To all those who recently were praising paypal and knocking western union. I just got this in my email. It went to junk on live and I don't have a paypal account.

Dear PayPal Customer : PayPal is committed to maintaining a safe environment for its community of customers. To protect the security of your account, PayPal employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal system for unusual activity. We are contacting you to remind you that on 20 September 2010 our Account Review Team identified some unusual activity in your account. In accordance with PayPal's User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved. To secure your account and quickly restore full access, we may require some additional information from you for the following reason: We have been notified that a card associated with your account has been reported as lost or stolen, or that there were additional problems with your card. This process is mandatory, and if not completed within the nearest time your account or credit card may be subject for temporary suspension. To securely confirm your PayPal information please download the attachement. We encourage you to log in and perform the steps necessary to restore your account access as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure. For more information about how to protect your account please visit PayPal Security Center. We apologize for any incovenience this may cause, and we apriciate your assistance in helping us to maintain the integrity of the entire PayPal system. Thank you for using PayPal! 28.09.2010PayPal Security Center Team

LOL bad troll is now dumb bad troll LOL

This happened to me and I barely use Paypal. And it really was locked down to a limited status. So I'm leaving it like that.

This happened to me and I barely use Paypal. And it really was locked down to a limited status. So I'm leaving it like that.
Did they also ask you to download an attachment and then misspell appreciate?

Actually checking your paypal account every couple of weeks by going to paypal.com is one thing. The above post is an obvious spam/virus/keylogger/attempt to screw you.

You clicked on the link and logged in, didn't you? You can't fool us....:buttkick:

Not recognizing a phishing email scam does wonders for your credibility on this topic.

I think the last six words of the third sentence should clue everyone in to the fact that this was a scheme to try to get access to your paypal account.

To all those who recently were praising paypal and knocking western union. I just got this in my email. It went to junk on live and I don't have a paypal account.

Dear PayPal Customer : PayPal is committed to maintaining a safe environment for its community of customers. To protect the security of your account, PayPal employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal system for unusual activity. We are contacting you to remind you that on 20 September 2010 our Account Review Team identified some unusual activity in your account. In accordance with PayPal's User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved. To secure your account and quickly restore full access, we may require some additional information from you for the following reason: We have been notified that a card associated with your account has been reported as lost or stolen, or that there were additional problems with your card. This process is mandatory, and if not completed within the nearest time your account or credit card may be subject for temporary suspension. To securely confirm your PayPal information please download the attachement. We encourage you to log in and perform the steps necessary to restore your account access as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure. For more information about how to protect your account please visit PayPal Security Center. We apologize for any incovenience this may cause, and we apriciate your assistance in helping us to maintain the integrity of the entire PayPal system. Thank you for using PayPal! 28.09.2010PayPal Security Center Team



What Is Phishing?
The term phishing is a general term for the creation and use by criminals of e-mails and websites – designed to look like they come from well-known, legitimate and trusted businesses, financial institutions and government agencies – in an attempt to gather personal, financial and sensitive information


Read more: http://www.disabled-world.com/communication/phishing.php#ixzz10wY4sdNf

Did they also ask you to download an attachment and then misspell appreciate?

No, I don't open email attachments. I saw the email and thought it was bullshit. However when I logged into Paypal on its own, it stated I was on a limited account.

I can't believe I feel like I should explain this.
If you DO use something such as Paypal and get something weird like that, and you are compelled to believe it is real, do not click any links in the e-mail. Use your fingers to type www.paypal.com in the browser, log in, and if there really is a problem, Paypal will let you know.
This does apply to other secure websites. Or any other website really.


And for limited access, this happened to me recently, I had to call them to fix it, it ends up when you use a cell phone for a paypal transaction it can make you show up all over the country and it freaks them out.

Actually this just happened to me a few months ago and was worded about that same fucking way but was legit as I called paypal. It was over cancellation of a bank account, closed credit cards and address change.

All started with a purchase of mount and blade warband via download as a gift.

All said and done currently still limited access but never had to pay for the purchase either. I can put/receive money in and apply towards my paypal cc account but I can't spend out.

(Part of the delay for the shipping of those jerseys but that was more to the fact because my daughters were here and we were all over the state spending time together that week).

Paypal ARE cocksucks to work with on the phone no matter what. If you can understand them. I'm sure TheE wouldn't have a problem.

And for limited access, this happened to me recently, I had to call them to fix it, it ends up when you use a cell phone for a paypal transaction it can make you show up all over the country and it freaks them out.


Exactly. The purchased download was based in like turkey and they had a shit fit about it really.

lol. This thread fucking rules man. I love phish emails.

Not recognizing a phishing email scam does wonders for your credibility on this topic.

