[HN Gopher] PayPal phishing scam uses invoices sent via PayPal
___________________________________________________________________
PayPal phishing scam uses invoices sent via PayPal
Author : shantanu_sharma
Score : 184 points
Date : 2022-08-18 15:35 UTC (7 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| sp332 wrote:
| This has been brought up on HN a few times over the years, but
| never got much engagement. Here's one from a month ago with a
| screenshot https://news.ycombinator.com/item?id=32153924
| mas-ev wrote:
| I get multiple PayPal requests for money from random throw away
| accounts with messages ranging from begging for money for
| something or just phishing invoices like this.
|
| Worst part is that the only option via email is to "Pay". I have
| to log into PayPal then go through multiple clicks to reject the
| money request.
|
| Why can't I report & deny in one click?
| koolba wrote:
| > Why can't I report & deny in one click?
|
| Because then PayPal would have a massive number of reports to
| follow up on.
| adventured wrote:
| I recently got one of these for $847 claiming I owed a payment
| for purchased Bitcoin. It was disconcerting for sure, because it
| appears to be a legitimate invoice that you owe a payment for
| (rather than an attempted fraud that PayPal is making possible).
| So your mind immediately goes to thinking that your account got
| hacked in some form, and somebody used it to purchase Bitcoin.
|
| To make matters worse, the invoice sits there in your PayPal
| account, and you're just a mistaken click or so away from
| authorizing the charge. Under my "activity" section, it sits
| right at the very top, forever, under the "Pending" headline
| (since early July). For whatever reason I can't get rid of it
| (PayPal killed the actual invoice after a week, they must have
| noticed the fraudulent activity from that account; but the
| invoice card summary remains in my activity under pending,
| perpetually).
|
| Here is what the core of the emailed text looks like:
|
| "You Purchased BITCOIN (0. 054631) for $ 847. 12. Reference
| Number-N34421979 If you have any concern regarding your order
| kindly contact us because we are getting lot of complaints
| regarding fraudulent orders. HELP-DESK (806)440-0799."
|
| It arrives from service@paypal.com with the email subject saying
| the invoice is from PayPal (rather than being from xyz merchant
| or similar; which only adds to the concern that a fraud has
| already occurred within my PayPal account). The text in the email
| otherwise looks legitimate as I assume it did arrive from
| PayPal's service. It would be easy for a normal user to fall for
| the scam.
|
| In their haphazard greed, PayPal slipped up and made their
| invoicing system too loose, too unconstrained in how it
| functions.
| unknownaccount wrote:
| It's odd that they put a space in between the decimal and
| dollar amount. Same as in the OP story. Perhaps run by the same
| operator. No US person would ever put a space there. It stands
| out for sure. Perhaps gives us a clue as to the origin of the
| person running this scam.
| Scoundreller wrote:
| Anyone else getting occasional 2FA SMSs from PayPal that they
| didn't request?
|
| Like, I get it, somebody probably has my email address, but I
| never really got these before.
|
| And I doubt it's somebody's typo.
|
| Would think a company as big as PayPal would be able to cut off
| the source once the source requests more than 3 different logins
| by SMS.
| adrr wrote:
| I get it from outlook.com multiple times a day for a password
| reset. Assuming a six-digit code, they do this 1M times a day
| across multiple accounts to get around per-account throttling,
| they'll get one success. If they aren't using a secure random
| number generator, they can increase the probability if they can
| predict the random number seed.
| Scoundreller wrote:
| Coming soon:
|
| "Your login code is 8kqhc1abw0v6n11kmdi0py5lwy. Do not share
| this with anyone"
| tetha wrote:
| Stupid idea: Generate ~8 words... and shove them into GPT-3
| to create a ~100 word novel, and make that your security
| code. Suddenly your security code is about a bearded elf,
| riding a cucumber, wielding a unicorn to defeat ice cream.
| Try guessing that.
| TakeBlaster16 wrote:
| "This code will expire in 30 seconds."
| YVoyiatzis wrote:
| I got one a few months ago, an invoice from a contractor. I did
| bring it to PayPal's attention, as I was fully aware of the
| dubious attempt. Haven't heard back; invoice still sitting
| there awaiting settlement.
| cperciva wrote:
| I've been getting those a lot recently. I assumed it was my
| phone number being attached to an account which it shouldn't be
| attached to.
| arbuge wrote:
| I have noticed these coming in over the last few weeks. Didn't
| get any before.
| Scoundreller wrote:
| And they come from the right short-code as my legitimate
| requests.
|
| Just noticed my legitimate requests are in the form of
| "PayPal: xxxxxx is your security code. It expires in 10
| minutes. Don't share this code with anyone."
|
| But the last one I didn't request didn't have an expiration
| mentioned:
|
| "PayPal: xxxxxx is your security code. Don't share your
| code."
| toast0 wrote:
| PayPal offers using SMS to login as a one-time code, without
| the use of a password. So it's not like a 2fa code where you
| need to know a secret before verifying you have access to a
| token (SMS code), it just skips to sending you the code if you
| have the email or phone number.
| Scoundreller wrote:
| Yeah, as another poster stated, with a 6 digit code, brute
| forcing is a likely answer. 1 in a million (or less?) chances
| to get it right.
|
| PayPal has a problem on its hands if it's unable to see if
| they're legit.
| toast0 wrote:
| Brute forcing like that leaves a lot of data, if PayPal is
| looking for it.
| MOARDONGZPLZ wrote:
| Just counted, I got 23 of these in the last 30 days. Mostly in
| bursts. No idea what the deal is.
| IronWolve wrote:
| Hackers are going through hacked password lists and
| automatically testing each entry, causing tons of
| gmail/outlook/amazon/paypal/ebay/etc emails.
|
| One way to protect yourself is use a different email address,
| and only for services. Many email sites allow custom addresses,
| so you can create specific email addresses for each service.
|
| And if your cellphone number is also leaked, get a sms service
| with a different phone number.
|
| https://haveibeenpwned.com and you can do a check on yourself.
|
| I find it sad Google sells titan keys but ignores them on
| login.
| bentcorner wrote:
| I'm curious - if the link in the email leads to paypal.com with
| what looks like an invoice, why doesn't the invoice appear on the
| target's email account?
|
| Is it just that the invoice is a real invoice but isn't debited
| against the target's paypal account?
|
| Or is the invoice fake somehow?
| kuratkull wrote:
| I think it being a real invoice would be the easiest answer.
| The scammers have obtained a legit business account at PayPal
| and are issuing baseless invoices. I don't know if they'd
| receive the money if you paid - maybe. But they want you to
| call them and install the backdoor.
| ryan-c wrote:
| In the version I looked at, the scammer sent it to their own
| email account and did a replay attack against the victim -
| which doesn't invalidate the cryptographic anti-spam signature.
| datavirtue wrote:
| You don't even need a legit business account on PayPal. You can
| send these from a sandbox account. Easy peasy. Quick.
| tlogan wrote:
| Invoice scam is old.
|
| My company is getting dozens of emails with "overdue" invoices from
| some random corporations for services like elevator inspection,
| heating checks, etc. Of course, they also have some strange phone
| number to call (which just has an automated message). These people
| just hope we will pay and move on.
|
| We wanted to report them but it is a lot of work.
| bluGill wrote:
| The scam is decades old. Big companies all have complex expense
| report systems and have for years because if their employees
| don't account for every penny, someone will send an invoice
| without delivering. Sure, they also catch some employee fraud,
| but that isn't the only reason to do it.
| badrabbit wrote:
| Paypal-communications.com is a lookalike phishing domain, true or
| false?
|
| I don't think these companies understand the DNS system and
| purpose.
| jedberg wrote:
| I used to work in PayPal's anti-phishing group. In fact I was
| the first engineer on that group. We definitely understood DNS
| then. We even helped spearhead SPF and DKIM. And we _strongly_
| advocated that emails from the company never come from any
| domain other than PayPal.com
|
| Unfortunately after eBay bought PayPal, they put MBAs in
| charge, and the marketing team won every argument about the
| "necessity" of alternate domains to track marketing
| initiatives.
|
| They never really took into account the lost reputation of
| users getting constantly phished.
| badrabbit wrote:
| Thanks for that insight. Curious though, why did they not use
| a subdomain? Would communications. or paypal-communications.
| as a subdomain be worse in their opinion?
| bombcar wrote:
| Some of the "subcontracted" sites that do marketing stuff
| are better equipped to handle a top-level domain than a
| subdomain.
|
| And a subdomain requires negotiating with someone in the
| bowels of IT, whereas anyone can register
| paypal-communications.com
| bad416f1f5a2 wrote:
| Oh man, this has been my exact experience. You can pretty
| much chart the growth of a company by watching how much
| marketing is done with in house teams and how much goes
| to external agencies.
|
| And as soon as the external agencies are involved, they
| want as much control as possible. I don't blame them:
| setting up DNS entries for some stupid marketing site
| rarely rises to anyone's priorities. So they route around
| internal controls. Everyone is happier, and everything
| gets slightly worse.
| bombcar wrote:
| I've yet to see someone be able to handle a delegated
| subdomain (where you set subdomain.example.com to have NS
| pointing at the contractor's setup). Too bad, as it's
| exactly what it was designed for.
| jedberg wrote:
| I'm not really sure. Probably something about tools not
| respecting or ignoring them or "they don't look as nice" or
| some other silly reason.
|
| Edit: To clarify, there were a lot of good reasons not to
| allow them to _link_ to a subdomain, especially since they were
| running marketing software made by other companies, because
| there are a lot of nasty security issues around cookies with
| subdomains.
|
| But there was no reason for them not to route their
| outbound email through a single domain, because they weren't
| supposed to run 3rd party mailers without deep audits.
| formerly_proven wrote:
| You generally can't know if a mail is actually from Paypal or
| not, because they use a huge number of domains to send mails.
| Just assume everything that says it's from Paypal is fake, much
| easier.
| badrabbit wrote:
| Pretty much my point: not using subdomains means it is very
| difficult to stop phishing from lookalikes.
| cromka wrote:
| I personally reported it here on HN a month ago, to a little
| response: https://news.ycombinator.com/item?id=32153924
|
| I also reported it to PayPal. Apparently they're too big to care.
| dangus wrote:
| Not just PayPal, too - other services that offer the ability to
| send invoices to arbitrary people.
|
| The worst part about these scams is that the invoice email is
| legitimate, as in, it's actually coming from PayPal and it's not
| a "fake" email.
| ryan-c wrote:
| This scam does not rely on services being able to send to
| arbitrary email addresses without prior confirmation.
| Waterluvian wrote:
| I got one of these for textbooks. And it was temporarily alarming
| and the most convincing scam to come my way. Mainly because it
| comes from PayPal's actual email. This needs to be fixed.
| olliej wrote:
| I've had a few similar recently, just "confirming" my purchase of
| some random product but using a design pretty much identical to the
| real PayPal one. Occasionally with a clearly bogus foo.bar@gmail or
| similar reply-to address, though at this point, given decent
| account security on PayPal (password manager for password, 2FA,
| etc.), I just assume that such emails are bogus until proven
| otherwise.
|
| At the same time though I keep coming across companies that
| insist on using designs that trigger my "this is phishing" alarm
| bells because for whatever reason they insist on using links to
| the company that they contracted billing to instead of, you know,
| the company I did business with.
|
| It seems especially prevalent among, of all groups that should
| know better, medical companies[1]. So say I had a visit with The
| Awesome Doctor Company; I'll get emails that, for "privacy"
| reasons, say "You have a balance due at wedopayments.com", or
| "billing-awesomedoctorco.com", etc., the latter being one of the
| most common things phishing emails do (I think I've actually got
| billing-paypal.com or similar at least once).
|
| [edit: [1] Ah ha, found the actual site, so remember I got an
| email saying "you have a balance due", that included no other
| details to peryourhealth.com. Which was for the company "East Bay
| Anesthesiology" (which I also didn't know of/about, but Sutter
| Health just silently outsourced that part of operation to them,
| didn't tell me, and then had them bill me directly and
| separately??!??!!? God I hate the US healthcare system)]
| fotta wrote:
| I got one of these emails a few weeks ago. It looked real and
| passed Gmail's filters but when I logged into my account
| separately there were no invoices. I had never gotten an invoice
| from PayPal before so it smelled fishy. Reported it to phishing@.
| gxqoz wrote:
| Yeah this is exactly what happened to me, although I didn't
| report to phishing. It both looked real and like a phishing
| attempt and after independently logging into my Paypal account
| and not seeing anything I concluded it was definitely phishing.
| Pretty terrible of the Paypal system to allow this to happen
| though.
| bcrescimanno wrote:
| Former PayPal employee here.
|
| In truth, you got the best possible experience and it's good
| that you reported it. Ultimately, what would happen internally
| is that we'd detect this malicious use and cancel the invoices
| so it's not possible for the scammer to continue to collect on
| them--but we couldn't "claw back" the emails that had already
| gone out. The email looked legit because it was an email from
| PayPal about a real invoice.
|
| I don't know if they should be more proactive in their
| communication with folks in this situation and it's been over a
| year since I left; but, this is not a new issue at all and it's
| something we would contend with from time to time while I was
| there.
| nabakin wrote:
| How do they spoof emails to not trigger any spam filter? I know
| you can change the headers, but I thought email providers
| protected against that.
| bcrescimanno wrote:
| The emails are not spoofed. They are actually generated by
| PayPal to notify an account holder of an invoice. The vast
| majority of the emails that these systems generate are
| legitimate emails with legitimate invoices.
|
| The vector here is:
|
| 1. Create a PayPal account.
| 2. Create an invoice through PayPal's invoice tool and send it to
| nabakin@example.com.
| 3. PayPal sends an email to notify the recipient of the
| outstanding invoice.
|
| When PayPal detects fraudulent invoices are generated, they
| cancel those invoices so consumers no longer see them and can
| no longer pay on them; however, it's too late to stop the
| emails.
| tlogan wrote:
| I think this is a valid invoice created in PayPal. I assume you
| can do the same with Stripe, Quickbooks, etc.
| ryan-c wrote:
| DKIM signed emails from PayPal are treated favorably by spam
| filters.
|
| The sample I reviewed had been sent to an account belonging to
| (or compromised by) the scammer, modified slightly, and BCC'd
| to the victim. Specifically, a Reply-To header was added -
| PayPal does not assert non-existence of a reply-to header in
| their DKIM signature, and the entire point of BCC is that it
| doesn't have a header.
|
| Thus, these emails can be relayed to any target, and the
| scammer can choose any reply-to address they like, and the
| DKIM signature will still be valid.
|
| If anyone has samples and can send me them with full headers,
| I would be _very_ interested to examine more. I have a public
| email address in my HN profile.
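The replay described in the comment above comes down to two facts about DKIM: the signature only covers the header fields named in the signature's h= tag, so a field the signer never listed (Reply-To here) can be added after the fact, and a Bcc recipient leaves no header at all, so nothing in the signed headers names the victim. The script below is an added example, not code from the poster or from PayPal. It parses a constructed notification with a dummy signature (no cryptographic verification; a library such as dkimpy does that part), reports which headers the signature covers, and shows the fix available to the signer: "oversigning" per RFC 6376 section 5.4, listing Reply-To and Cc more times than they occur so that a later addition breaks the signature. The signed-header lists and all addresses are assumptions, not any provider's real configuration.

```python
"""Show why a relayed copy of a provider notification still passes DKIM:
the signature covers only the header fields in its h= tag, and Bcc leaves
no header. Added example; the message is constructed and the signature
values are dummies (no cryptographic verification is performed)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed sample: the attacker had the provider send a real notice to
# an inbox they control, then re-sent that signed copy to the victim via
# Bcc after adding a Reply-To header. {h} is the signed-header list.
TEMPLATE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel1; h={h}; bh=ZmFrZWhhc2g=; b=ZmFrZXNpZw==
From: "Example Payments" <service@example.com>
To: scammer-owned-inbox@example.net
Reply-To: helpdesk@attacker.example
Subject: Invoice from Example Payments
Date: Thu, 18 Aug 2022 12:00:00 +0000
Message-ID: <20220818120000.1@example.com>
MIME-Version: 1.0
Content-Type: text/plain

You have an outstanding invoice. Questions? Reply to this message.
"""
# Assumed signer that never lists Reply-To (not a claim about any provider).
LOOSE_H = "From:To:Subject:Date:Message-ID:MIME-Version:Content-Type"
# Same signer after oversigning (RFC 6376 section 5.4): listing a header
# more times than it occurs signs its absence, so adding Reply-To or Cc
# later invalidates the signature.
STRICT_H = ("From:To:Cc:Reply-To:Reply-To:Subject:Date:Message-ID:"
            "MIME-Version:Content-Type")
CHECKED = ("From", "To", "Cc", "Reply-To")


def dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, discarding the
    folding whitespace that message_from_string leaves in the value."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def signed_header_counts(dkim_value: str) -> dict:
    """How many instances of each header name the h= tag claims to sign."""
    counts = {}
    for name in dkim_tags(dkim_value).get("h", "").split(":"):
        name = name.lower()
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


def header_coverage(msg: Message, names=CHECKED) -> dict:
    """Classify each header relative to the signature: unsigned (free to
    add or change), signed, oversigned (absence protected), or partially
    signed (an extra instance sits above the ones the signer saw, since
    DKIM binds instances bottom-up)."""
    listed = signed_header_counts(msg.get("DKIM-Signature", ""))
    out = {}
    for name in names:
        n_listed = listed.get(name.lower(), 0)
        n_present = len(msg.get_all(name, []))
        if n_listed == 0:
            out[name] = "unsigned"
        elif n_present < n_listed:
            out[name] = "oversigned"
        elif n_present > n_listed:
            out[name] = "partially signed"
        else:
            out[name] = "signed"
    return out


def addressed_to(msg: Message, address: str) -> bool:
    """A genuine notice names its recipient in To/Cc; a Bcc relay of
    someone else's copy cannot, because Bcc leaves no header behind."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return address.lower() in {addr.lower() for _, addr in pairs}


def triage(raw: str, our_address: str) -> dict:
    """Summarise what a verified DKIM signature would and would not vouch
    for in this message. Only meaningful once the signature itself has
    been verified with a real DKIM implementation."""
    msg = message_from_string(raw)
    coverage = header_coverage(msg)
    return {
        "coverage": coverage,
        "addressed_to_us": addressed_to(msg, our_address),
        "reply_to_covered_by_signature":
            coverage["Reply-To"] in ("signed", "oversigned"),
    }


if __name__ == "__main__":
    for label, h in (("loose", LOOSE_H), ("strict", STRICT_H)):
        print(label, triage(TEMPLATE.format(h=h), "victim@example.org"))
```

Against the loose signer the tool reports Reply-To as unsigned and the victim as not addressed, which is exactly the relayed-invoice pattern; against the strict signer the same message would fail verification because the oversigned Reply-To now exists. Note that "oversigned" here says only that the signature claims coverage; whether the signature still verifies is the DKIM library's job.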
| coldpie wrote:
| I'm frequently impressed with spammer ingenuity. We had a similar
| thing happen at a previous job. Users could sign up for a free
| trial for our software using a web form. The form had fields like
| "email address" and "name" so we could follow up with the user.
| Scammers would fill in a victim's email address and some scummy
| website in the "name" field, resulting in our servers sending the
| victim an email starting with something like, "Hello, Click Here
| For Free Money FreeMoney.com," followed by the rest of our
| marketing copy. Never would've thought to use the form that
| way...
| cuu508 wrote:
| I run a SaaS where users can create projects and invite other
| users into their projects. When a user gets invited, the SaaS
| sends them an email notification "You've been invited to project
| such-and-such".
|
| So a spammer created a project, they put their spam message in
| the project's name, and started to go through their victim
| list, inviting each into their project. I suppose that's one
| way to send an email :-)
| judge2020 wrote:
| With SPF/DKIM enabling authenticated email, domain reputation
| is at a premium these days, especially if scammers want to
| end up in gmail inboxes.
| chrishynes wrote:
| Most spam I get to my gmail inbox nowadays is itself from
| an @gmail.com address :-/
| jjav wrote:
| Indeed. Nearly 100% of the phishing we get at my employer
| (which I monitor) is from gmail.com addresses.
| londons_explore wrote:
| It's because Mike Hearn retired from the Google anti-
| abuse team - their bot protections went downhill from
| there, and now bulk Google accounts sell for a few cents
| each.
|
| It's easy to make money when you can send out thousands
| of spam emails, each with hundreds of recipients, for
| under a cent.
| kccqzy wrote:
| And where do those bulk Google accounts come from?
| Compromised accounts due to weak/leaked passwords,
| without 2FA.
|
| What does Google do about them? Making it harder to log
| in to dormant accounts from new devices and locations.
| What's the result? Periodic HN complaints on someone
| unable to access their decade-old dormant account, or an
| active account with a truly forgotten password, etc.
|
| Anti-abuse is hard. Damned if you do something, damned if
| you don't.
| londons_explore wrote:
| They could do far more things to solve this issue...
|
| For dormant account reactivation, they can ask the user
| for lots of details that are in the account. For example,
| "please type in email addresses of as many people as
| possible that you have sent emails to from this account".
| Which cities have you previously logged into this account
| from?
|
| All info would be optional, but the more the user
| provides the quicker they're going to get in.
|
| When the user has provided enough information to be
| fairly sure that it's a real user attempting to login,
| then start a 7 day countdown. During the 7 days, contact
| the users top contacted email addresses and ask them to
| reply confirming the user is trying to reactivate the
| account.
|
| Hire attackers to try and break into old accounts, and
| use their input to find the likelihood of each type of
| information being correctly given by the real account
| owner and an attacker.
| xorcist wrote:
| And Facebook, for some reason. Which is weird as I've
| never signed up for any Facebook owned service. Never
| looked into how they do it, but they keep coming.
| Mordisquitos wrote:
| As someone with the unfortunate privilege of having an early
| GMail address with _${FIRST_NAME}.${LAST_NAME}@gmail.com_ , the
| fact that your description of the first email you would send
| your ostensible customers does not sound like a straightforward
| confirmation email is already a red flag.
| shaftway wrote:
| I had a form like that. You put in your email and it sends an
| email from us@foo.com, to us@foo.com, and to them@whatever.com.
| We had internal mailing lists for clients, including something
| like all-clients@foo.com, but they were locked down so only
| certain people could send to them. Turns out us@foo.com was one
| of those people, and so someone would spam all of our clients
| by putting their return address as all-clients@us.com. We just
| took the form down and posted our email address.
| rtkwe wrote:
| Alternatively, not accepting any internal @foo.com email
| addresses in your contact-us form (unless you're an email
| provider) would work too.
| misterbwong wrote:
| Add me to the chorus of people that are impressed/scared by
| spammers.
|
| In a previous life, I worked at a semi-well-known auto
| publisher site where scammers literally stood up a copy of
| almost _the entire site_ (ads, functionality, and all) in order
| to execute an auto escrow scam. We know of at least one
| instance where a user in the UK was scammed out of ~$10,000-ish
| using this method.
|
| Democratization of technology at its best (worst?) I guess...
| SoftTalker wrote:
| Never trust user input. If a user input value will be used on a
| page or email or other output, it will be abused once this is
| discovered. You must sanity check.
|
| Edit: this was already pointed out downthread. Missed it before
| I posted.
| dylan604 wrote:
| The fact that in 2022 user input sanitization is still such a
| low hanging fruit for attackers shows that you cannot preach
| this loud enough or often enough.
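The three abuses in this subthread (a spam message in the "name" field of a trial-signup form, a spam message in a project name that is echoed into invitation mail, and a form that relayed to an internal all-clients list because the submitter's address was an internal one) share one fix: treat every free-text field as hostile before it reaches an outbound template sent from a high-reputation domain. The following is an added example, not code from any of the posters' systems; the internal domain foo.com, the field limits and the sample inputs are assumptions. It rejects names that carry links or domains, collapses newlines so a name can never become an extra mail header, refuses internal-domain addresses as the submitter, and renders the first message with a fixed subject and the user text quoted and labelled rather than presented as the sender's own words.

```python
"""Validate free-text form fields before they are echoed into outbound
mail from a high-reputation sender. Added example, not any poster's
code; the internal domain, limits and sample inputs are assumptions."""
import re
from email.utils import parseaddr

MAX_NAME_LEN = 80
# Letters, digits, spaces and a few name punctuation marks only. Newlines
# and ":" are excluded so a name can never smuggle an extra mail header.
NAME_ALLOWED = re.compile(r"^[\w .,'\-]+$")
# Anything that looks like a URL or bare domain (label.tld). This also
# trips on names like "St.Clair"; that is an accepted false positive.
LOOKS_LIKE_LINK = re.compile(
    r"https?://|www\.|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)


def validate_signup(name: str, email: str,
                    internal_domains=("foo.com",)) -> list:
    """Return the reasons to reject a signup submission; an empty list
    means the values may be used to send mail."""
    problems = []
    name = " ".join(name.split())  # collapse runs of whitespace/newlines
    if not name or len(name) > MAX_NAME_LEN:
        problems.append("name length")
    elif not NAME_ALLOWED.match(name):
        problems.append("name has disallowed characters")
    if LOOKS_LIKE_LINK.search(name):
        problems.append("name looks like a URL or domain")

    _, addr = parseaddr(email)
    # Require a bare address: no display name, nothing parseaddr dropped.
    if not addr or "@" not in addr or addr != email.strip():
        problems.append("malformed email")
    elif addr.rsplit("@", 1)[1].lower() in {d.lower() for d in internal_domains}:
        # Stops the form from mailing us@foo.com / all-clients@foo.com
        # style internal lists on a stranger's behalf.
        problems.append("internal address not allowed")
    return problems


def render_confirmation(name: str) -> tuple:
    """Subject and body for the first message. The subject is fixed and
    the user-supplied name is quoted and labelled, so the mail reads as
    a confirmation request, not as the sender endorsing the text."""
    subject = "Please confirm your email address"
    body = (
        "Someone entered this address on our free-trial signup form.\n"
        f"Name given on the form: \"{name}\"\n"
        "If this was not you, ignore this message; nothing has been created."
    )
    return subject, body


if __name__ == "__main__":
    samples = (  # constructed inputs
        ("Jane Doe", "jane@example.org"),
        ("Click Here For Free Money FreeMoney.com", "victim@example.org"),
        ("Jane Doe", "all-clients@foo.com"),
        ("Jane\nBcc: x@y.com", "a@example.org"),
    )
    for n, e in samples:
        print(repr(n), e, "->", validate_signup(n, e) or "ok")
```

The confirmation template matters as much as the validation: even a name that passes the checks should never appear in the subject line or as the opening words of the body, because that is what turns a transactional mail into a spam delivery vehicle.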
| mkmk wrote:
| The worst offender here is Atlassian. Every week, my common-name
| email address gets added to a new JIRA instance and is
| relentlessly spammed using the 'you've been made an admin of an
| organization' or 'you were mentioned on an issue' features. Each
| time, another phishing or crypto-pumping scam gets delivered by
| their high-reputation email servers.
| dclowd9901 wrote:
| Just got one of these recently. I was legit worried someone had
| somehow managed to charge me without my consent. The invoice
| doesn't help at all at clarifying the fact. PayPal really needs
| to clean up the design of that email.
| axsharma wrote:
| Avanan had reported seeing this exploited by hackers back in
| July. https://www.avanan.com/blog/sending-phishing-emails-from-
| pay...
| almog wrote:
| I received a phishing email like this two weeks ago (different
| text and phone number but same scheme overall):
| https://pbs.twimg.com/media/FZWERGlXgAIUVF7?format=jpg&name=...
|
| It took me a while to figure out what's going on; these were the
| steps that I took:
| 1. Examined the headers, which looked legit, because well, it's
| really from Paypal.
| 2. Googled the phone number and could not find any mention of it
| on Paypal (though I must say it did seem like a similar number to
| at least one of Paypal's numbers).
| 3. Checked Truecaller and found no record of this number (I later
| updated this number's description to alert other people to
| phishing attempts).
| 4. Logged in to my account, just to make sure (without clicking
| the link), and found no evidence of any funny activity.
| 5. Googled the phishing text and could not find relevant results,
| but Paypal itself did have a page with very similar text (well
| thought out phishing attempt).
| 6. I stripped the link of all query strings, opened it in
| incognito, and voila, I saw that it's an invoice page that anyone
| can access and pay.
|
| I tried to click the "Feedback" button on the right which I
| expected to show me an option to report a phishing attempt but
| instead, it just did nothing, absolutely nothing, on both FF and
| Chrome (not even a console error that I can remember seeing).
|
| Some conclusions:
| 1. Paypal are using _exactly_ the same email address for invoice
| notifications as other formal emails that I get from Paypal.
| 2. Paypal are not framing the invoice text as text that originated
| from the invoice sender, thus allowing fraudsters to convey the
| same official tone as the rest of their email.
| 3. phishing@paypal.com is how you report phishing attempts to
| Paypal, though I'm not aware of any changes they applied since.
| noahtallen wrote:
| Yeah, having used PayPal invoices for Reddit's r/hardwareswap,
| all you need is an email address and you can bill someone for
| anything via PayPal. It even gives you their shipping address
| after they pay. Very convenient for the happy path, but
| definitely ripe for abuse.
| almog wrote:
| I've used that for legitimate use too, and yes, it can be
| convenient. I think it can stay convenient without some of
| the issues that made this particular phishing mail so well
| made (i.e. tell the recipient that the message they're
| reading is part of an invoice text sent by the invoice sender
| + use a dedicated email address for invoices).
| TakeBlaster16 wrote:
| Don't trust any text that a malicious adversary could change.
| This is the email version of the Line of Death
| https://textslashplain.com/2017/01/14/the-line-of-death/
| __derek__ wrote:
| I'd never seen that Line of Death article, but it seems like a
| useful heuristic. Thanks for sharing.
| EGreg wrote:
| I once wrote an email to Steve Jobs, saying that operating
| systems like MacOS and iOS should have a secret phrase or icon
| that they show to you whenever they show a system-level
| security dialog. (And of course implement the same restrictions
| on screenshots of that dialog as they do for movies.) Because
| otherwise, an app can totally fake the interface of a security
| dialog. The only way you know, these days, is that password
| managers and cookie jars work with the "approved" sites, but
| they can simply show you a site that doesn't require those, and
| then fool you into entering your passwords! Steve never replied
| to me. And Apple never implemented it.
| datavirtue wrote:
| The only company I have seen use the secret icon was a
| bank...and that was quite a few years ago. I forget which
| bank. Maybe Wells Fargo?
| dylan604 wrote:
| They probably showed you the secret icon to indicate that
| they had opened a secret account in your name where the
| secret was kept from you
| Animats wrote:
| Secure paths are a big issue.
|
| Windows used to have a "secure attention sequence", CTRL-ALT-DEL,
| which you had to push when you really wanted to talk to
| the security functions of the operating system. That stopped
| being mandatory in Windows 10, due to "customer confusion",
| although some enterprise configurations turn it back on.
|
| The concept comes from some DoD security projects from around
| 1980. Microsoft picked it up when Windows NT was being
| developed. Some DoD systems have also used a brightly colored
| screen border to indicate the degree of classification of the
| content. But that's too intrusive for consumer use.
|
| There are so many layers now that it's hard to provide a
| secure path that can't be compromised.
| dfox wrote:
| SAK is controlled by group policy since Windows 2000 and is
| disabled by default on client SKUs that are not domain
| members.
|
| On the other hand all current iOS devices have some
| hardware level SAK-like gesture that directly confirms the
| user intent to the secure enclave. The overall UX design is
| such that it is not especially noticeable unless you know
| that there is such a thing.
| mholt wrote:
| Yeah. That was also roughly the conclusion of my masters
| thesis: https://scholarsarchive.byu.edu/etd/7403/ ("After
| HTTPS: Indicating Risk Instead of Security") -- we examined the
| flaws of current browser warnings and security messages and one
| of the big ones is that attackers can use those UIs against
| you. (Hence our proposed solutions all involved UI above the
| LoD.)
| SilasX wrote:
| Heh, I did a version of this as the attacker in early Second
| Life.
|
| In SL, you can create objects and have them speak (via the
| onscreen text chat window). You were allowed to give them any
| name, so I would name them after another player, letting me
| "throw my voice" and impersonate them.
|
| The devs apparently realized this problem early on, and their
| fix was: objects speak with green text, human players speak
| with white text. But this isn't disclosed anywhere, and there
| weren't many speaking objects at the time.
|
| So my workaround was to name an object after another player,
| wait for them to go afk, and then have the object say, "Hey
| guys, guys, check this out! I can make my text green! Woo hoo!"
| And _then_ say all the malicious stuff I wanted them to say.
| redm wrote:
| This problem is similar to problems I've had as well.
| Scammers/spammers exploit services and tools in such ways that
| it's difficult to prevent without manual review. Just like in
| Field of Dreams, if you build it, they will come. The best
| advice is buyer (or reader) beware.
| robrtsql wrote:
| Intuit Quickbooks is another service that gets used like this. My
| mom received some fraudulent invoice from an Intuit Quickbooks
| user, which was from the legit Intuit domain since it was sent by
| the service, which claimed that she owed "PayPal, Inc" $600 for
| something or other. I told her to delete the email and reported
| the activity to Intuit but never heard back.
| yieldcrv wrote:
| > Also, the email headers in the phishing message (PDF) show that
| it passed all email validation checks as being sent by PayPal,
| and that it was sent through an Internet address assigned to
| PayPal.
|
| More awareness of the various possibilities of this needs to
| occur.
|
| I recall when this was happening to me in 2017 many people on
| forums like this wouldn't believe me, choosing to blame the
| victim instead of the person that made a choice in trying to
| create a victim. I'm all for some level of agency amongst people
| to not be a victim, but in the order of diagnosis of the problem
| this email header issue should be put more highly up on the list.
| noasaservice wrote:
| Yep, I've been seeing this for a few months.
|
| I've screamed each time I saw one of these. Not that it likely
| did any good.
| labrador wrote:
| I received one of these as a text msg. I ignored the message and
| then checked my PayPal and bank to see if there was a charge of
| $400. There wasn't but I deleted my PayPal account just to be
| safe. My reasoning at the time (March) was that sanctions on
| Russia would motivate a lot of Russian programmers to devote more
| effort into hacking Americans and I should reduce my attack
| surface.
|
| There was a posting on HN around that time about a hacker
| accessing passwords stored in the browser. I didn't save it, but
| cleaned out my stored passwords just the same.
| Animats wrote:
| > I received one of these as a text msg. I ignored the message
| and then checked my PayPal and bank to see if there was a
| charge of $400. There wasn't but I deleted my PayPal account
| just to be safe.
|
| This. If your site is being used for phishing attacks, many
| users may just stop using your service, because it's not worth
| the trouble.
|
| I used to have an automated list of popular phishing sites.[1]
| It's still running, but since it's driven by PhishTank, which
| isn't used much any more, it's not that interesting.
|
| [1] http://sitetruth.com/reports/phishes.html
| elefantastisch wrote:
| Basically the same here. I looked for a way to report the issue
| to PayPal. There was no way to do it, so I just deleted my
| account and gave as a reason that PayPal didn't take fraud
| seriously if they didn't have a way to report / get advised on
| suspicious emails.
|
| Oh well. Guess they don't care.
| cfeduke wrote:
| Paypal doesn't care about fraudulent use of their payment
| system; they practically promote it by not offering any way
| whatsoever to report crimes committed on their platform.
| labrador wrote:
| The tipping factor for me was PayPal had recently added
| crypto
___________________________________________________________________
(page generated 2022-08-18 23:00 UTC)