Beware: New PayPal phishing scam looks real.

[94Z28]

Don't trust any emails from a seemingly legit PayPal sender claiming someone unauthorized is using your PayPal account. It's a phishing scam and if your PayPal address is on any public website they can extract your email account used!

Mirror Online: PayPal 'unusual activity' email SCAM attempts to dupe users - don't fall for this hacking hoax. PayPal 'unusual activity' email SCAM attempts to dupe users - don't fall for this hacking hoax - Mirror Online

 

[BobMc]

Don't trust any emails from a seemingly legit PayPal sender claiming someone unauthorized is using your PayPal account. It's a phishing scam and if your PayPal address is on any public website they can extract your email account used!

Mirror Online: PayPal 'unusual activity' email SCAM attempts to dupe users - don't fall for this hacking hoax. PayPal 'unusual activity' email SCAM attempts to dupe users - don't fall for this hacking hoax - Mirror Online

Thanks for the heads up 94z28 I use paypal a lot, something to watch out for !!

 

[Elektrotechniker]

ha, just got this email today

 

[Benm]

I get them from time to time as well, usually quite obvious.

The best way to deal with it all is just to go to paypal.com manually, checking the security certificate just in case, and logging in. Any issue that requires your attention will be visible there. It's unlikely that something actually shows up.

Never click on links in the emails, they can always be fraudulent just trying to get you to input your username and password. It's very easy for fraudsters to get a domain name that looks somewhat legitimate (like audit-paypal.com) and even get a ssl certificate for that so it looks all legit. This should normally be a subdomain, but enough people don't see the dot-versus-dash thing there and fall for these scams to make them profitable.

 

[94Z28]

Yeah these emails are starting to look more authentic though, and the way they can mask the email address to look like a legitimate PayPal address is not cool either.

As Ben said make sure you never click links from your email that are suspicious especially if they immediately popup or request account information. I use Google Chrome which does have phishing protection, and you can get some plug-ins or anti spyware like Bit defender which keep you safe.

I use bit defender as it has a dedicated "safe terminal browser" for all bank, and payment or sensitive information sites.

 

[Alaskan]

I don't pay attention to any of those emails, suspect all of them are spear fish attempts to get my password. If I did believe one of them, I would never click their provided link, ever! Go directly to the web site yourself. Another web based business I see this happening with is Amazon, I fell for it once! Then immediately went to Amazon.com and changed my password. One good thing, I use different passwords for every web site I need one for, that way if someone does get one password, they can't get into any of the other accounts.

 

[Polonium210]

I forward all those emails to spoof@paypal.com to help them combat the scammers.

 

[trencheel303]

Yeah these emails are starting to look more authentic though, and the way they can mask the email address to look like a legitimate PayPal address is not cool either.
.

That's a big problem with email because it hasn't fundamentally changed much in the 40 odd years (possibly more) that it's existed. Things like reverse DNS, SPF etc have been tacked on to try and tackle it, and nowadays you usually can't send through any major SMTP server without credentials, but the fact remains it's still an ancient system from a time before threats really were even thought of.

I live in hope that a long overdue alternative to email arrives soon, because it still amazes me that on the whole business rely on email to this day as a communication medium.

 

[Benm]

The reality is that email is a very outdated system that has to remain this way for legacy support.

One important thing to note is that email is fundamentally not encrypted at all, and anything you send by email could pass a compromised system as plain text. This may not be the case for all emails, such as sending one from one gmail account to another, but otherwise you should expect that someone is potentially reading along.

 

[lasersbee]

The most important thing to remembern is....
PayPal will NEVER send you an E-Mail with
a link in it.
If there is a link in a PayPal E-Mail it is Phishing 100% !!!

Jerry

 

[Benm]

I'm not overly sure about that. I think they have sent some mails when changing terms and conditions that contained links. I never opened those links since i didn't care too much.

Then again you can get that information just as well when typing in the paypal domain name yourself and then logging in, so i'd opt for that just in case.

 

[94Z28]

I have seen a couple links from PayPal but I certainly know better than to click links from ANY email address period. I always make sure I type the address I want to visit in the address bar, and I also make sure it resolves properly.

I don't care if you THINK you know about security and that you are safe because you type it in your address bar... guess what? I have personally seen a malware that can alter your window's host file.

By altering the Hosts file, you could type in PayPal.com into your address bar and still visit http://paypalphished.com/ but to you, it would show PayPal.com because your window's hosts file is converting PayPal.com into Paypalphished.com

hosts file is usally for mapping hostnames into IP Addresses and I use it for mostly server related stuff, alot of people don't even know about it. Google it if your curious, bottom line is to be safe guys, I am probably preaching to the choir since we are all on a forum together but I cannot stress to you enough that security is a real issue in this day and age and I may be a little overboard with my own internet security but I haven't had any big issues thus far.


