This is an update to my Dec 23, 2005 post. No, you do not need to update or verify your PayPal account information at the end of every year. I got this phishing attempt talking about getting ready for 2006.
There are also more victims of this type of scam than just the email recipients.
Dear users of PayPal services,
Due to upcoming year 2006, and recent changes in PayPal's Service Agreement you need to submit additional details on your PayPal account. Starting from 2006 all PayPal accounts will come with complete detailed information! You can submit additional information at the following link:
According the new changes in Service Agreement any unverified account will be deleted from the system in 72 hours after receiving this letter.
Thank You for using PayPal!
Your PayPal team.
Attention! Do not reply to this letter, it has been sent to You automatically by an email robot!
The link would have taken you to a page on sickfaq.com registered to Martijn Wijts in the Netherlands. This is where you find the other victim. How would you like to spend your Christmas trying to recover your hacked website? Since this is a GoDaddy registration, I reported this to their abuse department as well as to email@example.com. Of course this got Martijn's attention and he corrected the problem. This was confirmed by his hosting service. Matt Barlow, CTO, Alpha Red, INC provided me with an email supporting his client's claim of being the victim. I have to commend his company for being so responsive to his clients. Martijn and I have been exchanging a few emails regarding this attack and Matt provided very fast feedback regarding this situation.
Now put yourself in Martijn's shoes for a minute. It's Christmas Eve and you get emails from GoDaddy and PayPal wanting you to justify why your site is the sender of thousands of phishing emails and a host for the phishing webpage. Great way to ruin a holiday, especially when you have to explain to your girlfriend that you need to fix your website versus spending Christmas with her. OUCH! As Martijn said, "Operating systems have security flaws," as do many open source and commercially available scripts. It's a constant challenge keeping updates on servers and the applications installed on them. The scammers know this and I'm sure they were very aware of the vulnerabilities of the sites hosted where Martijn hosts his sites. They also timed it to hit on a holiday with the idea that the owner wouldn't become aware of the hack until they'd done their damage. Yes, they do think like this. I've seen a lot of evidence of this in just the pattern of attacks against the Quikonnex servers. The comment spammers hit on Friday nights, as do the guys trying to guess our password via telnet.
Now I have to eat some crow. My apologies to Martijn for my original post. I was rather harsh with him.
I've received a few comments in the past about folks not having the time to forward this type of email to PayPal or eBay's spoof department. It only takes a second to do this. Just think if one of your friends or a family member fell victim to one of these scam artists. Please remember though, the sites you're getting linked to in these emails are often victims themselves.
Posted on 07/10/06 at 14:04:00 by Jim Gray
I received an email yesterday regarding paypal telling me that my credit card # needs to be verified again. I laughed, and then called paypal asking what they were talking about. I couldn't understand how they claimed somebody accidentally erased it considering I don't own a credit card!! Never have...never will!!
Hey Jim, thanx for the update.
Phishing is not only an email problem, but a telephone problem as well. The other day I got a call from a robot, telling me that Credit Card Services would like to give me the opportunity to lower the interest rate on my card.
I hung up on the robot and contacted my credit card company, and they told me that no such offer exists.
Had I continued with the call from the robot, I most likely would've ended up with my identity being stolen.
My rule of thumb... never give out any personal information to anyone, unless you are the one who initiated the call.
Really appreciated your information. I never click on a link to go to any pay type accounts. That must give me a little more security eh?
Thanks for another great article...yeah...I get these pay pal things all the time...the https:// fooled me this time though...I usually look for that...
I recently was asked to verify my paypal details and the link took me to a very convincing-looking paypal page asking me for credit card details. I almost sent these details when something within me compelled me to phone Paypal. I did so and they asked me to forward the email to the spoof dept. Unlike the person above, they got back to me very quickly and informed me that the email was definitely not theirs and that I was subject to an illegal scam. Thank heavens for that sixth sense we all possess. Trust your intuition folks.
Well I have contacted pay pal about this not once but twice. I even sent them a cut n paste from the letter I received in yahoo and the one I received in Google. They acknowledged getting the letter and then ...nothing
I decided that pay pal did not need my business so I went somewhere else --
To me when a company will not tell you what they are doing about these types of issues -- or worse yet acknowledge that they are spoofs or phish expeditions -- then this tells me they have a customer service issue so why do business with them?