A new round of attacks by online criminals is being directed at online payments service PayPal this week, including e-mails that inform account holders they need to re-enter their credit card data because “we had some trouble with one of our computer systems.”
The scam appears to be aimed at harvesting PayPal
account numbers, passwords and credit card data from unsuspecting users of the online service, based in Mountain View, Calif.
The scam e-mail, slugged “URGENT: PayPal Account Update,” that has been going around this week starts off by saying:
“Dear PayPal User,
Today we had some trouble with one of our computer systems. While the trouble appears to be minor, we are not taking any chances. We decided to take the troubled system off-line and replace it with a new system. Unfortunately this caused us to lose some member data. Please follow the link below and log into your account to make sure your information is not affected. Account balances have not been affected.”
It goes on to entice users by saying that: “If fees would normally apply, you will not pay anything for the next two incoming transfers you receive” because of the inconvenience of having to re-enter data.
The scam, an e-mail with the subject line directed account holders to this site, which was active at presstime but may have been taken down by now.
The URL listed was https://www.paypal.com/cgi-bin/webscr/?cmd=_login-run. However, when clicked on, it directed the user to an ostensibly secure site, but with a URL starting with: http://www.paypalsys.com/. Users were then asked to log in with their e-mail addresses and their passwords.
Ironically the attack began to surface at about the same time as PayPal was announcing that the U.S. Postal Inspection Service recently presented awards to members of its anti-fraud team “in appreciation and recognition of their aid in the investigation of a man accused of Internet auction fraud.”
The scams are becoming more sophisticated, and now sometimes arrive in the form of HTML e-mails complete with PayPal logos and type faces. They offer Web links to sites that even contain the little lock symbol of security. The Web site addresses are subtly different from PayPal.com, however.
“We have had no problems with our computers — our site is completely up,” said Julie Anderson, a PayPal spokesman, adding that the company would track the fake site back to its ISP and attempt to get it shut down.
These attacks are becoming more and more commonplace, and more sophisticated in their ability to mimic a legitimate site, according to David Steiner, president of AuctionBytes.com, a site that covers the online auction world.
“For the past year or so they have been e-mailing sellers saying that your password or your account has been compromised, go to this site and re-enter your data,” Steiner told internetnews.com. “The site looks just like an eBay or a PayPal site but is on different server.”
“Some people fall for this. People are still falling for the Nigerian oil minister e-mail scam, so they fall for this, too,” he said.
Steiner advised all PayPal and eBay account holders (PayPal is becoming more integrated with eBay all the time, thanks to eBay’s acquisition of the company) to be very careful about looking at the address bar in the browser.
The scams redirect you a similarly named site, where someone usually has used a stolen credit card to register a fake domain name for a quick-hit scam.
Steiner said a whois search on the URL used in this particular scam attempt shows it was registered on Sept. 10 and the administrative contact shows PayPal, but the technical contact is in New York, not California, where PayPal is based.
The cops, of course, continue to look into such scams as best they can. Don Masters, head of a U.S. Secret Service high tech crime unit in Los Angeles, told internetnews.com last week that “We have a couple of undercover operations working.”
PayPal, meanwhile, has been working to combat similar frauds. The company said that PayPal fraud investigators were recently presented with commemorative plaques thanking them for their “significant contribution” to the investigation and capture of Jay Nelson, of Gilsum, N.H. Nelson, 34, recently pleaded guilty to charges of mail fraud, wire fraud and money laundering for failing to deliver thousands of items he offered for sale on Internet auction sites.
“It’s no secret that PayPal aggressively pursues people suspected of fraud in the PayPal network,” said David Sacks, PayPal chief operating officer. “We have no tolerance for these people in our system and are more than happy to help law enforcement bring them to justice in any way we can.”
But it’s no wonder PayPal is a target. It’s big, it’s everywhere and it’s where a lot of online money is.
The service lets users transfer money via e-mail, mobile phone, or Web-enabled pager, with transactions charged to the customer’s bank account, credit card or PayPal balance. About 13 million users (80 percent are individuals) use PayPal; most are online auction participants, and transactions average about $50, according to Hoovers.
PayPal does have a security center right on its site, with advice of all kinds both for sellers and buyers.
And one of the tips for everyone is: “Never, ever share your PayPal password with anyone. Never, ever share your PayPal password with anyone. PayPal representatives will NEVER ask you for your Password.”
It also says: “If you receive an email and are unsure whether it is from PayPal, come directly to the PayPal site at www.paypal.com. Don’t click on any link in an email which seems suspicious to you. These security measures will help ensure that you are logging into PayPal. The only site you should ever type your username and password into is at www.paypal.com.”