Don't follow links via eMail to any important personal service (401k, eBay, PayPal, Banking, Facebook) AND anything else that may give a hacker with malicious intent an entry way to your life. They don't just want to add your system to their bot-net; they want to steal your identity, farm your life earnings, and use your network for illegal actions.


TRUE story:

My woman has gone through an ordeal with phishing because she was naive to computers and followed an email link about a loan to buy a car, she entered her information for them to call her which included Name, Address, Phone Number, Amount in Bank for Down payment, Significant Others names, Children and more about dependents etc...

Anyway, a couple weeks or months later I get a call while at work and she is crying, says "OH MY GOD; I thought you were kidnapped... I am on the phone with some guy who says he has you kidnapped and I just sent him money and he is supposed to let you go..." and then I just say; Oh yeah, well I am just fine should have called or text me and I inform her to call the police to report it.

Story is > They phished her information and sold it or used it for a phone scam which was very dirty.

Guy calls her and tells her there was a car accident involving me, and his son needed medical attention but was an illegal so they wanted cash to be able to get him fixed up. I refused to give them cash, so they kidnapped me. She said they had it pretty well played out, someone in the background screaming, and that he was very assertive and would not even allow her to put the phone down to get ready or they would "shoot me"... He found out she had some money in the bank and informed her to drive to the store immediately to transfer a payment to allow my release. She gets to CVS still on the phone with this dipshit and he tells her to purchase Gift Cards!! So that they cannot be traced, well guess what she fell for it and spent over 500$ on them. Sent them to him, and they never caught him. I was able to trace them somewhat via her email and web history, found the website and all that... I couldn't get them to contact me though ever after they got a couple people locally; even seen it on the news... Keep it safe!

 

[ped]

I see an old face has re emerged. Hello Lasersbee.
I got a similar email to that a few weeks ago. I normally open them in a sandbox to see how good the copy website is .

Ped

 

[BowtieGuy]

Yes, welcome back Jerry, good to hear from you again! :yh:

 

[trencheel303]

Had me thinking I'd just stepped out of a time machine there ...

 

[94Z28]

Anyone who thinks they may have malware, or their hosts file is sending them to a "fake" version of the website they are typing it, can easily check them out.

How do I recover from Hosts file hijacking? Security | DSLReports, ISP Information

How do I recover from Hosts file hijacking?
If you are unable to access some Internet sites, or requests to one Internet site are redirected elsewhere, but you can access other Internet sites, your problem may be "Hosts File Hijacking."

What the Hosts file is:

On the Internet, people usually talk about Internet sites using domain names, like microsoft.com, dshield.org, whitehouse.gov or gc.ca, ut computer networks function using IP addresses.

Data to be sent on the Internet is broken up into chunks called packets (also called datagrams or "messages"). The destination IP address is put in the header of each packet and is used to by each machine along the path to route the packet to the destination computer.

Before packets can be sent through the Internet, the sending computer must look up the destination domain name, find out its IP address and put that IP address in the header of each packet.

The "Hosts" file is a special file in which your computer first tries to look up domain names. If it doesn't find the domain name there, it looks it up using your Internet Service Provider's (ISP's) domain name server (DNS).

Thus, altering the Hosts file can make Internet sites unreachable by misdirecting packets intended for one Internet site to the wrong place (the wrong IP address).



The steps for investigating and cleaning the Hosts file:


1. Backup the Hosts file. Here are the standard Hosts file locations:

Windows XP & Vista: C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K: C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME: C:\WINDOWS

First, locate the Hosts file; it is a file named "Hosts" with no extension. Right-click on it and select Copy. Now, right-click in the clear space to the right of the Hosts file and select paste. At the bottom of the file list, there should now be a file named "Copy of Hosts" (or "Copy (2) of Hosts" if this is the second time you are doing this).

The backup is no danger to your computer because the name is changed. Keep it on your computer for at least one month, just in case you need to refer back to it.


2. Examine your Hosts file.
Download HostsXpert (free easy tool for viewing and editing the HOSTS file)
http://www.funkytoad.com/index.php?option=com_content&view=article&id=13&Itemid=31

* Extract all files (that is, decompress or unzip) the contents of HostsXpert.zip to your desktop. This will create a folder called: HostsXpert. To run the program, open the HostsXpert folder and doubleclick on the file HostsXpert.exe

Click the "BackUp Hosts File" button.

The contents of the Hosts file appear in the window on the left. You will be able to edit, remove unwanted lines and save the Hosts file with HostsXpert. But don't change anything until you get to step 6. First, you have to analyze what is there now.


