For those of you with PayPal accounts this is something you need to be aware of. In fact, it's not just PayPal, it's happening to other online bank account holders too. People get these emails pretty regularly now. Some of them even have the bank's logos so it looks real authentic. Most of the emails come from out of the country, and so does the website they lead to so you can do what you are led to believe your banking institution wants you to do. But you end up with a trojan or a keylogger on your computer and sooner or later the scam artist will catch you going to your bank account and he will immediately be able to see you typing in your username and your password, and next time you go back you are flat broke. The lesson to be learned here is that one should be very wary of being led to any website except the actual website of your bank to do anything. One tip-off is that the banks will always use https instead of http on their websites. There are always other tip-offs too but you have to be real careful. Be slow to do what your bank wants you to do. Often you will get multiple emails exactly alike and then you know for sure it's a trap to catch the unwary. We can use the header information to hope to find out where this email is coming from. To do that we use the IP address 65.94.189.20 and we plug that into the Dulles Visual Route Server at http://visualroute.visualware.com and we see that it hops around the Dulles, Virginia and New York area a bit and then jumps up to Montreal, Canada where it somehow gets lost. The trace route ends up somewhere near a big lake maybe a couple of hundred miles northwest of Toronto where it is gone and not traceable any more. Whoa here! PayPal is in Omaha, Nebraska and most assuredly not in the wilderness of Canada. So we know better than to click on that link and get skinned for any and all money we have in our PayPal or other online account, now don't we?
So we take the next one and go plug that one in to the visual route server and we find that one gets lost in Toronto, Canada too. Here is an email I've gotten several copies of the last few days.

Return-Path: <service@paypal.com>
Received: from tomts26-srv.bellnexxia.net ([209.226.175.189] verified) by netnameone.org (CommuniGate Pro SMTP 4.0.6) with ESMTP id 3996385 for ceo@creditwrench.com; Sun, 06 Apr 2003 09:20:32 -0700
Received: from paypal.com ([65.94.189.20]) by tomts26-srv.bellnexxia.net (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with SMTP id <20030406162000.PVXF13343.tomts26-srv.bellnexxia.net@paypal.com> for <ceo@creditwrench.com>; Sun, 6 Apr 2003 12:20:00 -0400
Message-ID: 19598022103309.44359.qmail@paypal.com
From: <service@paypal.com>
To: ceo@creditwrench.com
Subject: Verify Your Identity
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Date: Sun, 6 Apr 2003 12:20:00 -0400
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 138406

This email was sent automatically by the PayPal server to verify your identity. We apologize for the inconvenience. To verify your identity and access to your account, follow these steps:

1. Click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.

http://www.paypal.com/fq/ac=AwLMcl-...7.TIAFV95tIFFtmIsGfsQjo6rAy5JkQRBR7iFkDL&t=pr

The link will take you to our Verify Your Identity page.

2. On the Verify Your Identity page, answer the questions, and click Submit.

Thanks for using PayPal! Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

I'll bet that if you go there the website will look like it's really paypal and if you click on the help link that will load the trojan right then and there and you won't even be aware of it.
You can bet that the computer that is running that webpage isn't on any backbone type server like a bank would be hooked up to. It's just a computer in somebody's living room or bedroom and it isn't even on a static IP address but rather on a dynamic one, so that its actual DNS numbers will change frequently and if they see the cops coming they can wipe the hard drive in a heartbeat so it can't be used for evidence against them. These guys are usually pretty slick. And when they make a "score" and people lose their money PayPal or the bank takes the hit.
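The header walk described in this post can be done offline before anyone plugs an address into a trace-route tool. The script below is an added example, not the poster's code: it feeds the quoted headers (reassembled one per line, body stubbed) to Python's standard email parser, walks the Received: chain from newest to oldest, and reports what a defender looks for: the IP that injected the message, the name that machine claimed in its HELO, whether the accepting relay annotated that name as verified (here only the bellnexxia.net hop carries CommuniGate's "verified" tag, which I take to be that server's own check), and whether the first relay belongs to the From: domain at all.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the headers of the phishing message quoted in this thread,
# put back onto one header per line. The HTML body is replaced by a stub.
RAW_MESSAGE = """\
Return-Path: <service@paypal.com>
Received: from tomts26-srv.bellnexxia.net ([209.226.175.189] verified) by netnameone.org (CommuniGate Pro SMTP 4.0.6) with ESMTP id 3996385 for ceo@creditwrench.com; Sun, 06 Apr 2003 09:20:32 -0700
Received: from paypal.com ([65.94.189.20]) by tomts26-srv.bellnexxia.net (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with SMTP id <20030406162000.PVXF13343.tomts26-srv.bellnexxia.net@paypal.com> for <ceo@creditwrench.com>; Sun, 6 Apr 2003 12:20:00 -0400
Message-ID: 19598022103309.44359.qmail@paypal.com
From: <service@paypal.com>
To: ceo@creditwrench.com
Subject: Verify Your Identity
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Date: Sun, 6 Apr 2003 12:20:00 -0400

<html><body>(body omitted)</body></html>
"""

# Matches the "from <helo> ([<ip>] verified?) by <relay>" shape used by both hops above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?P<verified>\s+verified)?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw):
    """Parse every Received: header. Each relay prepends its own line, so the
    list is newest hop first and the injection point is the last element."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))   # unfold any line breaks
        if m:
            hops.append({
                "helo": m.group("helo").lower(),        # name the sending host claimed
                "ip": m.group("ip"),                    # address the relay actually saw
                "verified": m.group("verified") is not None,
                "by": m.group("by").lower(),            # relay that accepted the hop
            })
    return hops


def header_findings(raw):
    """Summarise the points a defender checks on a suspected phish."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    origin = hops[-1]                                   # earliest hop = where the mail entered the mail system
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    first_relay = origin["by"]
    return {
        "from_domain": from_domain,
        "origin_helo": origin["helo"],
        "origin_ip": origin["ip"],
        # the relay that accepted the message did not vouch for the claimed name
        "origin_helo_verified": origin["verified"],
        # mail really sent by the From: domain would be handed off by one of its own relays,
        # not by an unrelated ISP's server
        "injected_via_sender_domain": first_relay == from_domain
                                      or first_relay.endswith("." + from_domain),
        "first_relay": first_relay,
    }


if __name__ == "__main__":
    for key, value in header_findings(RAW_MESSAGE).items():
        print(f"{key:28} {value}")
```

Run on the quoted message this reports origin_ip 65.94.189.20 (the address the post traces), origin_helo paypal.com with origin_helo_verified False, and injected_via_sender_domain False because the accepting relay is tomts26-srv.bellnexxia.net. The Received: line nearest the top is the only one your own mail server wrote; every line below it was written by someone else's server and can be forged, which is why the analysis starts from the hop your own server recorded and treats the rest as claims.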
Thanks for the info about the bogus PayPal emails. I'd like to add a few things, though. First, ANYONE asking you to verify your identity via email is a DEAD GIVEAWAY. Big red flag. Don't reply. Don't click on any links. Delete the message. End of story. Next, anyone doing anything with their personal finances on the Internet needs to pay really close attention to how their system is configured - ESPECIALLY if you have a DSL or cable connection, which is "always on". The "firewall" built into XP is NOT very reliable. It doesn't take much to get through it. If you're using IE, use the 128-bit encrypted version. Don't take any chances. I use Norton Internet Security Professional, and it's thwarted MANY, MANY, MANY attempted hacks into my system (on the average, about 50 per week!!!). If I sound paranoid, I'm really not. This is a BIG problem. And it's NOT going away any time soon! Why do you think Microsoft is constantly updating IE with "Security Updates"??? Finally, there's a site called paypalsucks.com. PayPal has had numerous problems since its inception. Check out the horror stories concerning that service. It was a good idea when it first started, but they dropped the ball. And screwed a lot of people out of a lot of money.
Also, you might want to alert PayPal of this situation. Instead of investigating it yourself, let the FBI or Secret Service handle it. That's their job!
It really wasn't PayPal that screwed up so bad but rather their parent company, which was X.Com, who really did it. About the only thing they do "wrong" now is that they won't let the internet MLM marketers pay their downlines using PayPal and will illegally (I think) confiscate their funds if PayPal thinks they are doing MLM payoffs through PayPal. They have always been real good and I guess that when eBay bought them it might very well have improved their chance of survival a lot. I've always been real happy with them and have never had a problem of any kind in the 3 years I've been using them now. Any time there is any kind of a misunderstanding on my part they have been real quick to clean it up. For instance when I signed up with PrivacyGuard I got dinged for the $1 9 times by mistake. I called them up right away and they got the problem under control, but I also called PrivacyGuard and explained to them what had happened, so I never lost a penny over the $1 I was supposed to pay them. I know for a fact that if I had used a local bank they would not have been nearly as cooperative and helpful as PayPal was. As to your comments on personal security, you are right on the money for sure. I use a lot tighter security than most folks do because I come from my modem into a 4-port router and then into a DHCP server and then into a hub and then on into the individual computers on my network. The DHCP server runs on Linux and has firewalls and security and the router has security and each of the machines has its own set of firewalls and security too. Anybody who can get through that has got to be better than Houdini. And then each machine runs a virus scan automatically every night in the wee hours of the morning just to be sure I'm not infected anywhere. You can't ever be too careful. Truth is that there is hardly any amount of security precautions that can be considered to be the final answer.
That's quite true as well. I spoke to them a while back when I got the same kind of email but a lot more sophisticated than the one I put up was. They already knew about it and said they get hundreds of such reports every day and move as quickly as possible to find them and shut them down. PayPal is now a very large company with millions of customers whose accounts they are handling. In time they will probably end up being one of the largest banks in the world. They can't take chances with the security of their customers' accounts.
Here's the REAL dirt from paypalsucks.com. Evidently, the company is well aware of the problem, but chooses NOT to place any priority on coming up with a solution. Personally, I wouldn't use the service.

WARNING: Scams abound re: your paypal account
Sent: 27-01-2003 12:32

This has been going on for about 2 years and getting worse. If you get an email telling you to log into your paypal account via email, DO NOT click on the link in the email! Most likely this is a scam. The email will appear to come from paypal due to forged headers. However, if you view the source of the email you will see that the link does not go to paypal but some other site like paypal.domain.com (as a subdomain) or paypals.com (with an s) or paypa1.com (with a 1) or some other variation of the paypal domain. What is ironic is that paypal sends its lawyers after us on our paypal domains (and loses!) but they don't seem to be doing anything about these scammers. To the point: IF you have a paypal account, ONLY log into it by typing https://www.paypal.com into your browser window. If you are on a website and click on a link, be SURE the address is really paypal's in the address bar. Otherwise you will be giving your paypal account information to a scammer.

--------------------------------------------------------------------------------

For the reasons stated above, and in light of the message below I have to agree, NEVER click on a link in an email sent to you! Not for e-gold, paypal, your bank, etc.

--------------------------------------------------------------------------------

Paypal COULD stop some of these scams in a heartbeat by notifying the ISP/Host of the fraudulent accounts, but they don't seem to put a high priority on it. They could also be sending emails to people to notify them of the problem. But instead they confuse the issue by sending propaganda email telling you to watch out for sites like this one!
Also note: the same scam is done to e-gold accounts also, and in fact ANY ONLINE payment system is susceptible. NEVER click on a link in your email, and always check the URL when clicking on a link from a website.
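The advice in the quoted post and in the first post comes down to two checks on every link: the scheme is https and the host is exactly the real domain or a subdomain of it, never a lookalike such as paypal.domain.com, paypals.com or paypa1.com. Below is an added example (mine, not from paypalsucks.com or PayPal) that applies both checks to the links in an HTML message with only the standard library. The message body and all of its links are constructed; example.com and example.net stand in for whatever third-party domain a scammer would use, and the one http://www.paypal.com/fq/... link mirrors the plain-http link in the message quoted earlier in this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_DOMAIN = "paypal.com"   # the only registered domain accepted in this check


def host_belongs_to(host, domain):
    """True only when host is the domain itself or a subdomain of it.
    'paypals.com', 'paypa1.com' and 'www.paypal.com.example.net' all fail."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_link(url, domain=LEGIT_DOMAIN):
    """Return (ok, reason) for a single href."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https (scheme %r)" % parts.scheme
    if parts.username or parts.password:
        # https://www.paypal.com@example.net/ : the text before '@' is a username,
        # the real host is what follows it
        return False, "userinfo before the host hides the real host %r" % parts.hostname
    if not host_belongs_to(parts.hostname, domain):
        return False, "host %r is not %s or a subdomain of it" % (parts.hostname, domain)
    return True, "ok"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_html(html, domain=LEGIT_DOMAIN):
    """Run check_link over every link; also flag link text that shows one host
    while the href points at another (the 'view the source' trick in the post)."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        ok, reason = check_link(href, domain)
        if ok and "://" in text:
            shown = (urlsplit(text).hostname or "").lower()
            if shown and shown != (urlsplit(href).hostname or "").lower():
                ok, reason = False, "visible text names host %r" % shown
        results.append({"href": href, "text": text, "ok": ok, "reason": reason})
    return results


# Constructed sample message: one legitimate link followed by six lookalikes.
SAMPLE_EMAIL_HTML = """
<p>To verify your identity, click below.</p>
<a href="https://www.paypal.com/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a><br>
<a href="http://www.paypal.com/fq/ac=EXAMPLE">Verify Your Identity</a><br>
<a href="http://paypal.example.com/login">PayPal Login</a><br>
<a href="https://paypals.com/verify">https://www.paypal.com/verify</a><br>
<a href="https://paypa1.com/verify">PayPal</a><br>
<a href="https://www.paypal.com.example.net/">www.paypal.com</a><br>
<a href="https://www.paypal.com@example.net/">PayPal</a>
"""

if __name__ == "__main__":
    for r in audit_html(SAMPLE_EMAIL_HTML):
        print("OK  " if r["ok"] else "BAD ", r["href"], "->", r["reason"])
```

Only the first link passes. The check deliberately compares the registered domain, not the visible text and not whether "paypal" appears somewhere in the URL, because every lookalike in the quoted post contains the word paypal.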
It's happening to almost all banks now. Lots of these scammers and rip-off artists are in China, Russia, India and many other countries. Iran is probably guilty of a few of those kinds of attacks as well unless I miss my guess. Countries they can try to investigate forever and they won't have any more luck at it than we have in finding Osama. So far they have only grabbed one person who was living in Oklahoma at the time of the 9/11 attacks and they put him on trial and it's beginning to look like they might have to let him go. But despite our FBI, CIA, Homeland Security and the U.S. Military forces all over the world they apparently haven't got even one Al Qaeda terrorist from overseas they can parade before the American public and point a finger at him and say with finality "HERE HE IS! WE GOT HIM! NOW HE IS GOING TO PAY FOR HIS CRIMES AGAINST AMERICA!" Not even one from overseas and only one from Norman, Oklahoma. And yet some people want to put PayPal down like they were some kind of dirty dogs trying to hurt as many people as possible. Like I said earlier, some people just ain't happy unless they are bashing others.
Whoa! I just got 2 e-mails this morning with a header stating my cc expiration date is about to expire on PayPal. I haven't been running my auctions lately so I didn't bother to open the mail yet. Funny, I was just thinking what card was about to expire when they all are good through 2***. Thanks for the heads up. I regularly get AOL re-directs also and they truly look real. My mom is naive so I always tell her to sign into nothing. I always put a few good swear words in the user name and passcode session. I don't know if they see it or not but it makes me feel better. Usually by the time you can report it to AOL, the server, or link address, or whatever it is, is now invalid. Sneaky bastards. Again, thanks for the info!
Just some more advice from someone who does work in internet security: not all "attacks" coming from a firewall are really attacks. Most ISPs, including the company I work for, do regular scans of their network and check out the ports utilized by their consumers for the protection of their own networks, i.e. with my company they will check the traffic coming from your PC and network to determine if you have various trojans and virii originating from your connection. We always have customers calling in thinking that someone from our ISP or with one of our IPs is trying to infiltrate. Also, if you REALLY want to get protection for your PC, upgrade from a software firewall to a hardware firewall (read: router with built-in NAT protection). A piece of hardware does not rely on your PC to run software and for that software to not become corrupt. A router with NAT creates a private network by taking on the IP address handed down from your ISP and then by assigning private addresses to your PC or to the other PCs put onto your network.
Bill beat me to it.... Very good Bill with the router. People ask me daily what kind of firewall I recommend. I tell them I do not. If you want protection, think of it in this way is what I always say. Your modem goes into a router; the router plugs into your PC. Intruders go into your modem, then into your router, and are stopped. Now think of firewall software. Your modem to your computer. The intruder goes through the modem right into your computer and now you need to hope and pray that the firewall works OK and that your PC is running the firewall OK. Why even risk it? is my question. Some firewalls can become so corrupt that it totally locks up your PC from even being able to access a DOS prompt or to even pull up a webpage like CNN.com. Uninstalling does not help, because the firewall has embedded itself deep inside the registry and other system files.
paypal Ok, just a bit of info. PayPal is based out of Campbell/San Jose, CA. Their parent company is eBay. eBay and PayPal hunt these guys down like dogs. They have a dept that is dedicated to doing so. Same with false eBay sites. If it doesn't say httpS://www.paypal.com then it is not PayPal. Never ever respond to any email that requests usernames or passwords. Never send credit card numbers through email, even encrypted email.
Re: Bill beat me to it.... Actually, most software firewalls have a kernel component that plugs into the IP stack. They have the ability to do stateful inspection. Provided it's configured correctly, it will do the job just fine. They also come with registry hacks in the uninstall scripts. The older software components suck. Most DSL routers out there are NAT (network address translation) firewalls. They don't let anything in, which is good unless you're trying to host web pages, receive files in chat, etc. They're good, unless improperly configured. I've done penetration studies on ZoneAlarm and most DSL routers provided by Linksys and D-Link. They're very good right out of the box. The only problem these days is improperly configured wireless routers. WEP (Wireless Encryption) is a very important thing to use, or all I need is a receiver to get on your network. Of course, I am running a Nokia IP 350 at home with CP FW-1 (NG). All of my boxes are running iptables. All of my Windows boxes are hard. I've removed NetBIOS and any services running natively in Windows. Bill, before you ask: I am CISSP and CCIE. Google searches will easily bring those up.
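Two posts in this thread make the same point from different angles: the router post says a NAT router "creates a private network" behind the one public address, and the post just above says NAT firewalls "don't let anything in" unless you deliberately host something. The toy model below is an added example of mine, not code from any router vendor or from anyone in the thread: it keeps the translation table a home router keeps, creates an entry only when a LAN host starts a connection, delivers inbound packets only when they match such an entry or an explicit port forward, and drops everything else. All addresses are constructed from the RFC 5737 documentation ranges; the private side uses 192.168.1.0/24 as the posts describe.

```python
import itertools


class NatRouter:
    """Toy model of a consumer NAT router.

    Outbound flows from the LAN create a translation entry (private ip:port <->
    public port). An inbound packet is delivered only if it is the reply to such
    a flow, or if the owner configured a port forward for it. Anything else is
    dropped, which is why a bare NAT router stops unsolicited probes from outside.
    """

    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        self.port_forwards = dict(port_forwards or {})   # public port -> (lan ip, lan port)
        self.by_public_port = {}   # public port -> (lan ip, lan port, remote ip, remote port)
        self.by_flow = {}          # the reverse mapping
        self.next_port = itertools.count(40000)
        self.dropped = []          # log of unsolicited inbound packets

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a packet; return the packet as seen on the Internet."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        if flow not in self.by_flow:
            public_port = next(self.next_port)
            self.by_flow[flow] = public_port
            self.by_public_port[public_port] = flow
        return (self.public_ip, self.by_flow[flow], remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet arrives from the Internet addressed to the router's public IP."""
        entry = self.by_public_port.get(public_port)
        if entry is not None and entry[2:] == (remote_ip, remote_port):
            return ("DELIVER", entry[0], entry[1])            # reply to a flow the LAN opened
        if public_port in self.port_forwards:
            return ("DELIVER",) + self.port_forwards[public_port]   # deliberately exposed service
        self.dropped.append((remote_ip, remote_port, public_port))
        return ("DROP", None, None)


def demo():
    """Walk through the cases the thread discusses and return the outcomes."""
    router = NatRouter("203.0.113.10")
    # LAN host browses to an https site: the router rewrites the source to its public address
    on_internet = router.outbound("192.168.1.10", 51000, "198.51.100.20", 443)
    # the site's reply comes back to the translated port and reaches the LAN host
    reply = router.inbound("198.51.100.20", 443, on_internet[1])
    # an unsolicited probe at the NetBIOS session port has no entry and is dropped
    probe = router.inbound("198.51.100.99", 4444, 139)
    # a packet to a live translated port from the wrong peer is also dropped
    wrong_peer = router.inbound("198.51.100.99", 443, on_internet[1])
    # hosting a web server means opening a hole on purpose
    exposed = NatRouter("203.0.113.10", {80: ("192.168.1.20", 80)})
    forwarded = exposed.inbound("198.51.100.99", 4444, 80)
    return {
        "translated": on_internet,
        "reply": reply,
        "probe": probe,
        "wrong_peer": wrong_peer,
        "port_forward": forwarded,
        "dropped_count": len(router.dropped),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome}")
```

The model also shows the limit the later posts draw: a port forward, or anything a user on the inside pulls in (the "security patch" download described further down), is "allowed traffic" from the router's point of view, and the translation table has no opinion about what is inside it.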
Re: Bill beat me to it.... I apologize for posting so many times with redundant information, but this is something I love talking about. I actually do this for full-time work. It's tough to load a trojan through HTTP. The world of Java makes it easier and there are some cookies out there that can be considered malicious, but certainly not trojan-like. A trojan for the most part takes you clicking on an executable after downloading. Programs like Ad-aware work pretty well for finding spyware and other trojans that your AV won't pick up. There are many spyware locators. Bill, sounds like you have a nice set up. I would also add an IDS system like Snort to your network, since you're already running Linux. Like you said, it will keep out most of the script kiddies, but determined hackers can get through. There are several DHCP exploits and unless you're keeping up with all patches via email lists and using them, someone will make an automated script that will eventually get through.
Re: Re: Bill beat me to it.... LB, the latter part of this thread is important for anyone storing records on their machines. If a hacker can get to your box, he/she can grab your ID.
Re: Bill beat me to it.... I am very familiar with all of the things that you are talking about here. I know from my own knowledge and experience that your "lingo" is right on the money. I got into computers as an engineer for Minneapolis Honeywell back in 1975. I helped design and build the MIRV warhead system just for starters. I'll guess you probably aren't old enough to have ever heard of that system. It was built to fit on an Atlas rocket which would carry 6 atomic bombs from anywhere in the U.S. and each bomb would be targeted to land on a different city up to 1,000 miles apart and hit within 150 feet of their programmed target. That's so old hat now most people such as yourself would just about die laughing at such crude stuff. Our military can do much better than that now. But then we didn't have the satellite guidance systems they have now back then either. They were talking about it long before 1975 but we just didn't have the technology back then we have now. I don't question people who obviously know what they are talking about unless it's because I want to learn something.
Re: Re: Bill beat me to it.... Actually, I've been in a position to study that system and more. You don't know how old I am. I started with computers in 1978. I took training in the Army as an MI counter-intelligence electronic warfare specialist in the late 80's. We used that system to analyze the effects of jamming on early guidance systems as an effective way to bring down Soviet ICBMs, which were of course decades older than ours. Of course, network attacks weren't big until 92 or so, when I was re-trained. I had to be Ranger and Airborne for that job, because most of our enemies weren't on ARPAnet and hacking involved getting into their network and splicing into their thinnet or thicknet!!!
Re: Bill beat me to it.... I got zapped with a keylogger a while back. I posted about it. It came in through the last PayPal look-alike email and had a file which it said was a security patch for PayPal. So I fell for it since the email had all the PayPal logos and looked real "official", and then I got a popup that said the security patch had been installed and now my system was secure and I should then go log into my PayPal account so it could be checked out. That got my hackles up real quick so I started going to Google just to see what would happen and I got about 5 characters typed into the URL bar and my Norton started popping up and told me I had a keylogger on my system, so I shut down immediately and ran Norton, then McAfee and ThunderByte one right after the other. All 3 agreed I had a keylogger on my system so I let Norton quarantine it, and it also told me what files were associated with it and so I went and deleted all those too. Then I ran Disk Doctor utilities and that fixed up whatever other damage might have been done, so the hacker didn't get anywhere at all. He probably got "http://" and that was the end of him. So tell me, do you think there are scripts out there that can get through an Addtron EP 200 router and a DHCP server set up with 3 software firewalls, then through a router and into any of my other computers also running three firewalls?
Re: WEP *hehehe* My neighbour found out the hard way about his ill-configured wireless router. Half of his apartment building was tapping into it and he had no idea until his ISP shut him down for excessive bandwidth. As for the SW firewalls, you hit it on the nail: if it is configured correctly and not corrupt. Here in my ISP (Tier III) we have had customers have tremendous issues with certain vendors once they try to make any modifications without the know-how. Makes for a headache on my side.
Re: Re: Bill beat me to it.... Yep. By clicking on that link that was the "security patch" and was set to run (permissions on your browser) you brought it into your network. There's nothing a firewall can do if it's allowed traffic. I run SmartFilter on my HTTP traffic. Only valid HTTP headers are allowed in. Anything with a payload on ports 80 or 443 must be expressly allowed in. In any environment, a user can mitigate every security measure in the world.