This post originated from an RSS feed registered with Java Buzz by John Topley. Original Post: No Pal Of Mine Feed Title: John Topley's Weblog Feed URL: http://johntopley.com/posts.atom Feed Description: John Topley's Weblog - some articles on Ruby on Rails development. Latest Java Buzz Posts Latest Java Buzz Posts by John Topley Latest Posts From John Topley's Weblog

This morning. 7:15 a.m. Bleary-eyed and reading my e-mails. An e-mail from PayPal asking me to verify my account:

“We recently have determined that different computers have logged onto your PayPal account, and multiple password failures were present before the login. One of our Customer Service employees has already tryed to telephonically reach you. As our employee did not manage to reach you, this email has been sent to your notice. Therefore your account has been temporarily suspended. We need you to confirm your identity in order to regain full privileges of your account. If this is not completed by April 13, 2005, we reserve the right to terminate all privileges of your account indefinitly, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. To confirm your identity please follow the link below:

https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Thank you for your patience in this matter.

PayPal - Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.”

—Different computers have logged into my PayPal account? I think about the fact that I've just bought another computer and the complicated steps I had to go through before to verify myself to PayPal, so I click the hyperlink in the e-mail and get taken to the PayPal login screen. And then I pause in my tracks and read the e-mail properly.

“One of our Customer Service employees has already tryed [sic] to telephonically [sic] reach you.” I hover the mouse over the hyperlink in the e-mail and look at the Thunderbird status bar. It tells me that the hyperlink actually goes to:

http://www.paypal.com.login-user43.info/webscr.php?cmd=LogIn

…which when clicked on, takes you to a passable clone of the genuine PayPal login screen.

Another giveaway: I actually received two of these e-mails, one sent to the editor address for my domain and the other to the webmaster address. Neither of which are the e-mail address that I use for PayPal.

Finally, I view the message source. The Return-Path is set to an account at lil.univ-littoral.fr, which turns out to be a French university. If this is the genuine account from which the e-mails were sent, then the sender was extremely naïve, or else some poor student has been set up to appear as the sender. I fire off an e-mail to abuse@lil.univ-littoral.fr and postmaster@lil.univ-littoral.fr so that they can investigate.

I'm horrified that I came quite close to divulving my PayPal credentials, but in the end the worse that happened was that I clicked on a dodgy hyperlink and maybe verified that the e-mail had got through to me. If there's a moral to this story then it's that in an Internet age when everybody seems to be out to get you, you have to make sure you're fully awake when you read your e-mail.