You really are a stupid one aren't you? I recognized it instantly. Live.com recognized it as they sent it to the junk pile.

I don't have a paypal account of any kind and haven't for years. I am not even sure how they got my email address.

I just thought it worth noting after all you were praising paypal to high heaven. I also did you a favor by pointing this out I might add.

This could never happen with western union, because you don't have an account to question.

You really are a stupid one aren't you? I recognized it instantly. Live.com recognized it as they sent it to the junk pile.

I don't have a paypal account of any kind and haven't for years. I am not even sure how they got my email address.

I just thought it worth noting after all you were praising paypal to high heaven. I also did you a favor by pointing this out I might add.

This could never happen with western union, because you don't have an account to question.

I lived out of the country for a few years and had my salary checks (from the US) sent to my parents (in the US, a few years ago in the US) and Western Union wanted a fuckton (official measurement used in the former Soviet Union) to send me that money every month. Paypal let me transfer it free of charge. Also Paypal let me get $220 in the course of seconds when I sold imaginary silvers last week. Also I used it to buy tacos on grubhub.com earlier today. I'm still waiting for the tacos I ordered in 2004 after I Western Union'ed my money to some (authentic!) tortilla makers in Oaxaca. So I think paypal is better.

You started this topic with that email quoted as proof that Paypal was faulty since you aren't a member. No where did you state you recognized it as a phishing scam.

How can you blame Paypal for a phishing scam? I've seen them come from all kinds of banks as well. Do you blame the legitimate institution for the actions of fraudsters?

You're backpedaling.

I lived out of the country for a few years and had my salary checks (from the US) sent to my parents (in the US, a few years ago in the US) and Western Union wanted a fuckton (official measurement used in the former Soviet Union) to send me that money every month. Paypal let me transfer it free of charge. Also Paypal let me get $220 in the course of seconds when I sold imaginary silvers last week. Also I used it to buy tacos on grubhub.com earlier today. I'm still waiting for the tacos I ordered in 2004 after I Western Union'ed my money to some (authentic!) tortilla makers in Oaxaca. So I think paypal is better.

Paypal does not help you out of the goodness of their hearts. They either charge you fees, perhaps hidden ones or they use your money for free for as long as they can do it without getting arrested.

You started this topic with that email quoted as proof that Paypal was faulty since you aren't a member. No where did you state you recognized it as a phishing scam.

How can you blame Paypal for a phishing scam? I've seen them come from all kinds of banks as well. Do you blame the legitimate institution for the actions of fraudsters?

You're backpedaling.

You all said you didn't want to use western union because it was used by these same fraudsters. On what exact basis does somebody of your limited intellect use to determine whether it's fraudulent or not? Talk about backpedaling.

There is nothing to be gained by me by an attempt to raise your intelligence from nothing. If you had any interest in doing so it wouldn't be as lacking in the first place.

Paypal does not help you out of the goodness of their hearts. They either charge you fees, perhaps hidden ones or they use your money for free for as long as they can do it without getting arrested.

I don't think anyone ever said they operate their business out of the goodness of their hearts.

They do allow free transfers for gifts or to relatives (I forget which). They get a couple days of float when you pull money out. Is your money seriously so active that you do overnight investing for a tenth of a percent?

Unlike western union which is a non-profit with superb security and in no way used by every scammer on earth as a means to easily steal money with no reprecussions.

You all said you didn't want to use western union because it was used by these same fraudsters. On what exact basis does somebody of your limited intellect use to determine whether it's fraudulent or not? Talk about backpedaling.

There is nothing to be gained by me by an attempt to raise your intelligence from nothing. If you had any interest in doing so it wouldn't be as lacking in the first place.

...there's a difference when dealing with fraud when processing a transaction and fraud when there's someone phishing for account info.

I'm somewhat dumbfounded that you can't or won't recognize the difference.

Unlike western union which is a non-profit with superb security and in no way used by every scammer on earth as a means to easily steal money with no reprecussions.

You are a bit late. This is the same factless, pointless arguement that has already been used. It's also not logical, it's called a strawman arguement.

...there's a difference when dealing with fraud when processing a transaction and fraud when there's someone phishing for account info.

I'm somewhat dumbfounded that you can't or won't recognize the difference.

Oh, I understand perfectly. The problem is you don't comprehend the difference yourself. I already said there can be no account fraud on western union because there are NO accounts.

How is it factless? I have seen cases of people picking up money orders from western union as Timothy McVeigh and its undisputable. If you dont get your items and the money order is already picked up you are just fucked.

With paypal and a credit card you can get money back.

If it looks like a crook, and smells like a crook.. don't worry guys it isn't a crook!

