[Dshield] New Paypal scam

John Dalton dubuque_1 at msn.com
Mon Sep 22 22:44:05 GMT 2003


Well, at least you found a place to send it to. I had a very difficult time the
last time. I will send the original.
----- Original Message ----- 
From: "Tony Sykora" <tsykora at stcloudwirelessholdings.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Monday, September 22, 2003 12:52 PM
Subject: RE: [Dshield] New Paypal scam


I sent the fraud department at PayPal the URL, and they requested the
original email/spam, so if someone has the original PayPal email, could
they forward it to PayPal at spoof at paypal.com?  Thank you.

Dear Tony Sykora,

Thank you for contacting PayPal.

Thank you for bringing this potentially fraudulent website/email to our
attention. PayPal will investigate this incident thoroughly and take
appropriate action on the matter.

If possible, we are also requesting that you forward the original email
to us at spoof at paypal.com.  This will allow us to better research the
suspected website.

If you have surrendered financial or password information to the
website/email, report this to your appropriate financial institutions,
and immediately change your passwords and secret answers on your PayPal
account.

If you discover any unauthorized transactions or changes on your
account, report these to PayPal immediately! You may report any
unauthorized activity by utilizing the Security Center section of our
website.

Again, we thank you for your concerns.

Sincerely,

PayPal Account Review Department

***********************************************************
PayPal and its representatives will NEVER ask you to reveal your
password.  There are NO EXCEPTIONS to this policy.  If anyone claiming
to work for PayPal asks for your password under any circumstances, by
email or by phone, please refuse and immediately contact us via webform
at https://www.paypal.com/wf/f=sa_default.
***********************************************************

-----Original Message-----
From: John Hardin [mailto:johnh at aproposretail.com]
Sent: Monday, September 22, 2003 12:26 PM
To: General DShield Discussion List
Subject: RE: [Dshield] New Paypal scam


On Mon, 2003-09-22 at 10:03, Blanchard, Joe wrote:
> <...isn't the host part delimited by the forward slash, though?
>
> That said, I wouldn't be at all surprised if the IE URL parser actually
> *is* that broken.>
>
>
> Nope. ftp://www.paypal.com@ftp.redhat.com denotes user@domain_name, but
> in lieu of ftp, http: simply suggests login@domain_name. This is an old
> tactic; I seem to remember seeing it in the IE 4.0 days too.

The URL syntax is proto://{user{:password}@}host{:port}/path/to/file

Note that the original URL had the @ *after* the first forward slash,
thus if the URL were being parsed properly it would *not* be an
effective redirect attack. Indeed it is not in mozilla/galeon. I got the
PayPal welcome page, which I assume is their default for 404s.

My questions (stated indirectly) were:

1) was this URL copied properly into the original email?

2) was this (malformed) attack URL indeed causing a "redirect" in some
browsers? Meaning, were they helpfully ignoring the forward slash as a
delimiter and parsing the "@whatever" as part of the host spec? This
would indicate a severely broken URL parser.

--
John Hardin  KA7OHZ
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  There is no problem that cannot be solved by the appropriate
  application of high explosives.
-----------------------------------------------------------------------
 44 days until Matrix Revolutions

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list


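The URL-parsing point argued in John Hardin's message above, as an added example that is not part of the original thread or of any DShield or PayPal code: a small parser that follows the proto://{user{:password}@}host{:port}/path syntax he quotes, so that an "@" after the first slash stays in the path, plus a check that flags URLs whose userinfo is dressed up as a trusted domain. The host evil.example and the sample URLs are constructed for illustration; Node's built-in WHATWG URL class is called alongside only for comparison.

```javascript
// Added example, not code from the DShield thread. Parses the authority
// part of a URL per proto://{user{:password}@}host{:port}/path and flags
// the "trusted-looking-user@attacker-host" trick. The host evil.example
// and the sample URLs below are constructed for illustration.

// Split a URL into its components. The authority runs from the "//" to the
// first "/", "?" or "#", so an "@" after the first slash belongs to the path
// and cannot change which host the client connects to.
function parseUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/i.exec(url);
  if (!m) return null;
  const [, scheme, authority, path, query, fragment] = m;

  // Userinfo is everything before the LAST "@" in the authority (RFC 3986
  // forbids a bare "@" inside userinfo; WHATWG browsers also use the last one).
  let userinfo = null;
  let hostport = authority;
  const at = authority.lastIndexOf('@');
  if (at !== -1) {
    userinfo = authority.slice(0, at);
    hostport = authority.slice(at + 1);
  }

  // Port follows the last ":" unless that colon sits inside an IPv6 literal.
  let host = hostport;
  let port = null;
  const colon = hostport.lastIndexOf(':');
  if (colon !== -1 && hostport.indexOf(']') < colon) {
    host = hostport.slice(0, colon);
    port = hostport.slice(colon + 1);
  }

  return {
    scheme: scheme.toLowerCase(),
    userinfo,
    host: host.toLowerCase(),
    port,
    path: path || '/',
    query: query || null,
    fragment: fragment || null,
  };
}

// Return the trusted domain being impersonated, or null. A URL is suspicious
// when its userinfo (the part before "@", minus any ":password") equals or
// ends with a trusted domain while the real host does not.
function spoofedDomain(url, trustedDomains) {
  const u = parseUrl(url);
  if (!u || u.userinfo === null) return null;
  const user = u.userinfo.split(':')[0].toLowerCase();
  for (const d of trustedDomains) {
    const userMatches = user === d || user.endsWith('.' + d);
    const hostMatches = u.host === d || u.host.endsWith('.' + d);
    if (userMatches && !hostMatches) return d;
  }
  return null;
}

// Host as Node's WHATWG URL parser sees it, for comparison with parseUrl().
function whatwgHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// Constructed samples: the classic trick, the malformed variant discussed in
// the thread ("@" after the slash), the ftp form quoted in the thread, and a
// legitimate PayPal URL.
const SAMPLES = [
  'http://www.paypal.com@evil.example/cgi-bin/webscr',
  'http://www.paypal.com/@evil.example/cgi-bin/webscr',
  'ftp://www.paypal.com@ftp.redhat.com',
  'https://www.paypal.com/wf/f=sa_default',
];

for (const s of SAMPLES) {
  const u = parseUrl(s);
  console.log(`${s}\n  host=${u.host} userinfo=${u.userinfo} path=${u.path}` +
    `\n  whatwg host=${whatwgHost(s)} spoofs=${spoofedDomain(s, ['paypal.com'])}`);
}
```

Run with `node` to see that both parsers agree: the first and third samples connect to evil.example and ftp.redhat.com respectively, while the second, with the "@" after the slash, connects to www.paypal.com and carries "/@evil.example/..." as its path, which is exactly why a correct parser is not redirected by it. Any browser that does treat the second form as a redirect is ignoring the "/" as the authority delimiter.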
