Of Paypals, server hacks and email scams
Posted on June 25, 2003
Recently I received three emails purportedly from Paypal requesting that I click a link that would take me to a page where I could validate my personal Paypal information. These emails are fake. It’s a scam designed to get unwary users to give away their Paypal account info (and credit card info?) to someone who broke into an unwitting server and set it up to appear as though it were a legitimate Paypal site.
If you received an email whose header data looks like:
From: service@paypal.com
Subject: Security Measures
and whose body contains the following URL:
http://www.paypal.com@207.44.196.35/~redbarpr/cgi-bin/webscr%3fcmd=verification/
you too received a copy of the bogus email.
How It Works
Even though the URL above appears to legitimately come from Paypal, it actually doesn’t. The key to this is the presence of the @ in the URL just after the www.paypal.com portion. This @ is a special character that tells your web browser to treat anything that comes before it as a username and anything that comes after it as the true URL.
In other words: your browser thinks that www.paypal.com is your username for the webserver at 207.44.196.35. Instead of contacting Paypal, your browser connects to 207.44.196.35 and the scam is afoot.
For a harmless example of this in action click this link: http://www.apple.com@216.201.96.68. That’s not Apple’s site, that’s my site - the link just looks like it goes to Apple’s.
The hacked victims have taken down the fake Paypal pages and replaced them with this explanation page.
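The check described under How It Works can be automated for mail filtering. The following is an added example, not code from the original post: it parses each URL in a message body and reports where the browser will really connect. The function names, the finding labels and the sample body (built around the URL quoted above) are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Userinfo shaped like a DNS name (e.g. "www.paypal.com") is the lure.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def inspect_url(url):
    """Split a URL and report what it displays versus where it connects."""
    parts = urlsplit(url)
    host = parts.hostname or ""           # text after the last "@"
    user = unquote(parts.username or "")  # text before the "@", if any
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo-present")
        if HOSTLIKE.match(user):
            findings.append("userinfo-looks-like-hostname")
    try:
        ipaddress.ip_address(host)
        findings.append("host-is-ip-literal")
    except ValueError:
        pass  # host is a name (or empty), not an IP address
    return {"url": url, "displayed_as": user or host,
            "connects_to": host, "findings": findings}

def flag_urls(body):
    """Return results for URLs whose username part imitates a hostname."""
    results = [inspect_url(u) for u in URL_RE.findall(body)]
    return [r for r in results
            if "userinfo-looks-like-hostname" in r["findings"]]

# Constructed sample message body using the URL quoted in the post.
SAMPLE_BODY = (
    "Please confirm your account:\n"
    "http://www.paypal.com@207.44.196.35/~redbarpr/cgi-bin/"
    "webscr%3fcmd=verification/\n"
    "Help pages: http://www.example.com/help\n"
)

if __name__ == "__main__":
    for hit in flag_urls(SAMPLE_BODY):
        print(f"{hit['displayed_as']} -> {hit['connects_to']} {hit['findings']}")
```

A URL with an ordinary username in front of a named host yields only `userinfo-present`, so the filter keys on the combination of a hostname-shaped username and the real host.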