This piece was originally published in my journal/weblog on Monday, 28 July 2003, and referenced in a longer article ("Fraud Artists Target PayPal Users") I wrote for the online magazine TidBITS, in its issue #691 of 4 August 2003. I have appended a copy of that article to the end of this piece.
Yesterday I received my nastiest-ever piece of spam e-mail. No, it wasn't pornographic, or offering to enlarge anything—I've been on the lookout for PayPal scams, since I've seen reports of them, and this was my first. A doozy.
My spam filter nabbed it (good catch!), so I only noticed it when I was skimming for legitimate e-mail that mistakenly got tagged. It is an HTML form sent in e-mail, disguised to look like it's legitimately from PayPal, with the subject line "Your PayPal account is Limited." It was made to look like it came from "email@example.com," but only clumsily, which is one reason my spam filter caught it. The first image below, however, shows how convincing it appeared (click the image to get a full-size, full-frame view of the message).
I've highlighted some of the awkward phrasing and consistency errors the scammers made—without them, it would be very hard to identify the mail as a forgery. Adam Engst of TidBITS sent me another screenshot showing a different but very similar scam e-mail. Both messages use a number of the tricks identified in ActiveState's Field Guide to Spam and in MacInTouch's Internet Fraud Reports.
The thing is, PayPal never sends this sort of e-mail in the first place. Neither do most of the other companies targeted in these scams, including eBay, Amazon.com, and EarthLink.
The code in the form was insidious too. Check out where the information (including credit card number, expiration date, and even bank PIN) was supposed to go:
At first, it looks to go to paypal.com, but no, follow all the meaningless 1s and 0s and it goes to client-support.biz—a domain apparently first registered in late July 2003 by someone in Austria. (Adam Engst's example used a similar trick—the link that appeared to go to paypal.com really went to exme.us, but all other links and images went to or came from the real PayPal site.)
I did some detective work, and after sucking up whatever information you might provide, the page at client-support.biz then redirects you to the real PayPal site (I think), which gives you an error, claiming that you didn't log in properly—because you didn't really log in there at all.
So, for someone who wasn't specifically watching out for this sort of scam, and who didn't have a smart spam filter, this could easily have turned into a quick harvest of name, PayPal ID and password, credit card information, and bank ATM PIN—juicy material for fraud, identity theft, and all sorts of other things. And you might never know it happened.
As I said, nasty stuff.
by Derek K. Miller <firstname.lastname@example.org>
Most spam is simply annoying—a waste of time, effort, and computer resources, to be sure, but not usually dangerous. However, a small but significant number of spammers go beyond being merely misleading or offensive by actively trying to defraud people. Their methods are increasingly sophisticated, both technically and socially, and many are now focusing their efforts on major ISPs, online retailers, telecommunications carriers, and, for my discussion here, the popular PayPal online payment service, which is owned by eBay.
Email fraud is nothing new. It follows naturally from the methods criminals use in mail, wire, and telephone fraud. The notorious "Nigerian banking" scams have even been traced back as far as the 1920s, when they were conducted through the mail and involved a fictitious Spanish prisoner instead. But the Nigerian banking scams are almost laughably obvious, whereas the new scams aimed at PayPal are really quite subtle.
Why PayPal? PayPal is not to blame for the situation. Some people dislike the service for a variety of reasons, but PayPal's staff makes significant efforts to keep it both secure and easy to use, two goals that are sometimes at odds. So why are these scam artists targeting PayPal?
People trust PayPal with information about their bank accounts and credit cards. PayPal is widespread, with many of its users maintaining a significant balance of funds in their PayPal accounts. A large majority of eBay auctions accept PayPal, and many services outside the eBay community use it as well—including TidBITS's own PayBITS author-payment system. Put bluntly, PayPal is where the money is.
Also, it's simple for nearly anyone with Internet access to use PayPal. That means many PayPal users are unfamiliar with the details of how Internet email and online transactions work, even if they use those technologies every day. With a bit of effort, criminals can convince even fairly experienced Internet users that they are logging into the PayPal Web site, when in fact they are giving personal and financial information away to unknown parties.
In short, PayPal appeals to fraud artists for the same reason it appeals to users: it makes accessing and transferring money entirely online both easy and quick. So people also can be tricked into losing their money quickly, easily, and entirely online.
