"PayPal" Seems to Want My Attention Again

If people didn't lose money to phishing attempts, they would be funny. PayPal continues to be one of the top targets of scammers. The crooks get a bit more sophisticated every day, but I haven't yet seen a phishing attempt that isn't obvious within the first 5 seconds. I have another example to deconstruct today.

I had a few minutes to spare, so I took a look into the e-mail slop bucket and noticed 3 messages that purported to be from PayPal. I knew immediately that they were scams. How? Easy: I don't use the office address for my dealings with PayPal. PayPal doesn't have that address on file for me and, even if they did, the company wouldn't use that address because it isn't my primary address. And even if they did, they wouldn't send 3 messages from 2 different addresses with the same subject line.

But let's say I received this message at home and the scammers managed to guess the e-mail account that I use for PayPal (and only for PayPal). Let's pretend this message came to that address. The message has been placed in a wrapper by SpamAssassin, which runs on the server, and SpamAssassin doesn't think much of the message: "Spam detection software, running on the system "xxx.yyyyyy.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or block similar future email. If you have any questions, see The Email Administrator for details." It then provides a preview of the message, which begins "Dear PayPal® customer". In legitimate messages, PayPal always addresses me by my name exactly as they have it on file. The SpamAssassin wrapper also reports that this message scored 19.2 points, and I consider any score above 5.0 to be spam.

SpamAssassin even tells me how it calculated that score.

But let's say SpamAssassin was taking a nap and missed the message and that I wasn't yet fully awake, so I opened the message. At this point, I should certainly notice that PayPal didn't address me by name, but perhaps I wasn't paying attention and I let the mouse cursor hover over the link they want me to click. Now I should notice that the link goes not to PayPal, but to "paypal.user-confirmation.com/acc/login.php". In other words, it will take me to the "acc" directory on a sub-domain called "paypal" at the "user-confirmation.com" domain. The registered domain, the part that actually says who owns the site, is "user-confirmation.com"; the "paypal" in front of it is just a label the owner chose.
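Here is the hover-over check done in code, as an added example that is not part of the original post. It reduces a link to its registered domain (simplified to the last two labels; a real deployment would consult the Public Suffix List) and flags any link that carries a brand name in the host while the registered domain is not one the brand owns. The brand-to-domain table is an assumption for the example, built only from domains the post itself mentions.

```python
from urllib.parse import urlparse

# Brands and the domains they really own. paypalobjects.com is PayPal's, as the
# post notes. This table is an assumption for the example, not an authoritative list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypalobjects.com"},
}


def hostname_of(link):
    """Return the lowercase host of a link, even one copied from a status bar
    without a scheme, e.g. 'paypal.user-confirmation.com/acc/login.php'."""
    if "://" not in link:
        link = "http://" + link
    host = urlparse(link).hostname
    return host.lower().rstrip(".") if host else ""


def registrable_domain(host):
    """Simplified: treat the last two labels as the registered domain.
    Real code should use the Public Suffix List so that co.uk etc. work."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_spoof(link):
    """Return (brand, registered_domain) when a brand name appears in the host
    but the domain actually registered is not one the brand owns; else None."""
    host = hostname_of(link)
    if not host:
        return None
    owner = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and owner not in legit:
            return brand, owner
    return None


if __name__ == "__main__":
    for link in ("paypal.user-confirmation.com/acc/login.php",
                 "https://www.paypal.com/us/cgi-bin/webscr"):
        print(link, "->", brand_spoof(link))
```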

Did I Click?

No, but I did several other things. First, I handed the link to SamSpade and told Sam to pretend to be Internet Explorer 5 running on Windows 98. I asked Sam to fetch the Web page I would get if I clicked the link. I also used CentralOps.net to find out who user-confirmation.com is registered to and where it is.

The full HTML for the fraudulent page is shown at the left. Click the image for a full-size view (2.5MB). The first thing the page does, in its meta tags, is tell Google not to index it. This is probably done to keep the page out of Google searches, which would reveal the page for what it is: Fraud. The next step involves loading a variety of style sheets to control the formatting. This is a good attempt to make the page look legitimate because there are specialized style sheets for IE6 and IE7.

There's a reference to "paypalobjects.com" and that's a domain that's owned by PayPal. The crooks are ripping off PayPal's graphics to make the page look legitimate. The page also links to PayPal's own scripts, the ones PayPal serves for legitimate use.

When you get to the form part of the page, all it asks for is your e-mail address and your password. There are no questions about credit card numbers or anything else that might give this away as a fraud. This is the setup for what happens next, but let's finish looking at the code first. I saved the HTML code to my machine and opened it in a browser without the style sheets (they're in China, but that's getting ahead of the story). With the style sheets, the display would look more like PayPal's, but you can see that the page has just the elements needed to look legitimate.

By the way, here's what PayPal's actual login panel looks like, complete with the appropriate graphics and formatting. These would have been present in the example shown above if I had enabled all of the appropriate links.

If the user's e-mail address is available, it will already be filled in and the cursor will be in the password field. If not, the cursor will be in the e-mail field. And from there to the bottom of the page, there's nothing more than standard PayPal graphics and text.

What Happens Next?

I can't display any more of this fraud because to do so would subject me to the fraud, so I don't know what would happen, but I can surmise: Users who enter an invalid user ID or password will be told that the credentials are incorrect, but users who enter their true user name and password will appear to be logged in and "PayPal" will start asking questions so that the user can validate his or her identity.

How does it know? This is a fairly simple bit of trickery that's relatively new to phishing. It's called "man in the middle". Victims give the fraudulent site their user ID and password. The fraudsters use that information to log on to the real PayPal site and look up the victim's information. The fraudulent site then passes some of that information back to the victim as proof that it is the real PayPal.

At this point, the fraudsters have all the information they need to gain access to the victim's PayPal account and, as an added bonus, they have all the other information they can wring out of the victim during the "validation" phase. If the fraudsters are clever, they will then thank the victim and state that full access to the account has been restored. The final step will probably be to redirect the victim's browser to the real PayPal website.

Who? Where?

A quick whois query revealed that user-confirmation.com is registered through the registrar Xinnet.com and that Xinnet.com is in China. Additional digging revealed the reported name of the person or organization that registered the name: "xiaowen, No.12 chang'an road, beijing Beijing 100001, China". Note, though, that this information could be just as fraudulent as the e-mail and the website.

Not being able to read Chinese, I found the Xinnet.com website to be not particularly helpful in finding out more about the domain. The dialog that I thought might be for whois information was actually the service that checks to see if a domain name is available.

So I asked CentralOps.net to tell me where the website is hosted and this turned out to be a surprise. The site isn't being hosted in China, but on a server owned by AT&T (in the former SBC division). The server is actually in Saint Louis, information that is clearly revealed by a traceroute. It would be easy to be outraged that the site is on a server owned by AT&T, but "the telephone company" provides website hosting as all site hosts do. Nobody at AT&T knows about fraudulent sites until somebody reports them. I had intended to report the site on completion of this report, which would give AT&T everything they needed to shut the site down.

Somebody else beat me to it. When I tried one final traceroute to confirm the location, the traceroute aborted. When I then tried to view the "user-confirmation.com" webroot, the result was "66.1 Host Locked". Chalk up one for the good guys.

Identifying Tampered Images

It's easy to think that an organization that's ignorant about one aspect of digital image processing is ignorant about other aspects, too. A friend received a series of absurd requests from a publishing company that clearly illustrated a serious lack of understanding of digital images. They wanted him to provide an image that was 600 pixels wide at 72dpi and they also wanted him to provide an image at 300dpi that would be suitable for printing. In the first case, 600 pixels wide is 600 pixels wide and dpi doesn't matter. In the second case, they specified 300 dpi, but didn't bother to state how wide the printed output would be. Without that, it's impossible to provide what they want. They also warned that tampering with the original image wasn't permitted and that they would know about it if my friend did. Because they were so clueless about the first two points, it was easy to assume that they wouldn't be able to spot image manipulation, either. Betting on that would be unwise.

Here's an image that has been manipulated, but only a bit. Notice the minor jaggies in the histogram. If no changes have been made, the histogram will be smooth.

Now more significant changes have been made and the histogram clearly shows the signs of major modification.

Let's start with an image that has had no manipulation at all. The histogram shows that this is an image that hasn't been modified.

At this point, I've made some minor changes. Note the white areas in the bars.

Now the changes are more pronounced, both on the image and on the histogram.

There's no question about this one. The image has been modified substantially and the histogram doesn't lie about it.
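The "white areas in the bars" can be counted rather than eyeballed. This added example (mine, not from the post) builds a constructed stand-in for an untouched 8-bit grayscale image, applies a Levels-style stretch to it, and counts the empty histogram bins that the stretch leaves behind between the darkest and brightest populated levels. The image data and the 30..220 input range are constructed for the example.

```python
import random


def histogram(pixels):
    """256-bin histogram of 8-bit grayscale values."""
    bins = [0] * 256
    for v in pixels:
        bins[v] += 1
    return bins


def empty_bins(bins):
    """Count empty bins between the darkest and brightest populated levels.
    An unedited photo fills its range smoothly; a Levels or contrast stretch
    spreads the original levels apart and leaves gaps (the white areas)."""
    populated = [i for i, n in enumerate(bins) if n]
    if not populated:
        return 0
    lo, hi = populated[0], populated[-1]
    return sum(1 for i in range(lo, hi + 1) if bins[i] == 0)


def levels_stretch(pixels, black, white):
    """Map the input range [black, white] onto [0, 255], as a Levels
    adjustment does. Integer arithmetic first so the endpoints land exactly."""
    span = white - black
    return [min(255, max(0, round((v - black) * 255 / span))) for v in pixels]


def constructed_image(n=20000, seed=1):
    """Constructed stand-in for an untouched photo: values spread evenly over
    levels 30..220, with a fixed seed so the result is reproducible."""
    rng = random.Random(seed)
    return [rng.randint(30, 220) for _ in range(n)]


def tamper_report(pixels):
    """Return (empty bins inside the populated range, populated bins)."""
    bins = histogram(pixels)
    return empty_bins(bins), sum(1 for n in bins if n)


if __name__ == "__main__":
    original = constructed_image()
    print("original :", tamper_report(original))
    print("stretched:", tamper_report(levels_stretch(original, 30, 220)))
```

The stretch maps 191 input levels onto 256 output levels, so 65 bins inside the populated range end up empty; the untouched data has none.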

Nerdly News

Google, Motorola, and Dell Sing the Blues

You don't find the words "Google" and "layoffs" in the same sentence very often, but you will today. Also, Dell is cutting more jobs and so is Motorola. The term "tip of the iceberg" is becoming more relevant as we seem to be finding out that the economy can't take the repeated abuse of tax cuts, war costs, cheating mortgage financiers, and offshoring jobs indefinitely without stumbling.

Google is cutting about 300 jobs from its DoubleClick subsidiary. Google recently acquired the advertising technology company and its 1200 employees, so this is a 25% staff reduction. Google will also spin off a DoubleClick business unit, Performics Search Marketing. That division works with companies to place ads on search engines.

The man in charge of integrating DoubleClick with Google, Tom Phillips, wrote on the company's blog that Google should not be in the search engine marketing business because it's important to maintain the trust of users. Google's and Performics Search Marketing's objectives are at odds with each other. Google wants to maximize profits and PSM's objective is to get the best performance for the least money.

For some DoubleClick employees, Wednesday was their last day. Others will work in transitional roles that will end when the consolidation is complete.

Google has nearly 17,000 employees and added more than 6000 last year.


Dell, in planning to cut $3 billion in costs over the next few years, announced this week that it will lay off more than just the 8800 employees previously announced. Michael Dell said he is not satisfied with the current state of affairs. Dell will close an Austin plant to cut 900 jobs and the overall reductions represent about 10% of the company's workforce.

Dell has already cut 5500 jobs and 1000 more heads are on the block this quarter. Dell has increased head count in sales and support, which is welcome news for owners of Dell computers. The company has received poor marks for outsourcing support to offshore workers whose grasp of English is limited.


Motorola announced plans to take a $104 million charge as part of a reorganization that will cost 2600 workers their jobs. The charge includes $113 million in severance costs, but those costs are reduced by $9 million by reversing accruals from previous periods.

Investor Carl Icahn has been pressuring Motorola to split itself into two separate publicly traded companies, spinning off its unprofitable mobile phone unit to investors. The company announced recently that it would do just that.

File Sharing May be Good for the Music Industry

The Guardian (England) quotes EMI Music executive Glenn Merrill as saying that music downloads are "not necessarily bad". What!? Someone in the music industry has finally figured this out! Merrill came to EMI from Google, where he was the chief information officer. At EMI he's working to develop the company's digital strategy, innovation, business development, supply chain and global technology activities. Better late than never.

Napster wanted to negotiate a payment scheme with the recording industry a decade ago, but the industry refused and managed to put Napster out of business. They won the battle, but clearly are losing the war. Now companies such as EMI seem to be willing to see if they can work with file sharing systems instead of opposing them.

Merrill says that some academic research "shows file sharing is a good thing for artists and not necessarily bad." Even more important, Merrill suggested that research might be better than pig-headed stubbornness: "We should do a bunch of experiments to find out what the business model is." (OK, Merrill didn't really say anything about being pig-headed or stubborn. That was mine. It wasn't in quotation marks and I didn't attribute it to anyone.) "There is evidence that people we think are not buying music are buying music. They're just not buying it in formats we can measure," the Guardian quoted.

Additionally, Merrill criticized the Recording Industry Association of America (RIAA) for going after individual file sharers in court. "It's a poor business model to sue your customers. I don't think that's a sustainable strategy." EMI plans to experiment with ad-supported music download services and subscription music services. Common sense may yet prevail.
