Phisher-besieged PayPal sends users faux log-in page

PayPal, the online payment service that is a major target of phishers, has been caught sending customer emails that confuse its own login page with a third-party landing site that offers spyware protection and a bevy of other products. The faux hyperlink to secure.uninitialized.real.error.com was included in official emails …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    and that's another reason...

    I still use pine, and don't trust shopping on ebay (yes - I know it isn't ebay's fault but since you can rarely use one without the other...)

  2. Martin Gregorie

    Guess who doesn't want to know about phishing

    As I found out a few weeks ago, Paypal doesn't give a damn about phishing and other e-mail malpractice.

    abuse@paypal.com exists, but anything sent to it merely gets a reply saying that nobody will read what you've sent, presumably because it's been binned.

    Even Northern Rock, that paragon of banking rectitude, didn't give the finger to its clients that blatantly.

  3. Allan Dyer
    Unhappy

    Corporate stupidity...

    Whatever happened to "thinking things through" and "testing"? It is hardly an isolated incident.

    I recently got an email telling me Paypal had a new Hong Kong site (with a choice of Chinese or English), follow this link. Michael Oldenburg would be pleased to know I immediately went to their old site to check it was genuine, but now that appeared in Chinese! Apparently, "for my convenience" they assumed I would want to read the site in a language I don't understand. I could change it back, of course, if I could guess which link labelled in Chinese did that, and I could call their customer support hotline, if I went to the Contacts page after login to find the number (want to type your userid and password into a page you don't understand? and what is Chinese for "Contacts"?)

    More details:

    http://articles.yuikee.com.hk/newsletter/2008/11/f.html

  4. Anonymous Coward
    Anonymous Coward

    Of course, if you follow Paypal's own instructions

    you will NEVER click on an alleged link to a Paypal login page which you receive in email, nor rely on an address in your favourites, but instead laboriously type it out anew every time, while running in pr0n mode and sitting behind seven proxies and using the most obscure, yet secure, browser you can find

  5. kb
    Thumb Down

    I have one of these faulty emails

    From July.

    "Your monthly account statement is available anytime; just log in to your account at https://SECURE.UNINITIALIZED.REAL.ERROR.COM/uk/HISTORY. To correct any errors, please contact us through our Help Centre at https://SECURE.UNINITIALIZED.REAL.ERROR.COM/uk/HELP."

  6. Paul Taylor
    Stop

    Fault of the mail-reading programs

    "Recipients who configured their systems to read email as HTML wouldn't notice the link was incorrect unless they were paying close attention."

    As the first comment says, this is a reason to use plain text mail readers.

    But surely the GUI ones could help here? They just need to parse the HTML, recognising obfuscations such as http://www.bank.com@blah:phishery.com, and display suspicious links (such as those whose sites don't match the From: address) in a different colour!

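The mail-client check described in the comment above, as an added example (not code from The Register, PayPal or the commenter): it parses the HTML body, flags the user@host obfuscation, and compares each link's host with the sender's domain and with any URL shown as the link text. The sender domain, the `phishery.example` hosts and the sample message are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self._href, self._text = dict(attrs)["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_matches(host, sender_domain):
    """True if host is sender_domain or a subdomain of it (no public-suffix lookup)."""
    return host == sender_domain or host.endswith("." + sender_domain)

def audit_links(sender_domain, html):
    """Return [(href, reason)] for links a client should show in a warning colour."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if "@" in parsed.netloc:
            # http://www.bank.com@phishery.example: text before '@' is userinfo, not the host
            findings.append((href, "userinfo in URL hides the real host"))
            continue
        host = (parsed.hostname or "").lower()
        if not host_matches(host, sender_domain):
            findings.append((href, f"host {host!r} does not belong to {sender_domain!r}"))
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown.lower() != host:
            findings.append((href, f"text shows {shown!r} but href goes to {host!r}"))
    return findings

# Constructed sample: the statement wording quoted above plus two phishing-style links.
SAMPLE_HTML = """<p>Log in at <a href="https://www.paypal.com/uk/">https://www.paypal.com/uk/</a>
or view <a href="https://SECURE.UNINITIALIZED.REAL.ERROR.COM/uk/HISTORY">your history</a>.
<a href="http://www.bank.com@phishery.example/">Update details</a>
<a href="https://phishery.example/login">https://www.paypal.com/login</a></p>"""
```

Running `audit_links("paypal.com", SAMPLE_HTML)` returns four findings: the mis-templated PayPal link, the userinfo-obfuscated link, and two for the last link (wrong host, and visible URL that does not match the href).
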
  7. Alexis Vallance
    Thumb Down

    What a company

    What a sham of a company.

    I'm currently trying to verify my account once again:

    • needed code, which they can do automatically on the phone. Ask which phone number to use - home or work. I'm at work, so I choose that.

    Get number, tap it in and then they say they won't accept it because it's not my home number.

    • apply for code by post. 2 months later, no letter.

    • email them. They say to fax. Fax number rejected.

    • hunt on internet for correct fax. Find a London one, so I fax it across. I can only assume they have it. Even if they do, they'll probably just ignore it, just as they did when I first had to verify a couple of years ago.

    I really really hope PayPal get screwed over by the credit crunch and there'll be no Luxembourg or US government bail out.

    I think all our lives would be better if someone like Google ran ebay and PayPal.

  8. grom
    Thumb Down

    I call Shenanigans

    "Oldenburg repeated the now-tired advice that users should never, ever click on links in emails, even when those emails are sent by a bank, merchant or PayPal. Instead, they should open a new browser window and manually type in the address."

    If that's their official advice then they shouldn't send html emails out - they should send plain text emails only and include no clickable links - this includes images and all hidden tracking code.

    Somehow I doubt that would work so why give bullshyte advice?

  9. Soruk
    Thumb Up

    @Allan Dyer

    If you can find the text "英文" (which means English Language) on the page then that's the option to choose - the left image in the referenced article had a dropdown which included "中文" (which means Chinese Language); the "英" character is a reference to England or UK. While I can barely read any Chinese, knowing that character is really helpful in looking for an English version, if the site operators are too stupid to provide the multi-lingual links in the target language instead of the original one. Similarly "日本語" is Japanese, so if you can find a drop-down showing that, it's a reasonable indication of a language selector.

    Now, can the El Reg comments thing display these characters?!

  10. Gav H.

    PayPal

    Scum. That is all.

  11. Anonymous Coward
    Thumb Down

    My Paypal account was frozen....

    ....and they didn't tell me why? I had £400 locked in for 2 months before releasing it - only after I emailed almost every day - phoning was a nightmare.

    During this time I had a good study of Paypal and their methods, and I was a bit shocked at 2 things.

    1. Customer service is appallingly bad. I mean BAD.

    2. Security is weak, lax and ineffective.

    This was a company that had my bank account details! Guess what, I closed accounts.

  12. Richard Porter
    Stop

    NEVER view email in html

    The most important advice is to view email in plain text only, even if that means viewing html markup. That way phishing messages stand out like sore thumbs because the link URL doesn't match the link text. If I receive an html-only message it automatically gets spambinned.

  13. Robert Brown
    Stop

    Why not stop sending emails with links and URLs?

    PayPal have the following footer on their emails:

    "How do I know this is not a Spoof email? Spoof or 'phishing' emails tend to have generic greetings such as "Dear PayPal member". Emails from PayPal will always address you by your first and last name."

    What's the point in that if they then send emails with random domain links? At any rate, finding a user's first and last name wouldn't be too hard if you had their email address. e.g. if you were FredBloggs@hotmail.com a phisher could run that against a database of first names and deduce that the match is the first name and the remainder is the last name and then generate an appropriate greeting.

    A better solution would be for Paypal never to send links or even URLs in messages and just state that they have to type Paypal.com into their address bar. But that's too easy.

  14. Tech Hippy
    Thumb Down

    Follow your own advice

    If they advise customers never to follow links within emails, then why send the link?

    My Tescos credit card related emails never provide a link to the site - far safer surely?

  15. Jeremy
    Paris Hilton

    I have one dated July 27th this year.

    So that's what, nearly four months old. Didn't think much of it at the time because I just assumed it was a one-off glitch but I kept it anyway. Paypal receipt for an online store transaction (not Skype) with all links pointing to

    https://secure.uninitialized.real.error.com/[etc]

    <~~ Her, because she wouldn't check the links either.

  16. dervheid

    ha ha ha ha ha ha

    just ha ha ha ha ha ha!

    Fuckwits

  17. Luther Blissett

    Wrong end of the telescope

    From the ebayer's PoV it would indeed look like phishing. But ITers know that a server is not a flunkey. If ebay is dishing it up, it got into ebay's codes either from inside or outside - no miracles were cooked in the process. So one has to ask, what else in ebay's codes has been (or could be in future) fubar'd that they don't know about? Can they even find out without combing every line of code for lice? It's enough to make your hair stand on end.

    (Radio Luther apologizes for the mixed metaphorizing. Bad hair day. Meh)

  18. Thomas Baker
    Coat

    @alexis vallance

    "I think all our lives would be better if someone like Google ran ebay and PayPal."

    A truly beautiful statement. Even better: Google offering an alternative auction site to eBay, with its own integrated payment gateway. A company the size of Google would be big enough to release a new auction site with enough fanfare to make it instantly well-populated and well-visited, as these are the biggest problems for any other auction startup site. Anyone at google listening? Puh-leeeaase.

    Tannoy: Will eBay and PayPal please get your coats.

  19. Anonymous Coward
    Happy

    @soruk

    > Now, can the El Reg comments thing display these characters?!

    No.

  20. Soruk
    Coat

    @AC (replying to me)

    >> Now, can the El Reg comments thing display these characters?!

    >No.

    Actually, it did work. If you're not seeing the Chinese characters you're missing the Asian character set support and/or fonts on your machine.

    Mine's the one with the unreadable book in the pocket.

  21. fins gd
    Black Helicopters

    Hmmm..

    Sounds like some variable name wasn't replaced with the value SECURE.UNINITIALIZED.REAL.ERROR.COM

    should point to secure site, uninitialized security wise in the com.error.real package (or some other such java-ish gibberish that I don't claim to have the faintest idea about)

  22. Anonymous Coward
    Anonymous Coward

    Use the correct email address

    For Phishing attacks, use "spoof" rather than "abuse".

    Usual caveats about providing clear info.

    PayPal does seem to make some of this a bit too obscure.

  23. wim
    Unhappy

    online shopping woes

    I used to shop regularly online but I find myself buying less and less for a few simple reasons.

    most businesses assume you are a scammer / thief / phisher / whatever instead of a customer.

    buying anything online but with a different shipping address than your registered address is becoming more and more difficult. You first have to register the shipping address with your credit card company.

    being an international consumer is extra annoying. You can not have a second credit card from a different country for paypal. You have to create an extra account. After I did that I found out that my credit card company does not allow transactions with Paypal. Contacting the credit card company revealed the fact that they did not know what Paypal is and thus can not allow Paypal transactions. Actually I think it was more a case of I can't be bothered so I'll just say it is impossible from the credit card company.

    so for the last 2 months I have been eyeing a new laptop I would like to buy and I have tried to jump through all the hoops to get this laptop but yesterday something clicked in my mind and now I think I'll keep working with my crappy laptop for another 3 years. So my consumer confidence is indeed on the lowest point but not because of the economic situation but more because of disappointing customer service. The good thing is that it made me realize I do not actually need all the things I want to buy.

    I think it is weird that as a customer you have to almost beg companies to sell you something and then you also have to take all the risks of giving them your credit card information and hoping you did not get phished / scammed in the process

  24. Keith T
    Black Helicopters

    Forced anonymity

    We've got anarchy on the internet. It is like the lawless days of the wild west.

    Sure it is great to have anonymity in most web browsing, but what about when we want to do business, to be trusted?

    How can anyone, or any business, trust us when there is no way for us to be anything but anonymous on the internet?

    To make the internet "fit for purpose" requires 2 things:

    1. A re-do of the architecture so that people and businesses have the *option* to do transactions in a "non-anonymous mode".

    2. Policing. Domain name registrars and ISPs, have to do their part to ensure they are not knowingly allowing crime to occur.

    If domain name registrars and ISPs don't do their jobs, they should be prosecuted. If a new law is required, a new law should be written.

    If domain name registrars and ISPs can't do their jobs, because of the international nature of the internet or because of privacy concerns, then government should step in and do it for them.

    The internet is like privately owned roads, and either domain name registrars and ISPs will police them adequately, or we citizens will get the government in to do it.

    You don't expect your corner store to keep you safe on the roads leading to the store. You shouldn't expect an internet merchant to keep you safe, except in their store.

    It is a primary essential duty for governments to keep citizens safe.

  25. Allan Dyer
    Coat

    @Soruk

    Yes, I can recognise those characters, but the paypal.com site (the right image) was showing:

    香港 (繁體中文)

    i.e. "Hong Kong (Traditional Chinese)" in a font small enough that I can't make out the Hong Kong characters until I've zoomed four levels, and it isn't an ordinary selection list, it's a link, which presents a javascript box with two selection lists, but I wasn't about to blindly click a link I didn't really understand on a page that was, the last time I used it, in English. Either I wasn't where I thought I was, or they had messed up, not a situation where I wanted to experiment. I somehow doubt Paypal would be sympathetic if I followed a link I didn't understand and fell for a phisher's trick, "So you weren't suspicious when it came up in Chinese?".

    @AC, replying to Soruk, yes, Soruk's right, and, if you haven't got those fonts, you won't see the text I pasted above either.

    Mine's the one with the font-pack for languages I don't understand in the pocket...

  26. Daniel B.

    @Soruk, Allan

    I can see your 繁體中文 as well, thank you.

    My grudge with Accept-Language sites has been that, for some reason, they insist I live in Spain; so not only am I served with Spaniard Spanish (who insist on calling files "microfilms/small cards" and computers "sorting machines"), but I'm also served in some sites with EU pricing! ZoneAlarm, in fact, wanted to sell me the ZA Suite at a premium, as the US site sells it for $45/year, but the Spaniard site sells it for €45. (Hey, it looks like the UK isn't the only one being shafted with the $/£ swaps!)

    I wonder why the Chinese sites can't have an English-readable language link. My good ole' Fujitsu Lifebook 280Dx had its BIOS set up with Japanese as the default language; however there was a nice "(Language)" option which was obviously there written in both Japanese and English so anyone who can't read Japanese could easily switch to a readable language.

  27. Anonymous Coward
    Boffin

    @Daniel B

    I see only squares.

    They aren't Spaniard Spanish sites, they are simply orphaned pages from the arpanet circa 1968 requested by a 2K modem and finally finding a computer of similar vintage to display them on.

    I've always wondered what happened to the pages I requested when IE hangs and I press cntrl/alt/del, no doubt they will turn up in 2030

  28. Allan Dyer
    Unhappy

    @Daniel B.

    If the site is using the Accept-Language header to choose the language for the content it sends, and you're getting Spanish, then the obvious reason would be that your browser is setting the header to say that - check your browser settings.

    But the site might be doing a location look-up on your IP address (bad assumption there: if someone is in a country, do they necessarily understand the language), in which case, if you are not in Spain, perhaps your ISP is using an IP block from there, or you are using a Spanish-located anonymising service, or your company's internet gateway is in Spain, or...

    Apart from the translation resources required, there is no reason why the Chinese sites can't have an English-readable language link, so when an international company like Paypal that is deliberately addressing different language markets makes a mess like this, it annoys me.

    We have the technology, we don't have the common sense or the will.

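An added example of the header-based mechanism the reply above describes (not PayPal's code): a small Accept-Language negotiator that honours q-values and primary-subtag matches, and falls back to a fixed default rather than to the IP-location guess the reply warns against. The supported-language list is assumed.

```python
def parse_accept_language(header):
    """Return [(tag, q)] sorted by descending q; entries with q=0 are dropped."""
    langs = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0                      # RFC default when no q parameter is given
        for p in params.split(";"):
            k, _, v = p.strip().partition("=")
            if k == "q":
                try:
                    q = float(v)
                except ValueError:
                    q = 0.0          # unparsable q: treat as "not acceptable"
        if q > 0:
            langs.append((tag.strip().lower(), q))
    # sorted() is stable, so header order breaks ties between equal q values
    return sorted(langs, key=lambda item: -item[1])

def negotiate(header, supported, default="en"):
    """Pick a supported tag from Accept-Language.  An exact match wins, then a
    primary-subtag match (zh-TW -> zh-Hant-HK); '*' or no usable preference
    returns the default instead of guessing from the client's IP address."""
    supported_lc = {s.lower(): s for s in supported}
    for tag, _ in parse_accept_language(header):
        if tag == "*":
            return default
        if tag in supported_lc:
            return supported_lc[tag]
        primary = tag.split("-")[0]
        for s_lc, s in supported_lc.items():
            if s_lc.split("-")[0] == primary:
                return s
    return default
```
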