3. Analyze the Hosts file.

The Hosts file consists of lines with up to 3 parts:
a) The IP address to direct messages for a domain to
b) The domain name
c) Anything after "#" on a line is a comment for people, and the computer will ignore it.

Here is a sample Hosts file:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine (host) name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# Start of entries inserted by some anti-spyware software
# [Misc Add-ons][A - Z]
127.0.0.1 abcsearch.com
# End of entries inserted by some anti-spyware software
101.4.5.2 aardvark.com # Everything after a pound sign on a line
101.5.6.8 emeraldcs.com # is a comment for people and
127.0.0.1 kaspersky.com # ignored by the computer.
127.0.0.1 mcafee.com
127.0.0.1 symantec.com

3.1 "127.0.0.1 localhost" is in every Hosts file. It merely tells the computer to send messages for other parts of the same computer (the local host) to the "loop back" address 127.0.0.1. In a new default installation of Windows, this is the only line in the Hosts file that is not a comment.

3.2 The line that reads "127.0.0.1 abcsearch.com" was added by anti-spyware or anti-tracking software. Since the anti-spyware in question mentioned in the comment is installed on the computer, this is not unexpected.

Before sending messages to abcsearch.com, the computer would check the Hosts file and see that it should send the messages to IP address 127.0.0.1, which loops back to the computer itself, which, in turn, will ignore the messages. In this way, messages to abcsearch.com are blocked from ever getting there.

3.3 The line that reads "101.4.5.2 aardvark.com" was added to make access to aardvark.com faster. The computer won't have to look up the IP address of aardvark.com on a DNS because when it first checks the Hosts file, it sees it should send messages for aardvark.com to 101.4.5.2.

The Hosts file is rarely used to speed access anymore, because of the problems with keeping it up to date as domains move from one IP address to another and because DNS servers are usually very fast now. DNS servers are updated automatically. The host file has to be updated manually.

3.4 The line that reads "101.5.6.8 emeraldcs.com" was added when Emerald's clock software was added, so that customer computers enter their site using a different IP address than non-customer computers.

This is invisible to Emerald's customers unless they check the Hosts file. To determine that the entry was put there legitimately, one would have to ask someone else who also ran Emerald's software and had a clean machine to check their Hosts file; or check the FAQs and forums on Emerald's website; or email Emerald's technical support. (Because your email goes to an email server first, and not directly to Emerald, you can still contact Emerald using your ISP's email or a web-based email like Hotmail.)

3.5 The lines that read "127.0.0.1 kaspersky.com," "127.0.0.1 mcafee.com" and "127.0.0.1 symantec.com" were added by a malware in an attempt to prevent the computer from communicating with and getting anti-virus information and database updates from anti-virus companies.

When the program that updates Symantec's anti-virus database tries to contact the Symantec Internet site, the computer will read the Hosts file and find the line saying to use IP address 127.0.0.1 to reach Symantec. Therefore communications with Symantec and the other anti-virus companies listed will fail.

If there are lines for many anti-virus, anti-trojan and firewall companies in your Hosts file, it is a pretty safe guess that they were put there by malware or a hacker. To solve the immediate problem, you will delete the unwanted lines and save the Hosts file.

If your Hosts file looks okay, then you are done here. The problem has a different cause. Try following the investigation steps here instead: Click here.


4. If you need help cleaning your Hosts file, post the Hosts file in a new topic in the BBR Security Forum.


5. Make the desired changes to the Hosts file using the HostsXpert utility and save the changed file.

(Caution: Only use HostsXpert utility or notepad.exe to edit the Hosts file. The file has to be in text format, not word processor format.)

If you aren't sure what to do, after you have done "Backup Hosts File," remove all the lines that do not begin with a "#" except for the line "127.0.0.1 localhost." If it makes things worse, click "Restore Backup Hosts File."

Once the Hosts file is saved, you can optionally go into Windows Explorer and navigate to the file again, right-click on it, select Properties, select the "Read Only" attribute and click OK (or click the "Make Hosts File ReadOnly" button in HostsXpert).

If you have problems, you can go to the Hosts file with Windows Explorer, delete the Hosts file and rename "Copy of Hosts" to "Hosts."

(Few computers actually make any use of the Hosts file and almost all will work perfectly fine without one. The extra steps in here are in case your computer is one of the few that needs one.)


6. Check your computer for the cause of the Hosts file hijacking.

Hosts file hijacking is the simplest problem you can have, unless whatever did the hijacking is still on your system. So, once you have fixed the hosts file, it is important to follow the steps here: Click here since you may have a virus or trojan.


7. Take action to secure your computer so it doesn't happen again: click here.