New PayPal Fraud?


ThaneofFife


I see the eBay hacking thread has been locked, but this looks to be a new threat - or potential threat - to your PayPal account.

 

Today I received an email entitled "Account Status Limited". If you have received the same email then read this before you take any further action - do not follow the on screen instructions yet. I think it has the hallmarks of another fraud.

 

The email is tagged "almacen@prenta.com" (whoever that is) and I quote:

 

to undisclosed recipients

PayPal is intensively working to ensure security by screening the accounts in our system. We reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be disabled. We would like to restore your access as soon as possible,and we apologize for the inconvenience.

Why was account access limited ?

 

Your account access was limited for the following reasons:

 

 

 

We have reason to believe that your account was accessed by a third party. We limited access to sensitive PayPal account features in case your account has been accessed by an unauthorized third party. We understand that having limited access can be an inconvenience, but protecting your account is our primary concern.

 

 

 

Use the following link in order to restore your account:

[Admin - link removed]

 

(Your case ID for this reason is PP #65133172) (end of quote)

 

Now I had my reservations about this unusual email, but nonetheless I clicked on the link provided, which took me to a legitimate-looking PayPal sign-in page (do not be taken in), which I did (that was maybe a mistake - do not even do this). However, if you are the inquisitive sort, then this takes you through to a page about how to reactivate your PayPal account, and it only asks for:

 

your credit card details

date of birth

card expiry date

sort code

card numbers

passwords, you name it - I smelled a rat because, like the banks, no institution would ever ask you for all of this secure information - usually you might be asked for certain parts of, say, a password, but this I didn't like at all and immediately came out of the pages.

 

The reason why I think this is a fraud is simply because I went into eBay, then accessed my PayPal through the link there, and after logging in as normal my account was absolutely fine - the balance was as I expected and the account had certainly not been frozen.

 

BEWARE and report it as spam.

Link to post
Share on other sites

Guest Moria

I hope that since you clicked on the link and went to the page, you have now disconnected from the net and run a full anti-virus check and a full security check and then fully rebooted, in case there was anything on the page that you accessed separate from trying to get the info.

Pretty standard phishing message with typical giveaways.

 

1) unknown name as sender.

2) to undisclosed recipients

3) we have reason to believe accessed by third party followed by in case your account has been accessed by third party

4) lots of implied issues followed by a click me link.

5) inconsistency between email title and body of email.. one is Account Status Limited, one is Account access limited.

 

Probably hovering over the link at the end would also have given a non-PayPal address as the link as well.

Looking at it though, much better spelling etc, also usually a giveaway.

Typical delete without reading email, even better, delete before opening email.

Best bet was your final action, if you have any concerns: close your mail reader, then access PayPal normally from your browser and see if there's an issue in reality.

 

Regards

 

Graham

Link to post
Share on other sites
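The giveaways listed in the post above (unknown sender, undisclosed recipients, a link that does not go to PayPal) can be checked mechanically. This is an added example, not part of the original thread; the sample message is constructed, the link host is a placeholder because the real link was removed, and `TRUSTED` is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message modelled on the email quoted in this thread; the link
# host is a placeholder because the real link was removed from the page.
SAMPLE = """\
From: PayPal <almacen@prenta.com>
To: undisclosed-recipients:;
Subject: Account Status Limited

Why was account access limited ?
Use the following link in order to restore your account:
http://paypal.example.invalid/restore
"""

TRUSTED = "paypal.com"  # assumption: the domain genuine mail and links use


def in_domain(host, domain):
    """True for the domain itself or a subdomain, not a lookalike prefix."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def giveaways(raw, trusted=TRUSTED):
    """Return the indicators from the list above that this message shows."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    found = []
    # 1) sender address is not in the trusted domain
    sender = parseaddr(msg.get("From", ""))[1]
    if not in_domain(sender.rpartition("@")[2], trusted):
        found.append("sender outside " + trusted)
    # 2) message is not addressed to a named recipient
    to = msg.get("To", "")
    if not to or "undisclosed" in to.lower():
        found.append("undisclosed recipients")
    # 3) every link must resolve to the trusted domain or a subdomain of it
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname
        if not in_domain(host, trusted):
            found.append("link host " + str(host))
    return found


if __name__ == "__main__":
    print(giveaways(SAMPLE))
```

The suffix check in `in_domain` matters: a host such as `paypal.com.example.invalid` contains the trusted name but is not inside it.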

Hi

 

I have also had an email.

 

Receit for your payment toSkype 39 GBP

 

Would you like to reclaim the 39 GBP log into your account via this link.

 

Checked my account via Google, nothing had been paid out. Done a full scan and changed my PayPal password.

 

Regards

nip

Link to post
Share on other sites

  • RMweb Gold

It's unlikely to be either a virus or a key logger, it's more than likely it was after your login details for PayPal, and then you would find some strange payments from your account.

Link to post
Share on other sites

Guest Moria

I agree Beast, the prize here is the account details, but this is a slightly smarter one with better English being used, and recently there's been a trend with the smarter phishing messages that the web page taken to has included some sort of virus or keylogger as a back-up to get those that don't provide the details... kinda like a second prize thing :)

 

I agree, I don't think this is one of them, any of these from PayPal or similar are so common now that they are pretty much like the ones from your uncle/friend/unknown relation/general philanthropist in Nigeria leaving an unclaimed $1,000,000 or more, but it's becoming more of a threat that people should be aware of that just going to the page for a looksee can be just as dangerous.

 

 

Regards

 

Graham

Link to post
Share on other sites

This isn't a new fraud or new threat. These phishing spams have been going on for the best part of a decade.

 

Cheers

David

 

The thing is, David, some folk on here may not have been hooked up with an online account 10 years ago or even 5 years ago, or been as savvy as some people or knowledgeable for that matter, so it's not really a question of how long it's been around but a case of keep on your toes, a warning bell for those not aware of this particular threat, which has a more direct risk to your personal finances than the more common threats.

Link to post
Share on other sites

  • RMweb Premium

Forward it to phishing@cityoflondon.police.uk and let them deal with it and the thousands of others sent out each day. In the rare event that one is actually genuine and you forward/delete it, the sender will most likely contact you by post if you don't respond. The chances of you receiving a genuine one are about the same as being hit by a meteorite. :no:

Link to post
Share on other sites

  • RMweb Premium

Had several from Barclays re account details, four from various made-up names thanking me for my job application, and one each from two people I know whose email had been hacked. All in my inbox this morning.

 

They have all been forwarded to the address mentioned in my previous post and deleted.

 

Rob

Link to post
Share on other sites

I am sure everyone knows of the recent hacking event regarding passwords.

You may have heard in the news about the fact that the passwords of 6.5 million LinkedIn and 1.5 million eHarmony customers have been leaked online by a hacker.

 

It has also been reported that the released files do not contain any associated usernames or email addresses, but this information has also been compromised and is likely to be leaked in the future.

 

Both LinkedIn and eHarmony have now confirmed that they have had passwords stolen.

 

Another fine example of well known and trusted sites storing unencrypted passwords.

 

Of course the same old rules apply - don't use the same passwords for different sites - we all know it but ....

It is often easy to guess a PayPal username.

Link to post
Share on other sites

  • RMweb Gold

There was an interview with a Sophos (I think) spokesman where he contradicted himself, he said it was unencrypted but then said the file had been posted to a Russian hackers forum so that a group attack could be made to try and decrypt it - given information elsewhere it's pretty likely it IS encrypted

 

Hackers posted a file containing encrypted passwords onto a Russian web forum.

 

My bold.

 

On Wednesday it was revealed that 6.4 million passwords from LinkedIn had been posted on a Russian web forum, along with a message encouraging other hackers to help decrypt the "hashed" data

 

Not my bold or ""

 

Facts not assumptions.

Link to post
Share on other sites

  • RMweb Gold
he said it was unencrypted but then said the file had been posted to a Russian hackers forum so that a group attack could be made to try and decrypt it - given information elsewhere it's pretty likely it IS encrypted

The LinkedIn passwords are unsalted hashes, so while you can't directly get the password from the hash, you can easily figure out which words match the hash by using a precomputed table or even using brute force and a graphics card GPU.

Salting the hash with some random data makes it much much harder to figure out which words match.

 

In case anyone was wondering, that's why you don't use a dictionary word for your password.

Link to post
Share on other sites
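The difference between unsalted and salted hashes described in the post above, shown from the storage side. This is an added example, not part of the original thread; it assumes SHA-1 for the unsalted scheme and PBKDF2 for the salted one, and the accounts and wordlist are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist and three made-up accounts.
WORDLIST = ["password", "letmein", "dragon", "sunshine"]
ACCOUNTS = {"alice": "sunshine", "bob": "sunshine", "carol": "T7#qv!Lm2zRw"}


def unsalted(password):
    """Weak scheme: one fast hash, no salt (SHA-1 assumed for illustration)."""
    return hashlib.sha1(password.encode()).hexdigest()


def table_matches(stored_hashes, wordlist):
    """Look stored hashes up in a table computed once from a wordlist."""
    table = {unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def salted_record(password, iterations=200_000):
    """Hardened scheme: per-user random salt plus a slow KDF (PBKDF2)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def audit():
    """Compare what each storage scheme reveals for the sample accounts."""
    weak = {user: unsalted(pw) for user, pw in ACCOUNTS.items()}
    strong = {user: salted_record(pw) for user, pw in ACCOUNTS.items()}
    return {
        "weak_matches": table_matches(weak, WORDLIST),
        "weak_duplicates": weak["alice"] == weak["bob"],
        "strong_duplicates": strong["alice"][2] == strong["bob"][2],
        "login_ok": verify("sunshine", strong["alice"]),
        "login_bad": verify("dragon", strong["alice"]),
    }


if __name__ == "__main__":
    print(audit())
```

With no salt, one table covers every account and identical passwords are visible as identical hashes; with a per-user salt the same password produces unrelated records, so any guessing has to be repeated per account at the KDF's cost.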

Thanks beast66606 for updating my evidently out-of-date information (not assumptions).

There was an interview with a Sophos (I think) spokesman where he contradicted himself, he said it was unencrypted but then said the file had been posted to a Russian hackers forum so that a group attack could be made to try and decrypt it - given information elsewhere it's pretty likely it IS encrypted

 

Though I remain very skeptical (as opposed to simply suspicious) of anyone (Sophos, politician, data manager, software supplier) who changes their mind. Especially when that change of mind can be conceived as protecting their own backsides. I do not blame them for doing that, it would be a natural position and possibly one forced on them by owners/managers/even politicians wishing to cover up the loss. After all who is going to admit that passwords, or any data, was insecure?

 

As always in these situations it is not what data was harvested but the simple fact that any data was harvested.

 

A simple list of passwords, hashed or otherwise, is of no use to anyone unless other information such as a data key to other data items has also been obtained. Unfortunately, having already gained access there is no guarantee that has not happened.

 

We must also remember that both these entities are fairly big players in the personal information game and only goes to add to the almost certainty that if they are unable to get it right then some of the smaller (one man IT companies) are likely to have even lighter security. Though to some extent are less likely to attract the "professional" hacker.

 

None of this changes the advice to regularly change and keep different passwords, and above all beware where your information is placed.

Link to post
Share on other sites

Guest Belgian

I also had a request to click a PayPal link which seemed a little odd so I forwarded it to 'spoof@paypal.com' and received a confirmation that it was a fraud.

 

I also regularly receive an e-mail 'from YouTube Service' (which still appears to be genuine when I hover my cursor over it) with the subject line 'YouTube Service has sent you a message; your YouTube video has been approved' (with some variations such as 'your inbox is full') in the body of which is a link.

 

I've never clicked on the link, since I haven't sent any videos to YouTube for some long time. I assume this is another phishing effort so ignore them all. I went onto my YouTube account from their own address and there's nothing like this on it, so has anyone else experienced this?

 

Another thing I have 'got' in my computer is an unwanted taskbar called 'Incredibar' (by 'MySpace') which Google searches say is dangerous: it has placed itself as the default search bar in my Firefox account. However, none of three different anti-virus programmes (including the paid-for version of AVG) seem able to locate it, prevent it or delete it. I am getting somewhat anxious/neurotic as to whether all these hacks have found a way to bypass all the anti-virus software. Has anyone any suggestions as to how to block them? (I do use different passwords on all sensitive sites and do change them occasionally although it's getting harder to remember them all!)

 

JE

Link to post
Share on other sites

Guest Belgian

I have had another 'PayPal' spoof today. This one looks even more genuine, saying I have paid £46-49 to Skype for a three month subscription when I know I haven't. It then includes a 'link' for me to click if I have 'issues with this transaction', as follows:

 

You sent a payment of 46.49 GBP to Skype (cashiers@skypeon.com)

Merchant: Skype (cashiers@skypeon.com)
Instructions to merchant: You haven't entered any instructions.
Postage details: The seller hasn’t provided any postage details yet.

Description: Online Number, 3 month subscription
Unit price: 46.49 GBP
Qty: 1
Amount: 46.49 GBP

Subtotal: 46.49 GBP
Total: 46.49 GBP
Payment: 46.49 GBP
Payment sent to cashiers@skypeon.com

 

 

Issues with this transaction?

If you haven't authorized this charge, open a dispute at:

and get a full refund.

NXCGDSNQCPXSCPBQLBYTKXGHGHTZOELOCDTCRE

 

 

This was all set out in the standard PayPal form and looks totally legitimate except for that weird code at the bottom. They are getting more sophisticated every day!

 

JE

 

EDIT: PayPal have confirmed it's a spoof.

Link to post
Share on other sites

Most of these examples are standard phishing emails and all online users should by now be aware of them. PayPal will always use the full name (that you registered with them) at the start of all their emails. Any without such will be phishing.

Posting every variation of such emails here, and even including the suspect links, really should not be necessary. Please simply follow the basic advice of online security, or plain common sense: very few if any official communications will ask for full details to be entered via a link.

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.
