funsec mailing list archives

RE: Paypal allows what?!

From: "Hubbard, Dan" <dhubbard () websense com>
Date: Fri, 16 Jun 2006 10:46:48 -0700
Also, does anyone have a code example? 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Blanchard_Michael () emc com
Sent: Friday, June 16, 2006 9:15 AM
To: dudevanwinkle () gmail com; funsec () linuxbox org
Subject: RE: [funsec] Paypal allows what?!

Anyone know what the IP address is of that Korean site that is hosting the scam? 


Michael P. Blanchard
Antivirus / Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE Office of Information Security & Risk Management EMC ² 
Corporation 4400 Computer Dr. 
Westboro, MA 01580 
 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Dude VanWinkle
Sent: Friday, June 16, 2006 11:45 AM
To: FunSec LList
Subject: [funsec] Paypal allows what?!

From:
http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_ide
ntity_theft.html

A security flaw in the PayPal web site is being actively exploited by fraudsters to steal credit card numbers and other 
personal information belonging to PayPal users. The issue was reported to Netcraft today via our anti-phishing toolbar.

The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The 
URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented 
to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by 
the fraudsters via a cross-site scripting technique (XSS).

The genuine PayPal SSL certificate used by the scam paypal-ssl.png

When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal 
site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will 
now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, 
which presents a fake PayPal Member log-In page. At this crucial point, the victim may be off guard, as the paypal.com 
domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web 
site - and why would he expect PayPal to redirect him to a fraudulent web site?
-----------------------------------------------

Pictures and screenshots available on the link

This one is BAD

-JP<who wonders how long phishers have known about this one>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:

Paypal allows what?! Dude VanWinkle (Jun 16)
- <Possible follow-ups>
- RE: Paypal allows what?! Blanchard_Michael (Jun 16)
- RE: Paypal allows what?! Hubbard, Dan (Jun 16)