Even the technologically savvy can come close to being scammed by modern phishers using the latest Internet tools. Arm yourself with knowledge, read this article.
My name's Allen Strider and today I was one step away from having my PayPal account hijacked. I know some stuff about the Internet and always thought phishing scams only ever worked on Midwestern housewives like my mom. Even if you've eaten some 409's, or just think you're totally 1337 and could never be hit up by one of these scammers, read this article and/or pay special attention the next time you try unsubscribing from something.
I try very hard to never be boastful or arrogant. I'm not the smartest person in the world but I'm fairly smart. I'm not the most technologically savvy person in the world but I could teach a lot of people things they don't yet understand about their computers and the Internet. I've built plenty of websites, some even with moderate success, and played host to Internet radio stations and then (when they decided to name them years later) podcasts. I played counter-strike before de maps were invented (and still do). I've read countless articles on different types of Internet scams, spams, tricks and crimes out of interest and paranoia throughout the years. Perhaps that's why my defense was down, and why I would be cleaning up identity theft issues if these scammers had faster servers.
At this point, I was still clueless. I'm not the least bit surprised to see promotion emails from companies I've authorized to contact me about activity on my account with them. I don't recall receiving spam from PayPal before, but it doesn't seem out of the question.
So, I open the email. As you can see below (like any carefully made phishing scam) it looks the part.
Above you can see that the email was sent through the most convincing means. Gmail hadn't caught it and neither had I yet.
At this point, I figure there has to be a way to not receive emails like this. I scroll down and look for an unsubscribe button. As you can see below I find it and even make sure to check the linking url, which appears to be a paypal.com address.
I was a bit wary when I opened this email and knew I should check things out, but the first glance at the paypal.com address actually eased my mind and I plunge. Click!
This link undoubtedly would have taken me to a page that looked exactly like a paypal site with a place to "log in" and unsubscribe from their newsletter. Below you can see my one and only red flag.
At this point I know with 99.9% accuracy that even PayPal wouldn't hire someone stupid enough to direct me to any paypalsomething.com website. As you see above, my browser is actually tricked into thinking I'm securely on paypal.com.
A google search for paypalobjects.com and phishing confirms it.
Below you can see some ambiguous but clearly unsecured whois information from PayPal, and then from paypalobjects.com which eventually led me to ebay.com.
So, essentially I was just hacked, and the only saving grace bestowed on me was the fact that their servers weren't fast enough to load without me seeing where I was really going. Granted, I probably would have noticed something once inside their realm, but it was still a little close for comfort.
And deeper into a paranoid, untrusting, defensive, little hole I go....
How can the link point to the paypal.com domain, the browser show an SSL connection with the paypal.com domain on the address bar, and yet the page is hosted on paypalobjects.com???
Is it a browser vulnerability???
#2 by Pallab, Mar 21, 2007
That's why I find Opera's tooltips so useful. Most people find it annoying, but it's useful in detecting phishing, as when you hover over any link, it shows the target.
Another trick is never click on the link, but copy it and paste in a new tab.
#3 by Limeny Snatchet, Mar 29, 2007
That is actually very interesting. On myspace you get messages that when you click it says you must be logged in to do that. When you type in name and password... BOOM! account hacked. Usually only for advertising though but still bad.
P.S. checkout my stuff. I have a lot of stuff pending. I need the exposure.
#4 by Jonathan Pickard, Apr 4, 2007
Nice article. How about I click on your articles and you click on mine to guarantee some money? Post me a comment on one of my articles like The Apprentice to let me know?
#5 by weirdal, May 4, 2007
Yeah, paypalobjects.com is a legitimate part of paypal. The link went to the paypal url you saw in the status bar, and paypal redirected you to paypalobjects. There is no way for a link to show in the status bar but go to a different url when clicked. You weren't "hacked", you're just paranoid.
Pallab, Opera doesn't have a magical ability to see redirects before you click a link. The tooltips in opera display the exact same thing firefox would display in the status bar.
#6 by Craig, May 5, 2007
A little bit of knowledge can sometimes be "dangerous", in more ways than one. ;-)
1. Allen - It is a legitimate redirect.
2. weirdal - Google "window.status" and "onmouseover", even Google itself uses this Javascript effect in their SERPs. It is possible to disable in some browsers but is not usually by default.
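The two checks raised in the comments above (comparing a link's visible text with its real target, and the `window.status` / `onmouseover` status-bar rewrite Craig mentions) can be applied to a message body before anyone clicks. This Python example is added here and is not part of the original article or comments; the names `LinkAuditor` and `audit` and the example.com / example.net sample links are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible text that looks like a URL or bare hostname; group 1 is the host.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#].*)?$", re.I)

class LinkAuditor(HTMLParser):
    """Flag <a> tags whose visible text or hover script disagrees with href."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._cur, self._text = None, []  # attributes and text of the open <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur, self._text = dict(attrs), []

    def handle_data(self, data):
        if self._cur is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._cur is None:
            return
        host = urlsplit(self._cur.get("href") or "").hostname or ""
        shown = HOSTLIKE.match("".join(self._text).strip())
        # Link text names one host while href points at another.
        if shown and shown.group(1).lower() != host:
            self.findings.append(("text-mismatch", shown.group(1).lower(), host))
        # Hover handler rewrites what the status bar displays.
        hover = self._cur.get("onmouseover") or ""
        if "window.status" in hover.replace(" ", ""):
            self.findings.append(("status-override", hover, host))
        self._cur = None

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample message body (reserved example domains only).
SAMPLE = """
<a href="https://www.example.com/unsubscribe">www.example.com/unsubscribe</a>
<a href="http://mail.example.net/u">https://www.example.com/unsubscribe</a>
<a href="http://mail.example.net/u"
   onmouseover="window.status='https://www.example.com/'; return true">Unsubscribe</a>
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A server-side redirect, such as the paypal.com to paypalobjects.com hop weirdal describes, happens after the click and is not visible in the markup, so this check does not flag it.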
#7 by Nekosune, May 5, 2007
@Craig Gmail (which he opened email with) at least and I believe others filter them out
#8 by Ruby Hawk, Nov 29, 2007
It is scary out there. I was phished on myspace and now they won't let me back in with a new password or the old one. I watch my paypal closely and try to stay safe. What is one to do?
#9 by Keith, Feb 3, 2008
>A google search for paypalobjects.com and phishing confirms it.
A google search doesn't confirm anything.
However, I have the same concern about paypalobjects.
I have the noscript firefox plugin and it disables javascript from unknown sites (so the paypalobjects.com js was not allowed to run when served from paypal.com sites).
I google searched and saw these paranoid ramblings about it, but I've also found people like weirdal here who say:
"Yeah, paypalobjects.com is a legitimate part of paypal."
I've sent a message to paypal and am waiting to hear back from them personally.