« A Nimble 419er: Abu Oma (& Mother) | Main | Pathetic PayPal Predators »

January 09, 2005

A new round of PayPal phishing messages seems to be on the prowl. Picking up on the real class action lawsuit against PayPal, the current predators want to make you believe that you are entitled to a payout. To receive the payout, they tell you, you must visit a link in the message and fill out your debit/credit card information so that funds will be credited to you.

The link, by the way, is to a numeric IP address hosted in Mexico. The page at that destination relies on visitors using Internet Explorer for Windows, because it abuses ActiveX and various vulnerabilities to trick visitors into believing they're really at PayPal, when, in fact, they're filling out a form hosted in Mexico. Submitting the form (which has blanks for PayPal login info, credit card number, security code, and PIN number) sends that information off to a server hosted in South Korea.

See, spam-watching can give you a geography lesson at the same time. Moreover, I'm pretty sure the data will cross international borders at least once more before being bundled for sale on the black market.

Each successful ripoff of a PayPal customer from this phish message is extra sad for a number of reasons. First, the amount in question (not that you'd ever see it from this scam) is all of $43.99. Imagine giving up your identity for the promise of 44 bucks!

Second, the message includes a real link to PayPal's real settlement site, which takes you to a page explaining this very scam, with a sample of an earlier attempt to do the same thing.

Third, if you bother to read anything about the real settlement, you learn that you would have had to apply for your claim by last October. If you didn't apply, you get bupkis.

Fourth, the settlement documents clearly state that payments to class members will be either by way of their PayPal accounts (the scam message says this would be illegal—feh!) or, if you asked for it in your claim form, a check by postal mail. There is no reason on Earth why you'd have to give anybody further personal information to collect your settlement, even if you filled out the claim form.

Finally, from what I can tell, the final settlement has not yet been ordered by the court. Nothing happens until that happens.

When PayPal sent a legitimate message about the proposed settlement in July of 2004, the phisher-sniffers among recipients thought it was a fake. But it was real. Just goes to show you how scammers are eating away at the Internet, byte by byte.