ElLeonBlanco Posted July 10, 2003

Hi gang:

Ran across this little article while looking for something else. Thought it might be of interest to the Paypal folks out there. We don't use Paypal but I know several of you do.

Posted the URL here: http://www.internetnews.com/ec-news/articl...cle.php/2232421

And the article here:

July 8, 2003
PayPal Scam Site Using Legit SSL
By Ryan Naraine

:shock:

Intrusion detection specialists Internet Storm Center (ISC) on Monday raised an alarm for a fake PayPal site using a valid SSL to dupe users into giving up personal information.

By using a legitimate SSL certificate to masquerade as a PayPal site, scammers are now adopting trickier techniques to perpetuate identity theft that are not as easy to spot, the ISC warned.

The SSL (Secure Sockets Layer) protocol is used by Web sites to obtain confidential user information, such as credit card numbers, in a secure, encrypted environment. By convention, URLs that require an SSL connection start with https: instead of http:.

PayPal, the eBay-owned online billing/payment firm, uses SSL to secure its Web-based interaction with millions of users.

By using a legitimate SSL certificate to masquerade as a PayPal site, the ISC warns that scammers are now adopting trickier techniques to perpetuate identity theft.

"Usually it is the goal of these sites to extract information from users which will be used in identity theft or credit card fraud. The page is usually advertised via spam and looks just like a regular PayPal/eBay page," the monitoring service said, noting that users are usually directed to a Web site to confirm billing information.

A standard technique to mask the actual URL and make it look valid, the ISC explained, is the addition of username/password prefixes that are prepended to the URL. In most cases, the scam sites are easily spotted because they are not using SSL.

"Sometimes they attempt to hide this fact by increasing the browser window size to push the lower part of the browser window off the screen, so users will not see the open browser lock," the monitoring service noted.

However, the latest scam spotted making the rounds in inbox uses a valid SSL certificate which makes it tougher to spot the fake. The ISC found that the e-mail spam message lures users into going to a URL that looks like a secure PayPal site but it actually uses a CGI script to redirect the user to a fake page.

To spot the scam, users are urged to be wary of overly long URLs that redirect to strange-looking domains, such as https://www.paypal.com:ac=alksdjflakdjflkas...jrlkajdf@KI54fT. WoRlDiSpNeTwOrK.CoM/[email protected].

Before entering personal information on a Web site, PayPal users were urged to pay careful attention to details of the site's URL and look for red flags such as an unusually long domain name that contains the "@" sign.

The use of SSL certificates is the latest in a long list of scams targeting PayPal users. Last month, electronics retailer Best Buy became the latest victim of scammers using e-mail spam to steal credit card numbers.

The Best Buy scam also used URL redirecting techniques to lure users into entering sensitive personal information, including Social Security numbers, on a fake Web page.

My opinion which ain't worth much: F-'n Bastards!!! Whatever became of honest folks? This is just bad for Ecommerce all the way around. We need to help protect our clients from people like these. :evil:

ElLeonBlanco
"The man of genius makes no mistakes. His errors are volitional and are the portals of discovery." James Joyce (1882–1941)
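
The username/password-prefix trick the quoted article describes, as an added example that is not part of the original post or the article: a link check that separates the userinfo part of a URL from the host the browser actually contacts. The function name `inspect_url`, the `expected_host` parameter and the sample URLs (on reserved `.example` hosts) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# A string shaped like a DNS name (labels, dots, alphabetic TLD).
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_url(url, expected_host):
    """Return (real_host, findings) for a link found in an e-mail.

    real_host is the host the browser actually connects to: whatever
    follows the last "@" in the authority part, lower-cased, port removed.
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    findings = []

    if "@" in parts.netloc:
        # Everything before "@" is userinfo (username[:password]), not a host.
        findings.append("userinfo-present")
        user = parts.username or ""
        if HOSTLIKE.match(user):
            findings.append("userinfo-looks-like-host:" + user.lower())

    same = real_host == expected_host
    subdomain = real_host.endswith("." + expected_host)
    if not (same or subdomain):
        findings.append("host-mismatch")
    return real_host, findings


# Constructed samples (hypothetical .example hosts, not the URL from the article).
SAMPLES = [
    "https://www.paypal.com/cgi-bin/webscr",
    "https://www.paypal.com:ac=CONSTRUCTED@LoGiN.PhIsH.example/cgi-bin/redirect",
    "https://paypal.com.account-check.example/verify",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        host, findings = inspect_url(sample, "paypal.com")
        print(host, findings or "ok")
```

The check works on the URL text alone, so its result is the same whether or not the destination presents a valid SSL certificate.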

loxly Posted July 10, 2003

This happens all the time, I get at least four or five a week for both paypal and ebay supposed account verification, was recently slammed with spam to verify my supposed Citi's c2it account so let's not just focus on the paypal/ebay scams. It is also common for aol users to receive emails to verify their info and there is an aol wallet that stores cc info too.

These sites all post in big bold letters not to answer these emails and tell their customers they WILL NOT EMAIL YOU FOR ACCOUNT VERIFICATION. If you are stupid enough to think a company is going to verify your information in this way well..... you don't deserve to be defrauded, but you certainly have to watch out for yourself.

[no external urls in signatures please, kthanks]

loxly Posted July 10, 2003

And you are right, we need to EDUCATE the public about this crap. Another one I have been getting is the old "someone, possible you, requested your password" and "go here to verify". Some folks need to get caught so they can get lives.

[no external urls in signatures please, kthanks]

ElLeonBlanco Posted July 10, 2003

Thanks for the input. I never use Paypal as I have heard so many bad things about it I would never recommend it to one of my clients. I still find the best method is to obtain a Merchant Account and use good judgement when accepting orders by credit cards.

I hate the people that order, sign for and receive your merchandise, waste your time, money, packing and shipping only to call the card issuer in a month and say "I never ordered from these people. Take this off my card." Then the poor struggling merchant has to eat the whole thing.

I have often thought about setting up a blacklist that could be made available to ALL OSC merchants to help protect from these creeps. Anyone else possibly wish to lend some ideas or help on this issue? Between all my merchants we lost almost 4500 dollars to chargebacks last month alone. Too much more of that and several of my good clients will no longer be in business.

What really irks me is the credit card issuer's attitude: Too bad so sad sorry about your luck. What about the card companies trying to assist and protect the merchant for a change? Now that would be a new twist.

ElLeonBlanco
"The man of genius makes no mistakes. His errors are volitional and are the portals of discovery." James Joyce (1882–1941)

wizardsandwars Posted July 10, 2003

Actually, you can contest any chargeback you ever receive. If it's a chargeback from Amex, it's a little hard to get out of. But if it's from Visa or MC, you can contest it. They will ask you for proof that you shipped it to the cardholder's billing address. If you have that proof, the customer can not take the charge off the bill.

Proof that I have used before is USPS or UPS delivery confirmation. I have escaped 2 chargebacks valued at over $100 each in this way.

-----
NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit. If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

ElLeonBlanco Posted July 10, 2003

Sounds like you live in fantasy land. You must live in USA. But if: You are a merchant from another country. Then the card issuer basically will tell you: Send us the information on the transaction.

I am tired of sending COPIES of Identification, Front and Back side of Credit card, SIGNED delivery receipt and anything else that may prove useful. (At much expense to DHL I might add.)

There is no doubt about it. All the card issuers care about is covering their ass at the cost of the merchant. F---K the credit card companies. Their "We protect our cardholders agreements. By screwing the merchants."

Something needs to be done to PROTECT honest merchants that do their best to fulfill orders, pay huge international shipping fees, and get screwed by the consumer.

ElLeonBlanco
"The man of genius makes no mistakes. His errors are volitional and are the portals of discovery." James Joyce (1882–1941)

Guest Posted July 20, 2003

although i am a very small time etailer, but i totally agree and empathise with ElLeonBlanco on scumbag customers. i am also for the blacklist. it is indeed lonely to be honest.

Daemonj Posted July 21, 2003

> Sounds like you live in fantasy land. You must live in USA. But if: You are a merchant from another country. Then the card issuer basically will tell you: Send us the information on the transaction.
>
> I am tired of sending COPIES of Identification, Front and Back side of Credit card, SIGNED delivery receipt and anything else that may prove useful. (At much expense to DHL I might add.)
>
> There is no doubt about it. All the card issuers care about is covering their ass at the cost of the merchant. F---K the credit card companies. Their "We protect our cardholders agreements. By screwing the merchants."
>
> Something needs to be done to PROTECT honest merchants that do their best to fulfill orders, pay huge international shipping fees, and get screwed by the consumer.

It sounds to me like you need to get your clients together along with other merchants that have encountered similar problems and get a class-action suit against the CC companies. With that kind of proof, there is no way the customer should be allowed the chargeback.

WizardsandWars and I do live in the US and he is correct. As I said above, if you have all of that information (especially delivery confirmation) the chargeback cannot be allowed.

You might want to consider having your attorney give the CC company a call to inquire about the situation. That might get their attention. ;) Not to mention that you could seek reimbursement for all of the DHL charges incurred to ship the information to them.

"Great spirits have always found violent opposition from mediocre minds. The latter cannot understand it when a man does not thoughtlessly submit to hereditary prejudices but honestly and courageously uses his intelligence." - A. Einstein

♥monte22 Posted July 21, 2003

So Jim, you wouldn't trust your money in PayPal, but you put all your faith in a merchant account which you lose $4500 a month through?

I have used PayPal for over 2 years now, had hundreds of thousands of dollars in transactions and I think I maybe have had about $100-200 in chargebacks. However, PayPal didn't even charge me for them. All they said was that the transaction was disputed by the customer, and that I should be sure to always ship to a confirmed address. I don't know if they have special rules for businesses that deal in high volume, but it works for me.

I also have a merchant account, and have never really had any problems there either.

Guest Posted July 22, 2003

we offer paypal and have a merchant account for CC's and we have never had a chargeback in paypal (3+ years), but we do get nailed occasionally with chargebacks from international customers (non-US)

none of the merchant account companies (that we are aware of) offer any real fraud protection against bad cards from outside the US. There is one company that has a basic solution, and with companies like Visa starting to implement things such as Verified by Visa, these will help, but they will only help if the merchant account companies (such as Authorizenet and others) actually implement the solutions.....

it is very dangerous for online merchants and we are at the mercy of not only scumbag customers, but we are also treated as an adversary of the companies that issue merchant accounts
This topic is now archived and is closed to further replies.