
> not aware whether PayPal has, or will have, notification policies for
> this type of event.
> 
> As far as I am aware, the only information that has been disclosed to 
> the attacker is the username and password that you supplied through 
> the web site you visited (in the last 24 hours). Until PayPal 
> discovers if the confidentiality of your NPI has been compromised, 
> they will not be held to any reporting standard.
> 
> Further investigation on this matter is in the hands of the security 
> folks at PayPal.
> 
> **** What This Means to You ****
> 
> Someone else has your logon information for PayPal. This means that 
> someone else has access to the services, payments, or personal 
> information that you have access to through the PayPal system. I 
> suggest taking the following remedial actions. By all means, research 
> this yourself at the Federal Trade Commission Web site and determine 
> your best course of action.
> 
>         - Change your password on PayPal / eBay and any other sites
>           for which you use the same username and password pair. I am
>           not sending URLs in this message, as you should _never_
>           click on links in e-mail. Always look at what you are being
>           asked to click on and type it in yourself. Additionally, you
>           should _always_ be aware of the name of the site you are
>           visiting. If something looks suspicious, manually type in
>           the URL of the home page of the company and navigate to the
>           Accounts page from there.
> 
>         - Notify the credit card and/or bank that you provided to
>           PayPal. Ask them to watch the account for suspicious
>           activity.
> 
>         - Visit the sites of the credit clearinghouses such as
>           Experian and ChoicePoint. Pay them the $30 (or whatever it
>           is) and get a copy of your credit report. Monitor it over
>           the next few months for suspicious activity. They will not
>           do this for you, and if a problem is not identified quickly
>           the dispute resolution process is convoluted and painfully
>           slow. Better yet, visit the Federal Trade Commission Web
>           site to see how you request a free credit report.
> 
> This is not meant in an alarming tone - you may get lucky and 
> absolutely nothing will happen. Although if you spend a couple hours 
> now, it may save you months of frustration later.
> 
> 
> In summary, as of 14:00 EST on 9 September 2005, I have initiated
> contact with PayPal and am working to provide them with all of the
> information that I have. What I know are the users affected, the
> e-mail addresses to which the account information was sent, and the IP
> addresses of the systems that were used to place the false web site on
> my server. One end of the chain comes from Romania, the other end
> terminates at an e-mail address in the yahoo.com domain. If you notice
> suspicious activity that may be related to this event, notify PayPal
> immediately and inquire whether law enforcement is involved. Their
> Resolutions department may be able to connect you with people that can
> help.
> 
> Good luck. If you have any questions, contact PayPal's Resolution 
> folks.
> 
> -- Matt
> 
> More Information (Inactive links):
> 
> Phishing and Internet Fraud
>  Department of Justice white paper  www.usdoj.gov/criminal/fraud
> 
> Identity Theft
>  FTC Web site on ID Theft  www.consumer.gov/idtheft
> 
> How to Avoid Phishing Scams
>  The Anti-Phishing Working Group
> www.antiphishing.org/consumer_recs.html
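The two pieces of log analysis the forwarded report relies on, worked as an added example for this archive page (it is not code from Matt's message or from his server): flag a source address that fails many logins and is then accepted, which is the signature of a guessed password rather than a mistyped one, and recover the e-mail addresses submitted to the fake site from the web server's access log so the owners can be notified. The sshd- and Apache-style log lines are constructed for the example and use documentation address ranges; the login.php filename, the "email" query parameter and the assumption that the kit's form submitted via GET are all assumptions, since the report does not say how its server logged the submissions. The path prefix is the one in the URL quoted earlier in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sshd-style auth log excerpt (assumed format; not from the report).
# 203.0.113.44 plays the attacker: days of intermittent guessing, then success.
# 192.0.2.5 is a legitimate user who mistypes once; the threshold must not flag it.
AUTH_LOG = """\
Sep  5 02:11:03 srv sshd[1021]: Failed password for invalid user admin from 203.0.113.44 port 40211 ssh2
Sep  5 02:11:05 srv sshd[1021]: Failed password for invalid user test from 203.0.113.44 port 40212 ssh2
Sep  6 14:20:41 srv sshd[1302]: Failed password for ftpuser from 203.0.113.44 port 41877 ssh2
Sep  7 09:02:19 srv sshd[1555]: Failed password for ftpuser from 203.0.113.44 port 43002 ssh2
Sep  8 03:40:55 srv sshd[1801]: Failed password for ftpuser from 203.0.113.44 port 44110 ssh2
Sep  8 03:40:58 srv sshd[1801]: Accepted password for ftpuser from 203.0.113.44 port 44110 ssh2
Sep  8 10:00:00 srv sshd[1900]: Failed password for matt from 192.0.2.5 port 50000 ssh2
Sep  8 10:00:09 srv sshd[1900]: Accepted password for matt from 192.0.2.5 port 50000 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def guessing_sources(auth_log, min_failures=3):
    """Return {ip: {"failures": n, "accepted_as": [users]}} for each source that
    failed at least min_failures times and was accepted *after* those failures."""
    stats = defaultdict(lambda: {"failures": 0, "accepted_as": []})
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        rec = stats[m["ip"]]
        if m["result"] == "Failed":
            rec["failures"] += 1
        elif rec["failures"] >= min_failures:  # success only counts once the run of failures exists
            rec["accepted_as"].append(m["user"])
    return {ip: r for ip, r in stats.items() if r["accepted_as"]}


# Constructed Apache combined-format access log (assumed format and filenames).
# The POST line shows the limit of this method: a POST body is not in the access
# log, so that hit yields no address and would need the kit's own drop file.
ACCESS_LOG = """\
198.51.100.7 - - [08/Sep/2005:22:14:07 -0400] "GET /~ftpuser/Online.Access.Paypal.com/login.php?email=alice%40example.com&pass=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [08/Sep/2005:22:14:09 -0400] "GET /~ftpuser/Online.Access.Paypal.com/thanks.html HTTP/1.1" 200 210 "-" "Mozilla/4.0"
192.0.2.9 - - [09/Sep/2005:01:03:55 -0400] "GET /~ftpuser/Online.Access.Paypal.com/login.php?email=Bob%40example.org&pass=secret HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.9 - - [09/Sep/2005:01:05:12 -0400] "GET /~ftpuser/Online.Access.Paypal.com/login.php?email=bob%40example.org&pass=secret2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.20 - - [09/Sep/2005:02:30:00 -0400] "POST /~ftpuser/Online.Access.Paypal.com/login.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.44 - - [09/Sep/2005:03:20:01 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHISH_PREFIX = "/~ftpuser/Online.Access.Paypal.com/"  # path from the URL quoted in the thread


def affected_emails(access_log, phish_prefix=PHISH_PREFIX):
    """Return {email: first_seen_timestamp} for addresses submitted to the fake
    site. Only the address is kept: the harvested password is deliberately not
    retained, since notifying the victim needs the address alone."""
    seen = {}
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith(phish_prefix):
            continue
        for email in parse_qs(parts.query).get("email", []):
            email = email.strip().lower()  # de-duplicate Bob@ and bob@
            if EMAIL_RE.match(email):
                seen.setdefault(email, m["ts"])
    return seen


if __name__ == "__main__":
    for ip, rec in guessing_sources(AUTH_LOG).items():
        print(f"{ip}: {rec['failures']} failures, then accepted as {rec['accepted_as']}")
    for email, first_seen in affected_emails(ACCESS_LOG).items():
        print(f"notify {email} (first submission {first_seen})")
```

Run it as a script to see the flagged source and the notification list. The threshold in guessing_sources is the practical knob: too low and every fat-fingered login is an alert, too high and a slow guess spread over days, as in the report, slips under it, so count across the whole window rather than per session.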


		


_______________________________________________
Crime mailing list
Crime@private
http://lists.whiteknighthackers.com/mailman/listinfo/crime



This archive was generated by hypermail 2.1.3 : Tue Oct 11 2005 - 14:03:46 PDT