[Full-Disclosure] Posible PayPall Scam? FW: Your PayPal ac
nick at virus-l.demon.co.uk
Thu Mar 6 01:13:25 GMT 2003

> These Paypal spam scams are becoming more common. Here's where to
> report them at Paypal:

This kind of advice always intrigues me...
What can PayPal (or eBay or Amazon or AOL or any of the other popular
targets of such scams) do about this?

Precious little. They can complain to the service providers involved
in the spamming (if they are sent the full Email headers -- unlikely
from a substantial proportion of those naive enough to have to ask
what they should do about such things) and they can complain to the
service providers of the website hosting the bogus "login" form.

I guess that saves the concerned user the hassle of learning how to
track such contacts down (and PayPal et al. are bound to have better
resources for dealing with language translation issues that may seem
almost inevitable in such cases).

However, it also could significantly delay the processing of the
complaint _to_ the service providers that most need to act -- those
hosting the web servers or Email accounts in cases where the
harvested information is received by Email.

Think about it.

Someone hatches one of these schemes, buys into a spamming operation
for delivery of the bogus Emails and sets the Email in motion. Say
the spamhaus successfully delivers 100,000 of these bogus Emails per
hour (i.e. 100,000 messages get into real inboxes). Further, let's
say that 0.001% of recipients are gullible enough to be taken in by
the scam (I have no idea if this is a reasonable ball-park figure --
anyone?? It would partly depend on the relative popularity of the
targeted organization and on the relative savvy of that service's
clientele.) Ignoring ramp-up issues (we'll assume the spammers'
target addresses are randomly distributed around the globe and that
delivery-to-read delays have no effect) and assuming the above, the
scammer gets one PayPal account per hour his web server is running.

Thus, _only_ sending notifications of receiving such scams to PayPal,
etc. gives the scammers a "get out of jail free" (or at least, a
"delay losing your scam site") card worth at least however many
hours delay there is between notifying PayPal and its staff actually
even getting through the message queue to consider it.

Now, back to PayPal and the specific issue at hand...

incapable of displaying the content below. Please click here for

I suspect my views on the _SHEER IDIOCY_ of requiring (or at least
expecting) those trying to use your "report or investigate a security
problem" pages to lower their web browser's security options are
sufficiently well-known that I need not say anything here. Anyway,
the process is a tad involved, requiring you to select the right
"fraud reporting" option from virtually the bottom of a _very_ long
list of (mainly mundane) reasons people may have for contacting
PayPal. It might be better to point them to:
which has three links to, presumably, the most commonly reported
"fraud" related issues -- spam, fake sites and unauthorized

Anyway, whichever of the various mechanisms you use, all of the
online "send Email to our Customer Service team" pages have a very
brief introduction ending with:

    We will respond to your email as quickly as possible, typically within
    2-3 business days.

Hopefully that does not reflect the queue length for such reports
just to be read -- if so, _only_ reporting such issues to PayPal
means the scammer may get as much as a 48-72 user account

Full-Disclosure is hosted and sponsored by Secunia.