PCMag Solutions Special Report: Inside a "PayPal" Scam

By Neil J. Rubenking  |  Posted 2003-05-02

A very legitimate-looking piece of e-mail turns out not to be from PayPal. Here's how we found out and what you should do if you're targeted by this or another e-mail scam.

We were mildly surprised when SiteOfTheWeek@ziffdavis.com received an e-mail asking for confirmation of its password, credit card number, and other PayPal account details (Figure 1). PayPal is the online transaction and bill-paying service favored by millions of eBay auction users (eBay now owns the service). But our SiteOfTheWeek isn't a person and to the best of our knowledge owns neither a credit card nor a PayPal account. The message looked legitimate—the return address was paysecurity@paypal.com, and all of the visible links pointed to pages on the PayPal Web site. But the fact that the e-mail asked for a credit card number and password roused our suspicions. Combing through the source code of the message, we discovered that its Log In button sent data not to paypal.com but to the URL http://www.paypal.com@topboost.port5.com/pp.php, which proved to be hosted by the legitimate site http://www.portland.co.uk. The URL in question was defunct by the time we checked it, but we notified both PayPal and the hosting site anyway. PayPal verified that it never under any circumstances sends e-mail asking you to enter private information. In fact, there is no legitimate reason for any site to ask that you verify or update private information via e-mail. You might be asked to log in to a secure site to prove your continued interest or update your profile—but that's all. Never supply your credit card number or other personal information in a direct response to an e-mail message!

If scam sleuthing piques your interest, you can hunt for clues as we did. The first step is to peruse the HTML source code of the message. In Outlook, right-click in the message body and choose View Source, which will open the message's source code in Notepad. In Outlook Express, open the message and choose Properties from the File menu. Click on the Details tab in the resulting dialog, click on the Message Source button, then copy and paste the message source into Notepad. Now search for http:// and verify that each URL in the message has a reasonable connection with the alleged source. You may find some .gif or .jpg links that go to advertising sites; don't worry about those. But if a link's URL doesn't go where its text says it does, or if a FORM tag's action connects to a site other than the alleged source, something is rotten. You can also check the message header as explained in our recent article "Heading Off Spam". Using the techniques from that article, we discovered a spoofed IP address in the header. The header line listed compuserve.com as the source, but the IP address actually belonged to a company in Beijing.
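
The manual source check described above can be automated. The following Python sketch is an added example, not code from the article or from PCMag: it parses a message's HTML, ignores images as the article suggests, and flags links and FORM actions whose real host differs from the alleged sender, including the case where text before an `@` in the URL is only a login name and not the host. The class name, function name and sample message are constructed for illustration; the only URL taken from the article is the form action.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class MessageAudit(HTMLParser):
    """Flags <a href> and <form action> URLs that do not match the alleged sender."""
    def __init__(self, claimed_domain):
        super().__init__()
        self.claimed, self.findings = claimed_domain, []
        self._href, self._text = None, []

    def _check(self, tag, url, shown=""):
        parts = urlsplit(url or "")
        host = (parts.hostname or "").lower()   # host the client really contacts
        reasons = []
        if parts.username:                      # http://looks-real@actual-host/
            reasons.append("text before '@' is userinfo, not the host")
        if host and host != self.claimed and not host.endswith("." + self.claimed):
            reasons.append("real host is " + host)
        seen = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown.lower())
        if host and seen and seen.group(1) != host:  # link text names another host
            reasons.append("link text shows " + seen.group(1))
        if reasons:
            self.findings.append((tag, host, reasons))

    def handle_starttag(self, tag, attrs):      # <img> is ignored on purpose
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href"), []
        elif tag == "form":
            self._check("form", attrs.get("action"))
    def handle_data(self, data):                # collect the visible link text
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check("a", self._href, "".join(self._text))
            self._href = None

def audit(html_source, claimed_domain):
    parser = MessageAudit(claimed_domain)
    parser.feed(html_source)
    return parser.findings

# Constructed message body; only the form action URL is the one quoted in the article.
SAMPLE = """<a href="https://www.paypal.com/help">Help</a> <img src="http://ads.example.test/banner.gif">
<a href="http://login.example.test/verify">www.paypal.com/verify</a>
<form action="http://www.paypal.com@topboost.port5.com/pp.php"><input type="submit"></form>"""

print(audit(SAMPLE, "paypal.com"))
```

The link-text comparison is a heuristic: it only fires when the visible text itself looks like a host name, so a link labelled "Click here" is judged on its real host alone.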

Neil J. Rubenking

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990 he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His 'User to User' column supplied readers with tips and solutions on using DOS and Windows, his technical columns clarified fine points in programming and operating systems, and his utility articles (over forty of them) provided both useful programs and examples of programming in Pascal, Visual Basic, and Delphi. Mr. Rubenking has also written seven books on DOS, Windows, and Pascal/Delphi programming, including PC Magazine DOS Batch File Lab Notes and the popular Delphi Programming for Dummies. In his current position as a PC Magazine Lead Analyst he evaluates and reports on client-side operating systems and security solutions such as firewalls, anti-virus, anti-spyware, anti-spam and full security suites. He continues to answer questions for readers in the ongoing 'Solutions' column and in PC Magazine's discussion forums.
