[Dshield] New Paypal scam

Tony Sykora tsykora at stcloudwirelessholdings.com
Mon Sep 22 17:52:53 GMT 2003

I sent the fraud department at PayPal the URL and they requested the
original email/spam, so if someone has the original PayPal email, could
they forward it to PayPal at spoof at paypal.com?  Thank you.

Dear Tony Sykora,

Thank you for contacting PayPal.

Thank you for bringing this potentially fraudulent website/email to our
attention. PayPal will investigate this incident thoroughly and take
appropriate action on the matter. 

If possible, we are also requesting that you forward the original email
to us at spoof at paypal.com.  This will allow us to better research the
suspected website.

If you have surrendered financial or password information to the
website/email, report this to your appropriate financial institutions,
immediately change your passwords and secret answers on your PayPal

If you discover any unauthorized transactions or changes on your
report these to PayPal immediately! You may report any unauthorized
activity by utilizing the Security Center section of our website. 

Again, we thank you for your concerns. 


PayPal Account Review Department

PayPal and its representatives will NEVER ask you to reveal your
password.  There are NO EXCEPTIONS to this policy.  If anyone claiming
to work for PayPal asks for your password under any circumstances, by
email or by phone, please refuse and immediately contact us via webform
at https://www.paypal.com/wf/f=sa_default .

-----Original Message-----
From: John Hardin [mailto:johnh at aproposretail.com]
Sent: Monday, September 22, 2003 12:26 PM
To: General DShield Discussion List
Subject: RE: [Dshield] New Paypal scam

On Mon, 2003-09-22 at 10:03, Blanchard, Joe wrote:
> <...isn't the host part delimited by the forward slash, though?
> That said, I wouldn't be at all surprised if the IE URL parser
> actually
> *is* that broken.>
> Nope. ftp://www.paypal.com@ftp.redhat.com denotes user at domain_name, but
> in lieu of ftp, http: simply suggests login at domain_name. This is an old
> tactic; I seem to remember seeing it in the 4.0 days of IE too.

The URL syntax is proto://{user{:password}@}host{:port}/path/to/file

Note that the original URL had the @ *after* the first forward slash,
thus if the URL were being parsed properly it would *not* be an
effective redirect attack. Indeed it is not in mozilla/galeon. I got the
PayPal welcome page, which I assume is their default for 404s.

My questions (stated indirectly) were:

1) was this URL copied properly into the original email?

2) was this (malformed) attack URL indeed causing a "redirect" in some
browsers? Meaning, were they helpfully ignoring the forward slash as a
delimiter and parsing the "@whatever" as part of the host spec? This
would indicate a severely broken URL parser.

John Hardin  KA7OHZ                          
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
  There is no problem that cannot be solved by the appropriate
  application of high explosives.
 44 days until Matrix Revolutions
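An added example, not part of the DShield thread and not code from any poster: it shows how the two URL shapes discussed above resolve under a parser that follows the syntax proto://{user{:password}@}host{:port}/path (the authority ends at the first "/" after "//"), under a hypothetical "loose" parser that does what John suspects some browsers do (ignore the "/" delimiter and treat text up to the last "@" as userinfo), and under Node's built-in WHATWG URL class. The function names and the loose parser's behaviour are assumptions made for illustration; the hostnames are the ones from the thread.

```javascript
// Added example (not from the DShield thread). Three ways of answering the
// question "which host does this URL actually point at?"
//
// Strict parse of proto://{user{:password}@}host{:port}/path: the authority
// is everything between "//" and the first "/", "?" or "#", so an "@" that
// appears after that first slash belongs to the path, not to the userinfo.
function parseAuthorityStrict(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)(.*)$/i.exec(url);
  if (!m) throw new Error('not an absolute URL: ' + url);
  const [, scheme, authority, rest] = m;
  // userinfo cannot legally contain "@", so first and last "@" coincide in a
  // valid URL; lastIndexOf matches what WHATWG parsers do with malformed input.
  const at = authority.lastIndexOf('@');
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  // Port split (bracketed IPv6 literals are not handled in this illustration).
  const colon = hostport.lastIndexOf(':');
  const host = colon === -1 ? hostport : hostport.slice(0, colon);
  const port = colon === -1 ? null : hostport.slice(colon + 1);
  return { scheme, userinfo, host, port, path: rest || '/' };
}

// Hypothetical "loose" parse, modelling the bug John asks about: the parser
// does not stop the authority at "/", so it takes everything up to the last
// "@" anywhere in the URL as userinfo and whatever follows as the host.
// This is an assumption about how such a bug would behave, not a statement
// about any specific browser.
function parseAuthorityLoose(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(url);
  if (!m) throw new Error('not an absolute URL: ' + url);
  const [, scheme, rest] = m;
  const at = rest.lastIndexOf('@');
  const userinfo = at === -1 ? null : rest.slice(0, at);
  const after = at === -1 ? rest : rest.slice(at + 1);
  const slash = after.indexOf('/');
  const host = slash === -1 ? after : after.slice(0, slash);
  return { scheme, userinfo, host, path: slash === -1 ? '/' : after.slice(slash) };
}

// What a modern (WHATWG) parser does: Node's global URL class.
function effectiveHost(url) {
  return new URL(url).hostname;
}

// Constructed sample URLs: the classic "@" trick, and the shape John
// describes, where the "@" sits after the first slash.
const SAMPLES = [
  'http://www.paypal.com@ftp.redhat.com/',
  'http://www.paypal.com/@ftp.redhat.com',
];

for (const u of SAMPLES) {
  console.log(u);
  console.log('  strict host :', parseAuthorityStrict(u).host);
  console.log('  loose host  :', parseAuthorityLoose(u).host);
  console.log('  WHATWG host :', effectiveHost(u));
}
```

Run with `node`. For the first URL all three parsers agree that the request goes to ftp.redhat.com with "www.paypal.com" as the username, which is the attack Joe describes. For the second URL the strict parser and the WHATWG parser keep the host as www.paypal.com and put "/@ftp.redhat.com" in the path, which is exactly what John saw in Mozilla/Galeon; only the hypothetical loose parser turns it into a redirect, which is the "severely broken URL parser" case his second question is about.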

list mailing list
list at dshield.org