Why Me? How do PayPal scammers get your email address? The same ways other spammers do, which include harvesting addresses posted in Usenet and on Web pages (perhaps especially if you have a PayPal payment link on your site, as I do), obtaining illegitimately compiled databases of addresses from unscrupulous companies with whom you might do business, crawling eBay's active auctions looking for usernames, and unleashing semi-random "dictionary" attacks on major email providers such as Hotmail, EarthLink, AOL, and Pobox.
Since so many people use PayPal, even random spamming of millions of email addresses will turn up a fair number of people who have PayPal accounts, and therefore some who can be convinced that PayPal needs them to re-type some information.
Anatomy of a Scam -- Like most varieties of spam email, every PayPal scam is slightly different. The goal of each one, though, is the same: to mislead victims into believing that they are communicating with PayPal, so that their trust in it, and thus their money, can be misappropriated.
Usually that attempt takes the form of an email forged to look like it comes from PayPal, claiming that the company is trying to verify its customer list, has had a database problem and needs some information re-entered, or has another apparently legitimate reason for you to log in with your user name, password, and maybe credit card information and ATM code. The email might include a link to a site that seems to be owned by PayPal, but is not, or the email might include an HTML form itself, as the one I received last week did:
Over time, the perpetrators of these scams have gotten tricker. Early versions were plain-text email messages with links that were obviously misleading. More recent attempts are HTML-formatted messages with genuine PayPal logos (sometimes linked directly from PayPal's site) and a layout similar to PayPal's genuine Web pages.
There are still signs that give away the real nature of these messages. Every one I have seen has errors in design or language that are unlikely in correspondence from a legitimate company. The writers might misspell words or use them sloppily (such as writing "e-mail" in one place and "email" in another), use slightly inconsistent font sizes, or have spaces missing between words. Often the phrasing that isn't stolen directly from PayPal's own pages is off-kilter and strange, obviously not written by professionals. Another giveaway is URLs that point at IP numbers or other domains rather than the paypal.com domain. With HTML email, though, you must view the source of the message and scan it carefully to find these telltale signs.
Yet for someone who isn't a technical writer and editor like me, those mistakes are easy to miss. The scam email I received last week is even set up to redirect you to the real PayPal site after it has harvested your personal information, so unsuspecting victims may never know they had been duped until the money started disappearing from their PayPal account (a good reason to check your account activity every so often too).
Consequences and Precautions -- Crooks who manage to obtain your name, email address, password, and banking information are in a position to drain your PayPal account of all its funds, at the very least. They could also launch fraudulent auctions in your name, launder money, or (in the extreme) use the information they have as the basis for identity theft. These are not misdemeanors, but serious crimes.
So, if you use PayPal, you should be cautious. Fortunately, that's easy to do. First of all, PayPal never sends email messages requesting your password. Any transaction requiring you to log in goes through the paypal.com Web site and uses a secure (https), encrypted connection (so make sure you see https at the beginning of the URL in your Web browser's address field and paypal.com as the URL's domain name). Be careful, though, since some scammers are using unusual URLs that use the paypal.com domain as a username for another site, whose domain is hidden later on in the URL (after an @ character). So if you see something like the following URL, your browser is actually going to example.com, not paypal.com.
PayPal itself maintains a repository of useful anti-fraud information in its Security Center:
If someone attempts to defraud you with a PayPal scam—even if you don't respond and suffer no loss—the "Report a Problem" link on PayPal's Security Center page lets you tell the company about it so that it can try to track down and prosecute the offenders. The company also encourages you to forward any scam email messages purporting to involve PayPal (including all headers) to <email@example.com>.
PayPal remains profoundly useful. We must learn to recognise those people who are trying to degrade that usefulness and steal our money, just as we recognize suspicious activities in other areas of our lives. One simple way to avoid any problems is to log into PayPal only when you type its URL into your browser yourself.
The situation reminds me of a Calvin and Hobbes cartoon where Calvin brings a note to school, written in big lettering using a pencil on lined paper: "Please let Calvin off from school today as his genius is needed on a matter of vital national importance. Signed, The President. P.S. Really." With a bit of scrutiny, you too can learn to spot fraudulent messages.
[Derek K. Miller is a writer, editor, drummer, and stay-at-home dad in Vancouver, Canada. He maintains a disturbingly extensive weblog journal on his Web site.]
Page BBEdited on 20-Mar-04 (originally posted 4-Aug-03)