I was ripped of TWICE by people through Paypal and I got my money back both times. Also they are WAY faster/cheaper then Western Union.

Also one time was well over a grand and I got every penny back.

This could never happen with western union, because you don't have an account to question.

Good point. The type of scam you mentioned did indeed originate with the advent of email. Before email came along there was absolutely no way to communicate with people via written form over long distances. None whatsoever. So people were unable to execute such a flawless type of scam. Thank you for opening our eyes.

I was having a hard time deciding where to start because Honorbound doesn't seem to be able to properly analyze threat vectors or distinguish between different targets and threat models. That's a very general problem. I'm rather serious about security so I think it's important to be comprehensive in discussing these threat models. All you "TLDR-ers" just scroll on by as I do so.



First, Honorbound, consider your original thread that spawned this:
- You were a relative unknown (3 months activity) almost all of which as a customer.
- You chose a name that was a rub-it-in-your-nose level of "hey, your money is in good hands... trust me..."
- You suggested the scammer's EFT method of choice, Western Union.

Second, consider the following next course of actions with respect to your sale of virtual goods:
(1) You honor your word and both you and your customer are pleased with the exchange.
(2) You scam your customer and make off with the cash. Since he used Western Union, he has no discourse.

Third, consider the same event except with you accepting PayPal:
(1) You honor your word and both you and your customer are pleased with the exchange.
(2) You scam your Customer and make off with the cash. Since he used PayPal, he can get his money back.

The conclusion is: Both versions have an identical case 1. Both also have a case 2 but proper use of PayPal allows the victim to get their money back. It's obvious which the customer should prefer. Your thread offered a textbook "approach with caution, potential scammer" scenario.



Next let's look at phishing emails:
- You get some email that presents some out of the ordinary circumstances.
- The threat vector is a person who is complacent or who doesn't otherwise pay attention while reading such emails.

Phishing emails, with a single threat vector, have a subset of attack styles and targets:
(1) Generally compromising your system.
- Usually this is done by sending you to a webpage that nails the browser with some exploit (usually tailored to your useragent string and reported software versions)
- It might make your machine a spam/DDoS/etc zombie (which may have no implications for your bank account)
- It might install some keylogger-style software to harvest passwords (to everything and anything)
- It might do something else if you're a high-profile target
(2) To forward you to a fake login screen (in this case, PayPal)
- One set of credentials is targeted and compromised
(3) Someone lies about their identity/condition
- Specifically, we're talking about circumstances where a victim thinks that they will realize a gain or they will prevent someone else from realizing a loss
- Just note that these almost always result in the scammer requesting that you wire some money Western Union

Here are some reasons why (1) is better than (2) and why it comprises the VAST majority of attacks today:
- Taking over a system allows the attacker to collect the most assets as it is not targeted and adaptive
- Clicking the malicious link implies that an attack will be launched
- Clicking on a malicious link might result in an immediate loss of assets for the victim if their system is compromised (auto-login credentials for messenger clients are often right there for the taking, or simply use browser tokens to hijack your current email session). Immediately running to a clean machine to change such passwords is the fastest way to become safe and it might not be fast enough. Powering off the infected computer may not even necessarily help.
- If the user clicks on the link and doesn't realize they've made a mistake, they'll certainly be realizing some losses once they use any credentials (if not sooner)
- In the case of false login pages, some client-side configurations can nullify the attack
- In the case of false login pages, some server-side configurations can nullify the attack
- Even if no banking is done on the system, an attacker can still fork the attack by implimenting (3). This was a popular attack recently. Scammers would mine emails for data about friends & family and would present themselves as a loved one in distress who needed money. Most often it was to the tune of "hey buddy, I'm stranded/screwed in (some country) and need $X to solve my problems." I can personally say that my emails would prsent some very plausible targets.

Domain-game login pages were a short-lived threat. In current attacks, (i.e. case (1)) PayPal is NOT the threat vector but it is a potential asset which can be claimed by an attacker after the attack has already proven successful. Even still, direct bank credentials are higher value assets (rather than credentials to a middle-man service). It is not even the target, a full take-over of the machine is. As a side-note, PayPal offers multi-factor authentication. If you set this up, not only do your credentials have to be stolen, someone has to physically steal your one-time-password token. Of course, on a compromised system, I can't imagine a purely online transaction that is necessarily safe.



The bottom line:
- A customer can be more assured of their investment if they send money through PayPal as opposed to Western Union. No caveats or provisions to this statement.
- You've falsely attributed the human vulnerability of phishing as a vulnerability of PayPal.
- The phishing attack that most closely backs your statement is regarded as a threat of yesterday (relatively speaking) and presents a much lower threat cross-section than any other phishing attack that utilizes malicious links in emails.