Dangerous paypal emails

Discussion in 'Credit Talk' started by bbauer, Apr 6, 2003.

  1. bbauer

    bbauer Banned

    For those of you with PayPal accounts this is something you need to be aware of. In fact, it's not just PayPal; it's happening to other online bank account holders too. People get these emails pretty regularly now. Some of them even have the bank's logos so it looks real authentic. Most of the emails come from out of the country, and so does the website they lead to, where you can do what you are led to believe your banking institution wants you to do. But you end up with a trojan or a keylogger on your computer, and sooner or later the scam artist will catch you going to your bank account. He will immediately be able to see you typing in your username and your password, and next time you go back you are flat broke. The lesson to be learned here is that one should be very wary of being led to any website except the actual website of your bank to do anything. One tip-off is that the banks will always use https instead of http on their websites. There are always other tip-offs too, but you have to be real careful. Be slow to do what your bank wants you to do. Often you will get multiple emails exactly alike, and then you know for sure it's a trap to catch the unwary. We can use the header information to hope to find out where this email is coming from. To do that we use the IP address 65.94.189.20 and we plug that into the Dulles Visual Route Server at http://visualroute.visualware.com, and we see that it hops around the Dulles, Virginia / New York area a bit and then jumps up to Montreal, Canada, where it somehow gets lost. The traceroute ends up somewhere near a big lake maybe a couple of hundred miles northwest of Toronto, where it is gone and not traceable any more.
    Whoa here! PayPal is in Omaha, Nebraska and most assuredly not in the wilderness of Canada.
    So we know better than to click on that link and get skinned for any and all money we have in our PayPal or other online account, now don't we?


    So we take the next one and go plug that one in to the visual route server and we find that one gets lost in Toronto, Canada too.

    Here is an email I've gotten several copies of the last few days.

    Return-Path: <service@paypal.com>
    Received: from tomts26-srv.bellnexxia.net ([209.226.175.189] verified) by netnameone.org (CommuniGate Pro SMTP 4.0.6) with ESMTP id 3996385 for ceo@creditwrench.com; Sun, 06 Apr 2003 09:20:32 -0700
    Received: from paypal.com ([65.94.189.20]) by tomts26-srv.bellnexxia.net (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with SMTP id <20030406162000.PVXF13343.tomts26-srv.bellnexxia.net@paypal.com> for <ceo@creditwrench.com>; Sun, 6 Apr 2003 12:20:00 -0400
    Message-ID: 19598022103309.44359.qmail@paypal.com
    From: <service@paypal.com>
    To: ceo@creditwrench.com
    Subject: Verify Your Identity
    MIME-Version: 1.0
    Content-Type: text/html; charset=us-ascii
    Date: Sun, 6 Apr 2003 12:20:00 -0400
    X-Mozilla-Status: 8001
    X-Mozilla-Status2: 00000000
    X-UIDL: 138406

    This email was sent automatically by the PayPal server to verify your identity.
    We apologize for the inconvenience.

    To verify your identity and access to your account, follow these steps:

    1. Click on the link below. If nothing happens when you click on the
    link (or if you use AOL), copy and paste the link into the address bar of
    your web browser.

    http://www.paypal.com/fq/ac=AwLMcl-...7.TIAFV95tIFFtmIsGfsQjo6rAy5JkQRBR7iFkDL&t=pr

    The link will take you to our Verify Your Identity page.

    2. On the Verify Your Identity page, answer the questions, and click Submit.

    Thanks for using PayPal!

    Please do not reply to this e-mail. Mail sent to this address cannot be
    answered. For assistance, log in to your PayPal account and choose the
    "Help" link in the footer of any page.

    I'll bet that if you go there the website will look like it's really paypal and if you click on the help link that will load the trojan right then and there and you won't even be aware of it.

    You can bet that the computer that is running that webpage isn't on any backbone-type server like a bank would be hooked up to. It's just a computer in somebody's living room or bedroom, and it isn't even on a static I.P. address but rather on a dynamic one, so that its actual DNS numbers will change frequently, and if they see the cops coming they can wipe the hard drive in a heartbeat so it can't be used for evidence against them.

    These guys are usually pretty slick. And when they make a "score" and people lose their money PayPal or the bank takes the hit.
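Added example, not part of the thread: a short Python script that reads the Received headers of the message quoted above, orders the hops, and separates what a defender can rely on in the originating hop (the connecting IP the relay recorded, which is the address the post traced) from what the sending machine merely asserted about itself (the "from paypal.com" name, which the relay did not mark as verified). The headers are the ones quoted in the post; the checks are illustrative and do not settle whether the mail was genuine.

```python
import re

# Headers of the email quoted in the post above (joined onto single lines).
RAW_HEADERS = """\
Return-Path: <service@paypal.com>
Received: from tomts26-srv.bellnexxia.net ([209.226.175.189] verified) by netnameone.org (CommuniGate Pro SMTP 4.0.6) with ESMTP id 3996385 for ceo@creditwrench.com; Sun, 06 Apr 2003 09:20:32 -0700
Received: from paypal.com ([65.94.189.20]) by tomts26-srv.bellnexxia.net (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with SMTP id <20030406162000.PVXF13343.tomts26-srv.bellnexxia.net@paypal.com> for <ceo@creditwrench.com>; Sun, 6 Apr 2003 12:20:00 -0400
From: <service@paypal.com>
To: ceo@creditwrench.com
Subject: Verify Your Identity
"""

# "from <self-reported HELO name> ([<ip seen by relay>] verified?) by <relay host>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[\d.]+)\](?P<verified>\s+verified)?\)\s+by\s+(?P<by>\S+)"
)


def parse_hops(raw):
    """Return the Received hops oldest-first, so the sender's own hop is index 0."""
    hops = []
    for line in raw.splitlines():
        if line.startswith("Received:"):
            m = HOP_RE.search(line)
            if m:
                hops.append({"helo": m["helo"], "ip": m["ip"],
                             "by": m["by"], "verified": bool(m["verified"])})
    hops.reverse()  # each relay prepends its header, so the last one is the origin
    return hops


def sender_domain(raw):
    """Domain of the From: header, lower-cased (None if absent)."""
    m = re.search(r"^From:.*?@([\w.-]+)", raw, re.MULTILINE)
    return m.group(1).lower() if m else None


def chain_is_continuous(hops):
    """Each relay's 'by' host should be the next hop's 'from' host; a break suggests a forged header."""
    return all(hops[i]["by"].lower() == hops[i + 1]["helo"].lower() for i in range(len(hops) - 1))


def origin_findings(raw):
    """Report what a reader should and should not trust about the originating hop."""
    hops = parse_hops(raw)
    origin, dom, notes = hops[0], sender_domain(raw), []
    if dom and origin["helo"].lower().endswith(dom) and not origin["verified"]:
        notes.append(f"origin hop calls itself {origin['helo']} but the relay did not verify that "
                     f"name; only the connecting IP {origin['ip']} is worth looking up")
    if not chain_is_continuous(hops):
        notes.append("Received chain is not continuous; a header may be fabricated")
    return hops, notes
```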
     
  2. lucky2day9

    lucky2day9 Well-Known Member

    Good advice but be careful

    Okay so I like my job way too much. ;)

    This email is actually from paypal. The http: that they include in the link for their site will auto-direct you immediately to a "Secure Sockets Layer (SSL)" or an https: URL.

    Not all servers in a traceroute will be set up to "play" with UDP packets versus ICMP. I.e., a friend of mine's ISP, bridgeband.net, does not play with UDP, but that does not mean the data going through is stopping at that particular server or disappearing.
     
  3. bbauer

    bbauer Banned

    Good advice but be careful

    Ok. So this one is safe and actually from paypal then. I got one a while back and it installed a "security patch" on my computer, and it wasn't more than a few seconds before my security programs started hollering about it, so I ran my Norton Anti-virus and it spotted it right away too and disabled it. Then I had to go in and find all of its programs and files and delete them off my system too.

    The problem becomes one of if they burn me once shame on them and if they burn me twice shame on me.

    It doesn't take long for people to get gun-shy, and even more quickly if they have their security properly set up so they can detect the trojans and whatever quickly.

    Thanks for telling us this one is safe and really from PayPal.
     
  4. lucky2day9

    lucky2day9 Well-Known Member

    Good advice but be careful

    No problem. :)

    You are correct though-- there are so many crafty individuals out there who instead of using their talents for good things use them for their own gain regardless of how malicious.

    It is a shame really. A complete invasion.

    ;) now if I could get my employer to take off our key logger!
     